Malware analysis Quotation.xls Malicious activity | ANY.RUN

Add for printing

File name:	Quotation.xls
Full analysis:	https://app.any.run/tasks/535b3abf-9570-41ab-b0da-6bbf4d1b287f
Verdict:	Malicious activity
Threats:	FormBook is a data stealer that is being distributed as a MaaS. FormBook differs from a lot of competing malware by its extreme ease of use that allows even the unexperienced threat actors to use FormBook virus. A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection. Spyware is a stealth form of malware whose primary objective is to gather sensitive information, such as personal data, login credentials, and financial details, by monitoring user activities and exploiting system vulnerabilities. Spyware operates secretly in the background, evading detection while transmitting collected data to cybercriminals, who can then use it for malicious purposes like identity theft, financial fraud, or espionage. Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns. Trojans are a group of malicious programs distinguished by their ability to masquerade as benign software. Depending on their type, trojans possess a variety of capabilities, ranging from maintaining full remote control over the victim’s machine to stealing data and files, as well as dropping other malware. At the same time, the main functionality of each trojan family can differ significantly depending on its type. The most common trojan infection chain starts with a phishing email. Malware Trends Tracker >>>
Analysis date:	November 09, 2023, 07:00:57
OS:	Windows 7 Professional Service Pack 1 (build: 7601, 64 bit)
Tags:	phishing phishing-pdf phishing-xls opendir exploit cve-2017-11882 loader formbook xloader stealer spyware trojan
Indicators:
MIME:	application/vnd.ms-excel
File info:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, Code page: 1252, Name of Creating Application: Microsoft Excel, Create Time/Date: Sat Sep 16 01:00:00 2006, Last Saved Time/Date: Wed Nov 8 17:04:50 2023, Security: 1
MD5:	4A6C8B75271DFB2968FB511984FCDF56
SHA1:	607A5D42B94AA5362857F893F5FF12D8FE6B7DCB
SHA256:	CD1C9FAD93FDC00B3D2B34BB65D84029C5A8529B7EBA10B4922B503DCA449C74
SSDEEP:	49152:2TKsa0m3R5sAT1vNyUOF+4u3075/vKHI+cGQga0m3D5sAT1vNyUOF+4u3a75/vKj:173TsAq5/vKGL33VsA85/vKGLtriQaN3

