Analysis Report IMG-50230.doc

Overview

General Information

Sample Name: IMG-50230.doc
Analysis ID: 344787
MD5: 447225e0d19daba3ebaa394a72b72318
SHA1: ade2804cac4b052d9fb2af635dd2b7e4dd960853
SHA256: 39e2a7aebe3542b3caf9fca72de467f409766056a29923042ec91c5140503409
Tags: doc

Most interesting Screenshot:

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Sigma detected: Droppers Exploiting CVE-2017-11882
Sigma detected: EQNEDT32.EXE connecting to internet
Sigma detected: File Dropped By EQNEDT32EXE
Yara detected AntiVM_3
Yara detected FormBook
Allocates memory in foreign processes
Connects to a URL shortener service
Drops PE files to the user root directory
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Office equation editor drops PE file
Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Sigma detected: Executables Started in Suspicious Folder
Sigma detected: Execution in Non-Executable Folder
Sigma detected: Suspicious Program Location Process Starts
Tries to detect virtualization through RDTSC time measurements
Writes to foreign memory regions
Abnormal high CPU Usage
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to launch a process as a different user
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Drops PE files to the user directory
Drops files with a non-matching file extension (content does not match file extension)
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Office Equation Editor has been started
Potential document exploit detected (performs DNS queries)
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)
Queries the volume information (name, serial number etc) of a device
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

AV Detection:

barindex
Found malware configuration
Source: 5.2.AddInProcess32.exe.80000.0.unpack Malware Configuration Extractor: FormBook {"Config: ": ["CONFIG_PATTERNS 0x8bc6", "KEY1_OFFSET 0x1d737", "CONFIG SIZE : 0x103", "CONFIG OFFSET 0x1d83b", "URL SIZE : 35", "searching string pattern", "strings_offset 0x1c383", "searching hashes pattern", "--------------------------------------------------", "Decrypted Function Hashes", "--------------------------------------------------", "0x964e9058", "0xf43668a6", "0x980476e5", "0x35a6d50c", "0xf89290dc", "0x94261f57", "0x7d54c891", "0x47cb721", "0xf72d70a3", "0x9f715032", "0xbf0a5e41", "0x2902d074", "0xf653b199", "0xc8c42cc6", "0x2e1b7599", "0x210d4d07", "0x6d2a7921", "0x8ea85a2f", "0x207c50ff", "0xb967410a", "0x1eb17415", "0xb46802f8", "0x11da8518", "0xf42ed5c", "0x2885a3d3", "0x445675fa", "0x5c289b4c", "0x40ede5aa", "0xf24946a2", "0x8559c3e2", "0xb9d34d23", "0xa14d0a19", "0x2d07bbe2", "0xbbd1d68c", "0xb28c29d4", "0x3911edeb", "0xefad046d", "0xa0605497", "0xf5529cbf", "0x5507576a", "0xfa2467c8", "0x5b6423bf", "0xe22409b9", "0xde1eba2", "0xae847e2", "0xa8cfcc9", "0x26fc2c69", "0x5d8a75ac", "0x22eb3474", "0x2b37c918", "0x79402007", "0x7544791c", "0x641b2c94", "0x1db04ecf", "0xf5d02cd8", "0xad012162", "0x6206e716", "0x5e4b9b9a", "0xe4e2f5f4", "0x54c93159", "0x25ea79b", "0x5bf29119", "0xd6507db", "0x32ffc9f8", "0xe4cfab72", "0x98db5380", "0xce4cc542", "0x3092a0a2", "0x66053660", "0x2607a133", "0xfcd014d5", "0x80b41d4", "0x4102ad8d", "0x857bf6a6", "0xd3ec6064", "0x23145fc4", "0xc026698f", "0x8f5385d8", "0x2430512b", "0x3ebe9086", "0x4c6fddb5", "0x276db13e", "0xe00f0a8e", "0x85cf9404", "0xb2248784", "0xcdc7e023", "0x11f5f50", "0x1dd4bc1c", "0x8235fce2", "0x21b17672", "0xbba64d93", "0x2f0ee0d8", "0x9cb95240", "0x28c21e3f", "0x9347ac57", "0x9d9522dc", "0x911bc70e", "0x74443db9", "0xf04c1aa9", "0x6484bcb5", "0x11fc2f72", "0x2b44324f", "0x9d70beea", "0x59adf952", "0x172ac7b4", "0x5d4b4e66", "0xed297eae", "0xa88492a6", "0xb21b057c", "0x70f35767", "0xb6f4d5a8", "0x67cea859", "0xc1626bff", "0xb4e1ae2", "0x24a48dcf", "0xe11da208", "0x1c920818", "0x65f4449c", "0xc30bc050", "0x3e86e1fb", "0x9e01fc32", "0x216500c2", "0x48e207c9", "0x2decf13e", "0x19996921", "0xb7da3dd7", "0x47f39d2b", "0x6777e2de", "0xd980e37f", "0x963fea3b", "0xacddb7ea", "0x110aec35", "0x647331f3", "0x2e381da4", "0x50f66474", "0xec16e0c0", "0xf9d81a42", "0xd6c6f9db", "0xef3df91", "0x60e0e203", "0x7c81caaf", "0x71c2ec76", "0x25e431cc", "0x106f568f", "0x6a60c8a9", "0xb758aab3", "0x3b34de90", "0x700420f5", "0xee359a7e", "0xd1d808a", "0x47ba47a5", "0xff959c4c", "0x5d30a87d", "0xaa95a900", "0x80b19064", "0x9c5a481a", "0x1dd252d", "0xdb3055fc", "0xe0cf8bf1", "0x3a48eabc", "0xf0472f97", "0x4a6323de", "0x4260edca", "0x53f7fb4f", "0x3d2e9c99", "0xf6879235", "0xe6723cac", "0xe184dfaa", "0xe99ffaa0", "0xf6aebe25", "0xefadf9a5", "0x215de938", "0x757906aa", "0x84f8d766", "0xb6494f65", "0x13a75318", "0x5bde5587", "0xe9eba2a4", "0x6b8a0df3", "0x9c02f250", "0xe52a2a2e", "0xdb96173c", "0x3c0f2fc", "0xd45e157c", "0x4edd1210", "0x2b127ce0", "0xadc887b6", "0xf45a1c52", "0xc84869d7", "0x36dc1f04"
Yara detected FormBook
Source: Yara match File source: 00000005.00000002.2140353140.0000000000081000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.2140526407.00000000004D0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.2360758305.00000000000D0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.2112664832.0000000003B66000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.2112815271.0000000003CD3000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.2140472679.0000000000310000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 5.2.AddInProcess32.exe.80000.0.unpack, type: UNPACKEDPE
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\IMG-50230[1].pdf Joe Sandbox ML: detected
Source: C:\Users\Public\69577.exe Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
Source: 5.2.AddInProcess32.exe.80000.0.unpack Avira: Label: TR/Crypt.ZPACK.Gen

Exploits:

barindex
Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process created: C:\Users\Public\69577.exe Jump to behavior
Office Equation Editor has been started
Source: unknown Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding

Compliance:

barindex
Uses new MSVCR Dlls
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll Jump to behavior
Binary contains paths to debug symbols
Source: Binary string: AddInProcess32.pdb source: AddInProcess32.exe
Source: Binary string: wntdll.pdb source: AddInProcess32.exe, rundll32.exe
Source: Binary string: rundll32.pdb source: AddInProcess32.exe, 00000005.00000002.2140415734.00000000001C4000.00000004.00000020.sdmp

Software Vulnerabilities:

barindex
Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Users\Public\69577.exe Code function: 4x nop then jmp 003AAFE3h 4_2_003AA810
Source: C:\Users\Public\69577.exe Code function: 4x nop then mov esp, ebp 4_2_003AF99F
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 4x nop then pop edi 5_2_00097CEF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4x nop then pop edi 7_2_000E7CEF
Potential document exploit detected (performs DNS queries)
Source: global traffic DNS query: name: bit.ly
Potential document exploit detected (performs HTTP gets)
Source: global traffic TCP traffic: 192.168.2.22:49165 -> 67.199.248.11:80
Potential document exploit detected (unknown TCP traffic)
Source: global traffic TCP traffic: 192.168.2.22:49165 -> 67.199.248.11:80

Networking:

