
General Information

Analysis ID:27415
Start time:15:06:46
Start date:16/11/2012
Overall analysis duration:0h 3m 17s
Sample file name:IAF_Placement_Cell.doc
Cookbook file name:Ret Dump.jbs
Analysis system description:XP SP3 (Office 2003 SP1, Java 1.5.0, Acrobat Reader 8.1.2, Internet Explorer 6, Flash 10.1.82.76)
Number of new started processes analysed:7
Number of new started drivers analysed:0
Number of existing processes analysed:0
Number of existing drivers analysed:0
Number of injected processes analysed:0
SCAE enabled:true
SCAE success:false, ratio: 0%

Classification / Threat Score

Persistence, Installation, Boot Survival:
Hiding, Stealthiness, Detection and Removal Protection:
Security Solution / Mechanism bypass, termination and removal, Anti Debugging, VM Detection:
Spreading:
Exploiting:
Networking:
Data spying, Sniffing, Keylogging, Ebanking Fraud:

Matching Signatures

Behavior Signatures
Creates files inside the user directory
Creates temporary files
Queries a list of all running processes
Reads ini files
Spawns processes
Urls found in memory or binary data
Writes ini files
Creates mutexes:
  • \BaseNamedObjects\oleacc-msaa-loaded
  • \BaseNamedObjects\Local\Mutex_MSOSharedMem
  • \BaseNamedObjects\StiTraceMutexSti_Trace.log
  • \BaseNamedObjects\Global\MTX_MSO_Formal1_S-1-5-21-507921405-1960408961-839522115-500
  • \BaseNamedObjects\Local\Mso97SharedDg19531106360Mutex
  • \BaseNamedObjects\Local\Mso97SharedDg20321106360Mutex
  • \BaseNamedObjects\Global\WiaDebugFileMut
  • \BaseNamedObjects\Local\Mso97SharedDg19521106360Mutex
  • \BaseNamedObjects\OfficeAssistantStateMutex
  • \BaseNamedObjects\Global\MTX_MSO_AdHoc1_S-1-5-21-507921405-1960408961-839522115-500
  • \BaseNamedObjects\Local\Mso97SharedDg19211106360Mutex
  • \BaseNamedObjects\Local\SqmSysTray
Drops PE files
Found strings which match to known bank urls
Found strings which match to known social media urls
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Performs DNS lookups
Queries the installation date of Windows
AV process strings found (often used to terminate AV products)
Allocates a big amount of memory (probably used for heap spraying)
Creates an autostart registry key
Creates and opens a fake document (probably a fake document to hide exploiting)
Detected shellcode (checkout the disassembly section)
Document exploit detected (drops PE files)
Document exploit detected (performs DNS queries)
Document exploit detected (performs HTTP gets)
Document exploit detected (process start blacklist hit)
Document exploit detected (unknown TCP traffic)
Injects files into Windows application: C:\Documents and Settings\Administrator\oslog.dll -> C:\Program Files\Internet Explorer\iexplore.exe
Maps a DLL or memory area into another process
NOP-sled detected (often used during heap spraying before exploitation)
Potential document exploit detected (Application instantly terminates)
Queues an APC in another process (thread injection)

Startup

  • system is xp2
  • WINWORD.EXE (PID: 1408 MD5: 5FEAF6AB43AA477597F9F8DB0E8CB69C)
    • iexproers.exe (PID: 1824 MD5: C8B452151FAA918DF8FA05D7A8E83646)
      • iexplore.exe (PID: 1536 MD5: 55794B97A7FAABD2910873C85274F409)
    • WINWORD.EXE (PID: 1524 MD5: 5FEAF6AB43AA477597F9F8DB0E8CB69C)
  • svchost.exe (PID: 1832 MD5: 27C6D03BCDB8CFEB96B716F3D8BE3E18)
  • cleanup
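The Startup tree shows the chain that matters: WINWORD.EXE (PID 1408) starts iexproers.exe from the user's Temp directory (PID 1824), which starts iexplore.exe (PID 1536), the process that oslog.dll is later mapped into; the second WINWORD.EXE (PID 1524) is the decoy Wor.doc being opened. The Python below is an added illustration and not part of the sandbox report: it runs five process-creation rules over constructed Sysmon-style events that mirror this tree. The event field names, the full paths of WINWORD.EXE and of its explorer.exe parent, and the list of well-known binary names with their expected directories are assumptions made for the example.

```python
import ntpath
import re
from difflib import SequenceMatcher

# Constructed process-creation events modelled on the report's Startup tree.
# Field names imitate Sysmon event ID 1. The report lists only image names and
# PIDs; the full path of WINWORD.EXE and the explorer.exe parent are assumptions.
WORD = r"C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE"
DROPPER = r"C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\iexproers.exe"
IE = r"C:\Program Files\Internet Explorer\iexplore.exe"
EVENTS = [
    {"pid": 1408, "image": WORD, "parent_pid": 1200, "parent_image": r"C:\WINDOWS\explorer.exe"},
    {"pid": 1824, "image": DROPPER, "parent_pid": 1408, "parent_image": WORD},
    {"pid": 1536, "image": IE, "parent_pid": 1824, "parent_image": DROPPER},
    {"pid": 1524, "image": WORD, "parent_pid": 1408, "parent_image": WORD},
]

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
# Names malware likes to imitate, with the directory each is expected in (assumed list).
KNOWN_BINARIES = {
    "iexplore.exe": r"c:\program files\internet explorer",
    "svchost.exe": r"c:\windows\system32",
    "explorer.exe": r"c:\windows",
}
# Per-user temp directories in both long and 8.3 (LOCALS~1\Temp) spellings.
TEMP_DIR = re.compile(r"\\temp\\", re.IGNORECASE)


def _name(path):
    return ntpath.basename(path).lower()


def check_office_child(ev):
    parent, child = _name(ev["parent_image"]), _name(ev["image"])
    if parent in OFFICE_APPS and child not in OFFICE_APPS:
        return "office_spawn", f"{parent} (pid {ev['parent_pid']}) started {child}"
    return None


def check_temp_exec(ev):
    if TEMP_DIR.search(ev["image"]):
        return "exec_from_temp", f"{_name(ev['image'])} ran from {ev['image']}"
    return None


def check_lookalike(ev):
    # Close-but-not-equal names: "iexproers.exe" scores 0.8 against "iexplore.exe".
    name = _name(ev["image"])
    if name in KNOWN_BINARIES:
        return None
    for known in KNOWN_BINARIES:
        if SequenceMatcher(None, name, known).ratio() >= 0.75:
            return "lookalike_name", f"{name} resembles {known}"
    return None


def check_wrong_directory(ev):
    # A well-known name running outside its expected directory is a masquerade.
    name = _name(ev["image"])
    expected = KNOWN_BINARIES.get(name)
    if expected and ntpath.dirname(ev["image"]).lower() != expected:
        return "wrong_directory", f"{name} ran from {ntpath.dirname(ev['image'])}"
    return None


def check_temp_parent(ev):
    # A genuine system binary whose parent lives in Temp is a likely injection host.
    if _name(ev["image"]) in KNOWN_BINARIES and TEMP_DIR.search(ev["parent_image"]):
        return "known_binary_from_temp_parent", f"{_name(ev['image'])} started by {ev['parent_image']}"
    return None


RULES = (check_office_child, check_temp_exec, check_lookalike,
         check_wrong_directory, check_temp_parent)


def scan(events):
    """Return (pid, rule, detail) for every rule that fires on every event."""
    alerts = []
    for ev in events:
        for rule in RULES:
            hit = rule(ev)
            if hit:
                alerts.append((ev["pid"], hit[0], hit[1]))
    return alerts


def rules_for(events, pid):
    """Sorted rule names that fired for one PID."""
    return sorted({rule for p, rule, _ in scan(events) if p == pid})


if __name__ == "__main__":
    for pid, rule, detail in scan(EVENTS):
        print(f"pid {pid:5d}  {rule:30s}  {detail}")
```

Run against the constructed events, PID 1824 trips three rules (Office parent, executed from Temp, name resembling iexplore.exe) and PID 1536 trips only the temp-parent rule, which is the one that catches the genuine browser being used as an injection host; the two WINWORD.EXE events stay quiet.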

Created / dropped Files

File Path | MD5
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Wor.doc | 2909FE41599CC5B55882D5BEFEE328E4
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\iexproers.exe | C8B452151FAA918DF8FA05D7A8E83646
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\~$Wor.doc | A0F4BD67F4388E1BC61D5DBB85D5650F
C:\DOCUME~1\ALLUSE~1\APPLIC~1\MICROS~1\OFFICE\DATA\opa11.dat | 374016627E06A3871B86049B58D69058
C:\Documents and Settings\Administrator\Application Data\Microsoft\Office\MSO1033.acl | 2FE8FA8E0D8D4303B78F7976068FCC6E
C:\Documents and Settings\Administrator\Application Data\Microsoft\Office\Recent\Temp.LNK | 5237FBAF5A94E284712223DD86D4057F
C:\Documents and Settings\Administrator\Application Data\Microsoft\Office\Recent\Wor.doc.LNK | 20C34339CCB6ADBC853557F10BC07FF1
C:\Documents and Settings\Administrator\Application Data\Microsoft\Office\Recent\index.dat | 9420C1F7C501701E5417F7F8BA0AA433
C:\Documents and Settings\Administrator\Application Data\Microsoft\Proof\CUSTOM.DIC | A8A040B900A54102E3D8DD8C458138A5
C:\Documents and Settings\Administrator\Application Data\Microsoft\Proof\~$CUSTOM.DIC | 14DB471136F215858C58BF88804266E3
C:\Documents and Settings\Administrator\Save | 7D93294924A249E8235C4CE4E1163AD3
C:\Documents and Settings\Administrator\UserSet.ini | E5C7A2EFD9F9473FA552CDD41CADE399
C:\Documents and Settings\Administrator\oslog.dll | D66B3734031A454DAC7C6ED7090121BD
C:\WINDOWS\wiadebug.log | A0047B29C589000218667A0837F13C6A
C:\WINDOWS\wiaservc.log | 52284549ECA723A46FD0F2A75A3F6678
C:\~$F_Placement_Cell.doc | A63451504286E2B5602C56CF518685D7
\net\NtControlPipe12 | 67118A81A9461CA93D1DCBD673828CFE
\samr | 5067EBD44F1FE02B05260E8E7C8823AE
\srvsvc | 00010789CF97BAA5F49E8C7BF0605D58

Contacted Domains

Name | IP | Name Server | Active | Registrar | e-Mail
timesofindia.8866.org | 182.242.233.174 |  | true | unknown | unknown

Contacted IPs

IP | Country | Pingable | Open Ports
182.242.233.174 | CHINA | true |
195.186.1.121 | SWITZERLAND | false |
195.186.4.121 | SWITZERLAND | false |

Static File Info

File type:data
File name:IAF_Placement_Cell.doc
File size:355724
MD5:4c7ecf0a53aa4cc759961b840ae04a6e
SHA1:cb8092d4382090cf63474b52babbecc9dd8770cd
SHA256:e9b44cf9655a4c9fcbc1cb6c6f8aab9063bac9180b8813ee47947687852407f8
SHA512:4ee25501bff81524b936d445e09c193ebb250719b3bf3780ef3efee54191f8396556e0df81e7d6ff877d6404d416adc732a51f1edf64902436e1231168fa3066

String Analysis

URLs
String value | Source
ftp://ftp.microsoft.com | WINWORD.EXE
http://a.ads2.msads.net/cis/11/000/000/000/022/056.j | iexplore.exe
http://a.ads2.msads.net/cis/56/000/000/000/000/000.g | iexplore.exe
http://a.rad.msn.com/adsadclient31.dll?getsad=&dpjs=4&pn=msft&id=1be25b89169c67282f395932129c67da&mu | iexplore.exe
http://ad.doubleclick.net/ad/n6374.132541.msn.com/b5976918;sz=1x1;ord=189708926 | iexplore.exe
http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/2373.1225.tk.177x20/9920374 | iexplore.exe
http://adobe.tt.omtrdc.net/m2/adobe/sc/standard?mboxhost=kb2.adobe.com&mboxsession=1327395957406-706 | iexplore.exe
http://ads1.msn.com/library/dapmsn. | iexplore.exe
http://ads2.msads.net/cis/18/000/000/000/021/868.p | iexplore.exe
http://ajax.googleapis.com/ajax/libs/jquery/1/jquery.min. | iexplore.exe
http://amch.questionmarket.com/adsc/d944682/3/944772/randm. | iexplore.exe
http://api-public.addthis.com/url/shares.json?url=http%3a%2f%2fwww.oldapps.com%2fadobe_reader.php%3f | iexplore.exe
http://api-public.addthis.com/url/shares.json?url=http%3a%2f%2fwww.oldapps.com%2fadobe_reader.php&ca | iexplore.exe
http://api-public.addthis.com/url/shares.json?url=http%3a%2f%2fwww.oldapps.com&callback=_ate.cbs.sc_ | iexplore.exe
http://api.bing.com/qsonhs.aspx?form=msn005& | iexplore.exe
http://api.demandbase.com/api/v2/ip.js?key=e4086fa3ea9d74ac2aae2719a0e5285dc7075d7b&var=s_dmdbase_v_ | iexplore.exe
http://apis.google.com/js/plusone. | iexplore.exe
http://blst.msn.com/as/wea3/i/en-us/law/32.g | iexplore.exe
http://cache.oahermes.com/css/main_1.c | iexplore.exe
http://cache.oahermes.com/css/oa.c | iexplore.exe
http://cache.oahermes.com/css/style.c | iexplore.exe
http://cache.oahermes.com/css/style1.c | iexplore.exe
http://cache.oahermes.com/fancybox/blank.g | iexplore.exe
http://cache.oahermes.com/fancybox/fancy_close.p | iexplore.exe
http://cache.oahermes.com/fancybox/fancy_nav_left.p | iexplore.exe
http://cache.oahermes.com/fancybox/fancy_nav_right.p | iexplore.exe
http://cache.oahermes.com/fancybox/fancybox.p | iexplore.exe
http://cache.oahermes.com/image/arrow_green.g | iexplore.exe
http://cache.oahermes.com/image/arrow_grey.g | iexplore.exe
http://cache.oahermes.com/image/bg_midcon.g | iexplore.exe
http://cache.oahermes.com/image/bg_midconpr.p | iexplore.exe
http://cache.oahermes.com/image/dotted_bg.g | iexplore.exe
http://cache.oahermes.com/image/download.p | iexplore.exe
http://cache.oahermes.com/image/footer_bg.p | iexplore.exe
http://cache.oahermes.com/image/grey_tab.p | iexplore.exe
http://cache.oahermes.com/image/logo.p | iexplore.exe
http://cache.oahermes.com/image/mid_blackbg.g | iexplore.exe
http://cache.oahermes.com/image/mid_bottom.g | iexplore.exe
http://cache.oahermes.com/image/mid_cat_ind.g | iexplore.exe
http://cache.oahermes.com/image/mid_leftcorner.p | iexplore.exe
http://cache.oahermes.com/image/mid_rightcorner.p | iexplore.exe
http://cache.oahermes.com/image/midnv1.p | iexplore.exe
http://cache.oahermes.com/image/more.g | iexplore.exe
http://cache.oahermes.com/image/nav_1.g | iexplore.exe
http://cache.oahermes.com/image/oasprite2.p | iexplore.exe
http://cache.oahermes.com/image/os1.p | iexplore.exe
http://cache.oahermes.com/image/point.g | iexplore.exe
http://cache.oahermes.com/image/search.p | iexplore.exe
http://cache.oahermes.com/image/sep1.g | iexplore.exe
http://cache.oahermes.com/image/shadow.g | iexplore.exe
http://cache.oahermes.com/image/top_curve_midbottompr.p | iexplore.exe
http://cache.oahermes.com/image/top_curve_midcontpr.p | iexplore.exe
http://cache.oahermes.com/image/windowtab.p | iexplore.exe
http://cache.oahermes.com/images/input_bg_slice.p | iexplore.exe
http://cache.oahermes.com/images/open_new_window.p | iexplore.exe
http://cache.oahermes.com/js/custom01. | iexplore.exe
http://cache.oahermes.com/softimg/pdf-logo.g | iexplore.exe
http://cdn.api.twitter.com/1/urls/count.json?url=http%3a%2f%2fwww.oldapps.com%2f&callback=twttr.rece | iexplore.exe
http://ch.questionmarket.com/w3c/audit2007/p3p_dynamiclogic.xm | iexplore.exe
http://col.stb.s-msn.com/i/25/b339a1e8e65447642b9f0ddad0e.j | iexplore.exe
http://col.stb.s-msn.com/i/26/d59641387bf748337c126ad1957c2.j | iexplore.exe
http://col.stb.s-msn.com/i/30/24fdf2cd8be5e4cfb52e27f92bdef4.j | iexplore.exe
http://col.stb.s-msn.com/i/37/423d8428977d46cc6ebfecc452b0d0.j | iexplore.exe
http://col.stb.s-msn.com/i/3a/b0da1e93d2fae7a81098776a2efdfd.j | iexplore.exe
http://col.stb.s-msn.com/i/3e/7cef4323cd2894f4fb6a6d5ae5aa9e.j | iexplore.exe
http://col.stb.s-msn.com/i/55/f3731528f70d131f63b12e5ce4ce.j | iexplore.exe
http://col.stb.s-msn.com/i/5a/a825aeb11f7fbaa1682967885b0bb.j | iexplore.exe
http://col.stb.s-msn.com/i/65/cdab2f44a1591d2b308c20c6c15375.j | iexplore.exe
http://col.stb.s-msn.com/i/6f/40e0e7b0930b1dfead9e668b98d6.j | iexplore.exe
http://col.stb.s-msn.com/i/98/bc71769ba96df69cfe934397d8824a.j | iexplore.exe
http://col.stb.s-msn.com/i/9d/5ee4ca92f2c86b9b7969e3851ff30.j | iexplore.exe
http://col.stb.s-msn.com/i/9e/f415cf42cce232a2532ba451bef3.j | iexplore.exe
http://col.stb.s-msn.com/i/a4/f1284a44194776bf5c17c6e522a529.j | iexplore.exe
http://col.stb.s-msn.com/i/b7/eb75d45b8948f72ee451223e95a96.g | iexplore.exe
http://col.stb.s-msn.com/i/d0/4278717f7c190e446356444e97f5a.j | iexplore.exe
http://col.stb.s-msn.com/i/d1/2a789319d730bbfee7294a39a8c679.j | iexplore.exe
http://col.stb.s-msn.com/i/d2/61c2fc3513db668220918204e27.j | iexplore.exe
http://col.stb.s-msn.com/i/d8/9e3c8db312445bb97be3c0469d3731.j | iexplore.exe
http://col.stb.s-msn.com/i/e2/37ba92e210d341bfdbf4126422a3d2.g | iexplore.exe
http://col.stb.s-msn.com/i/e9/ae875fab1f44e47994f2fee50c187.j | iexplore.exe
http://col.stb.s-msn.com/i/fd/c7a5cbf8b632766bf5188569661116.j | iexplore.exe
http://col.stc.s-msn.com/br/sc/css/36/8c1ae01e8fd4f4408590d43df0f4e3.c | iexplore.exe
http://col.stc.s-msn.com/br/sc/css/3c/e52849405b21b1b7b78858e8f94f2f.c | iexplore.exe
http://col.stc.s-msn.com/br/sc/i/07/617475cf39bf6f5c0bd6ecb985335c.g | iexplore.exe
http://col.stc.s-msn.com/br/sc/i/0c/c57bc2a7d38843d7c4aa8028fc9f82.g | iexplore.exe
http://col.stc.s-msn.com/br/sc/i/5f/5280118e68aedbc5821d17132a5340.g | iexplore.exe
http://col.stc.s-msn.com/br/sc/i/7d/7fda667169fb45760dd7152ddafd78.g | iexplore.exe
http://col.stc.s-msn.com/br/sc/i/c1/cc36ca69630adc1a2052edc7351a47.g | iexplore.exe
http://col.stc.s-msn.com/br/sc/i/f8/614595fba50d96389708a4135776e4.g | iexplore.exe
http://col.stc.s-msn.com/br/sc/i/ff/adchoices_gif2.g | iexplore.exe
http://col.stc.s-msn.com/br/sc/i/icons/bing_websearch_2.j | iexplore.exe
http://col.stj.s-msn.com/br/sc/js/51/anatm. | iexplore.exe
http://col.stj.s-msn.com/br/sc/js/cf/ece838bdac41f565b1c59d87c4c9cf63. | iexplore.exe
http://col.stj.s-msn.com/br/sc/js/jquery/jquery-1.4.2.min. | iexplore.exe
http://community.adobe.com/help/badge/ionsupport. | iexplore.exe
http://connect.facebook.net/en_us/all. | iexplore.exe
http://crl.microsoft.com/pki/crl/products/codesignpca.cr | WINWORD.EXE
http://crl.verisign.com/thawtetimestampingca.cr | WINWORD.EXE
http://crl.verisign.com/tss-ca.cr | WINWORD.EXE
http://download-euro.oldapps.com/adobe_reader/adberdr812_en_us.e | iexplore.exe
http://ec.atdmt.com/b | iexplore.exe
http://edge.quantserve.com/quant. | iexplore.exe
http://feeds.feedburner.com/~fc/oldapps?bg=ff6600&fg=000000&anim | iexplore.exe
http://google.com/pagead/drt/ | iexplore.exe
http://googleads.g.doubleclick.net/pagead/ads?client=ca-pub-2739591798241468&output=html&h=280&slotn | iexplore.exe
http://googleads.g.doubleclick.net/pagead/ads?client=ca-pub-2739591798241468&output=html&h=60&slotna | iexplore.exe
http://googleads.g.doubleclick.net/pagead/ads?client=ca-pub-2739591798241468&output=html&h=600&slotn | iexplore.exe
http://googleads.g.doubleclick.net/pagead/drt | iexplore.exe
http://googleads.g.doubleclick.net/pagead/gcn_p3p_.xml | iexplore.exe
http://googleads.g.doubleclick.net/pagead/imgad?id=cicagicqzv7ypxdqahiyajii5h9ywd4r- | iexplore.exe
http://googleads.g.doubleclick.net/pagead/imgad?id=cicagmdo7cc9vhdqahiyajiihogkdjt61 | iexplore.exe
http://googleads.g.doubleclick.net/pagead/imgad?id=cin76tkr2bqv2aeq0aiymaiycfin0jjcqp | iexplore.exe
http://googleads.g.doubleclick.net/pagead/imgad?id=ckjbp_hsivvsdbdqahiyajiiind9b_dwc | iexplore.exe
http://googleads.g.doubleclick.net/pagead/imgad?id=cksvvrfn2tgqjaeq0aiymaiycpwvqa7rs7 | iexplore.exe
http://googleads.g.doubleclick.net/pagead/imgad?id=clxtyc3fj4klugeq0aiymaiycnfy3iuegk | iexplore.exe
http://googleads.g.doubleclick.net/pagead/imgad?id=colbhodsp-iarrduaxg8mgg2iu8vplic | iexplore.exe
http://js.dmtry.com/antenna2.js?246_1807_36579_9&sz=300x2 | iexplore.exe
http://kb2.adobe.com/cps/155/tn_15507.ht | iexplore.exe
http://kb2.adobe.com/cps/css/feedbackbadge.c | iexplore.exe
http://kb2.adobe.com/cps/css/kb2style.c | iexplore.exe
http://kb2.adobe.com/cps/ssi/assets/jquery-1.5.1.min. | iexplore.exe
http://kb2.adobe.com/cps/ssi/assets/jquery.query. | iexplore.exe
http://kb2.adobe.com/cps/ssi/assets/search_button.p | iexplore.exe
http://kb2.adobe.com/css/support/cps.c | iexplore.exe
http://kb2.adobe.com/include/img/truste_seal_eu.g | iexplore.exe
http://kb2.adobe.com/lib/com.adobe/hover.h | iexplore.exe
http://kb2.adobe.com/uber/js/omniture/mbox. | iexplore.exe
http://kb2.adobe.com/ubi/template/identity/adobe. | iexplore.exe
http://kb2.adobe.com/ubi/template/identity/adobe/cookie. | iexplore.exe
http://kb2.adobe.com/ubi/template/identity/adobe/globalfooter. | iexplore.exe
http://kb2.adobe.com/ubi/template/identity/adobe/pane/screen.c | iexplore.exe
http://kb2.adobe.com/ubi/template/identity/adobe/screen/tag-title.c | iexplore.exe
http://kb2.adobe.com/ubi/template/identity/adobe/tabnav/tabzen.c | iexplore.exe
http://kb2.adobe.com/ubi/template/identity/adobe/tree. | iexplore.exe
http://kb2.adobe.com/ubi/template/identity/adobe/u/adaptcustommouse. | iexplore.exe
http://kb2.adobe.com/ubi/template/identity/adobe/u/link. | iexplore.exe
http://kb2.adobe.com/ubi/template/identity/lib/animator. | iexplore.exe
http://kb2.adobe.com/ubi/template/identity/lib/sifr3-r419/css/sifr-print.c | iexplore.exe
http://kb2.adobe.com/ubi/template/identity/lib/sifr3-r419/css/sifr-screen.c | iexplore.exe
http://kb2.adobe.com/ubi/template/identity/lib/style-nurse.h | iexplore.exe
http://kb2.adobe.com/ubi/template/identity/product.cs4/invoke/fire_sifr. | iexplore.exe
http://kb2.adobe.com/ubi/template/identity/product.cs4/screen/content-header.sifr.c | iexplore.exe
http://kb2.adobe.com/ubi/template/identity/product.cs4/tree/print.c | iexplore.exe
http://kb2.adobe.com/ubi/template/identity/product.cs4/tree/white.c | iexplore.exe
http://kb2.adobe.com/ubi/template/identity/product.cs4/xnav. | iexplore.exe
http://kb2.adobe.com/ubi/template/identity/product.cs4/xnav/screen.c | iexplore.exe
http://mediacdn.disqus.com/1322687430/build/system//defaults.c | iexplore.exe
http://mediacdn.disqus.com/1322687430/build/system/def.ht | iexplore.exe
http://mediacdn.disqus.com/1322687430/build/system/disqus.j | iexplore.exe
http://mediacdn.disqus.com/1322687430/build/system/embed. | iexplore.exe
http://mediacdn.disqus.com/1322687430/build/system/reply.ht | iexplore.exe
http://mediacdn.disqus.com/1322687430/build/themes/dsq7884a9652e94555c70f96b6be63be216.cs | iexplore.exe
http://mediacdn.disqus.com/1322687430/build/themes/dsq7884a9652e94555c70f96b6be63be216.j | iexplore.exe
http://mediacdn.disqus.com/1322687430/images/noavatar32.p | iexplore.exe
http://mediacdn.disqus.com/1322687430/images/themes/houdini/backgrounds-sprite.p | iexplore.exe
http://mediacdn.disqus.com/1322687430/images/themes/narcissus/dsq-loader-dark.g | iexplore.exe
http://mediacdn.disqus.com/1322687430/images/toolbar/toolbar-bg.p | iexplore.exe
http://mediacdn.disqus.com/1322687430/images/toolbar/toolbar-sprite-2.0.p | iexplore.exe
http://mediacdn.disqus.com/1322687430/js/dist/lib. | iexplore.exe
http://moneycentral.msn.com/investor/external/excel/quotes.asp?symbol=5cannot | WINWORD.EXE
http://moneycentral.msn.com/redir/moneycentralredirect.asp?pageid=smarttag_1&target=/scripts/webquot | WINWORD.EXE
http://moneycentral.msn.com/redir/moneycentralredirect.asp?pageid=smarttag_2&target=/investor/resear | WINWORD.EXE
http://moneycentral.msn.com/redir/moneycentralredirect.asp?pageid=smarttag_3&target=http://news.mone | WINWORD.EXE
http://oa-comments.disqus.com/embed. | iexplore.exe
http://oa-comments.disqus.com/thread.js?url=http%3a%2f%2fwww.oldapps.com%2fadobe_reader.php%3fold_ad | iexplore.exe
http://ocsp.verisign.co | WINWORD.EXE
http://office.microsoft.com | WINWORD.EXE
http://office.microsoft.com/smarttags/stockupdate.x | WINWORD.EXE
http://officeupdate.microsoft.com | WINWORD.EXE
http://oldapps.co | iexplore.exe
http://oldapps.com/betasearch.php?cx=007779823686351122034%3ai7o_lb6edjm&cof=forid%3a9&ie=utf-8&q=ac | iexplore.exe
http://oldapps.com/favicon.i | iexplore.exe
http://p4.fsuqxtdj4673q.i6pflvtd7ttkkl76.if.v4.ipv6-exp.l.google.com/intl/en/ipv6/exp/iframe.ht | iexplore.exe
http://p4.fsuqxtdj4673q.i6pflvtd7ttkkl76.if.v4.ipv6-exp.l.google.com/intl/en/ipv6/exp/redir.ht | iexplore.exe
http://pagead2.googlesyndication.com/pagead/abglogo/adc-en-100c-000000.p | iexplore.exe
http://pagead2.googlesyndication.com/pagead/expansion_embed. | iexplore.exe
http://pagead2.googlesyndication.com/pagead/images/ad_choices_en.p | iexplore.exe
http://pagead2.googlesyndication.com/pagead/images/ad_choices_i.p | iexplore.exe
http://pagead2.googlesyndication.com/pagead/js/graphics. | iexplore.exe
http://pagead2.googlesyndication.com/pagead/js/r20111110/r20110914/abg. | iexplore.exe
http://pagead2.googlesyndication.com/pagead/js/r20111110/r20110914/show_ads_impl. | iexplore.exe
http://pagead2.googlesyndication.com/pagead/render_ads. | iexplore.exe
http://pagead2.googlesyndication.com/pagead/show_ads. | iexplore.exe
http://pagead2.googlesyndication.com/pagead/sma8. | iexplore.exe
http://platform.twitter.com/js/xd/jsonrpc. | iexplore.exe
http://platform.twitter.com/js/xd/parent. | iexplore.exe
http://platform.twitter.com/widgets. | iexplore.exe
http://platform.twitter.com/widgets/hub.ht | iexplore.exe
http://platform.twitter.com/widgets/images/tweet.dfbf1dd98bad9f5b5addd80494650dca.p | iexplore.exe
http://platform.twitter.com/widgets/tweet_button.ht | iexplore.exe
http://r.office.microsoft.com/r/rlidsmarttagproperties?clid=10 | WINWORD.EXE
http://r.office.microsoft.com/r/rlidsmarttagproperties?clid=1033 | WINWORD.EXE
http://rad.msn.com/adsadclient31.dll?getsad=&dpjs=4&pn=msft&id=1be25b89169c67282f395932129c67da&muid | iexplore.exe
http://s1.2mdn.net/viewad/2809226/1x1.g | iexplore.exe
http://s7.addthis.com/js/250/addthis_widget. | iexplore.exe
http://s7.addthis.com/js/250/plugin.sharecounter. | iexplore.exe
http://s7.addthis.com/static/r07/counter71.c | iexplore.exe
http://s7.addthis.com/static/r07/sh69.ht | iexplore.exe
http://s7.addthis.com/static/r07/widget35_32x32.p | iexplore.exe
http://s7.addthis.com/static/r07/widget71.c | iexplore.exe
http://s7.addthis.com/static/r07/widgetbig71.c | iexplore.exe
http://s7.addthis.com/static/t00/nsc01.g | iexplore.exe
http://s7.addthis.com/static/t00/tbc02.g | iexplore.exe
http://schemas.microsoft.com/office/smarttags/20 | WINWORD.EXE
http://schemas.microsoft.com/office/smarttags/2003/mos | WINWORD.EXE
http://schemas.microsoft.com/office/smarttags/2003/mostl | WINWORD.EXE
http://schemas.openxmlformats.org/drawingml/2006/main | WINWORD.EXE, Wor.doc.dr
http://screenshots.oahermes.com/10/small_1_adobe_raeder-9.p | iexplore.exe
http://screenshots.oahermes.com/10/small_2_adobe_raeder-9-tools.p | iexplore.exe
http://screenshots.oahermes.com/10/small_3_adobe_raeder-9-about.p | iexplore.exe
http://screenshots.oahermes.com/10/small_41_adobe%20reader%208.1.2-about.p | iexplore.exe
http://screenshots.oahermes.com/10/small_42_adobe%20reader%208.1.2-main-window.p | iexplore.exe
http://screenshots.oahermes.com/10/small_43_adobe%20reader%208.1.2-tools.p | iexplore.exe
http://static.ak.fbcdn.net/rsrc.php/v1/y7/r/ql9vukdcc4r.p | iexplore.exe
http://static.ak.fbcdn.net/rsrc.php/v1/yc/r/3vr-wui-xma.c | iexplore.exe
http://static.ak.fbcdn.net/rsrc.php/v1/yh/r/2y3yodppa_k. | iexplore.exe
http://support.microsoft.com/support/misc/kblookup.asp?id=q3025 | WINWORD.EXE
http://tps30.doubleverify.com/visit.gif?ctx=965891&cmp=1113445&sid=772433&plc=123456&adid=&dvtagver= | iexplore.exe
http://www.adobe.com/images/shared/download_buttons/get_flash_player.g | iexplore.exe
http://www.bing.com/partner/primedns.g | iexplore.exe
http://www.bing.com/s/as/899538/en. | iexplore.exe
http://www.google-analytics.com/ga. | iexplore.exe
http://www.google.ch/extern_js/f/cgjkzricy2grmeu4acwrmfo4acwrma44acwrmbc4acwrmdw4acwrmfe4acwrmao4ajo | iexplore.exe
http://www.google.ch/extern_js/f/cgjkzricy2grmfo4acwrma44acwrmao4ajocamhllcswgdgaliacujacza/i-5po2l6 | iexplore.exe
http://www.google.ch/images/mgyhp_sm.p | iexplore.exe
http://www.google.ch/images/nav_logo_hp2.p | iexplore.exe
http://www.google.ch/images/srpr/nav_logo80.p | iexplore.exe
http://www.google.ch/intl/en_com/images/srpr/logo1w.p | iexplore.exe
http://www.google.ch/search?hl=de&source=hp&q=flash | iexplore.exe
http://www.google.ch/url?q=http://kb2.adobe.com/cps/155/tn_15507.html&sa=u&ei=jg80t6pwkmkp8aozwog_ag | iexplore.exe
http://www.google.com | iexplore.exe
http://www.google.com/adsense/search/ads.js?v | iexplore.exe
http://www.google.com/afsonline/show_afs_search. | iexplore.exe
http://www.google.com/cse/api/branding.c | iexplore.exe
http://www.google.com/cse/style/look/default.c | iexplore.exe
http://www.google.com/cse?cx=007779823686351122034%3ai7o_lb6edjm&cof=forid%3a9&ie=utf-8&q=acrobat | iexplore.exe
http://www.google.com/cse?q=acrobat%20reader&client=google-coop&hl=en&r=s&cx=007779823686351122034%3 | iexplore.exe
http://www.google.com/jsa | iexplore.exe
http://www.google.com/support/accounts/bin/answer.py?hl=en&answer=151657 | iexplore.exe
http://www.google.com/uds/?file=ads&v=3&packages=search&async | iexplore.exe
http://www.google.com/uds/?file=search&v | iexplore.exe
http://www.google.com/uds/api/ads/3.0/727076703967082c2c700dd75598e13c/search.i. | iexplore.exe
http://www.google.com/uds/api/ads/3.0/727076703967082c2c700dd75598e13c/search.in. | iexplore.exe
http://www.google.com/uds/api/search/1.0/80172cf7a55bd7af40ed212a27aba261/default | iexplore.exe
http://www.google.com/uds/gwebsearch?callback=google.search.websearch.rawcompletion&rsz=filtered_cse | iexplore.exe
http://www.google.com/uds/stats?r0=afs_render&u_his=2&u_tz=-480&dt=1322772175029&u_w=792&u_h=660&bs= | iexplore.exe
http://www.google.com/url?q=http://www.oldapps.com/adobe_reader.php&sa=u&ei=y-vxtq2lc8e78gph9nxjdq&v | iexplore.exe
http://www.googleadservices.com/pagead/p3p.xml | iexplore.exe
http://www.iafpc.co.in | Wor.doc.dr
http://www.iafpc.co.in/ | Wor.doc.dr
http://www.microsoft.com/isapi/redir.dll?prd=&sbp=&plcid=&pver=&os=&over=&olcid=&clcid=&ar=&sba=&o1= | WINWORD.EXE
http://www.microsoft.com/netmeeting/. | WINWORD.EXE
http://www.msn.co | iexplore.exe
http://www.officenet.net/ | WINWORD.EXE
http://www.oldapps.com/adobe_reader.p | iexplore.exe
http://www.oldapps.com/adobe_reader.php?app=9940256ca2663d6cd21f6704b564c5 | iexplore.exe
http://www.oldapps.com/adobe_reader.php?old_adobe= | iexplore.exe
http://www.oldapps.com/adobe_reader.php?old_adobe=17?downlo | iexplore.exe
http://www.oldapps.com/favicon.i | iexplore.exe
http://www.w3.org/ | WINWORD.EXE
http://www.w3.org/2001/schema-instance | WINWORD.EXE
http://wwwimages.adobe.com/uber/js/omniture_s_code. | iexplore.exe
http://wwwimages.adobe.com/ubi/template/identity/adobe/screen/sitefooter/close.p | iexplore.exe
http://wwwimages.adobe.com/ubi/template/identity/adobe/screen/sitefooter/region_black.p | iexplore.exe
http://wwwimages.adobe.com/ubi/template/identity/adobe/screen/sitefooter/region_blue.p | iexplore.exe
http://wwwimages.adobe.com/ubi/template/identity/adobe/screen/sitefooter/tile_fat_8bit.p | iexplore.exe
http://wwwimages.adobe.com/ubi/template/identity/adobe/screen/siteheader/arrow_dark.p | iexplore.exe
http://wwwimages.adobe.com/ubi/template/identity/adobe/screen/siteheader/cart_dark.p | iexplore.exe
http://wwwimages.adobe.com/www.adobe.com/images/shared/download_buttons/get_flash_player.g | iexplore.exe
http://wwwimages.adobe.com/www.adobe.com/lib/com.adobe/module/productselector/gvascript. | iexplore.exe
http://wwwimages.adobe.com/www.adobe.com/lib/com.adobe/module/searchbuddy. | iexplore.exe
http://wwwimages.adobe.com/www.adobe.com/lib/com.adobe/template/search/buddy/screen.c | iexplore.exe
http://wwwimages.adobe.com/www.adobe.com/lib/com.adobe/urlparser. | iexplore.exe
http://wwwimages.adobe.com/www.adobe.com/ubi/template/identity/adobe/carousel/noscript.c | iexplore.exe
http://wwwimages.adobe.com/www.adobe.com/ubi/template/identity/adobe/globalnav. | iexplore.exe
http://wwwimages.adobe.com/www.adobe.com/ubi/template/identity/adobe/modal. | iexplore.exe
http://wwwimages.adobe.com/www.adobe.com/ubi/template/identity/adobe/print.c | iexplore.exe
http://wwwimages.adobe.com/www.adobe.com/ubi/template/identity/adobe/screen.c | iexplore.exe
http://wwwimages.adobe.com/www.adobe.com/ubi/template/identity/adobe/screen/common.c | iexplore.exe
http://wwwimages.adobe.com/www.adobe.com/ubi/template/identity/adobe/screen/data.c | iexplore.exe
http://wwwimages.adobe.com/www.adobe.com/ubi/template/identity/adobe/screen/gfooter.c | iexplore.exe
http://wwwimages.adobe.com/www.adobe.com/ubi/template/identity/adobe/screen/gfooter_override.c | iexplore.exe
http://wwwimages.adobe.com/www.adobe.com/ubi/template/identity/adobe/screen/gnav.c | iexplore.exe
http://wwwimages.adobe.com/www.adobe.com/ubi/template/identity/adobe/screen/icon.c | iexplore.exe
http://wwwimages.adobe.com/www.adobe.com/ubi/template/identity/adobe/screen/icon/search.g | iexplore.exe
http://wwwimages.adobe.com/www.adobe.com/ubi/template/identity/adobe/screen/layout.c | iexplore.exe
http://wwwimages.adobe.com/www.adobe.com/ubi/template/identity/adobe/screen/list.menu.c | iexplore.exe
http://wwwimages.adobe.com/www.adobe.com/ubi/template/identity/adobe/screen/sitefooter/evidon.p | iexplore.exe
http://wwwimages.adobe.com/www.adobe.com/ubi/template/identity/adobe/screen/sitefooter/icon_acrobat. | iexplore.exe
http://wwwimages.adobe.com/www.adobe.com/ubi/template/identity/adobe/screen/sitefooter/icon_creative | iexplore.exe
http://wwwimages.adobe.com/www.adobe.com/ubi/template/identity/adobe/screen/sitefooter/icon_digipub. | iexplore.exe
http://wwwimages.adobe.com/www.adobe.com/ubi/template/identity/adobe/screen/sitefooter/icon_flashser | iexplore.exe
http://wwwimages.adobe.com/www.adobe.com/ubi/template/identity/adobe/screen/sitefooter/icon_mobile.p | iexplore.exe
http://wwwimages.adobe.com/www.adobe.com/ubi/template/identity/adobe/screen/sitefooter/icon_omniture | iexplore.exe
http://wwwimages.adobe.com/www.adobe.com/ubi/template/identity/adobe/screen/sitefooter/icon_photosho | iexplore.exe
http://wwwimages.adobe.com/www.adobe.com/ubi/template/identity/adobe/screen/siteheader/icon_search_m | iexplore.exe
http://wwwimages.adobe.com/www.adobe.com/ubi/template/identity/adobe/screen/siteheader/info.p | iexplore.exe
http://wwwimages.adobe.com/www.adobe.com/ubi/template/identity/adobe/screen/siteheader/logo.p | iexplore.exe
http://wwwimages.adobe.com/www.adobe.com/ubi/template/identity/adobe/screen/siteheader/search.p | iexplore.exe
http://wwwimages.adobe.com/www.adobe.com/ubi/template/identity/adobe/screen/siteheader/sh_divider.p | iexplore.exe
http://wwwimages.adobe.com/www.adobe.com/ubi/template/identity/adobe/screen/star.c | iexplore.exe
http://wwwimages.adobe.com/www.adobe.com/ubi/template/identity/adobe/screen/wcms.c | iexplore.exe
http://wwwimages.adobe.com/www.adobe.com/ubi/template/identity/lib/prototype. | iexplore.exe
http://wwwimages.adobe.com/www.adobe.com/ubi/template/identity/lib/sifr3-r419/flash/myriad-semi-bold | iexplore.exe
http://wwwimages.adobe.com/www.adobe.com/ubi/template/identity/lib/sifr3-r419/js/source/sifr. | iexplore.exe
http://wwwimages.adobe.com/www.adobe.com/ubi/template/identity/lib/style-nurse. | iexplore.exe
http://wwwimages.adobe.com/www.adobe.com/ubi/template/identity/lib/swfobject. | iexplore.exe
http://wwwimages.adobe.com/www.adobe.com/ubi/template/identity/lib/swfobject.addon. | iexplore.exe
http://wwwimages.adobe.com/www.adobe.com/ubi/template/identity/product.cs4/screen.css?whi | iexplore.exe
http://wwwimages.adobe.com/www.adobe.com/ubi/template/identity/product.cs4/screen/gfooter_override.c | iexplore.exe
http://wwwimages.adobe.com/www.adobe.com/ubi/template/identity/product.cs4/screen/gnav_override.c | iexplore.exe
http://wwwimages.adobe.com/www.adobe.com/ubi/template/identity/product.cs4/screen/no-pocket.css?whi | iexplore.exe
http://wwwimages.adobe.com/www.adobe.com/ubi/template/identity/product.cs4/xnav/noscript.c | iexplore.exe
https://apis.google.com/js/plusone. | iexplore.exe
https://googleads.g.doubleclick.net/pagead/drt/si?p=caa&ut=afakxlqaaaaattfuxi4tmhrc-kjskin8shs2ap-vn | iexplore.exe
https://googleads.g.doubleclick.net/pagead/gcn_p3p_.xml | iexplore.exe
https://plus.google.com/_/apps-static/_/js/widget/gcm_ppb | iexplore.exe
https://plus.google.com/_/apps-static/_/js/widget/googleapis_client | iexplore.exe
https://plusone.google.com/_/apps-static/_/js/plusone/p1b | iexplore.exe
https://plusone.google.com/_/apps-static/_/ss/plusone/ver=27trch45rjpg/am= | iexplore.exe
https://ssl.gstatic.com/s2/oz/images/stars/po/publisher/sprite.p | iexplore.exe
https://timesofindia.8866.org/3000f30a0000f0fd020031003200350034003300350037003300380036000000000000 | iexplore.exe
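Nearly every iexplore.exe entry in the list above is ordinary web content (ad networks, adobe.com, Disqus, Google, oldapps.com pages offering Adobe Reader 8.1.2, a google.ch search for "flash"), which fits the browsing history of an analysis image built with Acrobat Reader 8.1.2 and Flash rather than anything the sample did. Two entries are the ones to act on: the document's own link to www.iafpc.co.in (source Wor.doc.dr) and the HTTPS request to timesofindia.8866.org, the only name in Contacted Domains, whose path is a hex string cut at the report's 100-character limit. The Python below is an added example, not part of the report: it hex-decodes that path, pulls out the UTF-16LE digit run it contains, and extracts the parent zone so a blocklist entry can cover the zone instead of one host. Treating 8866.org as a free dynamic-DNS zone is my assumption, not a statement of the report, and the meaning of the decoded fields is not established by anything on this page.

```python
import re
from urllib.parse import urlsplit

# The C2 URL exactly as printed in the report's String Analysis section.
# The report cuts string values at 100 characters, so the path is incomplete.
BEACON_URL = ("https://timesofindia.8866.org/"
              "3000f30a0000f0fd020031003200350034003300350037003300380036000000000000")

HEX_PATH = re.compile(r"^/([0-9a-fA-F]+)$")


def hex_path(url):
    """Return the hex digits of the URL path, or None if the path is not pure hex."""
    m = HEX_PATH.match(urlsplit(url).path)
    return m.group(1) if m else None


def decode_path(url):
    """Hex-decode the path. An odd-length (truncated) string drops its dangling nibble."""
    digits = hex_path(url)
    if digits is None:
        raise ValueError("path is not a hex string")
    if len(digits) % 2:
        digits = digits[:-1]
    return bytes.fromhex(digits)


def utf16le_runs(data, min_len=4):
    """Runs of printable ASCII stored as UTF-16LE (char, 0x00 byte pairs).

    Both byte alignments are scanned so a run behind an odd-length header is
    still found. Returns (byte offset, text) pairs.
    """
    runs = []
    for align in (0, 1):
        chars, start = [], None
        buf = data[align:]
        for i in range(0, len(buf) - 1, 2):
            lo, hi = buf[i], buf[i + 1]
            if hi == 0 and 0x20 <= lo < 0x7F:
                if start is None:
                    start = i + align
                chars.append(chr(lo))
                continue
            if len(chars) >= min_len:
                runs.append((start, "".join(chars)))
            chars, start = [], None
        if len(chars) >= min_len:
            runs.append((start, "".join(chars)))
    return sorted(runs)


def zone(url):
    """Last two labels of the host: the zone a blocklist entry should cover."""
    return ".".join(urlsplit(url).hostname.split(".")[-2:])


if __name__ == "__main__":
    data = decode_path(BEACON_URL)
    print("zone:", zone(BEACON_URL))
    print("decoded bytes:", data.hex(" "))
    for off, text in utf16le_runs(data):
        print(f"UTF-16LE run at offset {off}: {text!r}")
```

On the truncated path this yields 35 bytes: a 10-byte header followed by the UTF-16LE string "1254357386" at offset 10 and trailing NULs. A ten-digit decimal identifier is all that can be read from it; whether it is a victim ID, a timestamp or something else would need the untruncated request or the oslog.dll code, neither of which the report provides.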
Bank names
String value | Source
' prevent it from being applied to this XML file.The file could not be opened because an XML element was found in an invalid location.XML markup cannot be inserted in the specified location.You cannot set permission in linked textbox.You cannot merge these documents because document protection is in effect.Permission to this document is currently restricted. If you want to insert content from this document into a document with frames, remove restrictions to this document, and try again.Permission to print to a file is restricted. If you want to print this document, clear the "Print to file" check box, and print to a printer.You must specify the text for the custom validation error.Cannot print this file. Permission to the file is currently restricted.Cannot merge documents. Permission for one or both of the documents is currently restricted.You cannot insert a section break here because this section contains regions that you are not allowed to edit.You have exceeded the maximum number of pages supported by Microsoft Office Word.A schema for the specified namespace has already been registered.This schema cannot be used because it attempts to declare a namespace reserved by Word.System policy prevents loading the XML expansion pack manifests. Please contact your administrator.This object model command is not available in Wordmail mode.Word has disabled XML support for this document because it detected that your computer has become unstable. To correct this problem, it is recommended that you close all applications and restart your computer.This document cannot be validated because no XML schemas are attached to it.This command is unavailable because the document is password-protected and the current selection includes content that cannot be modified.This command is not available outside of the fax mail envelope.Some of the files used by the XML expansion pack are in use and could not be updated. Restart the application or computer to complete the installation. 
Contact your administrator for further information.The solution cannot be removed because of insufficient memory or permissions. For more information, contact your administrator.The XML expansion pack you installed cannot be used with your current user interface language. Use Microsoft Office Language Settings in Microsoft Office Tools (Start menu) to switch to a different user interface language, or contact your administrator.This XML element cannot be removed because it is not a child of the specified element.There was a problem with the digital certificate. VBA project in the file | equals www.regions.com (Regions Bank) | WINWORD.EXE
' style cannot be modified or deleted because it is used in protected regions of this document.Problems with XSL transform | equals www.regions.com (Regions Bank) | WINWORD.EXE
7Use A&utoFormat&Schedules...View &Group Schedules...&Custom...&VerbDashS&peak Cells&Stop SpeakingBy &RowsBy &ColumnsSpeak On &EnterShow &Text To Speech Toolbar&Text&Image&HTML&Word&Excel&PowerPoint&Access&FrontPageTr&anslateSave as Web P&age...&New Inline Frame Page&Contents&From File...I&nsert RowsInsert Column&sTools on the We&b...&OrderRo&tate&Open&Delete&Close&Fill Effects...HTML Cod&e Fragment...&Outlook&Publisher&Hide IconsClear C&ustom OrderingFilter B&y Selection&Remove&Group ItemsU&ngroup Items&Drill OutManage &Indexes...Check Accessi&bility...&Web Component...Print What:Show/Hide &GridA&dd-Ins...&Mark CompleteRemove &FilterInde&xes / KeysRelations&hipsCo&nstraintsCopy Dia&gram to ClipboardNew &Photo Album...&Photo Album...&Show Calendar DetailsS&cale DrawingS&cale Organization ChartS&cale DiagramRelative t&o Organization ChartRelative t&o Diagram&Microsoft Visio Drawing&Microsoft Visio Template&Microsoft Visio Stencil&Microsoft Visio Add-On&Microsoft Visio&Microsoft Visio&Microsoft Visio&Microsoft Visio&Microsoft Visio&Microsoft Visio&Create publication from templateProper&tiesFrom &Scanner or Camera...&Color SeparationsMo&ve out of Text Flow HereCo&py out of Text Flow Here&Repair fontsFi&x Broken Text...&Data File Management...Mailbo&x Cleanup...Make This Folder Available &OfflineStart Microsoft Solution De&signerAll &GroupsAscending &by TotalDescending by &TotalMicrosoft Solution DesignerMicrosoft Office Document Imaging&Copy Effects to Slide&View Slide MasterPublish as Web Si&te...Tracing &Image...Show &Ruler&Pixels&Centimeters&InchesP&ointsDr&aw Layout Cell&Export...&Import...&Increase Indent&Decrease IndentMa&ke Body TextS&how Ink Groups&Protect Document...&Regions:&Select&Remove editable region&Manage Editable Regions...&Attach Dynamic Web Template...&Detach from Dynamic Web Template&Slice ImageSelect Parent Ta&gSelect C&hild&Master Templates&Open Attached Dynamic Web TemplateOptimize &HTML...Update &Selected PageUpdate All &PagesUpdate All Pages 
Attached to &Selected Template&Update Attached Pages | equals www.regions.com (Regions Bank) | WINWORD.EXE
Highlight the regions I can ed | equals www.regions.com (Regions Bank) | WINWORD.EXE
Insert &Vertical Layout CellInsert &Horizontal Layout CellViewOptions...Remote Web Site Properties...&Export...&Import...&Apply to Current Page (|0)&Apply to Current Pages (|0-|1)&Ignore master page on...New Master PageDuplicate Master PageRename Master PageDelete Master PageClose &Master View&Layout guidesApply &Master Page...Apply Mast&er Page...&Find next region this user can edit&Show all regions this user can edit&Remove all editing permissions for this user&Thumbnails&FilmstripSingle &Picture&DetailsFile &Name&DateFile &TypeFile &SizeShow File &Names&White ScreenView &Task Bar&Export XDT Data...&Select TagFind M&atching TagSelect &Block&Increase Indent&Decrease Indent&Smart Document Pane&Red Flag&Blue Flag&Yellow Flag&Green Flag&Orange FlagP&urple Flag&Red Flag as Default&Blue Flag as Default&Yellow Flag as Default&Green Flag as Default&Orange Flag as DefaultP&urple Flag as Default&Add Reminder...Insert Layout &Cell...Insert L&ayout Table&Web Part Properties...Web Part &Zone Properties...&Site Gallery...&Personal catalog...Insert Web Par&t...Change Single-Page/Two-page&Change to Single-page&Change to Two-page&Layout Guides...Object Depe&ndencies...&Out To Lunch&On The Phone&Be Right Back&Bullets and Numbering...Change Picture &File Type...Sh&ow Pictures ToolbarReset Si&zeResa&mple&Sort and Group...Show &Ink Annotations&Draw ink&Eraser&Hilight Ink&SenstivityToggle &XML Tag ViewTile&sLevel &1Level &2Level &3Level &4Level &5Level &6Level &7Level &8Level &9Level 1&0&AllLevel &1Level &2Level &3Level &4Level &5Level &6Level &7Level &8Level &9Level 1&0&AllAd&just Outline StructureExpand &All&Collapse All&More...Begin a new &list here&Search...Find &Options...&List all MatchesE&xit FindNote FlagNote FlagNote FlagNote Flag&More Handwriting...&Mark Note Flag&Clear Note Flag&Remove Note Flag&All&Page&Section&Folder&Hide IP/SelectionNew Se&ctionNew &Folder&Pen&Selection Tool&EraserExtra Writi&ng Space&Group&Ungroup&Remove&Edit HTML Code Fragment...Insert C&olumnD&elete 
Column&Propagate changes to all related documents&Delete SchemaSave to SharePo&int...&Promoted Properties&Dynamic UI&SectionsS&ubmitting Forms...&NewNo ListGrid &Options...Text &Box&Rich Text Area&Static Text&Check Box&List BoxDrop-Dow&n List Box&BlockRepeatin&g Table...Con&vert&Add...&Delete&Properties...Microsoft Script &Editor...&Data Formatting...&Suggestion&Suggestion&Suggestion&Suggestion&Suggestion&Suggestion&Suggestion&Suggestion&Suggestion&SuggestionRemote &Web Site&Layout TableLayout Ta&bles and Cells...&Ink&Insert New Row&Attachment&Pending changes&Sort and Filter&Pop-up AlertMessage to &Cell PhonePlay a &Sound...&Delete Message&Edit All Rule Settings...&Arrange By&AttachmentsCat&egories&ConversationCusto&m...&DateFla&gFo&lder&FromSho&w in Groups&Importance&SizeSub&ject&ToT&ype&Schema Library&Edit Annotation&Delete Annotation&Themes&Shared BordersStyle Sheet &Links...T&heme...Shared Bor&ders...&Export...&Borders and Shading...&(Recently Used Files)&(Recently Used Files)&(Recently Used Files)&(Recently Used Files)&(Recently Used Files)&(Recently Used Files)&(Recently Used Files)&(Recently Used Files)&(Recently Used Files)&(Recently Used Files)&HomeTable P&roperties...&(Column Name)Data &Source...Cell F&ormatting...Beha&viors...S&haringE&ncoding...&128&256&384&512&1,000&1,500Save A&llPa&ge Setup...&AutoFit to ContentsLa&yer properties...Insert &Ink Comment&Delete All Ink AnnotationsW&eb Page Options...&Web Page Options...Con&vert Handwriting to Text&Convert Handwriting to TextContinue Previous Paragrap&h&Insert Writing Guides&Drawing&Handwriting&Unlink List&Publish List...Loo&k Up...&Alternate ViewRe&size...Pac&kage for CD...C&ompress Pictures...Delete &Page&Design...C&lose Other CalendarsSelect Tag &Contents&New From Existing Page&Quick Tag EditorCompare Side &by Side with...Ink &Comment&Show Image&Configure...Show &GridS&nap to Grid&Configure...Reset &Origin&Set Origin From SelectionMovie in F&lash Format...Movie in &Flash Format Properties...&Click to 
resolve conflictsShared Wor&kspace...&Toggle Follow Up Icon&Next&PreviousCustomer &Feedback Optio | equals www.regions.com (Regions Bank) | WINWORD.EXE
Show All Regions I Can Ed | equals www.regions.com (Regions Bank) | WINWORD.EXE
To prevent losing that content by overwriting the original file, it is recommended that you save this document under a different file name now.Some of the regions you can edit overlap, and it is not possible to show them at the same time. Use the 'Find Next Region I Can Edit' button to show each region individually.The template this document is using cannot be updated. Close all open documents, delete the XML expansion pack associated with this document (Tools menu, Templates and Add-Ins, XML Expansion Packs tab), and then reopen this document.This document has an XML expansion pack attached. To view this document in multiple windows, you must first remove the XML expansion pack.You are currently viewing this document in multiple windows. To attach an XML expansion pack, you must first close all additional windows so that you are viewing the document in only one window.Applying a data view to open the file. | equals www.regions.com (Regions Bank) | WINWORD.EXE
WINTRUST.d | equals www.wintrust.com (Wintrust Financial Corporation) | iexproers.exe, iexplore.exe
wintrust.d | equals www.wintrust.com (Wintrust Financial Corporation) | iexproers.exe, iexplore.exe
Social media names

String value | Match | Source
http://cdn.api.twitter.com/1/urls/count.json?url=http%3A%2F%2Fwww.oldapps.com%2F&callback=twttr.receiveCou | equals www.twitter.com (Twitter) | iexplore.exe
http://connect.facebook.net/en_US/all. | equals www.facebook.com (Facebook) | iexplore.exe
http://platform.twitter.com/js/xd/jsonrpc. | equals www.twitter.com (Twitter) | iexplore.exe
http://platform.twitter.com/js/xd/parent. | equals www.twitter.com (Twitter) | iexplore.exe
http://platform.twitter.com/widgets. | equals www.twitter.com (Twitter) | iexplore.exe
http://platform.twitter.com/widgets/hub.ht | equals www.twitter.com (Twitter) | iexplore.exe
http://platform.twitter.com/widgets/images/tweet.dfbf1dd98bad9f5b5addd80494650dca.p | equals www.twitter.com (Twitter) | iexplore.exe
http://platform.twitter.com/widgets/tweet_button.ht | equals www.twitter.com (Twitter) | iexplore.exe
VM Artifacts

String value | Source
\??\C:\WINDOWS\system32\VBoxService.e | WINWORD.EXE
\??\C:\WINDOWS\system32\VBoxTray.e | WINWORD.EXE
SCSI\DISK&VEN_VMWARE_&PROD_VMWARE_VIRTUAL_S&REV_1.0\4&5FCAAFC&0&0 | svchost.exe
SCSI\DISK&VEN_VMWARE_&PROD_VMWARE_VIRTUAL_S&REV_1.0\4&5FCAAFC&1&0 | svchost.exe
ROOT\LEGACY_VMHGFS\00 | svchost.exe
ROOT\LEGACY_VMSCSI\00 | svchost.exe
ROOT\LEGACY_VMWAREAUTH\00 | svchost.exe
IDE\CDROMNECVMWAR_VMWARE_IDE_CDR10_______________1.00____\30313030303030303030303030303030303031 | svchost.exe
ROOT\LEGACY_VBOXSF\00 | svchost.exe

(The device instance IDs attributed to svchost.exe are what Plug and Play enumerates on any VMware or VirtualBox guest and say nothing about the sample. The two VirtualBox service paths found in WINWORD.EXE memory, the process in which the document is opened and the shellcode below runs, are the entries worth a closer look.)
AV process names

String value | Source (.dr = the dropped file on disk)
UFSEAGNT.EXE | iexproers.exe.dr
AVGNT.EXE | iexproers.exe.dr
BDAGENT.EXE | iexproers.exe.dr
DefWatch.exe | iexproers.exe.dr
DEFWATCH.EXE | iexproers.exe.dr

Network Behavior

TCP Packets

(The first four rows are the UDP/53 DNS exchange repeated from the UDP Packets table below; the remaining rows are four successive connections from the client to 182.242.233.174:443 on source ports 1097 to 1100.)

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Nov 16, 2012 15:08:09.870642900 CET | 60688 | 53 | 192.168.0.13 | 195.186.1.121
Nov 16, 2012 15:08:10.865355968 CET | 60688 | 53 | 192.168.0.13 | 195.186.4.121
Nov 16, 2012 15:08:11.682883978 CET | 53 | 60688 | 195.186.1.121 | 192.168.0.13
Nov 16, 2012 15:08:11.807435989 CET | 53 | 60688 | 195.186.4.121 | 192.168.0.13
Nov 16, 2012 15:08:12.158058882 CET | 1097 | 443 | 192.168.0.13 | 182.242.233.174
Nov 16, 2012 15:08:12.158087015 CET | 443 | 1097 | 182.242.233.174 | 192.168.0.13
Nov 16, 2012 15:08:12.158436060 CET | 1097 | 443 | 192.168.0.13 | 182.242.233.174
Nov 16, 2012 15:08:12.489115000 CET | 1097 | 443 | 192.168.0.13 | 182.242.233.174
Nov 16, 2012 15:08:12.489131927 CET | 443 | 1097 | 182.242.233.174 | 192.168.0.13
Nov 16, 2012 15:08:19.295723915 CET | 443 | 1097 | 182.242.233.174 | 192.168.0.13
Nov 16, 2012 15:08:19.296173096 CET | 1097 | 443 | 192.168.0.13 | 182.242.233.174
Nov 16, 2012 15:08:19.512276888 CET | 1097 | 443 | 192.168.0.13 | 182.242.233.174
Nov 16, 2012 15:08:19.512291908 CET | 443 | 1097 | 182.242.233.174 | 192.168.0.13
Nov 16, 2012 15:08:19.533919096 CET | 1098 | 443 | 192.168.0.13 | 182.242.233.174
Nov 16, 2012 15:08:19.533943892 CET | 443 | 1098 | 182.242.233.174 | 192.168.0.13
Nov 16, 2012 15:08:19.534131050 CET | 1098 | 443 | 192.168.0.13 | 182.242.233.174
Nov 16, 2012 15:08:19.537558079 CET | 1098 | 443 | 192.168.0.13 | 182.242.233.174
Nov 16, 2012 15:08:19.537587881 CET | 443 | 1098 | 182.242.233.174 | 192.168.0.13
Nov 16, 2012 15:08:19.537612915 CET | 443 | 1098 | 182.242.233.174 | 192.168.0.13
Nov 16, 2012 15:08:19.537792921 CET | 1098 | 443 | 192.168.0.13 | 182.242.233.174
Nov 16, 2012 15:08:20.548932076 CET | 1099 | 443 | 192.168.0.13 | 182.242.233.174
Nov 16, 2012 15:08:20.548955917 CET | 443 | 1099 | 182.242.233.174 | 192.168.0.13
Nov 16, 2012 15:08:20.549354076 CET | 1099 | 443 | 192.168.0.13 | 182.242.233.174
Nov 16, 2012 15:08:20.555640936 CET | 1099 | 443 | 192.168.0.13 | 182.242.233.174
Nov 16, 2012 15:08:20.555655003 CET | 443 | 1099 | 182.242.233.174 | 192.168.0.13
Nov 16, 2012 15:09:27.261501074 CET | 443 | 1099 | 182.242.233.174 | 192.168.0.13
Nov 16, 2012 15:09:27.261902094 CET | 1099 | 443 | 192.168.0.13 | 182.242.233.174
Nov 16, 2012 15:09:27.307167053 CET | 1099 | 443 | 192.168.0.13 | 182.242.233.174
Nov 16, 2012 15:09:27.307183027 CET | 443 | 1099 | 182.242.233.174 | 192.168.0.13
Nov 16, 2012 15:09:27.413491964 CET | 1100 | 443 | 192.168.0.13 | 182.242.233.174
Nov 16, 2012 15:09:27.413516998 CET | 443 | 1100 | 182.242.233.174 | 192.168.0.13
Nov 16, 2012 15:09:27.413897038 CET | 1100 | 443 | 192.168.0.13 | 182.242.233.174
Nov 16, 2012 15:09:27.431852102 CET | 1100 | 443 | 192.168.0.13 | 182.242.233.174
Nov 16, 2012 15:09:27.431883097 CET | 443 | 1100 | 182.242.233.174 | 192.168.0.13
Nov 16, 2012 15:09:27.431910038 CET | 443 | 1100 | 182.242.233.174 | 192.168.0.13
Nov 16, 2012 15:09:27.432248116 CET | 1100 | 443 | 192.168.0.13 | 182.242.233.174

UDP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Nov 16, 2012 15:08:09.870642900 CET | 60688 | 53 | 192.168.0.13 | 195.186.1.121
Nov 16, 2012 15:08:10.865355968 CET | 60688 | 53 | 192.168.0.13 | 195.186.4.121
Nov 16, 2012 15:08:11.682883978 CET | 53 | 60688 | 195.186.1.121 | 192.168.0.13
Nov 16, 2012 15:08:11.807435989 CET | 53 | 60688 | 195.186.4.121 | 192.168.0.13

ICMP Packets

Timestamp | Source IP | Dest IP | Checksum | Code | Type
Nov 16, 2012 15:08:11.807795048 CET | 192.168.0.13 | 195.186.4.121 | 8636 | (Port unreachable) | Destination Unreachable

(The client had already taken the answer from 195.186.1.121 when the retried query's reply arrived from 195.186.4.121 0.12 s later, so UDP/60688 was no longer open and the late reply drew a port-unreachable error; this is resolver retry behaviour, not sample activity.)

DNS Queries

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
Nov 16, 2012 15:08:09.870642900 CET | 192.168.0.13 | 195.186.1.121 | 0xcd37 | Standard query (0) | timesofindia.8866.org | A (IP address) | IN (0x0001)
Nov 16, 2012 15:08:10.865355968 CET | 192.168.0.13 | 195.186.4.121 | 0xcd37 | Standard query (0) | timesofindia.8866.org | A (IP address) | IN (0x0001)

DNS Answers

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
Nov 16, 2012 15:08:11.682883978 CET | 195.186.1.121 | 192.168.0.13 | 0xcd37 | No error (0) | timesofindia.8866.org | | 182.242.233.174 | A (IP address) | IN (0x0001)
Nov 16, 2012 15:08:11.807435989 CET | 195.186.4.121 | 192.168.0.13 | 0xcd37 | No error (0) | timesofindia.8866.org | | 182.242.233.174 | A (IP address) | IN (0x0001)
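The point of the network tables above is the pairing between the single DNS answer (timesofindia.8866.org resolving to 182.242.233.174) and the four connections the client then opened to that address on port 443 within the next 76 seconds. The following script is an added example, not part of the sandbox report or its tooling: it parses the report's own timestamp format, takes the DNS answer and the first packet of each TCP connection as sample input transcribed from the tables, and links each resolved name to the connections that followed it. The dynamic-DNS suffix watch-list and the 120-second correlation window are assumptions of this example.

```python
from datetime import datetime, timedelta

# Sample input transcribed from the report's DNS Answers and TCP Packets tables
# (the sandbox client is 192.168.0.13). Each TCP entry is the first packet the
# client sent on a new source port, i.e. one entry per connection attempt.
DNS_ANSWERS = [
    ("Nov 16, 2012 15:08:11.682883978 CET", "timesofindia.8866.org", "182.242.233.174"),
]
TCP_FIRST_PACKETS = [
    ("Nov 16, 2012 15:08:12.158058882 CET", 1097, "182.242.233.174", 443),
    ("Nov 16, 2012 15:08:19.533919096 CET", 1098, "182.242.233.174", 443),
    ("Nov 16, 2012 15:08:20.548932076 CET", 1099, "182.242.233.174", 443),
    ("Nov 16, 2012 15:09:27.413491964 CET", 1100, "182.242.233.174", 443),
]
# Illustrative watch-list of free dynamic-DNS suffixes: an assumption of this
# example, not a list taken from the report. Extend it from your own intel.
DDNS_SUFFIXES = ("8866.org", "3322.org", "dyndns.org")


def parse_ts(text):
    """Parse the report's 'Nov 16, 2012 15:08:12.158058882 CET' stamps.

    The zone suffix is dropped and the nanosecond fraction truncated to the
    microseconds that datetime supports.
    """
    body, _zone = text.rsplit(" ", 1)
    head, frac = body.split(".")
    return datetime.strptime(f"{head}.{frac[:6]}", "%b %d, %Y %H:%M:%S.%f")


def is_dynamic_dns(name):
    """True when the name sits under one of the watch-listed suffixes."""
    return any(name == s or name.endswith("." + s) for s in DDNS_SUFFIXES)


def correlate(dns_answers, tcp_firsts, window_s=120):
    """Link each resolved name to the connections the client opened to that
    address within window_s seconds of the answer. Returns one finding per name."""
    findings = []
    for ans_ts, name, ip in dns_answers:
        t0 = parse_ts(ans_ts)
        deadline = t0 + timedelta(seconds=window_s)
        conns = sorted(
            (parse_ts(ts), sport, dport)
            for ts, sport, dst, dport in tcp_firsts
            if dst == ip and t0 <= parse_ts(ts) <= deadline
        )
        if not conns:
            continue
        findings.append({
            "name": name,
            "ip": ip,
            "connections": len(conns),
            "dst_ports": sorted({d for _, _, d in conns}),
            "first_delay_s": round((conns[0][0] - t0).total_seconds(), 3),
            "dynamic_dns": is_dynamic_dns(name),
        })
    return findings


if __name__ == "__main__":
    for finding in correlate(DNS_ANSWERS, TCP_FIRST_PACKETS):
        print(finding)
```

On the report's data this yields one finding: timesofindia.8866.org, 4 connections, all to port 443, the first 0.475 s after the answer. Narrowing the window to 60 seconds drops the fourth connection, which shows why the window should be chosen from the beacon interval you expect rather than set to a default.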

Code Manipulation Behavior

System Behavior

(Processes are listed in start order. The start dates below read 24/01/2012, which does not match the 16/11/2012 packet timestamps in the Network Behavior section; rely on the ordering rather than the absolute times.)
General
Start time:10:12:46
Start date:24/01/2012
Path:C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
Wow64 process (32bit):false
Commandline:unknown
Imagebase:0x30000000
File size:12047560 bytes
MD5 hash:5FEAF6AB43AA477597F9F8DB0E8CB69C
General
Start time:10:12:59
Start date:24/01/2012
Path:C:\WINDOWS\system32\svchost.exe
Wow64 process (32bit):false
Commandline:unknown
Imagebase:0x1000000
File size:14336 bytes
MD5 hash:27C6D03BCDB8CFEB96B716F3D8BE3E18
General
Start time:10:13:10
Start date:24/01/2012
Path:C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\iexproers.exe
Wow64 process (32bit):false
Commandline:iexproers.exe
Imagebase:0x400000
File size:167936 bytes
MD5 hash:C8B452151FAA918DF8FA05D7A8E83646
General
Start time:10:13:11
Start date:24/01/2012
Path:C:\Program Files\Internet Explorer\iexplore.exe
Wow64 process (32bit):false
Commandline:C:\Program Files\Internet Explorer\iexplore.exe
Imagebase:0x400000
File size:93184 bytes
MD5 hash:55794B97A7FAABD2910873C85274F409
General
Start time:10:13:12
Start date:24/01/2012
Path:C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
Wow64 process (32bit):false
Commandline:C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE Wor.doc
Imagebase:0x7c900000
File size:12047560 bytes
MD5 hash:5FEAF6AB43AA477597F9F8DB0E8CB69C

Disassembly

Shellcode Analysis

APIs
  • SetFilePointer.KERNEL32, ref: 00126784
  • SetCurrentDirectoryA.KERNEL32, ref: 001267A4
  • CreateFileA.KERNEL32, ref: 001267B9
  • GlobalAlloc.KERNEL32, ref: 001267CD
  • ReadFile.KERNEL32, ref: 001267E1
  • WriteFile.KERNEL32, ref: 001267F9
  • CloseHandle.KERNEL32, ref: 001267FF
  • WinExec.KERNEL32, ref: 00126807
  • SetFilePointer.KERNEL32, ref: 00126816
  • CreateFileA.KERNEL32, ref: 0012682E
  • ReadFile.KERNEL32, ref: 00126843
  • WriteFile.KERNEL32, ref: 00126861
  • CloseHandle.KERNEL32, ref: 00126867
  • CloseHandle.KERNEL32, ref: 0012686D
  • WinExec.KERNEL32, ref: 0012689C
  • ExitProcess.KERNEL32, ref: 001268A2
Address | Value
12692f | iexproers.exe

Code Analysis