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 120 seconds
Heavy Evasion option:
Network geolocation:: off
Additional time used:: none
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 11.0.9600.18860 KB4052978
Adobe Acrobat Reader DC MUI (15.007.20033)
Adobe Flash Player 27 ActiveX (27.0.0.187)
Adobe Flash Player 27 NPAPI (27.0.0.187)
Adobe Flash Player 27 PPAPI (27.0.0.187)
CCleaner (5.35)
Google Chrome (109.0.5414.120)
Google Update Helper (1.3.33.23)
Java 8 Update 92 (64-bit) (8.0.920.14)
Java Auto Updater (2.8.92.14)
Microsoft .NET Framework 4.7.1 (4.7.02558)
Microsoft .NET Framework 4.7.1 (4.7.02558)
Microsoft Edge (109.0.1518.115)
Microsoft Edge Update (1.3.177.11)
Microsoft Office Access MUI (English) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Access Setup Metadata MUI (English) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (English) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Groove MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office IME (Japanese) 2010 (14.0.4763.1000)
Microsoft Office IME (Japanese) 2010 (14.0.4763.1000)
Microsoft Office IME (Korean) 2010 (14.0.4763.1000)
Microsoft Office IME (Korean) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (French) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (German) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Language Pack 2010 - French/Français (14.0.4763.1000)
Microsoft Office Language Pack 2010 - German/Deutsch (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Italian/Italiano (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Japanese/日本語 (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Korean/한국어 (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Portuguese/Português (Brasil) (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Russian/русский (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Spanish/Español (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Turkish/Türkçe (14.0.4763.1013)
Microsoft Office O MUI (French) 2010 (14.0.4763.1000)
Microsoft Office O MUI (German) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Office 32-bit Components 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (English) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (French) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (German) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Outlook MUI (English) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office PowerPoint MUI (English) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (French) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (German) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Professional 2010 (14.0.4763.1000)
Microsoft Office Proof (Arabic) 2010 (14.0.4763.1000)
Microsoft Office Proof (Basque) 2010 (14.0.4763.1000)
Microsoft Office Proof (Catalan) 2010 (14.0.4763.1000)
Microsoft Office Proof (Dutch) 2010 (14.0.4763.1000)
Microsoft Office Proof (English) 2010 (14.0.4763.1000)
Microsoft Office Proof (French) 2010 (14.0.4763.1000)
Microsoft Office Proof (Galician) 2010 (14.0.4763.1000)
Microsoft Office Proof (German) 2010 (14.0.4763.1000)
Microsoft Office Proof (Italian) 2010 (14.0.4763.1000)
Microsoft Office Proof (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Proof (Korean) 2010 (14.0.4763.1000)
Microsoft Office Proof (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Proof (Russian) 2010 (14.0.4763.1000)
Microsoft Office Proof (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Proof (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Proof (Ukrainian) 2010 (14.0.4763.1000)
Microsoft Office Proofing (English) 2010 (14.0.4763.1000)
Microsoft Office Proofing (French) 2010 (14.0.4763.1000)
Microsoft Office Proofing (German) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Italian) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Korean) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Russian) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Publisher MUI (English) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office SharePoint Designer MUI (French) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (German) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Shared 32-bit MUI (English) 2010 (14.0.4763.1000)
Microsoft Office Shared 32-bit MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Shared 32-bit MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Shared 32-bit MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Shared 32-bit MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Shared 32-bit MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Shared 32-bit MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Shared 32-bit MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Shared 32-bit MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Shared 32-bit MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Shared MUI (English) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Shared Setup Metadata MUI (English) 2010 (14.0.4763.1000)
Microsoft Office Single Image 2010 (14.0.4763.1000)
Microsoft Office Word MUI (English) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office X MUI (French) 2010 (14.0.4763.1000)
Microsoft Office X MUI (German) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Visual C++ 2005 Redistributable (x64) (8.0.61000)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.6161 (9.0.30729.6161)
Microsoft Visual C++ 2010 x64 Redistributable - 10.0.40219 (10.0.40219)
Microsoft Visual C++ 2012 Redistributable (x64) - 11.0.61030 (11.0.61030.0)
Microsoft Visual C++ 2012 x64 Additional Runtime - 11.0.61030 (11.0.61030)
Microsoft Visual C++ 2012 x64 Minimum Runtime - 11.0.61030 (11.0.61030)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x64 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x64 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2022 X64 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X64 Minimum Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.36.32532 (14.36.32532)
Mozilla Firefox (x64 en-US) (115.0.2)
Mozilla Maintenance Service (115.0.2)
Notepad++ (64-bit x64) (7.5.1)
PowerShell 7-x64 (7.2.11.0)
Skype version 8.100 (8.100)
Update for Microsoft .NET Framework 4.7.1 (KB4054852) (1)
VLC media player (2.2.6)
WinRAR 5.60 (64-bit) (5.60.0)

Add for printing

MALICIOUS
- Suspicious connection from the Equation Editor
  - EQNEDT32.EXE (PID: 2004)
- Uses Task Scheduler to run other applications
  - audiodgse.exe (PID: 980)
- FORMBOOK has been detected (YARA)
  - wlanext.exe (PID: 2660)
- FORMBOOK has been detected (SURICATA)
  - explorer.exe (PID: 1944)
- Connects to the CnC server
  - explorer.exe (PID: 1944)
- Actions looks like stealing of personal data
  - wlanext.exe (PID: 2660)
- Drops the executable file immediately after the start
  - audiodgse.exe (PID: 980)
  - EQNEDT32.EXE (PID: 2004)
- Equation Editor starts application (CVE-2017-11882)
  - EQNEDT32.EXE (PID: 2004)
SUSPICIOUS
- Reads the Internet Settings
  - EQNEDT32.EXE (PID: 2004)
  - audiodgse.exe (PID: 980)
  - wlanext.exe (PID: 2660)
- Process requests binary or script from the Internet
  - EQNEDT32.EXE (PID: 2004)
- Connects to the server without a host name
  - EQNEDT32.EXE (PID: 2004)
- Process drops legitimate windows executable
  - audiodgse.exe (PID: 980)
  - EQNEDT32.EXE (PID: 2004)
- Application launched itself
  - audiodgse.exe (PID: 980)
INFO
- Reads the computer name
  - EQNEDT32.EXE (PID: 2004)
  - audiodgse.exe (PID: 2220)
  - audiodgse.exe (PID: 980)
- Reads the machine GUID from the registry
  - EQNEDT32.EXE (PID: 2004)
  - audiodgse.exe (PID: 980)
- Checks supported languages
  - EQNEDT32.EXE (PID: 2004)
  - audiodgse.exe (PID: 980)
  - audiodgse.exe (PID: 2220)
- Checks proxy server information
  - EQNEDT32.EXE (PID: 2004)
- Creates files or folders in the user directory
  - EQNEDT32.EXE (PID: 2004)
  - audiodgse.exe (PID: 980)
  - wlanext.exe (PID: 2660)
- Create files in a temporary directory
  - audiodgse.exe (PID: 980)
- Manual execution by a user
  - autofmt.exe (PID: 2676)
  - autofmt.exe (PID: 2728)
  - autofmt.exe (PID: 2820)
  - autofmt.exe (PID: 2120)
  - wlanext.exe (PID: 2660)
  - autofmt.exe (PID: 1584)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