barindex
Connects to a URL shortener service
Source: unknown DNS query: name: bit.ly
Source: unknown DNS query: name: bit.ly
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 67.199.248.11 67.199.248.11
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: GOOGLE-PRIVATE-CLOUDUS GOOGLE-PRIVATE-CLOUDUS
Uses a known web browser user agent for HTTP communication
Source: global traffic HTTP traffic detected: GET /3iWebUT HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: bit.lyConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /3iWebUT HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: bit.lyConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /cgi./IMG-50230.pdf HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Connection: Keep-AliveHost: neuromedic.com.br
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{248D4A90-30CA-4646-ACFF-79FC9E14ADCB}.tmp Jump to behavior
Source: global traffic HTTP traffic detected: GET /3iWebUT HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: bit.lyConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /3iWebUT HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: bit.lyConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /cgi./IMG-50230.pdf HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Connection: Keep-AliveHost: neuromedic.com.br
Source: explorer.exe, 00000006.00000000.2130246115.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: <FavoriteIcon>http://www.facebook.com/favicon.ico</FavoriteIcon> equals www.facebook.com (Facebook)
Source: explorer.exe, 00000006.00000000.2130246115.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: <FavoriteIcon>http://www.myspace.com/favicon.ico</FavoriteIcon> equals www.myspace.com (Myspace)
Source: explorer.exe, 00000006.00000000.2130246115.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: <FavoriteIcon>http://www.rambler.ru/favicon.ico</FavoriteIcon> equals www.rambler.ru (Rambler)
Source: explorer.exe, 00000006.00000000.2130246115.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: <URL>http://www.facebook.com/</URL> equals www.facebook.com (Facebook)
Source: explorer.exe, 00000006.00000000.2130246115.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: <URL>http://www.rambler.ru/</URL> equals www.rambler.ru (Rambler)
Source: explorer.exe, 00000006.00000000.2117611941.0000000003C40000.00000002.00000001.sdmp String found in binary or memory: Please visit http://www.hotmail.com/oe to learn more. equals www.hotmail.com (Hotmail)
Source: 69577.exe, 00000004.00000002.2108823979.0000000000476000.00000004.00000020.sdmp String found in binary or memory: www.login.yahoo.com0 equals www.yahoo.com (Yahoo)
Source: unknown DNS traffic detected: queries for: bit.ly
Source: explorer.exe, 00000006.00000000.2129984121.000000000A330000.00000008.00000001.sdmp String found in binary or memory: http://%s.com
Source: explorer.exe, 00000006.00000000.2130246115.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://amazon.fr/
Source: explorer.exe, 00000006.00000000.2130246115.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://ariadna.elmundo.es/
Source: explorer.exe, 00000006.00000000.2130246115.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://ariadna.elmundo.es/favicon.ico
Source: explorer.exe, 00000006.00000000.2130246115.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://arianna.libero.it/
Source: explorer.exe, 00000006.00000000.2130246115.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://arianna.libero.it/favicon.ico
Source: explorer.exe, 00000006.00000000.2130246115.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://asp.usatoday.com/
Source: explorer.exe, 00000006.00000000.2130246115.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://asp.usatoday.com/favicon.ico
Source: explorer.exe, 00000006.00000000.2130246115.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://auone.jp/favicon.ico
Source: explorer.exe, 00000006.00000000.2129984121.000000000A330000.00000008.00000001.sdmp String found in binary or memory: http://auto.search.msn.com/response.asp?MT=
Source: explorer.exe, 00000006.00000000.2130246115.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://br.search.yahoo.com/
Source: explorer.exe, 00000006.00000000.2130246115.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://browse.guardian.co.uk/
Source: explorer.exe, 00000006.00000000.2130246115.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://browse.guardian.co.uk/favicon.ico
Source: explorer.exe, 00000006.00000000.2130246115.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://busca.buscape.com.br/
Source: explorer.exe, 00000006.00000000.2130246115.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://busca.buscape.com.br/favicon.ico
Source: explorer.exe, 00000006.00000000.2130246115.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://busca.estadao.com.br/favicon.ico
Source: explorer.exe, 00000006.00000000.2130246115.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://busca.igbusca.com.br/
Source: explorer.exe, 00000006.00000000.2130246115.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://busca.igbusca.com.br//app/static/images/favicon.ico
Source: explorer.exe, 00000006.00000000.2130246115.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://busca.orange.es/
Source: explorer.exe, 00000006.00000000.2130246115.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://busca.uol.com.br/
Source: explorer.exe, 00000006.00000000.2130246115.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://busca.uol.com.br/favicon.ico
Source: explorer.exe, 00000006.00000000.2130246115.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://buscador.lycos.es/
Source: explorer.exe, 00000006.00000000.2130246115.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://buscador.terra.com.br/
Source: explorer.exe, 00000006.00000000.2130246115.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://buscador.terra.com/
Source: explorer.exe, 00000006.00000000.2130246115.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://buscador.terra.com/favicon.ico
Source: explorer.exe, 00000006.00000000.2130246115.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://buscador.terra.es/
Source: explorer.exe, 00000006.00000000.2130246115.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://buscar.ozu.es/
Source: explorer.exe, 00000006.00000000.2130246115.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://buscar.ya.com/
Source: explorer.exe, 00000006.00000000.2130246115.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://busqueda.aol.com.mx/
Source: explorer.exe, 00000006.00000000.2130246115.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://cerca.lycos.it/
Source: explorer.exe, 00000006.00000000.2130246115.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://cgi.search.biglobe.ne.jp/
Source: explorer.exe, 00000006.00000000.2130246115.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://cgi.search.biglobe.ne.jp/favicon.ico
Source: explorer.exe, 00000006.00000000.2130246115.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://clients5.google.com/complete/search?hl=
Source: explorer.exe, 00000006.00000000.2130246115.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://cnet.search.com/
Source: explorer.exe, 00000006.00000000.2130246115.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://cnweb.search.live.com/results.aspx?q=
Source: explorer.exe, 00000006.00000000.2119295194.0000000004B50000.00000002.00000001.sdmp String found in binary or memory: http://computername/printers/printername/.printer
Source: explorer.exe, 00000006.00000000.2130246115.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://corp.naukri.com/
Source: explorer.exe, 00000006.00000000.2130246115.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://corp.naukri.com/favicon.ico
Source: 69577.exe, 00000004.00000002.2108823979.0000000000476000.00000004.00000020.sdmp String found in binary or memory: http://crl.comodoca.com/UTN-USERFirst-Hardware.crl06
Source: 69577.exe, 00000004.00000002.2108823979.0000000000476000.00000004.00000020.sdmp String found in binary or memory: http://crl.entrust.net/2048ca.crl0
Source: 69577.exe, 00000004.00000002.2108823979.0000000000476000.00000004.00000020.sdmp String found in binary or memory: http://crl.entrust.net/server1.crl0
Source: 69577.exe, 00000004.00000002.2108804558.000000000045F000.00000004.00000020.sdmp String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: 69577.exe, 00000004.00000002.2108823979.0000000000476000.00000004.00000020.sdmp String found in binary or memory: http://crl.pki.
Source: 69577.exe, 00000004.00000002.2111244695.0000000002268000.00000004.00000001.sdmp String found in binary or memory: http://crl.pki.goog/GTS1O1core.crl0
Source: 69577.exe, 00000004.00000002.2108823979.0000000000476000.00000004.00000020.sdmp String found in binary or memory: http://crl.pki.goog/gsr2/gsr2.crl0?
Source: 69577.exe, 00000004.00000002.2108823979.0000000000476000.00000004.00000020.sdmp String found in binary or memory: http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0
Source: 69577.exe, 00000004.00000002.2108823979.0000000000476000.00000004.00000020.sdmp String found in binary or memory: http://crl.pkioverheid.nl/DomOvLatestCRL.crl0
Source: explorer.exe, 00000006.00000000.2130246115.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://de.search.yahoo.com/
Source: explorer.exe, 00000006.00000000.2130246115.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://es.ask.com/
Source: explorer.exe, 00000006.00000000.2130246115.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://es.search.yahoo.com/
Source: explorer.exe, 00000006.00000000.2130246115.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://esearch.rakuten.co.jp/
Source: explorer.exe, 00000006.00000000.2130246115.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://espanol.search.yahoo.com/
Source: explorer.exe, 00000006.00000000.2130246115.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://espn.go.com/favicon.ico
Source: explorer.exe, 00000006.00000000.2130246115.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://find.joins.com/
Source: explorer.exe, 00000006.00000000.2130246115.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://fr.search.yahoo.com/
Source: explorer.exe, 00000006.00000000.2130246115.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://google.pchome.com.tw/
Source: explorer.exe, 00000006.00000000.2130246115.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://home.altervista.org/
Source: explorer.exe, 00000006.00000000.2130246115.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://home.altervista.org/favicon.ico
Source: explorer.exe, 00000006.00000000.2130246115.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://ie.search.yahoo.com/os?command=
Source: explorer.exe, 00000006.00000000.2130246115.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://ie8.ebay.com/open-search/output-xml.php?q=
Source: explorer.exe, 00000006.00000000.2130246115.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://image.excite.co.jp/jp/favicon/lep.ico
Source: explorer.exe, 00000006.00000000.2130246115.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://images.joins.com/ui_c/fvc_joins.ico
Source: explorer.exe, 00000006.00000000.2130246115.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://images.monster.com/favicon.ico
Source: explorer.exe, 00000006.00000000.2130246115.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://img.atlas.cz/favicon.ico
Source: explorer.exe, 00000006.00000000.2130246115.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://img.shopzilla.com/shopzilla/shopzilla.ico
Source: explorer.exe, 00000006.00000000.2130246115.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://in.search.yahoo.com/
Source: explorer.exe, 00000006.00000000.2117611941.0000000003C40000.00000002.00000001.sdmp String found in binary or memory: http://investor.msn.com
Source: explorer.exe, 00000006.00000000.2117611941.0000000003C40000.00000002.00000001.sdmp String found in binary or memory: http://investor.msn.com/
Source: explorer.exe, 00000006.00000000.2130246115.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://it.search.dada.net/
Source: explorer.exe, 00000006.00000000.2130246115.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://it.search.dada.net/favicon.ico
Source: explorer.exe, 00000006.00000000.2130246115.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://it.search.yahoo.com/
Source: explorer.exe, 00000006.00000000.2130246115.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://jobsearch.monster.com/
Source: explorer.exe, 00000006.00000000.2130246115.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://kr.search.yahoo.com/
Source: explorer.exe, 00000006.00000000.2130246115.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://list.taobao.com/
Source: explorer.exe, 00000006.00000000.2130246115.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://list.taobao.com/browse/search_visual.htm?n=15&amp;q=
Source: explorer.exe, 00000006.00000000.2117989946.0000000003E27000.00000002.00000001.sdmp String found in binary or memory: http://localizability/practices/XML.asp
Source: explorer.exe, 00000006.00000000.2117989946.0000000003E27000.00000002.00000001.sdmp String found in binary or memory: http://localizability/practices/XMLConfiguration.asp
Source: explorer.exe, 00000006.00000000.2130246115.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://mail.live.com/
Source: explorer.exe, 00000006.00000000.2130246115.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://mail.live.com/?rru=compose%3Fsubject%3D
Source: explorer.exe, 00000006.00000000.2130246115.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://msk.afisha.ru/
Source: 69577.exe, 00000004.00000002.2113865385.000000000536D000.00000004.00000001.sdmp String found in binary or memory: http://ns.ao
Source: explorer.exe, 00000006.00000000.2130246115.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://ocnsearch.goo.ne.jp/
Source: 69577.exe, 00000004.00000002.2108823979.0000000000476000.00000004.00000020.sdmp String found in binary or memory: http://ocsp.comodoca.com0
Source: 69577.exe, 00000004.00000002.2108823979.0000000000476000.00000004.00000020.sdmp String found in binary or memory: http://ocsp.comodoca.com0%
Source: 69577.exe, 00000004.00000002.2108823979.0000000000476000.00000004.00000020.sdmp String found in binary or memory: http://ocsp.comodoca.com0-
Source: 69577.exe, 00000004.00000002.2108823979.0000000000476000.00000004.00000020.sdmp String found in binary or memory: http://ocsp.comodoca.com0/
Source: 69577.exe, 00000004.00000002.2108823979.0000000000476000.00000004.00000020.sdmp String found in binary or memory: http://ocsp.comodoca.com05
Source: 69577.exe, 00000004.00000002.2108823979.0000000000476000.00000004.00000020.sdmp String found in binary or memory: http://ocsp.entrust.net03
Source: 69577.exe, 00000004.00000002.2108823979.0000000000476000.00000004.00000020.sdmp String found in binary or memory: http://ocsp.entrust.net0D
Source: 69577.exe, 00000004.00000002.2108823979.0000000000476000.00000004.00000020.sdmp String found in binary or memory: http://ocsp.pki.goog/gsr202
Source: 69577.exe, 00000004.00000002.2111244695.0000000002268000.00000004.00000001.sdmp String found in binary or memory: http://ocsp.pki.goog/gts1o1core0
Source: explorer.exe, 00000006.00000000.2130246115.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://openimage.interpark.com/interpark.ico
Source: explorer.exe, 00000006.00000000.2130246115.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://p.zhongsou.com/
Source: explorer.exe, 00000006.00000000.2130246115.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://p.zhongsou.com/favicon.ico
Source: 69577.exe, 00000004.00000002.2111244695.0000000002268000.00000004.00000001.sdmp String found in binary or memory: http://pki.goog/gsr2/GTS1O1.crt0
Source: explorer.exe, 00000006.00000000.2130246115.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://price.ru/
Source: explorer.exe, 00000006.00000000.2130246115.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://price.ru/favicon.ico
Source: explorer.exe, 00000006.00000000.2130246115.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://recherche.linternaute.com/
Source: explorer.exe, 00000006.00000000.2130246115.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://recherche.tf1.fr/
Source: explorer.exe, 00000006.00000000.2130246115.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://recherche.tf1.fr/favicon.ico
Source: explorer.exe, 00000006.00000000.2130246115.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://rover.ebay.com
Source: explorer.exe, 00000006.00000000.2130246115.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://ru.search.yahoo.com
Source: explorer.exe, 00000006.00000000.2130246115.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://sads.myspace.com/
Source: 69577.exe, 00000004.00000002.2111244695.0000000002268000.00000004.00000001.sdmp String found in binary or memory: http://schema.org/WebPage
Source: 69577.exe, 00000004.00000002.2114089575.00000000059C0000.00000002.00000001.sdmp, explorer.exe, 00000006.00000000.2112769729.0000000001C70000.00000002.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
Source: 69577.exe, 00000004.00000002.2111230551.0000000002241000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: explorer.exe, 00000006.00000000.2130246115.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search-dyn.tiscali.it/
Source: explorer.exe, 00000006.00000000.2130246115.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.about.com/
Source: explorer.exe, 00000006.00000000.2130246115.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.alice.it/
Source: explorer.exe, 00000006.00000000.2130246115.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.alice.it/favicon.ico
Source: explorer.exe, 00000006.00000000.2130246115.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.aol.co.uk/
Source: explorer.exe, 00000006.00000000.2130246115.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.aol.com/
Source: explorer.exe, 00000006.00000000.2130246115.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.aol.in/
Source: explorer.exe, 00000006.00000000.2130246115.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.atlas.cz/
Source: explorer.exe, 00000006.00000000.2130246115.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.auction.co.kr/
Source: explorer.exe, 00000006.00000000.2130246115.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.auone.jp/
Source: explorer.exe, 00000006.00000000.2130246115.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.books.com.tw/
Source: explorer.exe, 00000006.00000000.2130246115.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.books.com.tw/favicon.ico
Source: explorer.exe, 00000006.00000000.2130246115.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.centrum.cz/
Source: explorer.exe, 00000006.00000000.2130246115.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.centrum.cz/favicon.ico
Source: explorer.exe, 00000006.00000000.2130246115.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.chol.com/
Source: explorer.exe, 00000006.00000000.2130246115.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.chol.com/favicon.ico
Source: explorer.exe, 00000006.00000000.2130246115.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.cn.yahoo.com/
Source: explorer.exe, 00000006.00000000.2130246115.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.daum.net/
Source: explorer.exe, 00000006.00000000.2130246115.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.daum.net/favicon.ico
Source: explorer.exe, 00000006.00000000.2130246115.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.dreamwiz.com/
Source: explorer.exe, 00000006.00000000.2130246115.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.dreamwiz.com/favicon.ico
Source: explorer.exe, 00000006.00000000.2130246115.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.ebay.co.uk/
Source: explorer.exe, 00000006.00000000.2130246115.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.ebay.com/
Source: explorer.exe, 00000006.00000000.2130246115.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.ebay.com/favicon.ico
Source: explorer.exe, 00000006.00000000.2130246115.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.ebay.de/
Source: explorer.exe, 00000006.00000000.2130246115.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.ebay.es/
Source: explorer.exe, 00000006.00000000.2130246115.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.ebay.fr/
Source: explorer.exe, 00000006.00000000.2130246115.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.ebay.in/
Source: explorer.exe, 00000006.00000000.2130246115.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.ebay.it/
Source: explorer.exe, 00000006.00000000.2130246115.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.empas.com/
Source: explorer.exe, 00000006.00000000.2130246115.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.empas.com/favicon.ico
Source: explorer.exe, 00000006.00000000.2130246115.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.espn.go.com/
Source: explorer.exe, 00000006.00000000.2130246115.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.gamer.com.tw/
Source: explorer.exe, 00000006.00000000.2130246115.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.gamer.com.tw/favicon.ico
Source: explorer.exe, 00000006.00000000.2130246115.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.gismeteo.ru/
Source: explorer.exe, 00000006.00000000.2130246115.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.goo.ne.jp/
Source: explorer.exe, 00000006.00000000.2130246115.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.goo.ne.jp/favicon.ico
Source: explorer.exe, 00000006.00000000.2130246115.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.hanafos.com/
Source: explorer.exe, 00000006.00000000.2130246115.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.hanafos.com/favicon.ico
Source: explorer.exe, 00000006.00000000.2130246115.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.interpark.com/
Source: explorer.exe, 00000006.00000000.2130246115.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.ipop.co.kr/
Source: explorer.exe, 00000006.00000000.2130246115.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.ipop.co.kr/favicon.ico
Source: explorer.exe, 00000006.00000000.2130246115.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.live.com/results.aspx?FORM=IEFM1&amp;q=
Source: explorer.exe, 00000006.00000000.2130246115.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.live.com/results.aspx?FORM=SO2TDF&amp;q=
Source: explorer.exe, 00000006.00000000.2130246115.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.live.com/results.aspx?FORM=SOLTDF&amp;q=
Source: explorer.exe, 00000006.00000000.2130246115.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.live.com/results.aspx?q=
Source: explorer.exe, 00000006.00000000.2130246115.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.livedoor.com/
Source: explorer.exe, 00000006.00000000.2130246115.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.livedoor.com/favicon.ico
Source: explorer.exe, 00000006.00000000.2130246115.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.lycos.co.uk/
Source: explorer.exe, 00000006.00000000.2130246115.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.lycos.com/
Source: explorer.exe, 00000006.00000000.2130246115.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.lycos.com/favicon.ico
Source: explorer.exe, 00000006.00000000.2130246115.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.msn.co.jp/results.aspx?q=
Source: explorer.exe, 00000006.00000000.2130246115.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.msn.co.uk/results.aspx?q=
Source: explorer.exe, 00000006.00000000.2130246115.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.msn.com.cn/results.aspx?q=
Source: explorer.exe, 00000006.00000000.2130246115.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.msn.com/results.aspx?q=
Source: explorer.exe, 00000006.00000000.2130246115.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.nate.com/
Source: explorer.exe, 00000006.00000000.2130246115.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.naver.com/
Source: explorer.exe, 00000006.00000000.2130246115.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.naver.com/favicon.ico
Source: explorer.exe, 00000006.00000000.2130246115.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.nifty.com/
Source: explorer.exe, 00000006.00000000.2130246115.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.orange.co.uk/
Source: explorer.exe, 00000006.00000000.2130246115.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.orange.co.uk/favicon.ico
Source: explorer.exe, 00000006.00000000.2130246115.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.rediff.com/
Source: explorer.exe, 00000006.00000000.2130246115.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.rediff.com/favicon.ico
Source: explorer.exe, 00000006.00000000.2130246115.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.seznam.cz/
Source: explorer.exe, 00000006.00000000.2130246115.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.seznam.cz/favicon.ico
Source: explorer.exe, 00000006.00000000.2130246115.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.sify.com/