Formbook

(PID) Process(2660) wlanext.exe

C2www.kilid102.cloud/bp31/

Strings (79)USERNAME

LOCALAPPDATA

USERPROFILE

APPDATA

TEMP

ProgramFiles

CommonProgramFiles

ALLUSERSPROFILE

/c copy "

/c del "

\Run

\Policies

\Explorer

\Registry\User

\Registry\Machine

\SOFTWARE\Microsoft\Windows\CurrentVersion

Office\15.0\Outlook\Profiles\Outlook\

NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\

\SOFTWARE\Mozilla\Mozilla

\Mozilla

Username:

Password:

formSubmitURL

usernameField

encryptedUsername

encryptedPassword

\logins.json

\signons.sqlite

\Microsoft\Vault\

SELECT encryptedUsername, encryptedPassword, formSubmitURL FROM moz_logins

\Google\Chrome\User Data\Default\Login Data

SELECT origin_url, username_value, password_value FROM logins

.exe

.com

.scr

.pif

.cmd

.bat

win

gdi

mfc

vga

igfx

user

help

config

update

regsvc

chkdsk

systray

audiodg

certmgr

autochk

taskhost

colorcpl

services

IconCache

ThumbCache

SeDebugPrivilege

SeShutdownPrivilege

\BaseNamedObjects

config.php

POST

HTTP/1.1

Host:

Connection: close

Content-Length:

Cache-Control: no-cache

Origin: http://

User-Agent: Mozilla Firefox/4.0

Content-Type: application/x-www-form-urlencoded

Accept: */*

Referer: http://

Accept-Language: en-US

Accept-Encoding: gzip, deflate dat=

f-start

f-end

Decoy C2 (64)hp68b.top

rajawali99pkv.com

cisseoriginals.com

pedchain.com

affibook.com

nudtnrg.com

lems.cloud

tipozaa.store

theamalliance.com

massalit.com

houysdegsesag.top

eseventplanning.com

wxt82.xyz

supportonlineinfo.online

genee.store

nohu247.pro

cartx.store

acomunicacaorestaura.store

249b871ab7d2.info

surantools.com

funlazio.info

lynktag.com

turdfi.xyz

libgeninfo.com

smartagriafrica.info

nikkisellshouses2.com

natsellsatl.com

pg607.fun

kathinationindia.com

chonggonzalez.com

civitai.zone

unlimitednews.online

originswinery.com

byspektra.com

holisticstar.net

5vwl4z8.xyz

mx004.com

annuaire-brocante.com

getmangarock.com

my-chemicals.online

httpsaquexis.com

mavisnakliye.xyz

hemayah.live

lajtuf.com

soulguardgaming.com

hateyaocoeur.com

zloomux.com

haglove.stream

buybom.store

freeamateurzone.com

extremetechnology.shop

rabbitmobiles.com

myfertilitycoachuk.com

ledbrightled.com

blurwing.com

iptv-store.store

creditevangelists.com

zuwiz.com

gcgds.com

jumperspoods.com

lovletterstolife.store

socialpraises.net

bronessbros.com

souqshopper.com

No Malware configuration.