Source: explorer.exe, 00000006.00000000.2130246115.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.yahoo.co.jp
Source: explorer.exe, 00000006.00000000.2130246115.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.yahoo.co.jp/favicon.ico
Source: explorer.exe, 00000006.00000000.2130246115.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.yahoo.com/
Source: explorer.exe, 00000006.00000000.2130246115.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.yahoo.com/favicon.ico
Source: explorer.exe, 00000006.00000000.2130246115.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.yahooapis.jp/AssistSearchService/V2/webassistSearch?output=iejson&amp;p=
Source: explorer.exe, 00000006.00000000.2130246115.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.yam.com/
Source: explorer.exe, 00000006.00000000.2130246115.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search1.taobao.com/
Source: explorer.exe, 00000006.00000000.2130246115.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search2.estadao.com.br/
Source: explorer.exe, 00000006.00000000.2130246115.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://searchresults.news.com.au/
Source: explorer.exe, 00000006.00000000.2119866665.0000000004F30000.00000002.00000001.sdmp String found in binary or memory: http://servername/isapibackend.dll
Source: explorer.exe, 00000006.00000000.2130246115.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://service2.bfast.com/
Source: explorer.exe, 00000006.00000000.2117989946.0000000003E27000.00000002.00000001.sdmp String found in binary or memory: http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check
Source: explorer.exe, 00000006.00000000.2130246115.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://sitesearch.timesonline.co.uk/
Source: explorer.exe, 00000006.00000000.2130246115.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://so-net.search.goo.ne.jp/
Source: explorer.exe, 00000006.00000000.2118839472.0000000004297000.00000004.00000001.sdmp String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-eus/sc/2b/a5ea21.ico
Source: explorer.exe, 00000006.00000000.2117422118.00000000039F4000.00000004.00000001.sdmp String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-eus/sc/2b/a5ea21.icoz
Source: explorer.exe, 00000006.00000000.2117422118.00000000039F4000.00000004.00000001.sdmp String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/2b/a5ea21.ico
Source: explorer.exe, 00000006.00000000.2130246115.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://suche.aol.de/
Source: explorer.exe, 00000006.00000000.2130246115.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://suche.freenet.de/
Source: explorer.exe, 00000006.00000000.2130246115.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://suche.freenet.de/favicon.ico
Source: explorer.exe, 00000006.00000000.2130246115.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://suche.lycos.de/
Source: explorer.exe, 00000006.00000000.2130246115.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://suche.t-online.de/
Source: explorer.exe, 00000006.00000000.2130246115.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://suche.web.de/
Source: explorer.exe, 00000006.00000000.2130246115.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://suche.web.de/favicon.ico
Source: explorer.exe, 00000006.00000000.2129984121.000000000A330000.00000008.00000001.sdmp String found in binary or memory: http://treyresearch.net
Source: explorer.exe, 00000006.00000000.2130246115.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://tw.search.yahoo.com/
Source: explorer.exe, 00000006.00000000.2130246115.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://udn.com/
Source: explorer.exe, 00000006.00000000.2130246115.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://udn.com/favicon.ico
Source: explorer.exe, 00000006.00000000.2130246115.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://uk.ask.com/
Source: explorer.exe, 00000006.00000000.2130246115.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://uk.ask.com/favicon.ico
Source: explorer.exe, 00000006.00000000.2130246115.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://uk.search.yahoo.com/
Source: explorer.exe, 00000006.00000000.2130246115.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://vachercher.lycos.fr/
Source: explorer.exe, 00000006.00000000.2130246115.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://video.globo.com/
Source: explorer.exe, 00000006.00000000.2130246115.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://video.globo.com/favicon.ico
Source: explorer.exe, 00000006.00000000.2130246115.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://web.ask.com/
Source: explorer.exe, 00000006.00000000.2119295194.0000000004B50000.00000002.00000001.sdmp String found in binary or memory: http://wellformedweb.org/CommentAPI/
Source: explorer.exe, 00000006.00000000.2117989946.0000000003E27000.00000002.00000001.sdmp String found in binary or memory: http://windowsmedia.com/redir/services.asp?WMPFriendly=true
Source: explorer.exe, 00000006.00000000.2129984121.000000000A330000.00000008.00000001.sdmp String found in binary or memory: http://www.%s.com
Source: 69577.exe, 00000004.00000002.2114089575.00000000059C0000.00000002.00000001.sdmp, explorer.exe, 00000006.00000000.2112769729.0000000001C70000.00000002.00000001.sdmp String found in binary or memory: http://www.%s.comPA
Source: explorer.exe, 00000006.00000000.2130246115.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.abril.com.br/
Source: explorer.exe, 00000006.00000000.2130246115.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.abril.com.br/favicon.ico
Source: explorer.exe, 00000006.00000000.2130246115.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.afisha.ru/App_Themes/Default/images/favicon.ico
Source: explorer.exe, 00000006.00000000.2130246115.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.alarabiya.net/
Source: explorer.exe, 00000006.00000000.2130246115.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.alarabiya.net/favicon.ico
Source: explorer.exe, 00000006.00000000.2130246115.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.amazon.co.jp/
Source: explorer.exe, 00000006.00000000.2130246115.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.amazon.co.uk/
Source: explorer.exe, 00000006.00000000.2130246115.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.amazon.com/exec/obidos/external-search/104-2981279-3455918?index=blended&amp;keyword=
Source: explorer.exe, 00000006.00000000.2130246115.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.amazon.com/favicon.ico
Source: explorer.exe, 00000006.00000000.2130246115.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.amazon.com/gp/search?ie=UTF8&amp;tag=ie8search-20&amp;index=blended&amp;linkCode=qs&amp;c
Source: explorer.exe, 00000006.00000000.2130246115.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.amazon.de/
Source: explorer.exe, 00000006.00000000.2130246115.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.aol.com/favicon.ico
Source: explorer.exe, 00000006.00000000.2130246115.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.arrakis.com/
Source: explorer.exe, 00000006.00000000.2130246115.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.arrakis.com/favicon.ico
Source: explorer.exe, 00000006.00000000.2130246115.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.asharqalawsat.com/
Source: explorer.exe, 00000006.00000000.2130246115.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.asharqalawsat.com/favicon.ico
Source: explorer.exe, 00000006.00000000.2130246115.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.ask.com/
Source: explorer.exe, 00000006.00000000.2130246115.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.auction.co.kr/auction.ico
Source: explorer.exe, 00000006.00000000.2130246115.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.baidu.com/
Source: explorer.exe, 00000006.00000000.2130246115.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.baidu.com/favicon.ico
Source: explorer.exe, 00000006.00000000.2130246115.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.cdiscount.com/
Source: explorer.exe, 00000006.00000000.2130246115.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.cdiscount.com/favicon.ico
Source: explorer.exe, 00000006.00000000.2130246115.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.ceneo.pl/
Source: explorer.exe, 00000006.00000000.2130246115.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.ceneo.pl/favicon.ico
Source: explorer.exe, 00000006.00000000.2130246115.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.chennaionline.com/ncommon/images/collogo.ico
Source: explorer.exe, 00000006.00000000.2130246115.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.cjmall.com/
Source: explorer.exe, 00000006.00000000.2130246115.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.cjmall.com/favicon.ico
Source: explorer.exe, 00000006.00000000.2130246115.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.clarin.com/favicon.ico
Source: explorer.exe, 00000006.00000000.2130246115.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.cnet.co.uk/
Source: explorer.exe, 00000006.00000000.2130246115.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.cnet.com/favicon.ico
Source: explorer.exe, 00000006.00000000.2130246115.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.dailymail.co.uk/
Source: explorer.exe, 00000006.00000000.2130246115.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.dailymail.co.uk/favicon.ico
Source: 69577.exe, 00000004.00000002.2108823979.0000000000476000.00000004.00000020.sdmp String found in binary or memory: http://www.digicert.com.my/cps.htm02
Source: 69577.exe, 00000004.00000002.2108823979.0000000000476000.00000004.00000020.sdmp String found in binary or memory: http://www.diginotar.nl/cps/pkioverheid0
Source: explorer.exe, 00000006.00000000.2130246115.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.etmall.com.tw/
Source: explorer.exe, 00000006.00000000.2130246115.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.etmall.com.tw/favicon.ico
Source: explorer.exe, 00000006.00000000.2130246115.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.excite.co.jp/
Source: explorer.exe, 00000006.00000000.2130246115.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.expedia.com/
Source: explorer.exe, 00000006.00000000.2130246115.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.expedia.com/favicon.ico
Source: explorer.exe, 00000006.00000000.2119295194.0000000004B50000.00000002.00000001.sdmp String found in binary or memory: http://www.expedia.com/pub/agent.dll?qscr=mcst&strt1=%1&city1=%2&stnm1=%4&zipc1=%3&cnty1=5?http://ww
Source: explorer.exe, 00000006.00000000.2130246115.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.gismeteo.ru/favicon.ico
Source: explorer.exe, 00000006.00000000.2130246115.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.gmarket.co.kr/
Source: explorer.exe, 00000006.00000000.2130246115.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.gmarket.co.kr/favicon.ico
Source: explorer.exe, 00000006.00000000.2130246115.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.google.co.in/
Source: explorer.exe, 00000006.00000000.2130246115.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.google.co.jp/
Source: explorer.exe, 00000006.00000000.2130246115.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.google.co.uk/
Source: explorer.exe, 00000006.00000000.2130246115.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.google.com.br/
Source: explorer.exe, 00000006.00000000.2130246115.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.google.com.sa/
Source: explorer.exe, 00000006.00000000.2130246115.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.google.com.tw/
Source: explorer.exe, 00000006.00000000.2130246115.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.google.com/
Source: explorer.exe, 00000006.00000000.2130246115.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.google.com/favicon.ico
Source: explorer.exe, 00000006.00000000.2130246115.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.google.cz/
Source: explorer.exe, 00000006.00000000.2130246115.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.google.de/
Source: explorer.exe, 00000006.00000000.2130246115.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.google.es/
Source: explorer.exe, 00000006.00000000.2130246115.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.google.fr/
Source: explorer.exe, 00000006.00000000.2130246115.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.google.it/
Source: explorer.exe, 00000006.00000000.2130246115.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.google.pl/
Source: explorer.exe, 00000006.00000000.2130246115.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.google.ru/
Source: explorer.exe, 00000006.00000000.2130246115.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.google.si/
Source: explorer.exe, 00000006.00000000.2117611941.0000000003C40000.00000002.00000001.sdmp String found in binary or memory: http://www.hotmail.com/oe
Source: explorer.exe, 00000006.00000000.2130246115.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.iask.com/
Source: explorer.exe, 00000006.00000000.2130246115.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.iask.com/favicon.ico
Source: explorer.exe, 00000006.00000000.2117989946.0000000003E27000.00000002.00000001.sdmp String found in binary or memory: http://www.icra.org/vocabulary/.
Source: explorer.exe, 00000006.00000000.2119295194.0000000004B50000.00000002.00000001.sdmp String found in binary or memory: http://www.iis.fhg.de/audioPA
Source: explorer.exe, 00000006.00000000.2130246115.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.kkbox.com.tw/
Source: explorer.exe, 00000006.00000000.2130246115.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.kkbox.com.tw/favicon.ico
Source: explorer.exe, 00000006.00000000.2130246115.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.linternaute.com/favicon.ico
Source: explorer.exe, 00000006.00000000.2130246115.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.maktoob.com/favicon.ico
Source: explorer.exe, 00000006.00000000.2130246115.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.mercadolibre.com.mx/
Source: explorer.exe, 00000006.00000000.2130246115.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.mercadolibre.com.mx/favicon.ico
Source: explorer.exe, 00000006.00000000.2130246115.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.mercadolivre.com.br/
Source: explorer.exe, 00000006.00000000.2130246115.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.mercadolivre.com.br/favicon.ico
Source: explorer.exe, 00000006.00000000.2130246115.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.merlin.com.pl/
Source: explorer.exe, 00000006.00000000.2130246115.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.merlin.com.pl/favicon.ico
Source: explorer.exe, 00000006.00000000.2130246115.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.microsofttranslator.com/?ref=IE8Activity
Source: explorer.exe, 00000006.00000000.2130246115.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.microsofttranslator.com/BV.aspx?ref=IE8Activity&amp;a=
Source: explorer.exe, 00000006.00000000.2130246115.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.microsofttranslator.com/BVPrev.aspx?ref=IE8Activity
Source: explorer.exe, 00000006.00000000.2130246115.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.microsofttranslator.com/Default.aspx?ref=IE8Activity
Source: explorer.exe, 00000006.00000000.2130246115.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.microsofttranslator.com/DefaultPrev.aspx?ref=IE8Activity
Source: explorer.exe, 00000006.00000000.2117422118.00000000039F4000.00000004.00000001.sdmp String found in binary or memory: http://www.msn.com/?ocid=iehp
Source: explorer.exe, 00000006.00000000.2117422118.00000000039F4000.00000004.00000001.sdmp String found in binary or memory: http://www.msn.com/de-de/?ocid=iehp
Source: explorer.exe, 00000006.00000000.2117422118.00000000039F4000.00000004.00000001.sdmp String found in binary or memory: http://www.msn.com/de-de/?ocid=iehpXm
Source: explorer.exe, 00000006.00000000.2117611941.0000000003C40000.00000002.00000001.sdmp String found in binary or memory: http://www.msnbc.com/news/ticker.txt
Source: explorer.exe, 00000006.00000000.2130246115.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.mtv.com/
Source: explorer.exe, 00000006.00000000.2130246115.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.mtv.com/favicon.ico
Source: explorer.exe, 00000006.00000000.2130246115.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.myspace.com/favicon.ico
Source: explorer.exe, 00000006.00000000.2130246115.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.najdi.si/
Source: explorer.exe, 00000006.00000000.2130246115.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.najdi.si/favicon.ico
Source: explorer.exe, 00000006.00000000.2130246115.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.nate.com/favicon.ico
Source: explorer.exe, 00000006.00000000.2130246115.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.neckermann.de/
Source: explorer.exe, 00000006.00000000.2130246115.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.neckermann.de/favicon.ico
Source: explorer.exe, 00000006.00000000.2130246115.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.news.com.au/favicon.ico
Source: explorer.exe, 00000006.00000000.2130246115.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.nifty.com/favicon.ico
Source: explorer.exe, 00000006.00000000.2130246115.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.ocn.ne.jp/favicon.ico
Source: explorer.exe, 00000006.00000000.2130246115.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.orange.fr/
Source: explorer.exe, 00000006.00000000.2130246115.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.otto.de/favicon.ico
Source: explorer.exe, 00000006.00000000.2130246115.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.ozon.ru/
Source: explorer.exe, 00000006.00000000.2130246115.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.ozon.ru/favicon.ico
Source: explorer.exe, 00000006.00000000.2130246115.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.ozu.es/favicon.ico
Source: explorer.exe, 00000006.00000000.2130246115.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.paginasamarillas.es/
Source: explorer.exe, 00000006.00000000.2130246115.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.paginasamarillas.es/favicon.ico
Source: explorer.exe, 00000006.00000000.2130246115.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.pchome.com.tw/favicon.ico
Source: explorer.exe, 00000006.00000000.2117422118.00000000039F4000.00000004.00000001.sdmp String found in binary or memory: http://www.piriform.com/ccleaner
Source: explorer.exe, 00000006.00000000.2126009473.000000000861C000.00000004.00000001.sdmp String found in binary or memory: http://www.piriform.com/ccleanerhttp://www.piriform.com/ccleanerv
Source: explorer.exe, 00000006.00000000.2130246115.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.priceminister.com/
Source: explorer.exe, 00000006.00000000.2130246115.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.priceminister.com/favicon.ico
Source: explorer.exe, 00000006.00000000.2130246115.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.rakuten.co.jp/favicon.ico
Source: explorer.exe, 00000006.00000000.2130246115.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.rambler.ru/
Source: explorer.exe, 00000006.00000000.2130246115.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.rambler.ru/favicon.ico
Source: explorer.exe, 00000006.00000000.2130246115.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.recherche.aol.fr/
Source: explorer.exe, 00000006.00000000.2130246115.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.rtl.de/
Source: explorer.exe, 00000006.00000000.2130246115.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.rtl.de/favicon.ico
Source: explorer.exe, 00000006.00000000.2130246115.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.servicios.clarin.com/
Source: explorer.exe, 00000006.00000000.2130246115.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.shopzilla.com/
Source: explorer.exe, 00000006.00000000.2130246115.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.sify.com/favicon.ico
Source: explorer.exe, 00000006.00000000.2130246115.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.so-net.ne.jp/share/favicon.ico
Source: explorer.exe, 00000006.00000000.2130246115.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.sogou.com/
Source: explorer.exe, 00000006.00000000.2130246115.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.sogou.com/favicon.ico
Source: explorer.exe, 00000006.00000000.2130246115.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.soso.com/
Source: explorer.exe, 00000006.00000000.2130246115.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.soso.com/favicon.ico
Source: explorer.exe, 00000006.00000000.2130246115.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.t-online.de/favicon.ico
Source: explorer.exe, 00000006.00000000.2130246115.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.taobao.com/
Source: explorer.exe, 00000006.00000000.2130246115.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.taobao.com/favicon.ico
Source: explorer.exe, 00000006.00000000.2130246115.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.target.com/
Source: explorer.exe, 00000006.00000000.2130246115.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.target.com/favicon.ico
Source: explorer.exe, 00000006.00000000.2130246115.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.tchibo.de/
Source: explorer.exe, 00000006.00000000.2130246115.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.tchibo.de/favicon.ico
Source: explorer.exe, 00000006.00000000.2130246115.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.tesco.com/
Source: explorer.exe, 00000006.00000000.2130246115.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.tesco.com/favicon.ico
Source: explorer.exe, 00000006.00000000.2130246115.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.timesonline.co.uk/img/favicon.ico
Source: explorer.exe, 00000006.00000000.2130246115.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.tiscali.it/favicon.ico
Source: explorer.exe, 00000006.00000000.2130246115.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.univision.com/
Source: explorer.exe, 00000006.00000000.2130246115.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.univision.com/favicon.ico
Source: explorer.exe, 00000006.00000000.2130246115.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.walmart.com/
Source: explorer.exe, 00000006.00000000.2130246115.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.walmart.com/favicon.ico
Source: explorer.exe, 00000006.00000000.2117611941.0000000003C40000.00000002.00000001.sdmp String found in binary or memory: http://www.windows.com/pctv.
Source: explorer.exe, 00000006.00000000.2130246115.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.ya.com/favicon.ico
Source: explorer.exe, 00000006.00000000.2130246115.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.yam.com/favicon.ico
Source: explorer.exe, 00000006.00000000.2130246115.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www3.fnac.com/
Source: explorer.exe, 00000006.00000000.2130246115.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www3.fnac.com/favicon.ico
Source: explorer.exe, 00000006.00000000.2130246115.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://xml-us.amznxslt.com/onca/xml?Service=AWSECommerceService&amp;Version=2008-06-26&amp;Operation
Source: explorer.exe, 00000006.00000000.2130246115.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://z.about.com/m/a08.ico
Source: explorer.exe, 00000006.00000000.2118547561.00000000041AD000.00000004.00000001.sdmp String found in binary or memory: https://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBSKZM1Y&prvid=77%2
Source: explorer.exe, 00000006.00000000.2126009473.000000000861C000.00000004.00000001.sdmp String found in binary or memory: https://contextual.media.net/medianet.php?cid=8CUT39MWR&crid=715624197&size=306x271&https=1
Source: explorer.exe, 00000006.00000000.2125582334.0000000008471000.00000004.00000001.sdmp String found in binary or memory: https://contextual.media.net/medianet.php?cid=8CUT39MWR&crid=715624197&size=306x271&https=1LMEM
Source: 69577.exe, 00000004.00000002.2108823979.0000000000476000.00000004.00000020.sdmp String found in binary or memory: https://pki.goog/repository/0
Source: 69577.exe, 00000004.00000002.2108823979.0000000000476000.00000004.00000020.sdmp String found in binary or memory: https://secure.comodo.com/CPS0
Source: 69577.exe, 00000004.00000002.2111230551.0000000002241000.00000004.00000001.sdmp String found in binary or memory: https://www.google.com
Source: 69577.exe, 00000004.00000002.2111230551.0000000002241000.00000004.00000001.sdmp String found in binary or memory: https://www.google.com(
Source: 69577.exe, 00000004.00000002.2111230551.0000000002241000.00000004.00000001.sdmp String found in binary or memory: https://www.google.com/