Add for printing

TRiD

.xls	\|	Microsoft Excel sheet (48)
.xls	\|	Microsoft Excel sheet (alternate) (39.2)

EXIF

FlashPix

Title:	-
Subject:	-
Keywords:	-
Comments:	-
Template:	-
RevisionNumber:	1
Pages:	-
Words:	-
Characters:	-
ThumbnailClip:	(Binary data 22858 bytes, use -b option to extract)
Category:	-
PresentationTarget:	-
Manager:	-
Company:	-
Bytes:	-
Lines:	-
Paragraphs:	-
Slides:	-
Notes:	-
HiddenSlides:	-
MMClips:	-
CharCountWithSpaces:	-
KSOProductBuildVer:	2052-11.1.0.13703
ICV:	C30860BF318046A5BA3C67275852A6D2
Author:	-
LastModifiedBy:	-
Software:	Microsoft Excel
CreateDate:	2006:09:16 00:00:00
ModifyDate:	2023:11:08 17:04:50
Security:	Password protected
CodePage:	Windows Latin 1 (Western European)
AppVersion:	12
ScaleCrop:	No
LinksUpToDate:	No
SharedDoc:	No
HyperlinksChanged:	No
TitleOfParts:	Sheet1 Sheet2 Sheet3
HeadingPairs:	Worksheets 3
CompObjUserTypeLen:	38
CompObjUserType:	Microsoft Office Excel 2003 Worksheet

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

Monitored processes

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID

CMD

Path

Indicators

Parent process

980

"C:\Users\admin\AppData\Roaming\audiodgse.exe"

C:\Users\admin\AppData\Roaming\audiodgse.exe

—

EQNEDT32.EXE

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Share Wizard

Exit code:

Version:

1.0.0.0

Modules

Images
c:\users\admin\appdata\roaming\audiodgse.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\system32\kernel32.dll
c:\windows\syswow64\kernel32.dll
c:\windows\system32\user32.dll
c:\windows\syswow64\mscoree.dll

1584

"C:\Windows\SysWOW64\autofmt.exe"

C:\Windows\SysWOW64\autofmt.exe

—

explorer.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Auto File System Format Utility

Exit code:

Version:

6.1.7600.16385 (win7_rtm.090713-1255)

Modules

Images
c:\windows\syswow64\autofmt.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll

1628

"C:\Program Files\Mozilla Firefox\Firefox.exe"

C:\Program Files\Mozilla Firefox\firefox.exe

—

wlanext.exe

User:

admin

Company:

Mozilla Corporation

Integrity Level:

MEDIUM

Description:

Firefox

Exit code:

Version:

115.0.2

Modules

Images
c:\program files\mozilla firefox\firefox.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\mozilla firefox\mozglue.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\msasn1.dll
c:\program files\mozilla firefox\msvcp140.dll
c:\program files\mozilla firefox\vcruntime140.dll

1944

C:\Windows\Explorer.EXE

C:\Windows\explorer.exe

—

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Windows Explorer

Exit code:

Version:

6.1.7600.16385 (win7_rtm.090713-1255)

Modules

Images
c:\windows\explorer.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll

2004

"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding

C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

svchost.exe

User:

admin

Company:

Design Science, Inc.

Integrity Level:

MEDIUM

Description:

Microsoft Equation Editor

Exit code:

Version:

00110900

Modules

Images
c:\program files\common files\microsoft shared\equation\eqnedt32.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\system32\kernel32.dll
c:\windows\syswow64\kernel32.dll
c:\windows\system32\user32.dll
c:\windows\syswow64\kernelbase.dll

2120

"C:\Windows\SysWOW64\autofmt.exe"

C:\Windows\SysWOW64\autofmt.exe

—

explorer.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Auto File System Format Utility

Exit code:

Version:

6.1.7600.16385 (win7_rtm.090713-1255)

Modules

Images
c:\windows\syswow64\autofmt.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll

2220

"C:\Users\admin\AppData\Roaming\audiodgse.exe"

C:\Users\admin\AppData\Roaming\audiodgse.exe

—

audiodgse.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Share Wizard

Exit code:

Version:

1.0.0.0

Modules

Images
c:\users\admin\appdata\roaming\audiodgse.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\system32\kernel32.dll
c:\windows\syswow64\kernel32.dll
c:\windows\system32\user32.dll
c:\windows\syswow64\kernelbase.dll

2292

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\NKApKNeU" /XML "C:\Users\admin\AppData\Local\Temp\tmp8108.tmp"

C:\Windows\SysWOW64\schtasks.exe

—

audiodgse.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Manages scheduled tasks