E-Banking Fraud:

barindex
Yara detected FormBook
Source: Yara match File source: 00000005.00000002.2140353140.0000000000081000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.2140526407.00000000004D0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.2360758305.00000000000D0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.2112664832.0000000003B66000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.2112815271.0000000003CD3000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.2140472679.0000000000310000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 5.2.AddInProcess32.exe.80000.0.unpack, type: UNPACKEDPE

System Summary:

barindex
Malicious sample detected (through community Yara rule)
Source: 00000005.00000002.2140353140.0000000000081000.00000020.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000002.2140353140.0000000000081000.00000020.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000005.00000002.2140526407.00000000004D0000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000002.2140526407.00000000004D0000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000007.00000002.2360758305.00000000000D0000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000007.00000002.2360758305.00000000000D0000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000004.00000002.2112664832.0000000003B66000.00000004.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000004.00000002.2112664832.0000000003B66000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000004.00000002.2112815271.0000000003CD3000.00000004.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000004.00000002.2112815271.0000000003CD3000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000005.00000002.2140472679.0000000000310000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000002.2140472679.0000000000310000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 5.2.AddInProcess32.exe.80000.0.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 5.2.AddInProcess32.exe.80000.0.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Office equation editor drops PE file
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\Public\69577.exe Jump to dropped file
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\IMG-50230[1].pdf Jump to dropped file
Abnormal high CPU Usage
Source: C:\Windows\SysWOW64\rundll32.exe Process Stats: CPU usage > 98%
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Source: C:\Users\Public\69577.exe Memory allocated: 76E20000 page execute and read and write Jump to behavior
Source: C:\Users\Public\69577.exe Memory allocated: 76D20000 page execute and read and write Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Memory allocated: 76E20000 page execute and read and write Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Memory allocated: 76D20000 page execute and read and write Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory allocated: 76E20000 page execute and read and write Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory allocated: 76D20000 page execute and read and write Jump to behavior
Contains functionality to call native functions
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 5_2_0009A070 NtClose, 5_2_0009A070
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 5_2_0009A120 NtAllocateVirtualMemory, 5_2_0009A120
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 5_2_00099F40 NtCreateFile, 5_2_00099F40
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 5_2_00099FF0 NtReadFile, 5_2_00099FF0
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 5_2_0009A06C NtClose, 5_2_0009A06C
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 5_2_0009A11C NtAllocateVirtualMemory, 5_2_0009A11C
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 5_2_00099F3B NtCreateFile, 5_2_00099F3B
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 5_2_00099FEA NtReadFile, 5_2_00099FEA
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 5_2_008400C4 NtCreateFile,LdrInitializeThunk, 5_2_008400C4
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 5_2_00840048 NtProtectVirtualMemory,LdrInitializeThunk, 5_2_00840048
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 5_2_00840078 NtResumeThread,LdrInitializeThunk, 5_2_00840078
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 5_2_0083F9F0 NtClose,LdrInitializeThunk, 5_2_0083F9F0
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 5_2_0083F900 NtReadFile,LdrInitializeThunk, 5_2_0083F900
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 5_2_0083FAD0 NtAllocateVirtualMemory,LdrInitializeThunk, 5_2_0083FAD0
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 5_2_0083FAE8 NtQueryInformationProcess,LdrInitializeThunk, 5_2_0083FAE8
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 5_2_0083FBB8 NtQueryInformationToken,LdrInitializeThunk, 5_2_0083FBB8
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 5_2_0083FB68 NtFreeVirtualMemory,LdrInitializeThunk, 5_2_0083FB68
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 5_2_0083FC90 NtUnmapViewOfSection,LdrInitializeThunk, 5_2_0083FC90
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 5_2_0083FC60 NtMapViewOfSection,LdrInitializeThunk, 5_2_0083FC60
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 5_2_0083FD8C NtDelayExecution,LdrInitializeThunk, 5_2_0083FD8C
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 5_2_0083FDC0 NtQuerySystemInformation,LdrInitializeThunk, 5_2_0083FDC0
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 5_2_0083FEA0 NtReadVirtualMemory,LdrInitializeThunk, 5_2_0083FEA0
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 5_2_0083FED0 NtAdjustPrivilegesToken,LdrInitializeThunk, 5_2_0083FED0
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 5_2_0083FFB4 NtCreateSection,LdrInitializeThunk, 5_2_0083FFB4
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 5_2_008410D0 NtOpenProcessToken, 5_2_008410D0
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 5_2_00840060 NtQuerySection, 5_2_00840060
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 5_2_008401D4 NtSetValueKey, 5_2_008401D4
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 5_2_0084010C NtOpenDirectoryObject, 5_2_0084010C
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 5_2_00841148 NtOpenThread, 5_2_00841148
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 5_2_008407AC NtCreateMutant, 5_2_008407AC
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 5_2_0083F8CC NtWaitForSingleObject, 5_2_0083F8CC
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 5_2_00841930 NtSetContextThread, 5_2_00841930
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 5_2_0083F938 NtWriteFile, 5_2_0083F938
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 5_2_0083FAB8 NtQueryValueKey, 5_2_0083FAB8
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 5_2_0083FA20 NtQueryInformationFile, 5_2_0083FA20
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 5_2_0083FA50 NtEnumerateValueKey, 5_2_0083FA50
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 5_2_0083FBE8 NtQueryVirtualMemory, 5_2_0083FBE8
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 5_2_0083FB50 NtCreateKey, 5_2_0083FB50
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 5_2_0083FC30 NtOpenProcess, 5_2_0083FC30
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 5_2_00840C40 NtGetContextThread, 5_2_00840C40
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 5_2_0083FC48 NtSetInformationFile, 5_2_0083FC48
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 5_2_00841D80 NtSuspendThread, 5_2_00841D80
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 5_2_0083FD5C NtEnumerateKey, 5_2_0083FD5C
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 5_2_0083FE24 NtWriteVirtualMemory, 5_2_0083FE24
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 5_2_0083FFFC NtCreateProcessEx, 5_2_0083FFFC
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 5_2_0083FF34 NtQueueApcThread, 5_2_0083FF34
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_026500C4 NtCreateFile,LdrInitializeThunk, 7_2_026500C4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_026507AC NtCreateMutant,LdrInitializeThunk, 7_2_026507AC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_0264FAE8 NtQueryInformationProcess,LdrInitializeThunk, 7_2_0264FAE8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_0264FAD0 NtAllocateVirtualMemory,LdrInitializeThunk, 7_2_0264FAD0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_0264FB68 NtFreeVirtualMemory,LdrInitializeThunk, 7_2_0264FB68
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_0264F900 NtReadFile,LdrInitializeThunk, 7_2_0264F900
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_0264F9F0 NtClose,LdrInitializeThunk, 7_2_0264F9F0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_0264FED0 NtAdjustPrivilegesToken,LdrInitializeThunk, 7_2_0264FED0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_0264FDC0 NtQuerySystemInformation,LdrInitializeThunk, 7_2_0264FDC0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_02650060 NtQuerySection, 7_2_02650060
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_02650078 NtResumeThread, 7_2_02650078
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_02650048 NtProtectVirtualMemory, 7_2_02650048
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_026510D0 NtOpenProcessToken, 7_2_026510D0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_02651148 NtOpenThread, 7_2_02651148
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_0265010C NtOpenDirectoryObject, 7_2_0265010C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_026501D4 NtSetValueKey, 7_2_026501D4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_0264FA50 NtEnumerateValueKey, 7_2_0264FA50
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_0264FA20 NtQueryInformationFile, 7_2_0264FA20
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_0264FAB8 NtQueryValueKey, 7_2_0264FAB8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_0264FB50 NtCreateKey, 7_2_0264FB50
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_0264FBE8 NtQueryVirtualMemory, 7_2_0264FBE8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_0264FBB8 NtQueryInformationToken, 7_2_0264FBB8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_0264F8CC NtWaitForSingleObject, 7_2_0264F8CC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_02651930 NtSetContextThread, 7_2_02651930
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_0264F938 NtWriteFile, 7_2_0264F938
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_0264FE24 NtWriteVirtualMemory, 7_2_0264FE24
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_0264FEA0 NtReadVirtualMemory, 7_2_0264FEA0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_0264FF34 NtQueueApcThread, 7_2_0264FF34
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_0264FFFC NtCreateProcessEx, 7_2_0264FFFC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_0264FFB4 NtCreateSection, 7_2_0264FFB4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_0264FC60 NtMapViewOfSection, 7_2_0264FC60
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_02650C40 NtGetContextThread, 7_2_02650C40
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_0264FC48 NtSetInformationFile, 7_2_0264FC48
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_0264FC30 NtOpenProcess, 7_2_0264FC30
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_0264FC90 NtUnmapViewOfSection, 7_2_0264FC90
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_0264FD5C NtEnumerateKey, 7_2_0264FD5C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_02651D80 NtSuspendThread, 7_2_02651D80
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_0264FD8C NtDelayExecution, 7_2_0264FD8C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_000EA070 NtClose, 7_2_000EA070
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_000EA120 NtAllocateVirtualMemory, 7_2_000EA120
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_000E9F40 NtCreateFile, 7_2_000E9F40
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_000E9FF0 NtReadFile, 7_2_000E9FF0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_000EA06C NtClose, 7_2_000EA06C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_000EA11C NtAllocateVirtualMemory, 7_2_000EA11C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_000E9F3B NtCreateFile, 7_2_000E9F3B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_000E9FEA NtReadFile, 7_2_000E9FEA
Contains functionality to launch a process as a different user
Source: C:\Users\Public\69577.exe Code function: 4_2_01FD11E0 CreateProcessAsUserW, 4_2_01FD11E0
Detected potential crypto function
Source: C:\Users\Public\69577.exe Code function: 4_2_01FD200A 4_2_01FD200A
Source: C:\Users\Public\69577.exe Code function: 4_2_01FC63AB 4_2_01FC63AB
Source: C:\Users\Public\69577.exe Code function: 4_2_01FC48A2 4_2_01FC48A2
Source: C:\Users\Public\69577.exe Code function: 4_2_003AB010 4_2_003AB010
Source: C:\Users\Public\69577.exe Code function: 4_2_003AA810 4_2_003AA810
Source: C:\Users\Public\69577.exe Code function: 4_2_003AE8F0 4_2_003AE8F0
Source: C:\Users\Public\69577.exe Code function: 4_2_003A04E8 4_2_003A04E8
Source: C:\Users\Public\69577.exe Code function: 4_2_003A7500 4_2_003A7500
Source: C:\Users\Public\69577.exe Code function: 4_2_003A5DD2 4_2_003A5DD2
Source: C:\Users\Public\69577.exe Code function: 4_2_003A52D8 4_2_003A52D8
Source: C:\Users\Public\69577.exe Code function: 4_2_003ABAC1 4_2_003ABAC1
Source: C:\Users\Public\69577.exe Code function: 4_2_003A8FC1 4_2_003A8FC1
Source: C:\Users\Public\69577.exe Code function: 4_2_003AF402 4_2_003AF402
Source: C:\Users\Public\69577.exe Code function: 4_2_003AB000 4_2_003AB000
Source: C:\Users\Public\69577.exe Code function: 4_2_003AE8EF 4_2_003AE8EF
Source: C:\Users\Public\69577.exe Code function: 4_2_003AE8E1 4_2_003AE8E1
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 5_2_00812050 5_2_00812050
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 5_2_0008102F 5_2_0008102F
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 5_2_00081030 5_2_00081030
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 5_2_0009E1CA 5_2_0009E1CA
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 5_2_0009D27D 5_2_0009D27D
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 5_2_00082D90 5_2_00082D90
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 5_2_00089E3C 5_2_00089E3C
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 5_2_00089E40 5_2_00089E40
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 5_2_00082FB0 5_2_00082FB0
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 5_2_0084E0C6 5_2_0084E0C6
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 5_2_0087D005 5_2_0087D005
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 5_2_00853040 5_2_00853040
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 5_2_0086905A 5_2_0086905A
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 5_2_008CD06D 5_2_008CD06D
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 5_2_0084E2E9 5_2_0084E2E9
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 5_2_008F1238 5_2_008F1238
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 5_2_008F63BF 5_2_008F63BF
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 5_2_0084F3CF 5_2_0084F3CF
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 5_2_008763DB 5_2_008763DB
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 5_2_00852305 5_2_00852305
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 5_2_00857353 5_2_00857353
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 5_2_0089A37B 5_2_0089A37B
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 5_2_00885485 5_2_00885485
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 5_2_00861489 5_2_00861489
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 5_2_008D443E 5_2_008D443E
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 5_2_0088D47D 5_2_0088D47D
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 5_2_0086C5F0 5_2_0086C5F0
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 5_2_0085351F 5_2_0085351F
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 5_2_00896540 5_2_00896540
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 5_2_00854680 5_2_00854680
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 5_2_0085E6C1 5_2_0085E6C1
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 5_2_008F2622 5_2_008F2622
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 5_2_0089A634 5_2_0089A634
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 5_2_008D579A 5_2_008D579A
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 5_2_0085C7BC 5_2_0085C7BC
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 5_2_008857C3 5_2_008857C3
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 5_2_008EF8EE 5_2_008EF8EE
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 5_2_0085C85C 5_2_0085C85C
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 5_2_0087286D 5_2_0087286D
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 5_2_008F098E 5_2_008F098E
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 5_2_008529B2 5_2_008529B2
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 5_2_008669FE 5_2_008669FE
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 5_2_008D394B 5_2_008D394B
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 5_2_008D5955 5_2_008D5955
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 5_2_00903A83 5_2_00903A83
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 5_2_008FCBA4 5_2_008FCBA4
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 5_2_0084FBD7 5_2_0084FBD7
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 5_2_008DDBDA 5_2_008DDBDA
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 5_2_00877B00 5_2_00877B00
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 5_2_008EFDDD 5_2_008EFDDD
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 5_2_00880D3B 5_2_00880D3B
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 5_2_0085CD5B 5_2_0085CD5B
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 5_2_00882E2F 5_2_00882E2F
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 5_2_0086EE4C 5_2_0086EE4C
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 5_2_008ECFB1 5_2_008ECFB1
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 5_2_008C2FDC 5_2_008C2FDC
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 5_2_00860F3F 5_2_00860F3F
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 5_2_0087DF7C 5_2_0087DF7C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_02701238 7_2_02701238
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_0265E2E9 7_2_0265E2E9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_026AA37B 7_2_026AA37B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_02667353 7_2_02667353
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_02662305 7_2_02662305
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_0265F3CF 7_2_0265F3CF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_026863DB 7_2_026863DB
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_027063BF 7_2_027063BF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_02663040 7_2_02663040
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_0267905A 7_2_0267905A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_0268D005 7_2_0268D005
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_0265E0C6 7_2_0265E0C6
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_02702622 7_2_02702622
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_026AA634 7_2_026AA634
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_0266E6C1 7_2_0266E6C1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_02664680 7_2_02664680
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_026957C3 7_2_026957C3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_0266C7BC 7_2_0266C7BC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_026E579A 7_2_026E579A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_0269D47D 7_2_0269D47D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_026E443E 7_2_026E443E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_02695485 7_2_02695485
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_02671489 7_2_02671489
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_026A6540 7_2_026A6540
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_0266351F 7_2_0266351F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_0267C5F0 7_2_0267C5F0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_02713A83 7_2_02713A83
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_02687B00 7_2_02687B00
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_0265FBD7 7_2_0265FBD7
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_026EDBDA 7_2_026EDBDA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_0270CBA4 7_2_0270CBA4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_0268286D 7_2_0268286D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_0266C85C 7_2_0266C85C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_026FF8EE 7_2_026FF8EE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_026E394B 7_2_026E394B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_026E5955 7_2_026E5955
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_026769FE 7_2_026769FE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_026629B2 7_2_026629B2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_0270098E 7_2_0270098E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_0267EE4C 7_2_0267EE4C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_02692E2F 7_2_02692E2F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_0268DF7C 7_2_0268DF7C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_02670F3F 7_2_02670F3F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_026D2FDC 7_2_026D2FDC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_026FCFB1 7_2_026FCFB1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_0266CD5B 7_2_0266CD5B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_02690D3B 7_2_02690D3B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_026FFDDD 7_2_026FFDDD
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_000EE1CA 7_2_000EE1CA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_000D2D90 7_2_000D2D90
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_000D9E3C 7_2_000D9E3C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_000D9E40 7_2_000D9E40
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_000D2FB0 7_2_000D2FB0
Dropped file seen in connection with other malware
Source: Joe Sandbox View Dropped File: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe 161BCBF5F7D766B70ACE9CDF7B3B250D256AB601720F09F4183A1FA4F92DCF54
Found potential string decryption / allocating functions
Source: C:\Windows\SysWOW64\rundll32.exe Code function: String function: 0265DF5C appears 119 times
Source: C:\Windows\SysWOW64\rundll32.exe Code function: String function: 0265E2A8 appears 38 times
Source: C:\Windows\SysWOW64\rundll32.exe Code function: String function: 026A3F92 appears 132 times
Source: C:\Windows\SysWOW64\rundll32.exe Code function: String function: 026A373B appears 245 times
Source: C:\Windows\SysWOW64\rundll32.exe Code function: String function: 026CF970 appears 84 times
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: String function: 0084DF5C appears 121 times
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: String function: 00893F92 appears 132 times
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: String function: 008BF970 appears 84 times
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: String function: 0089373B appears 245 times
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: String function: 0084E2A8 appears 38 times
Yara signature match
Source: 00000005.00000002.2140353140.0000000000081000.00000020.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000005.00000002.2140353140.0000000000081000.00000020.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000005.00000002.2140526407.00000000004D0000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000005.00000002.2140526407.00000000004D0000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000007.00000002.2360758305.00000000000D0000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000007.00000002.2360758305.00000000000D0000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000004.00000002.2112664832.0000000003B66000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000004.00000002.2112664832.0000000003B66000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000004.00000002.2112815271.0000000003CD3000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000004.00000002.2112815271.0000000003CD3000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000005.00000002.2140472679.0000000000310000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000005.00000002.2140472679.0000000000310000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 5.2.AddInProcess32.exe.80000.0.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 5.2.AddInProcess32.exe.80000.0.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: explorer.exe, 00000006.00000000.2117611941.0000000003C40000.00000002.00000001.sdmp Binary or memory string: .VBPud<_
Source: classification engine Classification label: mal100.troj.expl.evad.winDOC@9/13@4/2
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File created: C:\Users\user\Desktop\~$G-50230.doc Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File created: C:\Users\user\AppData\Local\Temp\CVRC467.tmp Jump to behavior
Source: C:\Users\Public\69577.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\7582400666d289c016013ad0f6e0e3e6\mscorlib.ni.dll Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File read: C:\Users\desktop.ini Jump to behavior
Source: C:\Users\Public\69577.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Users\Public\69577.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: unknown Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
Source: unknown Process created: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE 'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /Automation -Embedding
Source: unknown Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
Source: unknown Process created: C:\Users\Public\69577.exe C:\Users\Public\69577.exe
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe C:\Users\user\AppData\Local\Temp\AddInProcess32.exe
Source: unknown Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
Source: unknown Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\AppData\Local\Temp\AddInProcess32.exe'
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process created: C:\Users\Public\69577.exe C:\Users\Public\69577.exe Jump to behavior
Source: C:\Users\Public\69577.exe Process created: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\AppData\Local\Temp\AddInProcess32.exe' Jump to behavior
Source: C:\Windows\explorer.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{C90250F3-4D7D-4991-9B69-A5C5BC1C2AE6}\InProcServer32 Jump to behavior
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Users\Public\69577.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems Jump to behavior
Source: IMG-50230.doc Static file information: File size 1332844 > 1048576
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll Jump to behavior
Source: Binary string: AddInProcess32.pdb source: AddInProcess32.exe
Source: Binary string: wntdll.pdb source: AddInProcess32.exe, rundll32.exe
Source: Binary string: rundll32.pdb source: AddInProcess32.exe, 00000005.00000002.2140415734.00000000001C4000.00000004.00000020.sdmp

Data Obfuscation:

barindex
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\Public\69577.exe Code function: 4_2_00838556 push esi; ret 4_2_0083855C
Source: C:\Users\Public\69577.exe Code function: 4_2_01FC05E6 pushfd ; iretd 4_2_01FC0613
Source: C:\Users\Public\69577.exe Code function: 4_2_01FC4B71 push es; iretd 4_2_01FC5094
Source: C:\Users\Public\69577.exe Code function: 4_2_01FC4E9A push es; iretd 4_2_01FC5094
Source: C:\Users\Public\69577.exe Code function: 4_2_01FC0A2A push ds; ret 4_2_01FC0A51
Source: C:\Users\Public\69577.exe Code function: 4_2_003ACDF4 push ecx; retf 4_2_003ACDF5
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 5_2_00812050 push es; ret 5_2_0081250A
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 5_2_0009D095 push eax; ret 5_2_0009D0E8
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 5_2_0009D0EB push eax; ret 5_2_0009D152
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 5_2_0009D0E2 push eax; ret 5_2_0009D0E8
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 5_2_0009D90D push ebx; retf 5_2_0009D90F
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 5_2_0009D14C push eax; ret 5_2_0009D152
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 5_2_0009653F push cs; iretd 5_2_0009654E
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 5_2_0009771B push eax; retf 5_2_00097732
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 5_2_000967E9 push ebx; ret 5_2_000967F3
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 5_2_0084DFA1 push ecx; ret 5_2_0084DFB4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_0265DFA1 push ecx; ret 7_2_0265DFB4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_000ED095 push eax; ret 7_2_000ED0E8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_000ED0EB push eax; ret 7_2_000ED152
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_000ED0E2 push eax; ret 7_2_000ED0E8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_000ED14C push eax; ret 7_2_000ED152
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_000E653F push cs; iretd 7_2_000E654E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_000E771B push eax; retf 7_2_000E7732
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_000E67E9 push ebx; ret 7_2_000E67F3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_000ED90D push ebx; retf 7_2_000ED90F

Persistence and Installation Behavior:

barindex
Drops PE files
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\Public\69577.exe Jump to dropped file
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\IMG-50230[1].pdf Jump to dropped file
Source: C:\Users\Public\69577.exe File created: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Jump to dropped file
Drops PE files to the user directory
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\Public\69577.exe Jump to dropped file
Drops files with a non-matching file extension (content does not match file extension)
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\IMG-50230[1].pdf Jump to dropped file

Boot Survival:

barindex
Drops PE files to the user root directory
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\Public\69577.exe Jump to dropped file