Exit code:

Version:

6.1.7600.16385 (win7_rtm.090713-1255)

Modules

Images
c:\windows\syswow64\schtasks.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\system32\kernel32.dll
c:\windows\syswow64\kernel32.dll
c:\windows\system32\user32.dll
c:\windows\syswow64\kernelbase.dll

2660

"C:\Windows\SysWOW64\wlanext.exe"

C:\Windows\SysWOW64\wlanext.exe

explorer.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Windows Wireless LAN 802.11 Extensibility Framework

Exit code:

Version:

6.1.7600.16385 (win7_rtm.090713-1255)

Modules

Images
c:\windows\syswow64\wlanext.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\system32\kernel32.dll
c:\windows\syswow64\kernel32.dll
c:\windows\system32\user32.dll
c:\windows\syswow64\kernelbase.dll

Formbook

(PID) Process(2660) wlanext.exe

C2www.kilid102.cloud/bp31/

Strings (79)USERNAME

LOCALAPPDATA

USERPROFILE

APPDATA

TEMP

ProgramFiles

CommonProgramFiles

ALLUSERSPROFILE

/c copy "

/c del "

\Run

\Policies

\Explorer

\Registry\User

\Registry\Machine

\SOFTWARE\Microsoft\Windows\CurrentVersion

Office\15.0\Outlook\Profiles\Outlook\

NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\

\SOFTWARE\Mozilla\Mozilla

\Mozilla

Username:

Password:

formSubmitURL

usernameField

encryptedUsername

encryptedPassword

\logins.json

\signons.sqlite

\Microsoft\Vault\

SELECT encryptedUsername, encryptedPassword, formSubmitURL FROM moz_logins

\Google\Chrome\User Data\Default\Login Data

SELECT origin_url, username_value, password_value FROM logins

.exe

.com

.scr

.pif

.cmd

.bat

win

gdi

mfc

vga

igfx

user

help

config

update

regsvc

chkdsk

systray

audiodg

certmgr

autochk

taskhost

colorcpl

services

IconCache

ThumbCache

SeDebugPrivilege

SeShutdownPrivilege

\BaseNamedObjects

config.php

POST

HTTP/1.1

Host:

Connection: close

Content-Length:

Cache-Control: no-cache

Origin: http://

User-Agent: Mozilla Firefox/4.0

Content-Type: application/x-www-form-urlencoded

Accept: */*

Referer: http://

Accept-Language: en-US

Accept-Encoding: gzip, deflate dat=

f-start

f-end

Decoy C2 (64)hp68b.top

rajawali99pkv.com

cisseoriginals.com

pedchain.com

affibook.com

nudtnrg.com

lems.cloud

tipozaa.store

theamalliance.com

massalit.com

houysdegsesag.top

eseventplanning.com

wxt82.xyz

supportonlineinfo.online

genee.store

nohu247.pro

cartx.store

acomunicacaorestaura.store

249b871ab7d2.info

surantools.com

funlazio.info

lynktag.com

turdfi.xyz

libgeninfo.com

smartagriafrica.info

nikkisellshouses2.com

natsellsatl.com

pg607.fun

kathinationindia.com

chonggonzalez.com

civitai.zone

unlimitednews.online

originswinery.com

byspektra.com

holisticstar.net

5vwl4z8.xyz

mx004.com

annuaire-brocante.com

getmangarock.com

my-chemicals.online

httpsaquexis.com

mavisnakliye.xyz

hemayah.live

lajtuf.com

soulguardgaming.com

hateyaocoeur.com

zloomux.com

haglove.stream

buybom.store

freeamateurzone.com

extremetechnology.shop

rabbitmobiles.com

myfertilitycoachuk.com

ledbrightled.com

blurwing.com

iptv-store.store

creditevangelists.com

zuwiz.com

gcgds.com

jumperspoods.com

lovletterstolife.store

socialpraises.net

bronessbros.com

souqshopper.com

2676

"C:\Windows\SysWOW64\autofmt.exe"

C:\Windows\SysWOW64\autofmt.exe

—

explorer.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Auto File System Format Utility

Exit code:

Version:

6.1.7600.16385 (win7_rtm.090713-1255)

Modules

Images
c:\windows\syswow64\autofmt.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll

Add for printing

Total events

3 846

Read events

3 781

Write events

Delete events

Modification events


(PID) Process:	(1944) explorer.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Action Center\Checks\{C8E6F269-B90A-4053-A3BE-499AFCEC98C4}.check.0
Operation:	write	Name:	CheckSetting
Value: 01000000D08C9DDF0115D1118C7A00C04FC297EB01000000088AF72B0747534094337F63DE35C94A000000000200000000001066000000010000200000003A7AE26404D75DF41C31FF40C5EA8CE90BAF74FA9E9BD7A9ACA34C7048350C1E000000000E8000000002000020000000BD2D56D46506C12C41A6A70B10E79EE53CB79EF36FD2BA8CDD2460CB8F4BE86A300000009B5D1418CBF2EB49F3C4BD4C21D58CA55B82FA3D3ED08AF0EF59D6C7ECAFC1055FA323A80FF7C154B1C9B60253392B6640000000DED9FDCC168073324C3013F1BB125E066EB1A2F09FD2C8E7CC7A793AA992E21EF1C942BF7294D04E036428704009B863B1CB981B97312E2530E3E816780CF7C9
(PID) Process:	(3020) EXCEL.EXE	Key:	HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:	write	Name:	1033
Value: On
(PID) Process:	(3020) EXCEL.EXE	Key:	HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:	write	Name:	1041
Value: On
(PID) Process:	(3020) EXCEL.EXE	Key:	HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:	write	Name:	1042
Value: On
(PID) Process:	(3020) EXCEL.EXE	Key:	HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:	write	Name:	1046
Value: On
(PID) Process:	(3020) EXCEL.EXE	Key:	HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:	write	Name:	1036
Value: On
(PID) Process:	(3020) EXCEL.EXE	Key:	HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:	write	Name:	1031
Value: On
(PID) Process:	(3020) EXCEL.EXE	Key:	HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:	write	Name:	1040
Value: On
(PID) Process:	(3020) EXCEL.EXE	Key:	HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:	write	Name:	1049
Value: On
(PID) Process:	(3020) EXCEL.EXE	Key:	HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:	write	Name:	3082
Value: On

Add for printing

Executable files

Suspicious files

Text files

Unknown types

Dropped files

PID	Process	Filename		Type
3020	EXCEL.EXE	C:\Users\admin\AppData\Local\Temp\CVRA5EB.tmp.cvr		—
		MD5:—	SHA256:—
3020	EXCEL.EXE	C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\723AEABF.emf		binary
		MD5:A01B9617553432807B9B58025B338D97	SHA256:7A0426ED2E2349916969FF7087C0F76089FB8CE7F4627F3D11CCBC1AAEFCEDCE
3020	EXCEL.EXE	C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\69547440.emf		binary
		MD5:9ABE7EB352E0DB96B52C99AC2FDEA85F	SHA256:EC022DFF1CC8251BA9D849C16431914635473FC5457AE73AA277651B47948869
2004	EQNEDT32.EXE	C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\K78MRVB5\wininit[1].exe		executable
		MD5:1F061E24E82B471E201B57B67F446B7B	SHA256:F26EF2DC3870B6EE2F05973FCD97B1E55F817524EAC8BDBE6863E584C6CF2821
2660	wlanext.exe	C:\Users\admin\AppData\Roaming\87R83SQR\87Rlogrc.ini		binary
		MD5:E03F207A7B9CFC4D877ED2EC64BE028E	SHA256:B17183098B6E349844A3151456EDF62C8E41B2348D2445A610C0FF1E29963067
2660	wlanext.exe	C:\Users\admin\AppData\Roaming\87R83SQR\87Rlogrv.ini		binary
		MD5:BA3B6BC807D4F76794C4B81B09BB9BA5	SHA256:6EEBF968962745B2E9DE2CA969AF7C424916D4E3FE3CC0BB9B3D414ABFCE9507
2660	wlanext.exe	C:\Users\admin\AppData\Roaming\87R83SQR\87Rlogri.ini		binary
		MD5:D63A82E5D81E02E399090AF26DB0B9CB	SHA256:EAECE2EBA6310253249603033C744DD5914089B0BB26BDE6685EC9813611BAAE
980	audiodgse.exe	C:\Users\admin\AppData\Local\Temp\tmp8108.tmp		xml
		MD5:22061EB8AE4A7F814DF786DB3F16751D	SHA256:DD6755CBD9872E1D0F346C38E737A82FF81958E98A851F5AAD3B2FB5A4E4A3B9
1628	firefox.exe	C:\Users\admin\AppData\Roaming\87R83SQR\87Rlogrf.ini		binary
		MD5:2F245469795B865BDD1B956C23D7893D	SHA256:1662D01A2D47B875A34FC7A8CD92E78CB2BA7F34023C7FD2639CBB10B8D94361
3020	EXCEL.EXE	C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\332D05B4.emf		binary
		MD5:1FCB3F34B5588F6A647A06DFF1811BF9	SHA256:A99E8172248DAC0B2A6243D06A862901989857B0C2ECBED5F25DDB0D1A95154E