Hooking and other Techniques for Hiding and Protection:

barindex
Hides that the sample has been downloaded from the Internet (zone.identifier)
Source: C:\Users\Public\69577.exe File opened: C:\Users\Public\69577.exe\:Zone.Identifier read attributes | delete Jump to behavior
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Source: C:\Users\Public\69577.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\69577.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\69577.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\69577.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\69577.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\69577.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\69577.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\69577.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\69577.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\69577.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\69577.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\69577.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\69577.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\69577.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\69577.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\69577.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\69577.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\69577.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\69577.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\69577.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\69577.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\69577.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\69577.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\69577.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\69577.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\69577.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\69577.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\69577.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\69577.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\69577.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\69577.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\69577.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\69577.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\69577.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\69577.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\69577.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\69577.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\69577.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\69577.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\69577.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\69577.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\69577.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\69577.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\69577.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\69577.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\69577.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\69577.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\69577.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\69577.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\69577.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\69577.exe Process information set: NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion:

barindex
Yara detected AntiVM_3
Source: Yara match File source: Process Memory Space: 69577.exe PID: 2536, type: MEMORY
Tries to detect virtualization through RDTSC time measurements
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe RDTSC instruction interceptor: First address: 00000000000898E4 second address: 00000000000898EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe RDTSC instruction interceptor: First address: 0000000000089B5E second address: 0000000000089B64 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\rundll32.exe RDTSC instruction interceptor: First address: 00000000000D98E4 second address: 00000000000D98EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\rundll32.exe RDTSC instruction interceptor: First address: 00000000000D9B5E second address: 00000000000D9B64 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 5_2_00089A90 rdtsc 5_2_00089A90
Contains long sleeps (>= 3 min)
Source: C:\Users\Public\69577.exe Thread delayed: delay time: 922337203685477 Jump to behavior
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 2332 Thread sleep time: -120000s >= -30000s Jump to behavior
Source: C:\Users\Public\69577.exe TID: 2372 Thread sleep time: -60000s >= -30000s Jump to behavior
Source: C:\Users\Public\69577.exe TID: 2728 Thread sleep time: -2767011611056431s >= -30000s Jump to behavior
Source: C:\Users\Public\69577.exe TID: 2696 Thread sleep count: 197 > 30 Jump to behavior
Source: 69577.exe, 00000004.00000002.2112502917.0000000003251000.00000004.00000001.sdmp Binary or memory string: VMware
Source: 69577.exe, 00000004.00000002.2112502917.0000000003251000.00000004.00000001.sdmp Binary or memory string: vmware svga
Source: explorer.exe, 00000006.00000002.2360960518.00000000001F5000.00000004.00000020.sdmp Binary or memory string: \\?\IDE#CdRomNECVMWar_VMware_SATA_CD01_______________1.00____#6&373888b8&0&1.0.0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000006.00000000.2118650241.0000000004234000.00000004.00000001.sdmp Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\5&22BE343F&0&000000
Source: explorer.exe, 00000006.00000000.2118741780.0000000004263000.00000004.00000001.sdmp Binary or memory string: \\?\ide#cdromnecvmwar_vmware_sata_cd01_______________1.00____#6&373888b8&0&1.0.0#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}ies
Source: 69577.exe, 00000004.00000002.2112502917.0000000003251000.00000004.00000001.sdmp Binary or memory string: vmware
Source: 69577.exe, 00000004.00000002.2112502917.0000000003251000.00000004.00000001.sdmp Binary or memory string: tpautoconnsvc#Microsoft Hyper-V
Source: 69577.exe, 00000004.00000002.2112502917.0000000003251000.00000004.00000001.sdmp Binary or memory string: cmd.txtQEMUqemu
Source: 69577.exe, 00000004.00000002.2112502917.0000000003251000.00000004.00000001.sdmp Binary or memory string: vmusrvc
Source: explorer.exe, 00000006.00000000.2118547561.00000000041AD000.00000004.00000001.sdmp Binary or memory string: IDE\CDROMNECVMWAR_VMWARE_SATA_CD01_______________1.00____\6&373888B8&0&1.0.0
Source: 69577.exe, 00000004.00000002.2112502917.0000000003251000.00000004.00000001.sdmp Binary or memory string: vmsrvc
Source: 69577.exe, 00000004.00000002.2112502917.0000000003251000.00000004.00000001.sdmp Binary or memory string: vmtools
Source: 69577.exe, 00000004.00000002.2112502917.0000000003251000.00000004.00000001.sdmp Binary or memory string: vmware sata5vmware usb pointing device-vmware vmci bus deviceCvmware virtual s scsi disk device
Source: 69577.exe, 00000004.00000002.2112502917.0000000003251000.00000004.00000001.sdmp Binary or memory string: vboxservicevbox)Microsoft Virtual PC
Source: 69577.exe, 00000004.00000002.2112502917.0000000003251000.00000004.00000001.sdmp Binary or memory string: virtual-vmware pointing device
Source: explorer.exe, 00000006.00000002.2361009876.0000000000231000.00000004.00000020.sdmp Binary or memory string: IDE\CDROMNECVMWAR_VMWARE_SATA_CD01_______________1.00____\6&373888B8&0&1.0.0&E}
Source: C:\Users\Public\69577.exe Process information queried: ProcessInformation Jump to behavior

Anti Debugging:

barindex
Checks if the current process is being debugged
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Process queried: DebugPort Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process queried: DebugPort Jump to behavior
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 5_2_00089A90 rdtsc 5_2_00089A90
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 5_2_0008ACD0 LdrLoadDll, 5_2_0008ACD0
Contains functionality to read the PEB
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 5_2_008526F8 mov eax, dword ptr fs:[00000030h] 5_2_008526F8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_026626F8 mov eax, dword ptr fs:[00000030h] 7_2_026626F8
Enables debug privileges
Source: C:\Users\Public\69577.exe Process token adjusted: Debug Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Process token adjusted: Debug Jump to behavior
Source: C:\Users\Public\69577.exe Memory allocated: page read and write | page guard Jump to behavior

HIPS / PFW / Operating System Protection Evasion:

barindex
Allocates memory in foreign processes
Source: C:\Users\Public\69577.exe Memory allocated: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe base: 80000 protect: page execute and read and write Jump to behavior
Injects a PE file into a foreign processes
Source: C:\Users\Public\69577.exe Memory written: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe base: 80000 value starts with: 4D5A Jump to behavior
Maps a DLL or memory area into another process
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Section loaded: unknown target: C:\Windows\SysWOW64\rundll32.exe protection: execute and read and write Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Section loaded: unknown target: C:\Windows\SysWOW64\rundll32.exe protection: execute and read and write Jump to behavior
Modifies the context of a thread in another process (thread injection)
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Thread register set: target process: 1388 Jump to behavior
Queues an APC in another process (thread injection)
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Thread APC queued: target process: C:\Windows\explorer.exe Jump to behavior
Sample uses process hollowing technique
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Section unmapped: C:\Windows\SysWOW64\rundll32.exe base address: 350000 Jump to behavior
Writes to foreign memory regions
Source: C:\Users\Public\69577.exe Memory written: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe base: 80000 Jump to behavior
Source: C:\Users\Public\69577.exe Memory written: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe base: 81000 Jump to behavior
Source: C:\Users\Public\69577.exe Memory written: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe base: 7EFDE008 Jump to behavior
Creates a process in suspended mode (likely to inject code)
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process created: C:\Users\Public\69577.exe C:\Users\Public\69577.exe Jump to behavior
Source: C:\Users\Public\69577.exe Process created: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\AppData\Local\Temp\AddInProcess32.exe' Jump to behavior
Source: explorer.exe, 00000006.00000002.2361185402.00000000006F0000.00000002.00000001.sdmp Binary or memory string: Program Manager
Source: explorer.exe, 00000006.00000002.2361185402.00000000006F0000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000006.00000002.2360960518.00000000001F5000.00000004.00000020.sdmp Binary or memory string: Progman
Source: explorer.exe, 00000006.00000002.2361185402.00000000006F0000.00000002.00000001.sdmp Binary or memory string: !Progman

Language, Device and Operating System Detection:

barindex
Queries the volume information (name, serial number etc) of a device
Source: C:\Users\Public\69577.exe Queries volume information: C:\Users\Public\69577.exe VolumeInformation Jump to behavior
Source: C:\Users\Public\69577.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior

Stealing of Sensitive Information:

barindex
Yara detected FormBook
Source: Yara match File source: 00000005.00000002.2140353140.0000000000081000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.2140526407.00000000004D0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.2360758305.00000000000D0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.2112664832.0000000003B66000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.2112815271.0000000003CD3000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.2140472679.0000000000310000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 5.2.AddInProcess32.exe.80000.0.unpack, type: UNPACKEDPE

Remote Access Functionality:

barindex
Yara detected FormBook
Source: Yara match File source: 00000005.00000002.2140353140.0000000000081000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.2140526407.00000000004D0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.2360758305.00000000000D0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.2112664832.0000000003B66000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.2112815271.0000000003CD3000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.2140472679.0000000000310000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 5.2.AddInProcess32.exe.80000.0.unpack, type: UNPACKEDPE
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 signatures2 2 Behavior Graph ID: 344787 Sample: IMG-50230.doc Startdate: 27/01/2021 Architecture: WINDOWS Score: 100 43 Found malware configuration 2->43 45 Malicious sample detected (through community Yara rule) 2->45 47 Yara detected AntiVM_3 2->47 49 11 other signatures 2->49 10 EQNEDT32.EXE 13 2->10         started        15 WINWORD.EXE 291 26 2->15         started        process3 dnsIp4 37 67.199.248.11, 49165, 80 GOOGLE-PRIVATE-CLOUDUS United States 10->37 39 neuromedic.com.br 177.70.106.69, 49166, 80 MandicSABR Brazil 10->39 41 bit.ly 10->41 33 C:\Users\user\AppData\...\IMG-50230[1].pdf, PE32 10->33 dropped 35 C:\Users\Public\69577.exe, PE32 10->35 dropped 69 Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802) 10->69 17 69577.exe 12 3 10->17         started        file5 signatures6 process7 file8 31 C:\Users\user\AppData\...\AddInProcess32.exe, PE32 17->31 dropped 51 Machine Learning detection for dropped file 17->51 53 Writes to foreign memory regions 17->53 55 Allocates memory in foreign processes 17->55 57 2 other signatures 17->57 21 AddInProcess32.exe 17->21         started        signatures9 process10 signatures11 59 Modifies the context of a thread in another process (thread injection) 21->59 61 Maps a DLL or memory area into another process 21->61 63 Sample uses process hollowing technique 21->63 65 2 other signatures 21->65 24 explorer.exe 21->24 injected process12 process13 26 rundll32.exe 24->26         started        signatures14 67 Tries to detect virtualization through RDTSC time measurements 26->67 29 cmd.exe 26->29         started        process15
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
177.70.106.69
 unknown Brazil
262545 MandicSABR false
67.199.248.11
 unknown United States
396982 GOOGLE-PRIVATE-CLOUDUS true

Contacted Domains

Name IP Active
neuromedic.com.br 177.70.106.69 true
bit.ly 67.199.248.10 true

Contacted URLs

Name Malicious Antivirus Detection Reputation
http://bit.ly/3iWebUT false
    		high