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

DNS requests

Threats

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
2004	EQNEDT32.EXE	GET	200	103.29.3.200:80	http://103.29.3.200/W0811T/wininit.exe	unknown	executable	631 Kb	unknown
1944	explorer.exe	GET	403	23.227.38.74:80	http://www.cartx.store/bp31/?IR9D54=YY3hkksSpmZNVrvpWToIhkuRhCa/E2fI635LdZXTW2SMXfVd8QNIJleAP22QG9m1CzzRCQ==&4h=NTxxQJ9&sql=1	unknown	html	4.41 Kb	unknown
1944	explorer.exe	POST	—	23.227.38.74:80	http://www.cartx.store/bp31/	unknown	—	—	unknown
1944	explorer.exe	POST	—	23.227.38.74:80	http://www.cartx.store/bp31/	unknown	—	—	unknown
1944	explorer.exe	POST	—	23.227.38.74:80	http://www.cartx.store/bp31/	unknown	—	—	unknown

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
1956	svchost.exe	239.255.255.250:1900	—	—	—	whitelisted
4	System	192.168.100.255:137	—	—	—	whitelisted
324	svchost.exe	224.0.0.252:5355	—	—	—	unknown
2004	EQNEDT32.EXE	103.29.3.200:80	—	—	—	unknown
4	System	192.168.100.255:138	—	—	—	whitelisted
1944	explorer.exe	23.227.38.74:80	www.cartx.store	CLOUDFLARENET	CA	unknown

DNS requests

Domain	IP	Reputation
www.cartx.store	23.227.38.74	unknown

Threats

PID	Process	Class	Message
2004	EQNEDT32.EXE	Potentially Bad Traffic	ET INFO Executable Download from dotted-quad Host
2004	EQNEDT32.EXE	A Network Trojan was detected	ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1
2004	EQNEDT32.EXE	Potential Corporate Privacy Violation	ET POLICY PE EXE or DLL Windows file download HTTP
2004	EQNEDT32.EXE	A Network Trojan was detected	ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2
2004	EQNEDT32.EXE	Potentially Bad Traffic	ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
1944	explorer.exe	Malware Command and Control Activity Detected	ET MALWARE FormBook CnC Checkin (GET)

3 ETPRO signatures available at the full report

Add for printing

No debug info

General Info

Quotation.xls

4A6C8B75271DFB2968FB511984FCDF56

607A5D42B94AA5362857F893F5FF12D8FE6B7DCB

CD1C9FAD93FDC00B3D2B34BB65D84029C5A8529B7EBA10B4922B503DCA449C74

49152:2TKsa0m3R5sAT1vNyUOF+4u3075/vKHI+cGQga0m3D5sAT1vNyUOF+4u3a75/vKj:173TsAq5/vKGL33VsA85/vKGLtriQaN3

Software environment set and analysis options

Launch configuration

Software preset

Behavior activities

MALICIOUS

Suspicious connection from the Equation Editor

Uses Task Scheduler to run other applications

FORMBOOK has been detected (YARA)

FORMBOOK has been detected (SURICATA)

Connects to the CnC server

Actions looks like stealing of personal data

Drops the executable file immediately after the start

Equation Editor starts application (CVE-2017-11882)

SUSPICIOUS

Reads the Internet Settings

Process requests binary or script from the Internet

Connects to the server without a host name

Process drops legitimate windows executable

Application launched itself

INFO

Reads the computer name

Reads the machine GUID from the registry

Checks supported languages

Checks proxy server information

Creates files or folders in the user directory

Create files in a temporary directory

Manual execution by a user

Malware configuration

Formbook

Static information

TRiD

EXIF

FlashPix

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Malware configuration

Formbook

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings